IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Client 2 Site - VPN Server - IAM and Client Certificate #4521

Open ThomasUllrich666 opened 1 year ago

ThomasUllrich666 commented 1 year ago

Community Note

Description

I want to create a Client 2 Site VPN Server. I am able to successfully apply my code, but after a new terraform plan, terraform wants to apply a change.

Code:

resource "ibm_is_vpn_server" "vpn_instance" {
  certificate_crn = var.server_certificate_crn
  client_authentication {
    method            = "username"
    identity_provider = "iam"
  }
  client_authentication {
    method        = "certificate"
    client_ca_crn = var.client_certificate_crn
  }
  client_ip_pool         = var.client_ip_pool
  client_idle_timeout    = 2800
  enable_split_tunneling = true
  name                   = format("%s-vpn-server", var.vpc_name)
  port                   = 443
  protocol               = "udp"
  subnets                = [for x in ibm_is_subnet.vpn_subnets : x.id]
  resource_group         = data.ibm_resource_group.resource_group.id
}

If I do another terraform plan after a successful apply, I see this output:

# module.vpnServer.ibm_is_vpn_server.vpn_instance will be updated in-place
  ~ resource "ibm_is_vpn_server" "vpn_instance" {
        id                         = "r010-2636a932-4794-4607-aeae-a12e378dc391"
        name                       = "sek-idp-vpn-server"
        # (24 unchanged attributes hidden)

      ~ client_authentication {
          - client_ca_crn     = "crn:v1:bluemix:public:secrets-manager:eu-de:a/ed3b49a8893442b4aa8084bda0d7482f:853e8b28-6f68-400d-9cd8-748471c760a3:secret:24b0e5be-835a-9f0e-d821-7aba69b42163" -> null
          + identity_provider = "iam"
          ~ method            = "certificate" -> "username"
        }
      ~ client_authentication {
          + client_ca_crn     = "crn:v1:bluemix:public:secrets-manager:eu-de:a/ed3b49a8893442b4aa8084bda0d7482f:853e8b28-6f68-400d-9cd8-748471c760a3:secret:24b0e5be-835a-9f0e-d821-7aba69b42163"
          - identity_provider = "iam" -> null
          ~ method            = "username" -> "certificate"
        }
    }

Maybe it would be a better solution to split the IAM and client certificate functions into two parts.

New or Affected Resource(s)

Potential Terraform Configuration

resource "ibm_is_vpn_server" "vpn_instance" {
  ...
  client_iam_authentication {
    identity_provider = "iam"
  }
  client_cert_authentication {
    client_ca_crn = var.client_certificate_crn
  }
}

References
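As an added illustration (not code from terraform-provider-ibm), the following Python models the two ways a provider can compare the `client_authentication` blocks in the configuration with the ones the API returns: positionally, which reproduces the swapped attributes in the plan above, and as a set keyed by `method`, which reports no change when only the order differs. The CRN is a constructed placeholder, not a real secret.

```python
from itertools import zip_longest

# Constructed sample values; the CRN is a placeholder, not a real secret CRN.
CLIENT_CA_CRN = "crn:v1:bluemix:public:secrets-manager:eu-de:a/ACCOUNT:INSTANCE:secret:PLACEHOLDER"

# client_authentication blocks in the order written in the .tf file
CONFIG_BLOCKS = [
    {"method": "username", "identity_provider": "iam"},
    {"method": "certificate", "client_ca_crn": CLIENT_CA_CRN},
]

# the same blocks in the order the API returned them into state
STATE_BLOCKS = [
    {"method": "certificate", "client_ca_crn": CLIENT_CA_CRN},
    {"method": "username", "identity_provider": "iam"},
]


def positional_diff(config, state):
    """List semantics: block i of config is compared with block i of state.

    Returns (index, attribute, old, new) tuples. A mere reordering produces
    an update for every attribute, which is what the plan above shows.
    """
    changes = []
    pairs = zip_longest(config, state, fillvalue={})
    for i, (want, have) in enumerate(pairs):
        for key in sorted(set(want) | set(have)):
            if want.get(key) != have.get(key):
                changes.append((i, key, have.get(key), want.get(key)))
    return changes


def set_diff(config, state):
    """Set semantics: blocks are matched by their "method" regardless of order.

    Returns {method: (old_block, new_block)} only for blocks that were
    added, removed or actually changed.
    """
    want = {b["method"]: b for b in config}
    have = {b["method"]: b for b in state}
    return {
        m: (have.get(m), want.get(m))
        for m in sorted(set(want) | set(have))
        if want.get(m) != have.get(m)
    }
```

With set semantics a genuinely different CA CRN still shows up as a change on the `certificate` block, so the order-insensitive comparison does not hide real drift.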

daniel-butler-irl commented 1 year ago

This looks similar to this issue I have: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4171. The workaround is to change the order of them in the terraform code 😞

ThomasUllrich666 commented 1 year ago

Thanks Daniel. As you said ... it's a workaround and not a solution.

ujjwal-ibm commented 1 year ago

looking