Add vpn client protocol support for virtual network gateway

[dcaro]

Added support for vpn client protocol and radius server with the following fields:
vpn_client_protocol
radius_server_address
radius_server_secret

[katbyte]

Hi @dcaro,

Thank you for adding this! I've taken a look over it and left some comments inline. Outside of that running the tests produces a none empty plan for me:

DIFF:
		
		UPDATE: azurerm_virtual_network_gateway.test
		  vpn_client_configuration.0.radius_server_address: "" => "1.2.3.4"
		  vpn_client_configuration.0.radius_server_secret:  "" => "verysecretsecret"
		
		STATE:

Look forward to getting this merged once these concerns are worked out 🙂

[katbyte]

Is it possible to get some validation of this property?

[dcaro]

Good catch! I have added a value validation.

[katbyte]

Could we name this vpn_client_protocols to match the SDK?

[dcaro]

That makes sense, done.

[katbyte]

This should probably be a set unless order matters/duplicates are allowed

[dcaro]

you are right, order does not matters, changed.

[katbyte]

What happens if neither root_certificate or radius_server_address are set? if that is an error condition we should use a CustomizeDiff to check.

[dcaro]

If the root_certificate and radius_server_address are set, this is accepted by azure with no root cert and the vpnclient cannot be downloaded. I've added a CustomizeDiff so that if a radius_server_address is set is had to be a valid IPv4 address and the secret shall not be empty.

[katbyte]

Could we check here to see if the state is correct:

resource.TestCheckResourceAttr(resourceName, "key", "value"),

[dcaro]

done, I have added couple of other attribute checks on basic and lowerCaseSubnetName tests as well.

[dcaro]

I have included the changes and added a regex validation for the IPv4 address using regex. Let me know if you have a preferred method.

[dcaro]

That makes sense, done.

[dcaro]

you are right, order does not matters, changed.

[dcaro]

Good catch! I have added a value validation.

[dcaro]

If the root_certificate and radius_server_address are set, this is accepted by azure with no root cert and the vpnclient cannot be downloaded. I've added a CustomizeDiff so that if a radius_server_address is set is had to be a valid IPv4 address and the secret shall not be empty.

[dcaro]

done, I have added couple of other attribute checks on basic and lowerCaseSubnetName tests as well.

[katbyte]

Hi @dcaro,

Thank you for the updates. I've given this another look and left some comments inline.

[katbyte]

Could we sort this and put regex above with the other built in packages?

[dcaro]

sure, updated.

[katbyte]

Could we check these for nil?

if v := cfg.RadiusServerAddress; if v != nil {
  flat["radius_server_address"] = *v
}

[dcaro]

added

[katbyte]

This doesn't apply to a TypeString

[katbyte]

This doesn't apply to a TypeString

[katbyte]

This validation can be done in the schema, for example:

				ValidateFunc: validation.StringMatch(
					regexp.MustCompile("^[-a-z0-9]{3,50}$"),
					"Cosmos DB Account name must be 3 - 50 characters long, contain only letters, numbers and hyphens.",
				),

[dcaro]

The schema is indeed a better place to do this check.

[katbyte]

as above, could be validated by schema & regex

[katbyte]

I think what you want to do here is check to make sure one or the other is set as mentioned above?

as in:

_, hasRadius := vpnClientConfig["radius_server_address"]
_, hasRootCert := vpnClientConfig["root_certificate"]

if !hasRadius && !hasRootCert {
    #error
}

if hasRadius {
    if _, hasRadiusSecret := vpnClientConfig["radius_server_secret"]; !hasRadiusSecret {
        #error
    }
}

[dcaro]

With this hasRadius and hasRootCert are set to true. I have changed a bit the logic to check if both radius server address and value are set. If this neither of them are set, we can assume that we are using the certificate method and nil is accepted.

[katbyte]

could we rename this to validateIP4?

[dcaro]

removed since this is done in the schema.

[katbyte]

Could we add an entirely new test for these properties instead of adding them to an existing test?

[dcaro]

sure, done.

[dcaro]

I have just pushed an update with the changes that you have suggested. Let me know if there are any other points. Thanks for the review.

[katbyte]

Thanks for the changes @dcaro! This LGTM now 👍

[katbyte]

Tests pass aside from the usual flakiness:

[Phydeauxman]

I am trying to use the new vpn_client_protocol argument and it is not working. I am running Terraform v0.11.7 and provider.azurerm v1.8.0. The output I am getting from plan is:

Error: azurerm_virtual_network_gateway.sdvnet: vpn_client_configuration.0: invalid or unknown key: vpn_client_protocol

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!