Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for custom IPsec/IKE policies for VPN connections #834

Merged

Conversation

dominik-lekse
Copy link
Contributor

This pull requests adds support for custom IPsec/IKE policies for VPN connections. Also, policy based traffic selectors can now be enabled explicitly for a connection.

Tests

I have added a new test which covers a custom ipsec_policy and the use_policy_based_traffic_selectors switch.

TF_ACC=1 go test ./azurerm -v -run=TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy -timeout 180m
=== RUN   TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy
--- PASS: TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy (2401.33s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	2401.357s

References

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @dominik-lekse

Thanks for this PR - I've taken a look though and left some comments inline but this is mostly looking good. The comments I've left are mostly minor, the biggest question/concern being if if the default values have changed.

Thanks!

@@ -79,13 +79,19 @@ func resourceArmVirtualNetworkGatewayConnection() *schema.Resource {
"enable_bgp": {
Type: schema.TypeBool,
Optional: true,
Default: false,
Computed: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this same default returned from Azure?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, false is the API default for enable_bgp. The intention for this change was to increase the transparency of the provider towards the API, i.e. allow the API to decide for the default. Unfortunately, the API docs are not quite elaborate on the default values (https://docs.microsoft.com/en-us/rest/api/network-gateway/virtualnetworkgatewayconnections/createorupdate).

},

"routing_weight": {
Type: schema.TypeInt,
Optional: true,
Default: 10,
Computed: true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this same default returned from Azure?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same reasoning as above, 10 is the default value, but it should not be fixed in the provider.

d.Set("routing_weight", conn.RoutingWeight)
d.Set("shared_key", conn.SharedKey)
if conn.EnableBgp != nil {
d.Set("enable_bgp", conn.EnableBgp)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we want to dereference this field?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is currently done in ResourceData.Set

@@ -180,7 +289,9 @@ func resourceArmVirtualNetworkGatewayConnectionRead(d *schema.ResourceData, meta
d.Set("virtual_network_gateway_id", conn.VirtualNetworkGateway1.ID)
}

d.Set("authorization_key", conn.AuthorizationKey)
if conn.AuthorizationKey != nil {
d.Set("authorization_key", conn.AuthorizationKey)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

providing this value is a string, we shouldn't need this check?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is an optional field in the API, is it then also safe to avoid this check?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since d.Set handles setting pointer values (even if they're nil - to an empty value) - it should be fine :)


if conn.IpsecPolicies != nil {
ipsec_policies := flattenArmVirtualNetworkGatewayConnectionIpsecPolicies(conn.IpsecPolicies)
d.Set("ipsec_policy", ipsec_policies)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given this is a complex object, can we check for errors here via:

if err := d.Set("ipsec_policy", ipsec_policies); err != nil {
  return fmt.Errorf("Error setting `ipsec_policy`: %+v", err)
}

minor could we also rename the variable ipsec_policies to ipsecPolicies to match the other variables?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the variable naming, I found it helpful to quickly identify the source of which the value originates. I.e. I chose CamelCase for values from the Azure Go SDK whereas snake_case for value from the Terraform schema.

However, to match the other resources, I will revert it.

}

resource "azurerm_local_network_gateway" "test" {
name = "test-${var.random}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(same here) can we change test -> acctest?

}

resource "azurerm_virtual_network_gateway_connection" "test" {
name = "test-${var.random}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(same here) can we change test -> acctest?

or `None`.

* `sa_datasize` - (Optional) The IPSec SA payload size in KB. Must be at least
`1024` KB. Defaults to `102400000` KB.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given the value can stretch so high, would it be worth converting this value to/from MB?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would recommend to keep KBytes as a unit here for two reasons: 1) In the Azure docs this values is consistently described in this unit (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#ipsecike) and 2) it is quite common among VPN vendors to configure this in Kbytes (e.g https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/vpipsec.html#pgfId-959357)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

makes sense 👍

if v, ok := d.GetOk("ipsec_policy"); ok {
ipsec_policies := v.([]interface{})
props.IpsecPolicies = expandArmVirtualNetworkGatewayConnectionIpsecPolicies(ipsec_policies)
log.Printf("Ipsec policies: %+q", props.IpsecPolicies)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we remove this print statement?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, this is a true left over 😄

func flattenArmVirtualNetworkGatewayConnectionIpsecPolicies(ipsecPolicies *[]network.IpsecPolicy) []interface{} {
ipsec_policies := make([]interface{}, 0, len(*ipsecPolicies))

for _, ipsecPolicy := range *ipsecPolicies {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there's a potential crash here if ipsecPolicies is nil - could we make this:

ipsec_policies := make([]interface{}, 0)
if inputPolicies := ipsecPolicies; inputPolicies != nil {
  for _, ipsecPolicy := range *inputPolicies {
    # ..
  }
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I shouldn't rely on the caller here

@stintel
Copy link

stintel commented Mar 1, 2018

Tested this PR and it works well for me. Would be nice to have this in the next release. Without a custom IPsec policy, an Azure VPN GW uses crypto algorithms that are no longer considered secure (3DES, SHA1, MODP1024 - see https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations)

Copy link
Contributor

@tombuildsstuff tombuildsstuff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hey @dominik-lekse

Thanks for pushing those changes - this now LGTM 👍 - I'll kick of the test suite now

Thanks!

@tombuildsstuff
Copy link
Contributor

Tests pass:

screen shot 2018-02-28 at 17 24 32

@tombuildsstuff tombuildsstuff merged commit 325df2e into hashicorp:master Mar 1, 2018
tombuildsstuff added a commit that referenced this pull request Mar 1, 2018
@dominik-lekse
Copy link
Contributor Author

@tombuildsstuff Thanks for merging 👍

@stintel
Copy link

stintel commented Mar 1, 2018

@tombuildsstuff thanks for merging
@dominik-lekse thanks for your contribution

@tombuildsstuff
Copy link
Contributor

👋 hey folks!

Just to let you know that support for this has just been released in v1.2.0 of the AzureRM Provider - full details of what's included are available here: https://github.com/terraform-providers/terraform-provider-azurerm/blob/v1.2.0/CHANGELOG.md#120-march-02-2018

Thanks!

@ghost
Copy link

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feature Request: support for custom IPsec/IKE policies
3 participants