Terraform-provider-aws: Add ability to manage VPN tunnel options

Created on 13 Jan 2020 · 8 comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The AWS API/CLI supports modify-vpn-tunnel-options, which can be used to set explicit parameters, for example DH Groups, encryption algorithms, & integrity algorithms, allowable on a tunnel. It would be nice to be able to manage these via terraform without resorting to a local provisioner using the CLI. This is useful to ensure that the tunnels do not support options which are disallowed by organization security policies for VPN tunnels.

I don't know if it's more practical to add this as a feature of aws_vpn_connection or have a separate aws_vpn_tunnel_options resource that could be used to manage an existing tunnel via the modify-vpn-tunnel-options API.

New or Affected Resource(s)

  • aws_vpn_connection
  • aws_vpn_tunnel_options

Potential Terraform Configuration

resource "aws_vpn_tunnel_options" "main" {
  vpn_connection_id = aws_vpn_connection.main.id
  vpn_tunnel_outside_ip_address = aws_vpn_connection.main.tunnel1_address
  phase_1_dh_group_numbers = [
    14, 15
  ]
}

References

  • https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-vpn-tunnel-options.html
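An added example, not code from the issue or from the provider: a small compliance check that walks the TunnelOptions reported by `aws ec2 describe-vpn-connections` and flags anything outside a (hypothetical) organization policy, plus tunnels that still offer more proposals than a peer can comfortably rekey with. The policy values and the sample JSON are constructed for illustration; the field names follow the describe-vpn-connections output shape.

```python
import json

# Hypothetical organisation policy for what a tunnel may negotiate (illustrative values).
# Keys match the TunnelOptions fields reported by `aws ec2 describe-vpn-connections`.
POLICY = {
    "IkeVersions": {"ikev2"},
    "Phase1DHGroupNumbers": {14, 15, 16, 19, 20, 21},
    "Phase1EncryptionAlgorithms": {"AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase1IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2DHGroupNumbers": {14, 15, 16, 19, 20, 21},
    "Phase2EncryptionAlgorithms": {"AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase2IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
}
# Long proposal lists inflate the IKE SA payload (the GCP rekey problem); cap each list.
MAX_PROPOSALS = 2

# Constructed sample in the shape of describe-vpn-connections output: tunnel 1 is pinned down,
# tunnel 2 still carries legacy choices and one unpinned list (AWS then offers its default set).
SAMPLE = json.loads("""{"VpnConnections": [{"VpnConnectionId": "vpn-0example",
 "Options": {"TunnelOptions": [
  {"OutsideIpAddress": "203.0.113.10", "IkeVersions": [{"Value": "ikev2"}],
   "Phase1DHGroupNumbers": [{"Value": 14}], "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
   "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}], "Phase2DHGroupNumbers": [{"Value": 14}],
   "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}], "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}]},
  {"OutsideIpAddress": "203.0.113.11", "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
   "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}, {"Value": 24}], "Phase1EncryptionAlgorithms": [],
   "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}], "Phase2DHGroupNumbers": [{"Value": 14}],
   "Phase2EncryptionAlgorithms": [{"Value": "AES128"}], "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}]}]}}]}""")


def tunnel_findings(tunnel):
    """Return policy findings for one TunnelOptions entry (empty list = compliant)."""
    findings = []
    for key, allowed in POLICY.items():
        values = {v["Value"] for v in tunnel.get(key, [])}
        if not values:  # nothing pinned: AWS advertises its full default set for this field
            findings.append(f"{key}: not pinned, AWS default set applies")
            continue
        disallowed = sorted(str(v) for v in values - allowed)
        if disallowed:
            findings.append(f"{key}: disallowed {disallowed}")
        if len(values) > MAX_PROPOSALS:
            findings.append(f"{key}: {len(values)} proposals exceeds cap of {MAX_PROPOSALS}")
    return findings


def audit(describe_output):
    """Map (vpn connection id, tunnel outside IP) -> findings for every tunnel."""
    return {(c["VpnConnectionId"], t["OutsideIpAddress"]): tunnel_findings(t)
            for c in describe_output["VpnConnections"] for t in c["Options"]["TunnelOptions"]}


if __name__ == "__main__":
    for (conn_id, ip), found in audit(SAMPLE).items():
        print(conn_id, ip, "OK" if not found else "\n  " + "\n  ".join(found))
```

Feed it the real JSON (`aws ec2 describe-vpn-connections`) in place of SAMPLE to audit live connections; a tunnel with no findings matches the policy exactly.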

Labels: enhancement, service/ec2


    All 8 comments

    The feature to adjust the tunnel options is particularly important for connecting to Azure VPN tunnels. It's not possible to set up a stable VPN connection with Azure without adjusting tunnel options on the AWS side.

    For what it's worth, the Azure Terraform provider has a configuration block called ipsec_policy inside its azurerm_virtual_network_gateway_connection resource. It works well, so adopting the same pattern here would probably work too.

    This change is great! I hope that the PR is merged soon.

    That being said, would you mind adding support for the StartupAction parameter that was added at the end of August?

    Links: Announcement, CLI Reference

    Looking forward to seeing this available in a future provider version.

    For what it's worth, the Azure Terraform provider has a configuration block called ipsec_policy inside its azurerm_virtual_network_gateway_connection resource. It works well, so adopting the same pattern here would probably work too.

    It seems that that option only allows adjusting phase 2 and not phase 1 options on the Azure side.

    @kellersyf just added support for DPDTimeoutAction and StartupAction parameters.

    Thank you for adding this. We also need to be able to adjust the tunnel options for tunnels between GCP and AWS, else the payload size becomes too large for GCP to rekey. https://cloud.google.com/network-connectivity/docs/vpn/how-to/creating-ha-vpn.

    Known issue: When configuring VPN tunnels to AWS, use the IKEv2 encryption protocol and select fewer transform sets on the AWS side, otherwise the Cloud VPN tunnel can fail to rekey. For example, select a combination of single Phase 1 and Phase 2 encryption algorithms, integrity algorithms, and DH group numbers.

    This rekeying issue is caused by a large SA payload size for the default set of AWS transform sets. This large payload size results in IP fragmentation of IKE packets on the AWS side, which Cloud VPN does not support.

    Hi all! :wave: Just wanted to direct you to our public roadmap for this quarter (Nov-Jan) in which this item has been mentioned.

    Due to the significant community interest in support for this feature, we will be looking at merging existing contributions soon.

    We appreciate all the contributions and feedback thus far.

    Look out for support in the provider soon!

    Hi all,
    I just added support for:

    • LocalIpv4NetworkCidr
    • RemoteIpv4NetworkCidr
    • LocalIpv6NetworkCidr
    • RemoteIpv6NetworkCidr
    • TunnelInsideIpVersion
    • TunnelInsideIpv6Cidr

    It also closes issue #14698.
