Changes to VPN Tunnels with "vcd_nsxt_ipsec_vpn_tunnel" sets "security_profile_customization" back to default #1069

Closed
fgrehl opened this issue Jun 16, 2023 · 2 comments

fgrehl commented Jun 16, 2023

Hello,

When an existing IPsec Tunnel with "security_profile_customization" configured is changed (e.g. a Network is added to remote_networks), the Security Customizations are set back to "Default". A second terraform apply solves the problem.

Terraform Version

Terraform v1.5.0
vmware/vcd v3.9.0 + 3.7.0

Affected Resource(s)

  • vcd_nsxt_ipsec_vpn_tunnel

Terraform Configuration Files

resource "vcd_nsxt_ipsec_vpn_tunnel" "ipsec" {
  edge_gateway_id = data.vcd_nsxt_edgegateway.egw.id
  name            = "VPN"

  pre_shared_key    = "xxxxxxxxxx"
  local_ip_address  = "1.2.3.4"
  local_networks    = ["10.10.10.0/24", "30.30.30.0/28"]
  remote_ip_address = "5.6.7.8"
  remote_networks   = ["192.168.1.0/24", "192.168.10.0/24"]

  security_profile_customization {
    ike_version                  = "IKE_V2"
    ike_encryption_algorithms    = ["AES_128"]
    ike_digest_algorithms        = ["SHA2_256"]
    ike_dh_groups                = ["GROUP14"]
    ike_sa_lifetime              = 86400
    tunnel_pfs_enabled           = true
    tunnel_df_policy             = "COPY"
    tunnel_encryption_algorithms = ["AES_256"]
    tunnel_digest_algorithms     = ["SHA2_256"]
    tunnel_dh_groups             = ["GROUP14"]
    tunnel_sa_lifetime           = 3600
    dpd_probe_internal           = "30"
  }
}

Expected Behavior

Security Customizations should not be set to "Default" when making changes to the Tunnel configuration.

Actual Behavior

Two terraform apply runs are required to make changes to IPsec Tunnels with Security Customizations.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Add Network remote_networks
  2. terraform apply - This will Add the network but set Profile back to "Default"
  3. Verify Tunnel Status in VCD UI - Tunnel Security Profile is configured to "Default"
  4. terraform apply - This will notice that the profile is wrong and fix it

adezxc commented Jun 20, 2023

Hi @fgrehl, thanks for submitting this issue.

I created a PR in #1072 that should fix this; we missed some control flow during update, which caused the inconsistent plan. You should be able to test it out by using my branch here: https://github.com/adezxc/terraform-provider-vcd/tree/ipsec_tunnel_fix but it should be merged into the next release of the provider.

Thanks again for the issue!


adezxc commented Jul 24, 2023

Hi @fgrehl, with the new provider version, the fix is now live in the release.

@adezxc adezxc closed this as completed Jul 25, 2023
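
A post-apply check for the behaviour reported in this issue, as an added example (not code from the provider or from either commenter): it reads the JSON form of a plan taken after `terraform apply` and flags any `vcd_nsxt_ipsec_vpn_tunnel` whose `security_profile_customization` still differs from the configuration. The sample plan, the `.other` resource address and the assumption that a profile at "Default" reads back as an empty block are constructed for illustration.

```python
import json
import sys

TUNNEL_TYPE = "vcd_nsxt_ipsec_vpn_tunnel"
PROFILE_ATTR = "security_profile_customization"

def profile_drift(plan):
    """Findings for tunnels whose planned update touches the security profile.

    `plan` is the parsed output of `terraform show -json <planfile>`.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != TUNNEL_TYPE or "update" not in change.get("actions", []):
            continue
        # Nested blocks appear as a list holding zero or one object.
        before = (change.get("before") or {}).get(PROFILE_ATTR) or []
        after = (change.get("after") or {}).get(PROFILE_ATTR) or []
        if before == after:
            continue  # the update leaves the security profile alone
        old, new = (before or [{}])[0], (after or [{}])[0]
        findings.append({
            "address": rc["address"],
            # Assumption: a profile at "Default" reads back as an absent/empty block.
            "reset_to_default": not before and bool(after),
            "changed": sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k)),
        })
    return findings

# Constructed sample: plan taken right after the first apply from the report.
PROFILE = {"ike_version": "IKE_V2", "ike_dh_groups": ["GROUP14"], "tunnel_pfs_enabled": True}
SAMPLE_PLAN = {"resource_changes": [
    {"address": "vcd_nsxt_ipsec_vpn_tunnel.ipsec", "type": TUNNEL_TYPE,
     "change": {"actions": ["update"],
                "before": {"name": "VPN", PROFILE_ATTR: []},
                "after": {"name": "VPN", PROFILE_ATTR: [PROFILE]}}},
    {"address": "vcd_nsxt_ipsec_vpn_tunnel.other", "type": TUNNEL_TYPE,
     "change": {"actions": ["update"],
                "before": {"remote_networks": ["192.168.1.0/24"], PROFILE_ATTR: [PROFILE]},
                "after": {"remote_networks": ["192.168.1.0/24", "192.168.10.0/24"],
                          PROFILE_ATTR: [PROFILE]}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = profile_drift(plan)
    print(json.dumps(results, indent=2))
    sys.exit(1 if results else 0)
```

Generate the input with `terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`; a non-zero exit means a tunnel is still running with a profile other than the one declared.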