Bug report- Virtual WAN VPN Gateway Connection Route Tables

[trapeznikov]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Version of the module you are using

5.7.9

Rover Version

aztfmod/rover:1.5.6-2309.0507

Terraform Version

1.5.6

AzureRM Provider Version

3.75.0

Affected Resource(s)/Data Source(s)

azurerm_vpn_gateway_connection

Terraform Configuration Files

https://github.com/aztfmod/terraform-azurerm-caf/blob/main/examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/virtual_wan.tfvars

Expected Behaviour

Deploy VPN Gateway Connection with Route Tables associated and propagated.

propagated_route_table is currently not set up correctly in the module. I can submit a PR to fix it, but I'm not sure how to keep current behaviour with both propagated_route_table and propagated_route_tables.
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_gateway_connection#propagated_route_table

We may also want to consider implementing Virtual Hub Route Table with azurerm_virtual_hub_route_table resource https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_hub_route_table

Actual Behaviour

╷
│ Error: Too many propagated_route_table blocks
│ 
│   on ../modules/networking/vpn_gateway_connection/module.tf line 76, in resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection":
│   76:         content {
│ 
│ No more than 1 "propagated_route_table" blocks are allowed
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on ../modules/networking/vpn_gateway_connection/module.tf line 77, in resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection":
│   77:           route_table_ids = can(propagated_route_table.value.id) ? propagated_route_table.value.id : var.route_tables[try(propagated_route_table.value.lz_key, var.client_config.landingzone_key)][propagated_route_table.value.key].id
│     ├────────────────
│     │ var.client_config.landingzone_key is "examples"
│     │ var.route_tables is object with 1 attribute "examples"
│ 
│ Inappropriate value for attribute "route_table_ids": list of string required.
╵
╷
│ Error: Incorrect attribute value type
│ 
│   on ../modules/networking/vpn_gateway_connection/module.tf line 77, in resource "azurerm_vpn_gateway_connection" "vpn_gateway_connection":
│   77:           route_table_ids = can(propagated_route_table.value.id) ? propagated_route_table.value.id : var.route_tables[try(propagated_route_table.value.lz_key, var.client_config.landingzone_key)][propagated_route_table.value.key].id
│     ├────────────────
│     │ var.client_config.landingzone_key is "examples"
│     │ var.route_tables is object with 1 attribute "examples"
│ 
│ Inappropriate value for attribute "route_table_ids": list of string required.

Steps to Reproduce

Run standalone module with example networking/virtual_wan/109-vwan-vpn-gateway-connection
terraform apply -var-file=<(cat ../examples/networking/virtual_wan/109-vwan-vpn-gateway-connection/*.tfvars)

Important Factoids

No response

References

No response

[trapeznikov]

@arnaudlh PR#1923 doesn't address this issue, I encountered it while working on that PR but don't have clear directions on how to fix it. I can submit a PR that will address it, but it will have a breaking change.

[arnaudlh]

@trapeznikov ok reopening the issue :) how breaking would the change be? :)

[trapeznikov]

@arnaudlh well, I guess it may not be a breaking change if it fixes the current broken code :)
I'll submit a PR soon.

[trapeznikov]

@arnaudlh it looks like there's more issues than just propagated_route_table. In the code example routetable1 is used as associated_route_table; however, based on documentation only Default route table can be associated to a branch connection. After fixing the error I mentioned in the issue, I'm getting this error Associated route table on branches can't be custom route table. I will keep current logic as is, in case it will ever be possible to associate non default route tables with VPN connections, but will use Default route table is nothing is passed to associated_route_table.

│ Resource Group Name: "fydb-rg-vnet-hub-re1"
│ Gateway Name: "fydb-vgw-caf-sea-vpn-s2s"
│ Connection Name: "fydb-vcn-connection-1"): polling after VpnConnectionsCreateOrUpdate: polling failed: the Azure API returned the following error:
│ 
│ Status: "Unknown"
│ Code: "InvalidAssociatedRouteTable"
│ Message: "The specified associated route table '/subscriptions/014b9b3d-8ab2-40d8-974b-498f881a75fe/resourceGroups/fydb-rg-vnet-hub-re1/providers/Microsoft.Network/virtualHubs/fydb-vhub-hub-re1/hubRouteTables/example-vhubroutetable1' for connection '/subscriptions/014b9b3d-8ab2-40d8-974b-498f881a75fe/resourceGroups/fydb-rg-vnet-hub-re1/providers/Microsoft.Network/vpnGateways/fydb-vgw-caf-sea-vpn-s2s/vpnConnections/fydb-vcn-connection-1' is invalid 'Associated route table on branches can't be custom route table.'."