create vpn connection to support destination routing tunnel type (#2409)

* create vpn connection to support destination routing tunnel type

* add changelog 2409.txt

Author: bruceybian

.changelog/2409.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/tencentcloud_vpn_connection: Support creating routing type vpn connection.
+```

tencentcloud/extension_vpc.go

@@ -238,6 +238,18 @@ var VPN_IKE_EXCHANGE_MODE = []string{
 	VPN_IKE_EXCHANGE_MODE_MAIN,
 }
 
+const (
+	ROUTE_TYPE_STATIC       = "STATIC"
+	ROUTE_TYPE_STATIC_ROUTE = "StaticRoute"
+	ROUTE_TYPE_POLICY       = "Policy"
+)
+
+var VPN_CONNECTION_ROUTE_TYPE = []string{
+	ROUTE_TYPE_STATIC,
+	ROUTE_TYPE_STATIC_ROUTE,
+	ROUTE_TYPE_POLICY,
+}
+
 const (
 	VPN_IKE_IDENTITY_ADDRESS = "ADDRESS"
 	VPN_IKE_IDENTITY_FQDN    = "FQDN"

tencentcloud/resource_tc_vpn_connection.go

@@ -66,9 +66,10 @@ func resourceTencentCloudVpnConnection() *schema.Resource {
 				Description: "Pre-shared key of the VPN connection.",
 			},
 			"security_group_policy": {
-				Type:        schema.TypeSet,
-				Required:    true,
-				Description: "Security group policy of the VPN connection.",
+				Type:     schema.TypeSet,
+				Optional: true,
+				Description: "SPD policy group, for example: {\"10.0.0.5/24\":[\"172.123.10.5/16\"]}, 10.0.0.5/24 is the vpc intranet segment, and 172.123.10.5/16 is the IDC network segment. " +
+					"Users specify which network segments in the VPC can communicate with which network segments in your IDC.",
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"local_cidr_block": {
@@ -232,9 +233,12 @@ func resourceTencentCloudVpnConnection() *schema.Resource {
 				Description: "Encrypt proto of the VPN connection.",
 			},
 			"route_type": {
-				Type:        schema.TypeString,
-				Computed:    true,
-				Description: "Route type of the VPN connection.",
+				Type:         schema.TypeString,
+				Optional:     true,
+				Computed:     true,
+				ForceNew:     true,
+				ValidateFunc: validateAllowedStringValue(VPN_CONNECTION_ROUTE_TYPE),
+				Description:  "Route type of the VPN connection. Valid value: `STATIC`, `StaticRoute`, `Policy`.",
 			},
 			"state": {
 				Type:        schema.TypeString,
@@ -313,26 +317,28 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 	if v, ok := d.GetOk("dpd_timeout"); ok {
 		request.DpdTimeout = helper.String(strconv.Itoa(v.(int)))
 	}
-	//set up  SecurityPolicyDatabases
 
-	sgps := d.Get("security_group_policy").(*schema.Set).List()
-	if len(sgps) < 1 {
-		return fmt.Errorf("Para `security_group_policy` should be set at least one.")
-	}
-
-	request.SecurityPolicyDatabases = make([]*vpc.SecurityPolicyDatabase, 0, len(sgps))
-	for _, v := range sgps {
-		m := v.(map[string]interface{})
-		var sgp vpc.SecurityPolicyDatabase
-		local := m["local_cidr_block"].(string)
-		sgp.LocalCidrBlock = &local
-		// list
-		remoteCidrBlocks := m["remote_cidr_block"].(*schema.Set).List()
-		for _, vv := range remoteCidrBlocks {
-			remoteCidrBlock := vv.(string)
-			sgp.RemoteCidrBlock = append(sgp.RemoteCidrBlock, &remoteCidrBlock)
+	if v, ok := d.GetOk("route_type"); ok {
+		request.RouteType = helper.String(v.(string))
+	}
+
+	//set up  SecurityPolicyDatabases
+	if v, ok := d.GetOk("security_group_policy"); ok {
+		sgps := v.(*schema.Set).List()
+		request.SecurityPolicyDatabases = make([]*vpc.SecurityPolicyDatabase, 0, len(sgps))
+		for _, v := range sgps {
+			m := v.(map[string]interface{})
+			var sgp vpc.SecurityPolicyDatabase
+			local := m["local_cidr_block"].(string)
+			sgp.LocalCidrBlock = &local
+			// list
+			remoteCidrBlocks := m["remote_cidr_block"].(*schema.Set).List()
+			for _, vv := range remoteCidrBlocks {
+				remoteCidrBlock := vv.(string)
+				sgp.RemoteCidrBlock = append(sgp.RemoteCidrBlock, &remoteCidrBlock)
+			}
+			request.SecurityPolicyDatabases = append(request.SecurityPolicyDatabases, &sgp)
 		}
-		request.SecurityPolicyDatabases = append(request.SecurityPolicyDatabases, &sgp)
 	}
 
