-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add vpn client protocol support for virtual network gateway #946
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @dcaro,
Thank you for adding this! I've taken a look over it and left some comments inline. Outside of that running the tests produces a none empty plan for me:
DIFF:
UPDATE: azurerm_virtual_network_gateway.test
vpn_client_configuration.0.radius_server_address: "" => "1.2.3.4"
vpn_client_configuration.0.radius_server_secret: "" => "verysecretsecret"
STATE:
Look forward to getting this merged once these concerns are worked out 🙂
Type: schema.TypeList, | ||
Optional: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible to get some validation of this property?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! I have added a value validation.
@@ -137,9 +137,20 @@ func resourceArmVirtualNetworkGateway() *schema.Resource { | |||
Type: schema.TypeString, | |||
}, | |||
}, | |||
"vpn_client_protocol": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we name this vpn_client_protocols
to match the SDK?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense, done.
@@ -137,9 +137,20 @@ func resourceArmVirtualNetworkGateway() *schema.Resource { | |||
Type: schema.TypeString, | |||
}, | |||
}, | |||
"vpn_client_protocol": { | |||
Type: schema.TypeList, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be a set unless order matters/duplicates are allowed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are right, order does not matters, changed.
"root_certificate": { | ||
Type: schema.TypeSet, | ||
Required: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if neither root_certificate
or radius_server_address
are set? if that is an error condition we should use a CustomizeDiff
to check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the root_certificate and radius_server_address are set, this is accepted by azure with no root cert and the vpnclient cannot be downloaded. I've added a CustomizeDiff so that if a radius_server_address is set is had to be a valid IPv4 address and the secret shall not be empty.
Config: config, | ||
Check: resource.ComposeTestCheckFunc( | ||
testCheckAzureRMVirtualNetworkGatewayExists("azurerm_virtual_network_gateway.test"), | ||
), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we check here to see if the state is correct:
resource.TestCheckResourceAttr(resourceName, "key", "value"),
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, I have added couple of other attribute checks on basic and lowerCaseSubnetName tests as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have included the changes and added a regex validation for the IPv4 address using regex. Let me know if you have a preferred method.
@@ -137,9 +137,20 @@ func resourceArmVirtualNetworkGateway() *schema.Resource { | |||
Type: schema.TypeString, | |||
}, | |||
}, | |||
"vpn_client_protocol": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That makes sense, done.
@@ -137,9 +137,20 @@ func resourceArmVirtualNetworkGateway() *schema.Resource { | |||
Type: schema.TypeString, | |||
}, | |||
}, | |||
"vpn_client_protocol": { | |||
Type: schema.TypeList, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you are right, order does not matters, changed.
Type: schema.TypeList, | ||
Optional: true, | ||
Elem: &schema.Schema{ | ||
Type: schema.TypeString, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch! I have added a value validation.
"root_certificate": { | ||
Type: schema.TypeSet, | ||
Required: true, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the root_certificate and radius_server_address are set, this is accepted by azure with no root cert and the vpnclient cannot be downloaded. I've added a CustomizeDiff so that if a radius_server_address is set is had to be a valid IPv4 address and the secret shall not be empty.
Config: config, | ||
Check: resource.ComposeTestCheckFunc( | ||
testCheckAzureRMVirtualNetworkGatewayExists("azurerm_virtual_network_gateway.test"), | ||
), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, I have added couple of other attribute checks on basic and lowerCaseSubnetName tests as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @dcaro,
Thank you for the updates. I've given this another look and left some comments inline.
@@ -11,6 +11,7 @@ import ( | |||
"github.com/hashicorp/terraform/helper/schema" | |||
"github.com/hashicorp/terraform/helper/validation" | |||
"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils" | |||
"regexp" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we sort this and put regex above with the other built in packages?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, updated.
} | ||
flat["vpn_client_protocols"] = vpnClientProtocols | ||
|
||
flat["radius_server_address"] = *cfg.RadiusServerAddress |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we check these for nil
?
if v := cfg.RadiusServerAddress; if v != nil {
flat["radius_server_address"] = *v
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added
"vpn_client_configuration.0.root_certificate", | ||
"vpn_client_configuration.0.revoked_certificate", | ||
}, | ||
Elem: &schema.Schema{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't apply to a TypeString
"vpn_client_configuration.0.root_certificate", | ||
"vpn_client_configuration.0.revoked_certificate", | ||
}, | ||
Elem: &schema.Schema{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't apply to a TypeString
if vpnClientConfig, ok := vpnClient.([]interface{})[0].(map[string]interface{}); ok { | ||
if vpnClientConfig["radius_server_address"] != "" { | ||
if !validIP4(vpnClientConfig["radius_server_address"].(string)) { | ||
return fmt.Errorf("radius_server_address is not an IPv4 address") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This validation can be done in the schema, for example:
ValidateFunc: validation.StringMatch(
regexp.MustCompile("^[-a-z0-9]{3,50}$"),
"Cosmos DB Account name must be 3 - 50 characters long, contain only letters, numbers and hyphens.",
),
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The schema is indeed a better place to do this check.
if !validIP4(vpnClientConfig["radius_server_address"].(string)) { | ||
return fmt.Errorf("radius_server_address is not an IPv4 address") | ||
} | ||
if vpnClientConfig["radius_server_secret"] == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as above, could be validated by schema & regex
|
||
if vpnClient, ok := diff.GetOk("vpn_client_configuration"); ok { | ||
if vpnClientConfig, ok := vpnClient.([]interface{})[0].(map[string]interface{}); ok { | ||
if vpnClientConfig["radius_server_address"] != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think what you want to do here is check to make sure one or the other is set as mentioned above?
as in:
_, hasRadius := vpnClientConfig["radius_server_address"]
_, hasRootCert := vpnClientConfig["root_certificate"]
if !hasRadius && !hasRootCert {
#error
}
if hasRadius {
if _, hasRadiusSecret := vpnClientConfig["radius_server_secret"]; !hasRadiusSecret {
#error
}
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With this hasRadius and hasRootCert are set to true. I have changed a bit the logic to check if both radius server address and value are set. If this neither of them are set, we can assume that we are using the certificate method and nil is accepted.
return nil | ||
} | ||
|
||
func validIP4(ipAddress string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we rename this to validateIP4
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed since this is done in the schema.
@@ -269,11 +276,20 @@ resource "azurerm_virtual_network_gateway" "test" { | |||
private_ip_address_allocation = "Dynamic" | |||
subnet_id = "${azurerm_subnet.test.id}" | |||
} | |||
|
|||
vpn_client_configuration { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we add an entirely new test for these properties instead of adding them to an existing test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, done.
…unction and customizeDiff, added new test
I have just pushed an update with the changes that you have suggested. Let me know if there are any other points. Thanks for the review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the changes @dcaro! This LGTM now 👍
I am trying to use the new
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
Added support for vpn client protocol and radius server with the following fields:
vpn_client_protocol
radius_server_address
radius_server_secret