package vcd
import (
"context"
"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)
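// datasourceVcdNsxtIpSecVpnTunnel returns the schema of the NSX-T IPsec VPN
// tunnel data source. The tunnel is located by "name" on the Edge Gateway
// given by "edge_gateway_id"; every other attribute is Computed and filled in
// by datasourceVcdNsxtIpSecVpnTunnelRead.
func datasourceVcdNsxtIpSecVpnTunnel() *schema.Resource {
	return &schema.Resource{
		ReadContext: datasourceVcdNsxtIpSecVpnTunnelRead,
		Schema: map[string]*schema.Schema{
			"org": {
				Type:     schema.TypeString,
				Optional: true,
				// NOTE(review): ForceNew only influences the plan of a managed
				// resource and has no effect on a data source; presumably carried
				// over from the resource schema.
				ForceNew: true,
				Description: "The name of organization to use, optional if defined at provider " +
					"level. Useful when connected as sysadmin working across different organizations",
			},
			"vdc": {
				Type:        schema.TypeString,
				Optional:    true,
				Description: "The name of VDC to use, optional if defined at provider level",
				Deprecated:  "Edge Gateway will be looked up based on 'edge_gateway_id' field",
			},
			"edge_gateway_id": {
				Type:        schema.TypeString,
				Required:    true,
				ForceNew:    true,
				Description: "Edge gateway ID in which IP Sec VPN configuration is located",
			},
			"name": {
				Type:        schema.TypeString,
				Required:    true,
				Description: "Name of IP Sec VPN configuration",
			},
			"enabled": {
				Type:        schema.TypeBool,
				Computed:    true,
				Description: "Enables or disables this configuration (default true)",
			},
			"description": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Description of IPsec VPN Tunnel",
			},
			"pre_shared_key": {
				Type:     schema.TypeString,
				Computed: true,
				// The PSK is a credential: mark it Sensitive so it is redacted in
				// plan/apply output and in `terraform show`. It is still written to
				// state, so the state backend must be protected accordingly.
				Sensitive:   true,
				Description: "Pre-Shared Key (PSK)",
			},
			"authentication_mode": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "One of 'PSK' (default), 'CERTIFICATE'",
			},
			"certificate_id": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Optional certificate ID to use for authentication",
			},
			"ca_certificate_id": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Optional CA certificate ID to use for authentication",
			},
			"local_ip_address": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "IPv4 Address for the endpoint. This has to be a sub-allocated IP on the Edge Gateway.",
			},
			"local_networks": {
				Type:        schema.TypeSet,
				Computed:    true,
				Description: "Set of local networks in CIDR format. At least one value is required",
				Elem: &schema.Schema{
					Type: schema.TypeString,
				},
			},
			"remote_ip_address": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Public IPv4 Address of the remote device terminating the VPN connection",
			},
			"remote_id": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "ID of the remote peer site",
			},
			"remote_networks": {
				Type:        schema.TypeSet,
				Computed:    true,
				Description: "Set of remote networks in CIDR format. Leaving it empty is interpreted as 0.0.0.0/0",
				Elem: &schema.Schema{
					Type: schema.TypeString,
				},
			},
			"logging": {
				Type:        schema.TypeBool,
				Computed:    true,
				Description: "Sets whether logging for the tunnel is enabled or not. (default - false)",
			},
			// IKE phase 1 and tunnel (phase 2) algorithm choices, lifetimes and DPD.
			"security_profile_customization": {
				Type:        schema.TypeList,
				Computed:    true,
				Description: "Security profile customization",
				Elem: &schema.Resource{
					Schema: map[string]*schema.Schema{
						"ike_version": {
							Type:        schema.TypeString,
							Computed:    true,
							Description: "IKE version one of IKE_V1, IKE_V2, IKE_FLEX",
						},
						"ike_encryption_algorithms": {
							Type:     schema.TypeSet,
							Computed: true,
							Description: "Encryption algorithms to use during the IKE negotiation. One of AES_128, " +
								"AES_256, AES_GCM_128, AES_GCM_192, AES_GCM_256",
							Elem: &schema.Schema{
								Type: schema.TypeString,
							},
						},
						"ike_digest_algorithms": {
							Type:     schema.TypeSet,
							Computed: true,
							Description: "Secure hashing algorithms to use during the IKE negotiation. One of SHA1, " +
								"SHA2_256, SHA2_384, SHA2_512",
							Elem: &schema.Schema{
								Type: schema.TypeString,
							},
						},
						"ike_dh_groups": {
							Type:     schema.TypeSet,
							Computed: true,
							Description: "Diffie-Hellman groups to be used if Perfect Forward Secrecy is enabled. One " +
								"of GROUP2, GROUP5, GROUP14, GROUP15, GROUP16, GROUP19, GROUP20, GROUP21",
							Elem: &schema.Schema{
								Type: schema.TypeString,
							},
						},
						"ike_sa_lifetime": {
							Type:     schema.TypeInt,
							Computed: true,
							Description: "Security Association life time (in seconds). It is number of seconds " +
								"before the IPsec tunnel needs to reestablish",
						},
						"tunnel_pfs_enabled": {
							Type:        schema.TypeBool,
							Computed:    true,
							Description: "Perfect Forward Secrecy Enabled or Disabled. Default (enabled)",
						},
						"tunnel_df_policy": {
							Type:        schema.TypeString,
							Computed:    true,
							Description: "Policy for handling the Don't Fragment (DF) bit. One of COPY, CLEAR",
						},
						"tunnel_encryption_algorithms": {
							Type:     schema.TypeSet,
							Computed: true,
							Description: "Encryption algorithms to use in IPSec tunnel establishment. One of AES_128, " +
								"AES_256, AES_GCM_128, AES_GCM_192, AES_GCM_256, NO_ENCRYPTION_AUTH_AES_GMAC_128, " +
								"NO_ENCRYPTION_AUTH_AES_GMAC_192, NO_ENCRYPTION_AUTH_AES_GMAC_256, NO_ENCRYPTION",
							Elem: &schema.Schema{
								Type: schema.TypeString,
							},
						},
						"tunnel_digest_algorithms": {
							Type:     schema.TypeSet,
							Computed: true,
							Description: "Digest algorithms to be used for message digest. One of SHA1, SHA2_256, " +
								"SHA2_384, SHA2_512",
							Elem: &schema.Schema{
								Type: schema.TypeString,
							},
						},
						"tunnel_dh_groups": {
							Type:     schema.TypeSet,
							Computed: true,
							Description: "Diffie-Hellman groups to be used if PFS is enabled. One of GROUP2, GROUP5, " +
								"GROUP14, GROUP15, GROUP16, GROUP19, GROUP20, GROUP21",
							Elem: &schema.Schema{
								Type: schema.TypeString,
							},
						},
						"tunnel_sa_lifetime": {
							Type:        schema.TypeInt,
							Computed:    true,
							Description: "Security Association life time (in seconds)",
						},
						// The key reads "internal" but holds the DPD probe interval. It is
						// kept as-is because existing state and the setter that fills this
						// block (defined elsewhere in the package) address it by this name.
						"dpd_probe_internal": {
							Type:     schema.TypeInt,
							Computed: true,
							Description: "Value in seconds of dead peer detection (DPD) probe interval. Minimum is 3 seconds and " +
								"the maximum is 60 seconds",
						},
					},
				},
			},
			"security_profile": {
				Type:     schema.TypeString,
				Computed: true,
				Description: "Security type which is use for IPsec VPN Tunnel. It will be 'DEFAULT' if nothing is " +
					"customized and 'CUSTOM' if some changes are applied",
			},
			"status": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Overall IPsec VPN Tunnel Status",
			},
			"ike_service_status": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Status for the actual IKE Session for the given tunnel",
			},
			"ike_fail_reason": {
				Type:        schema.TypeString,
				Computed:    true,
				Description: "Provides more details of failure if the IKE service is not UP",
			},
		},
	}
}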
// datasourceVcdNsxtIpSecVpnTunnelRead resolves the Edge Gateway from
// "edge_gateway_id" (scoped by "org"), finds the IPsec VPN tunnel named by
// "name" on it, and stores the tunnel's general configuration, its security
// profile customization and its status into the schema. The resource ID is
// the tunnel ID.
//
// Each lookup or store step that fails is reported through diag.Diagnostics
// with a message naming that step; nil is returned when every step succeeds.
func datasourceVcdNsxtIpSecVpnTunnelRead(_ context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
	client := meta.(*VCDClient)

	org := d.Get("org").(string)
	edgeGatewayID := d.Get("edge_gateway_id").(string)
	edgeGateway, err := client.GetNsxtEdgeGatewayById(org, edgeGatewayID)
	if err != nil {
		return diag.Errorf("error retrieving Edge Gateway: %s", err)
	}

	tunnelName := d.Get("name").(string)
	tunnel, err := edgeGateway.GetIpSecVpnTunnelByName(tunnelName)
	if err != nil {
		return diag.Errorf("error retrieving NSX-T IPsec VPN Tunnel configuration with name '%s': %s", tunnelName, err)
	}

	// General tunnel attributes go in first; the ID is assigned only after
	// they are stored successfully.
	if err = setNsxtIpSecVpnTunnelData(d, tunnel.NsxtIpSecVpn); err != nil {
		return diag.Errorf("error storing NSX-T IPsec VPN Tunnel configuration to schema: %s", err)
	}
	d.SetId(tunnel.NsxtIpSecVpn.ID)

	// Security profile customization (the security_profile_customization block).
	connectionProperties, err := tunnel.GetTunnelConnectionProperties()
	if err != nil {
		return diag.Errorf("error reading NSX-T IPsec VPN Tunnel Security Customization: %s", err)
	}
	if err = setNsxtIpSecVpnProfileTunnelConfigurationData(d, connectionProperties); err != nil {
		return diag.Errorf("error storing NSX-T IPsec VPN Tunnel Security Customization to schema: %s", err)
	}

	// Status is served by a separate endpoint from the configuration itself.
	status, err := tunnel.GetStatus()
	if err != nil {
		return diag.Errorf("error reading NSX-T IPsec VPN Tunnel status: %s", err)
	}
	setNsxtIpSecVpnTunnelStatusData(d, status)

	return nil
}