-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for custom IPsec/IKE policies for VPN connections #834
Add support for custom IPsec/IKE policies for VPN connections #834
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hey @dominik-lekse
Thanks for this PR - I've taken a look though and left some comments inline but this is mostly looking good. The comments I've left are mostly minor, the biggest question/concern being if if the default values have changed.
Thanks!
@@ -79,13 +79,19 @@ func resourceArmVirtualNetworkGatewayConnection() *schema.Resource { | |||
"enable_bgp": { | |||
Type: schema.TypeBool, | |||
Optional: true, | |||
Default: false, | |||
Computed: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this same default returned from Azure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, false is the API default for enable_bgp. The intention for this change was to increase the transparency of the provider towards the API, i.e. allow the API to decide for the default. Unfortunately, the API docs are not quite elaborate on the default values (https://docs.microsoft.com/en-us/rest/api/network-gateway/virtualnetworkgatewayconnections/createorupdate).
}, | ||
|
||
"routing_weight": { | ||
Type: schema.TypeInt, | ||
Optional: true, | ||
Default: 10, | ||
Computed: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this same default returned from Azure?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same reasoning as above, 10 is the default value, but it should not be fixed in the provider.
d.Set("routing_weight", conn.RoutingWeight) | ||
d.Set("shared_key", conn.SharedKey) | ||
if conn.EnableBgp != nil { | ||
d.Set("enable_bgp", conn.EnableBgp) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we want to dereference this field?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is currently done in ResourceData.Set
@@ -180,7 +289,9 @@ func resourceArmVirtualNetworkGatewayConnectionRead(d *schema.ResourceData, meta | |||
d.Set("virtual_network_gateway_id", conn.VirtualNetworkGateway1.ID) | |||
} | |||
|
|||
d.Set("authorization_key", conn.AuthorizationKey) | |||
if conn.AuthorizationKey != nil { | |||
d.Set("authorization_key", conn.AuthorizationKey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
providing this value is a string, we shouldn't need this check?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is an optional field in the API, is it then also safe to avoid this check?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since d.Set
handles setting pointer values (even if they're nil - to an empty value) - it should be fine :)
|
||
if conn.IpsecPolicies != nil { | ||
ipsec_policies := flattenArmVirtualNetworkGatewayConnectionIpsecPolicies(conn.IpsecPolicies) | ||
d.Set("ipsec_policy", ipsec_policies) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
given this is a complex object, can we check for errors here via:
if err := d.Set("ipsec_policy", ipsec_policies); err != nil {
return fmt.Errorf("Error setting `ipsec_policy`: %+v", err)
}
minor could we also rename the variable ipsec_policies
to ipsecPolicies
to match the other variables?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding the variable naming, I found it helpful to quickly identify the source of which the value originates. I.e. I chose CamelCase for values from the Azure Go SDK whereas snake_case for value from the Terraform schema.
However, to match the other resources, I will revert it.
} | ||
|
||
resource "azurerm_local_network_gateway" "test" { | ||
name = "test-${var.random}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(same here) can we change test
-> acctest
?
} | ||
|
||
resource "azurerm_virtual_network_gateway_connection" "test" { | ||
name = "test-${var.random}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(same here) can we change test
-> acctest
?
or `None`. | ||
|
||
* `sa_datasize` - (Optional) The IPSec SA payload size in KB. Must be at least | ||
`1024` KB. Defaults to `102400000` KB. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
given the value can stretch so high, would it be worth converting this value to/from MB?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would recommend to keep KBytes as a unit here for two reasons: 1) In the Azure docs this values is consistently described in this unit (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#ipsecike) and 2) it is quite common among VPN vendors to configure this in Kbytes (e.g https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/vpipsec.html#pgfId-959357)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
makes sense 👍
if v, ok := d.GetOk("ipsec_policy"); ok { | ||
ipsec_policies := v.([]interface{}) | ||
props.IpsecPolicies = expandArmVirtualNetworkGatewayConnectionIpsecPolicies(ipsec_policies) | ||
log.Printf("Ipsec policies: %+q", props.IpsecPolicies) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we remove this print statement?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, this is a true left over 😄
func flattenArmVirtualNetworkGatewayConnectionIpsecPolicies(ipsecPolicies *[]network.IpsecPolicy) []interface{} { | ||
ipsec_policies := make([]interface{}, 0, len(*ipsecPolicies)) | ||
|
||
for _, ipsecPolicy := range *ipsecPolicies { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's a potential crash here if ipsecPolicies
is nil - could we make this:
ipsec_policies := make([]interface{}, 0)
if inputPolicies := ipsecPolicies; inputPolicies != nil {
for _, ipsecPolicy := range *inputPolicies {
# ..
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I shouldn't rely on the caller here
Tested this PR and it works well for me. Would be nice to have this in the next release. Without a custom IPsec policy, an Azure VPN GW uses crypto algorithms that are no longer considered secure (3DES, SHA1, MODP1024 - see https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hey @dominik-lekse
Thanks for pushing those changes - this now LGTM 👍 - I'll kick of the test suite now
Thanks!
@tombuildsstuff Thanks for merging 👍 |
@tombuildsstuff thanks for merging |
👋 hey folks! Just to let you know that support for this has just been released in v1.2.0 of the AzureRM Provider - full details of what's included are available here: https://github.com/terraform-providers/terraform-provider-azurerm/blob/v1.2.0/CHANGELOG.md#120-march-02-2018 Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
This pull requests adds support for custom IPsec/IKE policies for VPN connections. Also, policy based traffic selectors can now be enabled explicitly for a connection.
Tests
I have added a new test which covers a custom
ipsec_policy
and theuse_policy_based_traffic_selectors
switch.References