provider/azurerm: Add resources virtual network gateway and connection

[dominik-lekse]

This pull request adds the resources azurerm_virtual_network_gateway and azurerm_virtual_network_gateway_connection which can be used to manage Azure VPN Gateways and Connections.

In pull request #9255, @pmcatominey provided the major part the resource azurerm_virtual_network_gateway implementation. This pull request bases on the top of this and contains the original commits of #9255. In addition, the resource azurerm_virtual_network_gateway has been completed and implementation and tests of the resource azurerm_virtual_network_gateway_connection have been added. Further, documentation for both resources is included.

Please consider the following notes when reviewing:

• Expect the resource azurerm_virtual_network_gateway to run for a while since "creating a gateway can take a long time to complete. Often 45 minutes or more." (see https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell#a-namecreategatewaya6-create-the-virtual-network-gateway). The Terraform resource polls for the status until the virtual network gateways is fully provisioned and can be used with other resources such as connections.
• In [WIP] provider/azurerm: virtual_network gateway and connection #9255, @pmcatominey mentioned a bug of the Azure management API when destroying a gateway subnet which has been associated with a virtual network gateway which has been successfully destroyed seconds before. I can confirm that the bug is still present, i.e. that such a gateway subnet cannot be deleted for a couple of minutes. Unfortunately, the API does not expose a status on such a subnet which we could use to distinguish. Instead of waiting for a fixed length of time at the end of destroying a virtual network gateway, I have implemented an alternative solution. When a gateway subnet cannot be deleted with a response which occurs when an associated virtual network gateway has been removed previously, Terraform will retry the deletion for a fixed period of time. In my opinion, this workaround is reasonable although it has to be implemented in the subnet resource.
• Both resources should support Azure ExpressRoute functionality, however this is not part of the test coverage since I do not have access to an Azure subscription which is ready for this.

Acceptance tests:

• TestAccAzureRMVirtualNetworkGateway_basic: Create a virtual network gateway and destroys it
• TestAccAzureRMVirtualNetworkGatewayConnection_sitetosite: Creates a site-to-site connection and destroys it
• TestAccAzureRMVirtualNetworkGatewayConnection_vnettovnet: Creates virtual network gateways in two Azure regions and connects them using a vnet-to-vnet connection
• TestAccAzureRMVirtualNetworkGateway_importBasic: Verifies import of a virtual network gateway
• TestAccAzureRMVirtualNetworkGatewayConnection_importSiteToSite: Verifies import of a virtual network gateway connection

=== RUN   TestAccAzureRMVirtualNetworkGateway_basic
--- PASS: TestAccAzureRMVirtualNetworkGateway_basic (2190.70s)
=== RUN   TestAccAzureRMVirtualNetworkGateway_importBasic
--- PASS: TestAccAzureRMVirtualNetworkGateway_importBasic (2280.54s)
=== RUN   TestAccAzureRMVirtualNetworkGatewayConnection_sitetosite
--- PASS: TestAccAzureRMVirtualNetworkGatewayConnection_sitetosite (2401.24s)
=== RUN   TestAccAzureRMVirtualNetworkGatewayConnection_importSiteToSite
--- PASS: TestAccAzureRMVirtualNetworkGatewayConnection_importSiteToSite (2664.22s)
=== RUN   TestAccAzureRMVirtualNetworkGatewayConnection_vnettovnet
--- PASS: TestAccAzureRMVirtualNetworkGatewayConnection_vnettovnet (2480.51s)

Open tasks:

• Successful create and delete resources using azurerm_virtual_network_gateway and azurerm_virtual_network_gateway_connection in a scenario
• Implement test for azurerm_virtual_network_gateway (TestAccAzureRMVirtualNetworkGateway_basic)
• Implement import test for azurerm_virtual_network_gateway (TestAccAzureRMVirtualNetworkGateway_importBasic)
• Documentation for azurerm_virtual_network_gateway
• Implement test for azurerm_virtual_network_gateway_connection to test site-to-site connection (TestAccAzureRMVirtualNetworkGatewayConnection_sitetosite)
• Implement test for azurerm_virtual_network_gateway_connection to test vnet-to-vnet connection (TestAccAzureRMVirtualNetworkGatewayConnection_vnettovnet)
• Implement import test for azurerm_virtual_network_gateway_connection (TestAccAzureRMVirtualNetworkGatewayConnection_importSiteToSite)
• Documentation for azurerm_virtual_network_gateway_connection
• Review

This pull request will resolve the issues, #8372, #10634 and includes the pull request #9255. It would be great to get feedback from you waiting for these resources.