 	//set up IKEOptionsSpecification
@@ -397,6 +403,7 @@ func resourceTencentCloudVpnConnectionCreate(d *schema.ResourceData, meta interf
 	if v, ok := d.GetOk("health_check_remote_ip"); ok {
 		request.HealthCheckRemoteIp = helper.String(v.(string))
 	}
+
 	var response *vpc.CreateVpnConnectionResponse
 	err = resource.Retry(readRetryTimeout, func() *resource.RetryError {
 		result, e := meta.(*TencentCloudClient).apiV3Conn.UseVpcClient().CreateVpnConnection(request)
@@ -573,7 +580,9 @@ func resourceTencentCloudVpnConnectionRead(d *schema.ResourceData, meta interfac
 	_ = d.Set("customer_gateway_id", *connection.CustomerGatewayId)
 	_ = d.Set("pre_share_key", *connection.PreShareKey)
 	//set up SPD
-	_ = d.Set("security_group_policy", flattenVpnSPDList(connection.SecurityPolicyDatabaseSet))
+	if *connection.RouteType != ROUTE_TYPE_STATIC_ROUTE {
+		_ = d.Set("security_group_policy", flattenVpnSPDList(connection.SecurityPolicyDatabaseSet))
+	}
 
 	//set up IKE
 	_ = d.Set("ike_proto_encry_algorithm", *connection.IKEOptionsSpecification.PropoEncryAlgorithm)
@@ -673,25 +682,24 @@ func resourceTencentCloudVpnConnectionUpdate(d *schema.ResourceData, meta interf
 
 	//set up  SecurityPolicyDatabases
 	if d.HasChange("security_group_policy") {
-		sgps := d.Get("security_group_policy").(*schema.Set).List()
-		if len(sgps) < 1 {
-			return fmt.Errorf("Para `security_group_policy` should be set at least one.")
-		}
-		request.SecurityPolicyDatabases = make([]*vpc.SecurityPolicyDatabase, 0, len(sgps))
-		for _, v := range sgps {
-			m := v.(map[string]interface{})
-			var sgp vpc.SecurityPolicyDatabase
-			local := m["local_cidr_block"].(string)
-			sgp.LocalCidrBlock = &local
-			// list
-			remoteCidrBlocks := m["remote_cidr_block"].(*schema.Set).List()
-			for _, vv := range remoteCidrBlocks {
-				remoteCidrBlock := vv.(string)
-				sgp.RemoteCidrBlock = append(sgp.RemoteCidrBlock, &remoteCidrBlock)
+		if v, ok := d.GetOk("security_group_policy"); ok {
+			sgps := v.(*schema.Set).List()
+			request.SecurityPolicyDatabases = make([]*vpc.SecurityPolicyDatabase, 0, len(sgps))
+			for _, v := range sgps {
+				m := v.(map[string]interface{})
+				var sgp vpc.SecurityPolicyDatabase
+				local := m["local_cidr_block"].(string)
+				sgp.LocalCidrBlock = &local
+				// list
+				remoteCidrBlocks := m["remote_cidr_block"].(*schema.Set).List()
+				for _, vv := range remoteCidrBlocks {
+					remoteCidrBlock := vv.(string)
+					sgp.RemoteCidrBlock = append(sgp.RemoteCidrBlock, &remoteCidrBlock)
+				}
+				request.SecurityPolicyDatabases = append(request.SecurityPolicyDatabases, &sgp)
 			}
-			request.SecurityPolicyDatabases = append(request.SecurityPolicyDatabases, &sgp)
+			changeFlag = true
 		}
-		changeFlag = true
 	}
 
