terraform-google-modules/terraform-google-vpn

Migrate HA VPN tunnels to GA

Sekyrovat opened this issue · 2 comments

TL;DR

Remove instances of provider = google-beta from the submodule in favour of the GA.

Terraform Resources

Terraform resource I'm leveraging to create the full VPN while getting issues

module "vpnVpcA" {
  source           = "terraform-google-modules/vpn/google//modules/vpn_ha"
  version          = "~> 1.3.0"
  router_name      = google_compute_router.crVpcA.name
  project_id       = var.projects["sideA"]
  region           = var.region_picks["nane1"]
  network          = var.vpc_pick["vpcA"]
  name             = "op2gcp"
  router_asn       = 64515
  peer_gcp_gateway = module.vpnVpcB.self_link
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64517
      }
      bgp_peer_options                = null
      bgp_session_range               = "169.254.1.2/30"
      ike_version                     = 2
      vpn_gateway_interface           = 0
      peer_external_gateway_interface = null
      shared_secret                   = ""
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64517
      }
      bgp_peer_options                = null
      bgp_session_range               = "169.254.2.2/30"
      ike_version                     = 2
      vpn_gateway_interface           = 1
      peer_external_gateway_interface = null
      shared_secret                   = ""
    }
  }
  router_advertise_config = local.vpn0CustomRoutes
  depends_on              = [module.vpcA]
}

Working approach, leverages the same core HA VPN submodule but creates the tunnels separately through the core resource.

module "vpnVpcA" {
  source           = "terraform-google-modules/vpn/google//modules/vpn_ha"
  version          = "~> 1.3.0"
  router_name      = google_compute_router.crVpcA.name
  project_id       = var.projects["sideA"]
  region           = var.region_picks["nane1"]
  network          = var.vpc_pick["vpcA"]
  name             = "op2gcp"
  router_asn       = 64515
  peer_gcp_gateway = module.vpnVpcB.self_link
  router_advertise_config = local.vpn0CustomRoutes
  depends_on              = [module.vpcA]
}

# Tunnel created directly through the GA google_compute_vpn_tunnel resource
# (no provider = google-beta), attached to the gateway the submodule created.
resource "google_compute_vpn_tunnel" "intunnel" {
  name                  = "in"
  project               = var.projects["sideA"]
  region                = var.region_picks["nane1"]
  vpn_gateway           = module.vpnVpcA.gateway.id
  peer_gcp_gateway      = module.vpnVpcB.gateway.id
  shared_secret         = "pennyandjoey"
  router                = google_compute_router.crVpcA.id
  vpn_gateway_interface = 0
}

Detailed design

VPC SC is configured in the Side B project/org, and permissions are given as iterations fail. So far the only permission we are unable to tackle pertains to the call compute.beta.VpnTunnelsService.Insert.

Additional information

Currently, creating HA VPN constructs through the HA VPN submodule seems to be calling the Beta APIs. This presents itself as an issue when working with VPC SC.

When creating the tunnels, the following call seems to be made: compute.beta.VpnTunnelsService.Insert. The issue that arises is that in VPC SC we can't target Beta calls, therefore creating tunnels fails.

This issue may be present more widely than the tunnels themselves, however, and therefore the potential removal of the Beta provider should be done for the submodule as a whole.
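A practical check before applying a module inside a VPC Service Controls perimeter is to find out which resource blocks are pinned to the google-beta provider, since each of those will hit a compute.beta.* method that the perimeter cannot target. The script below is an added example, not code from the issue or from terraform-google-vpn: it builds a small constructed module tree under /tmp/tfaudit (the resource names and the `provider = google-beta` lines are made up for the demonstration), then walks every `.tf` file and reports each resource whose body sets the beta provider.

```shell
#!/bin/sh
# Added example: audit Terraform sources for resources pinned to google-beta.
# Resources that set provider = google-beta call compute.beta.* API methods,
# which a VPC Service Controls perimeter cannot target; listing them up front
# tells you which blocks need a GA equivalent before the apply will succeed.
set -eu

# Constructed sample module tree (hypothetical content, for offline demonstration).
mkdir -p /tmp/tfaudit/vpn_ha
cat > /tmp/tfaudit/vpn_ha/main.tf <<'EOF'
resource "google_compute_ha_vpn_gateway" "ha_gateway" {
  provider = google-beta
  name     = "gw"
  network  = var.network
}

resource "google_compute_vpn_tunnel" "tunnels" {
  provider    = google-beta
  for_each    = var.tunnels
  name        = each.key
  vpn_gateway = google_compute_ha_vpn_gateway.ha_gateway.self_link
}

resource "google_compute_router" "router" {
  name    = "router"
  network = var.network
}
EOF

# list_beta_resources DIR
# Prints "file:type.name" for every resource block under DIR whose body contains
# a line of the form `provider = google-beta` (aliases such as google-beta.eu
# also match, because only the prefix is tested). A top-level "}" ends the block.
list_beta_resources() {
  find "$1" -name '*.tf' | sort | while read -r f; do
    awk -v file="$f" '
      /^[[:space:]]*resource[[:space:]]+"[^"]+"[[:space:]]+"[^"]+"/ {
        match($0, /"[^"]+"[[:space:]]+"[^"]+"/)
        s = substr($0, RSTART, RLENGTH)
        gsub(/"/, "", s)
        sub(/[[:space:]]+/, ".", s)
        cur = s
      }
      /^[[:space:]]*provider[[:space:]]*=[[:space:]]*google-beta/ && cur != "" {
        print file ":" cur
      }
      /^}/ { cur = "" }
    ' "$f"
  done
}

# count_beta_resources DIR: number of beta-pinned resource blocks under DIR.
count_beta_resources() {
  list_beta_resources "$1" | wc -l | tr -d ' '
}

list_beta_resources /tmp/tfaudit
echo "beta-pinned resources: $(count_beta_resources /tmp/tfaudit)"
```

Run it against a vendored copy of the module instead of the sample directory to see which resources a perimeter will block; every reported block is a candidate for the GA resource, as in the working approach above where the tunnel is declared with the plain google provider.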

Labels in google_compute_vpn_tunnel are not available in the GA provider. Created an issue for the provider team.

hashicorp/terraform-provider-google#16458

fixed in #135