From f72c2c8207acd97fa966374529d8cf38413a1805 Mon Sep 17 00:00:00 2001
From: Philipp Resch
Date: Wed, 18 Dec 2019 10:16:40 +0100
Subject: [PATCH] added option "connection_protocol" to vnetgw conn (#5145)

This fixes #5144
---
 ..._arm_virtual_network_gateway_connection.go | 18 +++
 ...virtual_network_gateway_connection_test.go | 108 ++++++++++++++++++
 ...l_network_gateway_connection.html.markdown | 5 +
 3 files changed, 131 insertions(+)

diff --git a/azurerm/resource_arm_virtual_network_gateway_connection.go b/azurerm/resource_arm_virtual_network_gateway_connection.go
index a77cf88d047a..f1110fdfd952 100644
--- a/azurerm/resource_arm_virtual_network_gateway_connection.go
+++ b/azurerm/resource_arm_virtual_network_gateway_connection.go
@@ -125,6 +125,17 @@ func resourceArmVirtualNetworkGatewayConnection() *schema.Resource {
 Computed: true,
 },

+ "connection_protocol": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ ForceNew: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ string(network.IKEv1),
+ string(network.IKEv2),
+ }, false),
+ },
+
 "ipsec_policy": {
 Type: schema.TypeList,
 Optional: true,
@@ -369,6 +380,8 @@ func resourceArmVirtualNetworkGatewayConnectionRead(d *schema.ResourceData, meta
 d.Set("shared_key", conn.SharedKey)
 }

+ d.Set("connection_protocol", string(conn.ConnectionProtocol))
+
 if conn.ExpressRouteGatewayBypass != nil {
 d.Set("express_route_gateway_bypass", conn.ExpressRouteGatewayBypass)
 }
@@ -486,6 +499,11 @@ func getArmVirtualNetworkGatewayConnectionProperties(d *schema.ResourceData) (*n
 props.SharedKey = utils.String(v.(string))
 }

+ if v, ok := d.GetOk("connection_protocol"); ok {
+ connectionProtocol := v.(string)
+ props.ConnectionProtocol = network.VirtualNetworkGatewayConnectionProtocol(connectionProtocol)
+ }
+
 if v, ok := d.GetOk("ipsec_policy"); ok {
 props.IpsecPolicies = expandArmVirtualNetworkGatewayConnectionIpsecPolicies(v.([]interface{}))
 }
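Review bot: `connection_protocol` is declared `Optional` + `Computed` + `ForceNew` with no `Default`, so the provider does not itself default to IKEv2 as the docs in this commit state — the stored value is whatever the API reports, and an operator who omits the attribute is relying on the service's choice for a security-relevant setting (IKEv1 is the legacy, weaker option). Switching to `Default` is probably not the answer, because combined with `ForceNew` it would force replacement of any existing connection for which the API returns an empty protocol (likely ExpressRoute or VNet-to-VNet, which I cannot confirm from the hunk). I would record that trade-off next to the field: `// Computed, not Default: the API picks the protocol and may report none for non-IPsec connections; with ForceNew a Default would replace those.` The enclosing `resourceArmVirtualNetworkGatewayConnection` schema starts and ends outside the hunk.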
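Review bot: The expansion at `if v, ok := d.GetOk("connection_protocol"); ok` copies the value into `props.ConnectionProtocol` for every connection `type`, while the documentation added in this same commit says the attribute is only valid for `IPsec` connections on VpnGw SKUs, so a non-IPsec connection with it set fails only on the API round-trip. Since this function already returns an error, a guard gives a clearer, earlier failure, e.g. `if props.ConnectionType != network.IPsec { return nil, fmt.Errorf("connection_protocol can only be set when type is IPsec") }` — assuming `props.ConnectionType` has been populated earlier in the function, which lies outside the hunk. The temporary `connectionProtocol` is used once and could be folded into the assignment. `getArmVirtualNetworkGatewayConnectionProperties` starts and ends outside the hunk.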
diff --git a/azurerm/resource_arm_virtual_network_gateway_connection_test.go b/azurerm/resource_arm_virtual_network_gateway_connection_test.go
index cf5ff4e6063a..4d83ad1c0626 100644
--- a/azurerm/resource_arm_virtual_network_gateway_connection_test.go
+++ b/azurerm/resource_arm_virtual_network_gateway_connection_test.go
@@ -111,6 +111,29 @@ func TestAccAzureRMVirtualNetworkGatewayConnection_ipsecpolicy(t *testing.T) {
 })
 }

+func TestAccAzureRMVirtualNetworkGatewayConnection_connectionprotocol(t *testing.T) {
+ expectedConnectionProtocol := "IKEv1"
+ resourceName := "azurerm_virtual_network_gateway_connection.test"
+
+ ri := tf.AccRandTimeInt()
+ config := testAccAzureRMVirtualNetworkGatewayConnection_connectionprotocol(ri, testLocation())
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testCheckAzureRMVirtualNetworkGatewayConnectionDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: config,
+ Check: resource.ComposeTestCheckFunc(
+ testCheckAzureRMVirtualNetworkGatewayConnectionExists(resourceName),
+ resource.TestCheckResourceAttr(resourceName, "connection_protocol", expectedConnectionProtocol),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccAzureRMVirtualNetworkGatewayConnection_updatingSharedKey(t *testing.T) {
 firstResourceName := "azurerm_virtual_network_gateway_connection.test_1"
 secondResourceName := "azurerm_virtual_network_gateway_connection.test_2"
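Review bot: The new test pins only the explicit `IKEv1` case; nothing checks the documented default (`IKEv2` when the attribute is omitted) or that the `Computed` read-back produces no plan diff, which is the path most users will actually hit. A second step using a fixture without `connection_protocol` (the existing `_ipsecpolicy` config looks like a candidate, though it is outside the hunk) with `resource.TestCheckResourceAttr(resourceName, "connection_protocol", "IKEv2")` would cover that, and an `ImportState` step would confirm the round-trip. `expectedConnectionProtocol` is used once and could be inlined into the check.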
@@ -502,3 +525,88 @@ resource "azurerm_virtual_network_gateway_connection" "test" {
 }
 `, rInt, location)
 }
+
+func testAccAzureRMVirtualNetworkGatewayConnection_connectionprotocol(rInt int, location string) string {
+ return fmt.Sprintf(`
+variable "random" {
+ default = "%d"
+}
+
+resource "azurerm_resource_group" "test" {
+ name = "acctestRG-${var.random}"
+ location = "%s"
+}
+
+resource "azurerm_virtual_network" "test" {
+ name = "acctestvn-${var.random}"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ address_space = ["10.0.0.0/16"]
+}
+
+resource "azurerm_subnet" "test" {
+ name = "GatewaySubnet"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ virtual_network_name = "${azurerm_virtual_network.test.name}"
+ address_prefix = "10.0.1.0/24"
+}
+
+resource "azurerm_public_ip" "test" {
+ name = "acctest-${var.random}"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+ allocation_method = "Dynamic"
+}
+
+resource "azurerm_virtual_network_gateway" "test" {
+ name = "acctest-${var.random}"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+
+ type = "Vpn"
+ vpn_type = "RouteBased"
+ sku = "VpnGw1"
+
+ ip_configuration {
+ name = "vnetGatewayConfig"
+ public_ip_address_id = "${azurerm_public_ip.test.id}"
+ private_ip_address_allocation = "Dynamic"
+ subnet_id = "${azurerm_subnet.test.id}"
+ }
+}
+
+resource "azurerm_local_network_gateway" "test" {
+ name = "acctest-${var.random}"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+
+ gateway_address = "168.62.225.23"
+ address_space = ["10.1.1.0/24"]
+}
+
+resource "azurerm_virtual_network_gateway_connection" "test" {
+ name = "acctest-${var.random}"
+ location = "${azurerm_resource_group.test.location}"
+ resource_group_name = "${azurerm_resource_group.test.name}"
+
+ type = "IPsec"
+ virtual_network_gateway_id = "${azurerm_virtual_network_gateway.test.id}"
+ local_network_gateway_id = "${azurerm_local_network_gateway.test.id}"
+
+ connection_protocol = "IKEv1"
+
+ ipsec_policy {
+ dh_group = "DHGroup14"
+ ike_encryption = "AES256"
+ ike_integrity = "SHA256"
+ ipsec_encryption = "AES256"
+ ipsec_integrity = "SHA256"
+ pfs_group = "PFS2048"
+ sa_datasize = 102400000
+ sa_lifetime = 27000
+ }
+
+ shared_key = "4-v3ry-53cr37-1p53c-5h4r3d-k3y"
+}
+`, rInt, location)
+}
diff --git a/website/docs/r/virtual_network_gateway_connection.html.markdown b/website/docs/r/virtual_network_gateway_connection.html.markdown
index da4190de5aa5..b9d5cf0bf737 100644
--- a/website/docs/r/virtual_network_gateway_connection.html.markdown
+++ b/website/docs/r/virtual_network_gateway_connection.html.markdown
@@ -245,6 +245,11 @@ The following arguments are supported:
 Site-to-Site or VNet-to-VNet connection is created whereas ExpressRoute connections do not need a shared key.

+* `connection_protocol` - (Optional) The IKE protocol version to use. Possible
+ values are `IKEv1` and `IKEv2`. Defaults to `IKEv2`.
+ Changing this value will force a resource to be created.
+-> **Note**: Only valid for `IPSec` connections on virtual network gateways with SKU `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw1AZ`, `VpnGw2AZ` or `VpnGw3AZ`.
+
 * `enable_bgp` - (Optional) If `true`, BGP (Border Gateway Protocol) is enabled for this connection. Defaults to `false`.
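Review bot: The fixture pairs the new attribute with a custom `ipsec_policy`, so a failure in this test would not isolate `connection_protocol` from the policy; a fixture that sets only `connection_protocol = "IKEv1"` and leaves the policy at the gateway default would exercise the attribute on its own, with the policy pairing kept as a separate variant if that combination is what matters. The gateway plumbing above the connection block (resource group, network, subnet, public IP, gateway, local gateway) appears to repeat the neighbouring fixtures — they are outside the hunk, so I cannot confirm — and a shared template helper would keep each config to the lines that differ.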