 	if d.HasChange("dpd_enable") {

tencentcloud/resource_tc_vpn_connection_test.go

@@ -115,6 +115,36 @@ func TestAccTencentCloudVpnConnectionResource_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "enable_health_check", "false"),
 				),
 			},
+			{
+				Config: testAccVpnConnectionConfigUpdate3,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckVpnConnectionExists("tencentcloud_vpn_connection.connection"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "name", "vpn_connection_test2"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "pre_share_key", "testt"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "tags.test", "testt"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_proto_encry_algorithm", "3DES-CBC"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_proto_authen_algorithm", "SHA"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_local_identity", "ADDRESS"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_remote_identity", "ADDRESS"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_dh_group_name", "GROUP2"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_exchange_mode", "AGGRESSIVE"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ike_sa_lifetime_seconds", "86401"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ipsec_encrypt_algorithm", "3DES-CBC"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ipsec_integrity_algorithm", "SHA1"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ipsec_pfs_dh_group", "NULL"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ipsec_sa_lifetime_seconds", "7200"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "ipsec_sa_lifetime_traffic", "2570"),
+					resource.TestCheckResourceAttrSet("tencentcloud_vpn_connection.connection", "net_status"),
+					resource.TestCheckResourceAttrSet("tencentcloud_vpn_connection.connection", "state"),
+					resource.TestCheckResourceAttrSet("tencentcloud_vpn_connection.connection", "encrypt_proto"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "route_type", "StaticRoute"),
+					resource.TestCheckResourceAttrSet("tencentcloud_vpn_connection.connection", "vpn_proto"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "dpd_enable", "1"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "dpd_timeout", "40"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "dpd_action", "restart"),
+					resource.TestCheckResourceAttr("tencentcloud_vpn_connection.connection", "enable_health_check", "false"),
+				),
+			},
 		},
 	})
 }
@@ -378,3 +408,57 @@ resource "tencentcloud_vpn_connection" "connection" {
   enable_health_check = false
 }
 `
+
+const testAccVpnConnectionConfigUpdate3 = `
+resource "tencentcloud_vpn_customer_gateway" "cgw" {
+  name              = "terraform_test"
+  public_ip_address = "1.3.3.3"
+}
+
+# Create VPC and Subnet
+data "tencentcloud_vpc_instances" "foo" {
+  name = "Default-VPC"
+}
+
+resource "tencentcloud_vpn_gateway" "vpn" {
+  name      = "terraform_update"
+  vpc_id    = data.tencentcloud_vpc_instances.foo.instance_list.0.vpc_id
+  bandwidth = 5
+  zone      = "ap-guangzhou-3"
+
+  tags = {
+    test = "test"
+  }
+}
+resource "tencentcloud_vpn_connection" "connection" {
+  name                       = "vpn_connection_test2"
+  vpc_id                     = data.tencentcloud_vpc_instances.foo.instance_list.0.vpc_id
+  vpn_gateway_id             = tencentcloud_vpn_gateway.vpn.id
+  customer_gateway_id        = tencentcloud_vpn_customer_gateway.cgw.id
+  pre_share_key              = "testt"
+  ike_proto_encry_algorithm  = "3DES-CBC"
+  ike_proto_authen_algorithm = "SHA"
+  ike_local_identity         = "ADDRESS"
+  ike_exchange_mode          = "AGGRESSIVE"
+  ike_local_address          = tencentcloud_vpn_gateway.vpn.public_ip_address
+  ike_remote_identity        = "ADDRESS"
+  ike_remote_address         = tencentcloud_vpn_customer_gateway.cgw.public_ip_address
+  ike_dh_group_name          = "GROUP2"
+  ike_sa_lifetime_seconds    = 86401
+  ike_version                = "IKEV2"
+  ipsec_encrypt_algorithm    = "3DES-CBC"
+  ipsec_integrity_algorithm  = "SHA1"
+  ipsec_sa_lifetime_seconds  = 7200
+  ipsec_pfs_dh_group         = "NULL"
+  ipsec_sa_lifetime_traffic  = 2570
+  dpd_enable = 1
+  dpd_timeout = "40"
+  dpd_action = "restart"
+  route_type = "StaticRoute"
+
+  tags = {
+    test = "testt"
+  }
+  enable_health_check = false
+}
+`

