
Add ability to manage VPN tunnel options #11584

Closed
dthvt opened this issue Jan 13, 2020 · 10 comments · Fixed by #14740
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

Contributor

dthvt commented Jan 13, 2020


Description

The AWS API/CLI supports modify-vpn-tunnel-options, which can be used to set explicit parameters, for example DH Groups, encryption algorithms, & integrity algorithms, allowable on a tunnel. It would be nice to be able to manage these via terraform without resorting to a local provisioner using the CLI. This is useful to ensure that the tunnels do not support options which are disallowed by organization security policies for VPN tunnels.

I don't know if it's more practical to add this as a feature of aws_vpn_connection or have a separate aws_vpn_tunnel_options resource that could be used to manage an existing tunnel via the modify-vpn-tunnel-options API.

New or Affected Resource(s)

  • aws_vpn_connection
  • aws_vpn_tunnel_options

Potential Terraform Configuration

resource "aws_vpn_tunnel_options" "main" {
  vpn_connection_id             = aws_vpn_connection.main.id
  vpn_tunnel_outside_ip_address = aws_vpn_connection.main.tunnel1_address
  phase_1_dh_group_numbers      = [14, 15]
}

@dthvt dthvt added the enhancement Requests to existing resources that expand the functionality or scope. label Jan 13, 2020
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 13, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 13, 2020

tkoeck commented Jul 20, 2020

The feature to adjust the tunnel options is particularly important for connecting to Azure VPN tunnels. It's not possible to set up a stable VPN connection with Azure without adjusting tunnel options on the AWS side.

@artburkart
Contributor

For what it's worth, the Azure Terraform provider has a configuration block called ipsec_policy inside its azurerm_virtual_network_gateway_connection resource. It works well, so adopting the same pattern here would probably work too.

@kellersyf

This change is great! I hope that the PR is merged soon.

That being said, would you mind adding support for the StartupAction parameter that was added at the end of August?

Links: Announcement, CLI Reference

Looking forward to seeing this available in a future provider version.


tkoeck commented Sep 15, 2020

For what it's worth, the Azure Terraform provider has a configuration block called ipsec_policy inside its azurerm_virtual_network_gateway_connection resource. It works well, so adopting the same pattern here would probably work too.

It seems that that option only allows adjusting phase 2 and not phase 1 options on the Azure side.

@MRinalducci

@kellersyf just added support for DPDTimeoutAction and StartupAction parameters.

@tleung999

Thank you for adding this. We also need to be able to adjust the tunnel options for tunnels between GCP and AWS, else the payload size becomes too large for GCP to rekey. https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn.

Known issue: When configuring VPN tunnels to AWS, use the IKEv2 encryption protocol and select fewer transform sets on the AWS side, otherwise the Cloud VPN tunnel can fail to rekey. For example, select a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.

This rekeying issue is caused by a large SA payload size for the default set of AWS transform sets. This large payload size results in IP fragmentation of IKE packets on the AWS side, which Cloud VPN does not support.

@breathingdust
Member

Hi all! 👋 Just wanted to direct you to our public roadmap for this quarter (Nov-Jan) in which this item has been mentioned.

Due to the significant community interest in support for this feature, we will be looking at merging existing contributions soon.

We appreciate all the contributions and feedback thus far.

Look out for support in the provider soon!

@anGie44 anGie44 removed the needs-triage Waiting for first response or review from a maintainer. label Nov 12, 2020
@MRinalducci

Hi all,
I just added support for:

  • LocalIpv4NetworkCidr
  • RemoteIpv4NetworkCidr
  • LocalIpv6NetworkCidr
  • RemoteIpv6NetworkCidr
  • TunnelInsideIpVersion
  • TunnelInsideIpv6Cidr

It also closes issue #14698.
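Added example, not code from this thread, from the provider's own docs or from any commenter: one aws_vpn_connection that ties together the three points raised above, namely the original request to offer only organisation-approved DH groups and algorithms, tleung999's note that GCP needs IKEv2 and a single Phase 1/Phase 2 transform set so the IKE SA payload does not fragment, and the StartupAction, DPDTimeoutAction and local/remote network CIDR arguments listed in the comment just above. It assumes the tunnel1_*/tunnel2_* and *_network_cidr argument names of aws_vpn_connection in provider 3.22.0 or later, Terraform 1.2 or later for the lifecycle precondition, and placeholder IDs, addresses, CIDRs and policy lists that are not taken from the thread.

```hcl
# Added example (not from this issue): pin both tunnels of an AWS Site-to-Site
# VPN to an organisation-approved IKE/IPsec policy and fail the plan if the
# offered proposals ever drift outside it. Argument names are those of
# aws_vpn_connection in terraform-provider-aws >= 3.22.0 (assumed); all IDs,
# addresses, CIDRs and the policy lists below are placeholders.

locals {
  # What the organisation allows a tunnel to negotiate at all (placeholder policy).
  approved_dh_groups  = [14, 19, 20, 21]
  approved_encryption = ["AES256", "AES256-GCM-16"]
  approved_integrity  = ["SHA2-256", "SHA2-384", "SHA2-512"]

  # What this connection actually offers: a single transform set. A single set
  # keeps the IKE SA payload small (the GCP rekey/fragmentation issue quoted
  # above) and leaves no weaker fallback for a peer to choose.
  dh_groups  = [20]
  encryption = ["AES256-GCM-16"]
  integrity  = ["SHA2-384"]
}

resource "aws_customer_gateway" "peer" {
  bgp_asn    = 65000          # placeholder
  ip_address = "203.0.113.10" # placeholder (TEST-NET-3)
  type       = "ipsec.1"
}

resource "aws_ec2_transit_gateway" "main" {}

resource "aws_vpn_connection" "main" {
  customer_gateway_id = aws_customer_gateway.peer.id
  transit_gateway_id  = aws_ec2_transit_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false

  # Restrict the traffic selectors to the two prefixes that should talk.
  tunnel_inside_ip_version = "ipv4"
  local_ipv4_network_cidr  = "10.0.0.0/16" # placeholder
  remote_ipv4_network_cidr = "10.1.0.0/16" # placeholder

  tunnel1_inside_cidr = "169.254.10.0/30"
  tunnel2_inside_cidr = "169.254.11.0/30"

  # IKEv2 only: IKEv1 is never offered.
  tunnel1_ike_versions = ["ikev2"]
  tunnel2_ike_versions = ["ikev2"]

  tunnel1_phase1_dh_group_numbers      = local.dh_groups
  tunnel1_phase1_encryption_algorithms = local.encryption
  tunnel1_phase1_integrity_algorithms  = local.integrity
  tunnel1_phase2_dh_group_numbers      = local.dh_groups
  tunnel1_phase2_encryption_algorithms = local.encryption
  tunnel1_phase2_integrity_algorithms  = local.integrity

  tunnel2_phase1_dh_group_numbers      = local.dh_groups
  tunnel2_phase1_encryption_algorithms = local.encryption
  tunnel2_phase1_integrity_algorithms  = local.integrity
  tunnel2_phase2_dh_group_numbers      = local.dh_groups
  tunnel2_phase2_encryption_algorithms = local.encryption
  tunnel2_phase2_integrity_algorithms  = local.integrity

  # Options added later in this thread: let AWS initiate the tunnel and
  # restart IKE after a dead-peer-detection timeout instead of clearing the
  # tunnel and waiting for the peer to come back.
  tunnel1_startup_action      = "start"
  tunnel2_startup_action      = "start"
  tunnel1_dpd_timeout_action  = "restart"
  tunnel2_dpd_timeout_action  = "restart"
  tunnel1_dpd_timeout_seconds = 30
  tunnel2_dpd_timeout_seconds = 30

  lifecycle {
    # Guard rail: the plan fails if someone widens the offered set past policy.
    precondition {
      condition = (
        length(setsubtract(local.dh_groups, local.approved_dh_groups)) == 0 &&
        length(setsubtract(local.encryption, local.approved_encryption)) == 0 &&
        length(setsubtract(local.integrity, local.approved_integrity)) == 0
      )
      error_message = "Offered VPN tunnel proposals include DH groups or algorithms not approved by policy."
    }
  }
}
```

The precondition checks the offered set against the approved set rather than hard-coding the approved set directly, so the same policy locals can be shared by several connections while each one still offers the minimum its peer needs. After apply, the effective proposals can be confirmed outside Terraform with `aws ec2 describe-vpn-connections --vpn-connection-ids <id>` and inspecting the Options.TunnelOptions entries; any entry listing more than the single transform set above means the state and the gateway have diverged.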

@github-actions github-actions bot added this to the v3.22.0 milestone Dec 16, 2020

ghost commented Dec 18, 2020

This has been released in version 3.22.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


ghost commented Jan 16, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Jan 16, 2021
9 participants