Add support for custom IPsec/IKE policies for VPN connections

[dominik-lekse]

This pull requests adds support for custom IPsec/IKE policies for VPN connections. Also, policy based traffic selectors can now be enabled explicitly for a connection.

Tests

I have added a new test which covers a custom ipsec_policy and the use_policy_based_traffic_selectors switch.

TF_ACC=1 go test ./azurerm -v -run=TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy -timeout 180m
=== RUN   TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy
--- PASS: TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy (2401.33s)
PASS
ok  	github.com/terraform-providers/terraform-provider-azurerm/azurerm	2401.357s

References

• Resolves Feature Request: support for custom IPsec/IKE policies #759

[tombuildsstuff]

hey @dominik-lekse

Thanks for this PR - I've taken a look though and left some comments inline but this is mostly looking good. The comments I've left are mostly minor, the biggest question/concern being if if the default values have changed.

Thanks!

[tombuildsstuff]

is this same default returned from Azure?

[dominik-lekse]

Yes, false is the API default for enable_bgp. The intention for this change was to increase the transparency of the provider towards the API, i.e. allow the API to decide for the default. Unfortunately, the API docs are not quite elaborate on the default values (https://docs.microsoft.com/en-us/rest/api/network-gateway/virtualnetworkgatewayconnections/createorupdate).

[tombuildsstuff]

is this same default returned from Azure?

[dominik-lekse]

Same reasoning as above, 10 is the default value, but it should not be fixed in the provider.

[tombuildsstuff]

do we want to dereference this field?

[dominik-lekse]

This is currently done in ResourceData.Set

[tombuildsstuff]

providing this value is a string, we shouldn't need this check?

[dominik-lekse]

It is an optional field in the API, is it then also safe to avoid this check?

[tombuildsstuff]

Since d.Set handles setting pointer values (even if they're nil - to an empty value) - it should be fine :)

[tombuildsstuff]

given this is a complex object, can we check for errors here via:

if err := d.Set("ipsec_policy", ipsec_policies); err != nil {
  return fmt.Errorf("Error setting `ipsec_policy`: %+v", err)
}

minor could we also rename the variable ipsec_policies to ipsecPolicies to match the other variables?

[dominik-lekse]

Regarding the variable naming, I found it helpful to quickly identify the source of which the value originates. I.e. I chose CamelCase for values from the Azure Go SDK whereas snake_case for value from the Terraform schema.

However, to match the other resources, I will revert it.

[tombuildsstuff]

(same here) can we change test -> acctest?

[tombuildsstuff]

(same here) can we change test -> acctest?

[tombuildsstuff]

given the value can stretch so high, would it be worth converting this value to/from MB?

[dominik-lekse]

I would recommend to keep KBytes as a unit here for two reasons: 1) In the Azure docs this values is consistently described in this unit (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#ipsecike) and 2) it is quite common among VPN vendors to configure this in Kbytes (e.g https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/vpipsec.html#pgfId-959357)

[tombuildsstuff]

makes sense 👍

[tombuildsstuff]

can we remove this print statement?

[dominik-lekse]

Sure, this is a true left over 😄

[tombuildsstuff]

there's a potential crash here if ipsecPolicies is nil - could we make this:

ipsec_policies := make([]interface{}, 0)
if inputPolicies := ipsecPolicies; inputPolicies != nil {
  for _, ipsecPolicy := range *inputPolicies {
    # ..
  }
}

[dominik-lekse]

Yes, I shouldn't rely on the caller here

[stintel]

Tested this PR and it works well for me. Would be nice to have this in the next release. Without a custom IPsec policy, an Azure VPN GW uses crypto algorithms that are no longer considered secure (3DES, SHA1, MODP1024 - see https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations)

[tombuildsstuff]

hey @dominik-lekse

Thanks for pushing those changes - this now LGTM 👍 - I'll kick of the test suite now

Thanks!

[tombuildsstuff]

Tests pass:

[dominik-lekse]

@tombuildsstuff Thanks for merging 👍

[stintel]

@tombuildsstuff thanks for merging
@dominik-lekse thanks for your contribution

[tombuildsstuff]

👋 hey folks!

Just to let you know that support for this has just been released in v1.2.0 of the AzureRM Provider - full details of what's included are available here: https://github.com/terraform-providers/terraform-provider-azurerm/blob/v1.2.0/CHANGELOG.md#120-march-02-2018

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!