// Dominik

[anniehedgpeth]

Hey @tombuildsstuff, any word on when this will be merged? I have a new template that requires this resource. :) Thanks!

[dominik-lekse]

Just resolved recent conflicts with master.

I assume the Terraform team has fixed their sprint goal for the current release cycle and there are also lots of other community pull requests which consume review time.

Would appreciate if this could fit in one of the upcoming release cycles.

[tombuildsstuff]

Hi @dominik-lekse

Thanks for opening this PR - apologies for the delay in reviewing this. I've taken a look through and left some comments inline - and also opened a bug on the Azure Rest API Specs Repository about the broken API.

After chatting internally, until the API is fixed - would it be possible to investigate containing this logic within the Virtual Network Gateway resource, rather than within the Subnet resource (as recently we've discovered some resources which can only be modified separately, rather than in parallel). There's a couple of different approaches here, either by utilising a State Func with a ContinuousTargetOccurence set - or to see if the Virtual Network Gateway is visible through the either Virtual Network Gateway's List method / Resource Group's contents?

Thanks!

[tombuildsstuff]

Same as above, however if these fields are going to be the same value is it worth consolidating this on a single field for now?

[dominik-lekse]

Done.

[tombuildsstuff]

Comparing the API documentation with the Portal - it appears that whilst the API supports Ultra, it's only supported for ExpressRoute's, rather than Virtual Network Gateway's:

As such - is it worth removing Ultra from this list for the moment?

[dominik-lekse]

As an alternative, I would add a validation function which cross checks gateway type and sku. Would that be fine?

[tombuildsstuff]

from what I can see, I don't believe this method's being used, as such can we remove it?

[dominik-lekse]

Done.

[tombuildsstuff]

I believe this also wants to be Computed: true?

[dominik-lekse]

Done.

[tombuildsstuff]

I believe this also wants to be Computed: true?

[dominik-lekse]

Done.

[tombuildsstuff]

minor can we rename this to be CreateUpdate rather than just Create seeing as it's used for both Creating and Updating?

[dominik-lekse]

Done.

[tombuildsstuff]

From what I can see this value can't be set - as such I think this line can be removed?

[dominik-lekse]

You are right, the connection_status cannot be set, it is read-only. The idea to keep this was to allow the user to use it as part of an output variable. However, in this case, a separate data source is the better option right?

[dominik-lekse]

I will move this to a separate data source.

[tombuildsstuff]

Does the API generate a Shared Key if one isn't specified in the Request? If so, this should be Computed - but unfortunately the API docs aren't clear here

[dominik-lekse]

The shared key needs to be provided as the API does not generate one. I suggest to keep this as it is.

[tombuildsstuff]

given this value is Computed only (and as such isn't setable) - I believe this line can be removed?

[dominik-lekse]

See above

[tombuildsstuff]

given this value is Computed only (and as such isn't setable) - I believe this line can be removed?

[dominik-lekse]

See above

[dominik-lekse]

Thanks for reviewing @tombuildsstuff. I will be able to go through your points until the end of the week.

[YuriyKishchenko]

Ping @dominik-lekse

[dominik-lekse]

Sorry for being silent here for a while. Unfortunately, working on this pull request fall behind other priorities.

I will try to catch up on this Friday with the comments.

In particular, I am sure a rebase with the current master is necessary since #14004 is merged.

As a request to the community: We can also collaborate on finishing this pull request. To those of you eager to collaborate: Just ping me here and I invite you with write permissions to the fork which is the basis for this pull request https://github.com/dominik-lekse/terraform/tree/public-feature/azurerm-vpn-gateway.

[dominik-lekse]

I will reopen the pull request in the new azurerm provider repository with the requested changes.

[tombuildsstuff]

That'd be awesome - thanks @dominik-lekse :)

[YuriyKishchenko]

Hi @dominik-lekse
Microsoft have just introduced new SKUs for VPN: https://azure.microsoft.com/en-us/blog/new-azure-vpn-gateways-now-6x-faster/

Could you please update your pull request

[dominik-lekse]

@YuriyKischenko I have implemented the new SKUs, they will be part of the pull request I will open in the https://github.com/terraform-providers/terraform-provider-azurerm repository soon.

Even with the new gateway types, running the tests still takes > 2 hours :(

[tombuildsstuff]

Closing the original PR since this has been migrated to the new repo: hashicorp/terraform-provider-azurerm#133

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.