website/docs/r/vpn_connection.html.markdown

@@ -52,7 +52,6 @@ The following arguments are supported:
 * `customer_gateway_id` - (Required, String, ForceNew) ID of the customer gateway.
 * `name` - (Required, String) Name of the VPN connection. The length of character is limited to 1-60.
 * `pre_share_key` - (Required, String) Pre-shared key of the VPN connection.
-* `security_group_policy` - (Required, Set) Security group policy of the VPN connection.
 * `vpn_gateway_id` - (Required, String, ForceNew) ID of the VPN gateway.
 * `dpd_action` - (Optional, String) The action after DPD timeout. Valid values: clear (disconnect) and restart (try again). It is valid when DpdEnable is 1.
 * `dpd_enable` - (Optional, Int) Specifies whether to enable DPD. Valid values: 0 (disable) and 1 (enable).
@@ -77,6 +76,8 @@ The following arguments are supported:
 * `ipsec_pfs_dh_group` - (Optional, String) PFS DH group. Valid value: `GROUP1`, `GROUP2`, `GROUP5`, `GROUP14`, `GROUP24`, `NULL`. Default value is `NULL`.
 * `ipsec_sa_lifetime_seconds` - (Optional, Int) SA lifetime of the IPSEC operation specification, unit is second. Valid value ranges: [180~604800]. Default value is 3600 seconds.
 * `ipsec_sa_lifetime_traffic` - (Optional, Int) SA lifetime of the IPSEC operation specification, unit is KB. The value should not be less then 2560. Default value is 1843200.
+* `route_type` - (Optional, String, ForceNew) Route type of the VPN connection. Valid value: `STATIC`, `StaticRoute`, `Policy`.
+* `security_group_policy` - (Optional, Set) SPD policy group, for example: {"10.0.0.5/24":["172.123.10.5/16"]}, 10.0.0.5/24 is the vpc intranet segment, and 172.123.10.5/16 is the IDC network segment. Users specify which network segments in the VPC can communicate with which network segments in your IDC.
 * `tags` - (Optional, Map) A list of tags used to associate different resources.
 * `vpc_id` - (Optional, String, ForceNew) ID of the VPC. Required if vpn gateway is not in `CCN` type, and doesn't make sense for `CCN` vpn gateway.
 
@@ -94,7 +95,6 @@ In addition to all arguments above, the following attributes are exported:
 * `encrypt_proto` - Encrypt proto of the VPN connection.
 * `is_ccn_type` - Indicate whether is ccn type. Modification of this field only impacts force new logic of `vpc_id`. If `is_ccn_type` is true, modification of `vpc_id` will be ignored.
 * `net_status` - Net status of the VPN connection. Valid value: `AVAILABLE`.
-* `route_type` - Route type of the VPN connection.
 * `state` - State of the connection. Valid value: `PENDING`, `AVAILABLE`, `DELETING`.
 * `vpn_proto` - Vpn proto of the VPN connection.