xdr-terraform-modules/base/transit_gateway_interconnect_vpn/main.tf

resource "aws_customer_gateway" "attachment" {
  count = var.interconnects_count
  bgp_asn = var.interconnect_asn
  ip_address = var.interconnect_public_ips[count.index]
  type = "ipsec.1"
  tags = merge(var.standard_tags, var.tags)
}

resource "aws_vpn_connection" "vpn" {
  count = var.interconnects_count
  customer_gateway_id = aws_customer_gateway.attachment[count.index].id
  transit_gateway_id  = var.transit_gateway_id
  type                = aws_customer_gateway.attachment[count.index].type
  tags = merge(var.standard_tags, var.tags)

  # The following settings (and more) originally could not be configured. We may want to revisit to see
  # if these things should be hardened, but they look strong to me already.
  tunnel1_ike_versions                 = [ "ikev2", ]
  tunnel1_phase1_dh_group_numbers      = [ 15, 16, 17, ]
  tunnel1_phase1_encryption_algorithms = [ "AES256", ]
  tunnel1_phase1_integrity_algorithms  = [ "SHA2-256", ]
  tunnel1_phase2_dh_group_numbers      = [ 15, 16, 17, ]
  tunnel1_phase2_encryption_algorithms = [ "AES256", ]
  tunnel1_phase2_integrity_algorithms  = [ "SHA2-256", ]

  tunnel2_ike_versions                 = [ "ikev2", ]
  tunnel2_phase1_dh_group_numbers      = [ 15, 16, 17, ]
  tunnel2_phase1_encryption_algorithms = [ "AES256", ]
  tunnel2_phase1_integrity_algorithms  = [ "SHA2-256", ]
  tunnel2_phase2_dh_group_numbers      = [ 15, 16, 17, ]
  tunnel2_phase2_encryption_algorithms = [ "AES256", ]
  tunnel2_phase2_integrity_algorithms  = [ "SHA2-256", ]
}