ibm_is_vpc_routing_table_route ingress route to VPN not working

[powellquiring]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

% tf version
Terraform v1.4.6
on darwin_arm64
+ provider registry.terraform.io/ibm-cloud/ibm v1.52.1

Affected Resource(s)

• ibm_is_vpc_routing_table_route

Terraform Configuration Files

Terraform example is here: https://github.com/IBM-Cloud/vpc-transit/blob/master/modules/vpn_tf/vpn.tf

Added ingress route in hub to VPN using terraform:

Terraform will perform the following actions:

  # module.enterprise_link_vpn[0].ibm_is_vpc_routing_table_route.transit_tgw_ingress["0"] will be created
  + resource "ibm_is_vpc_routing_table_route" "transit_tgw_ingress" {
      + action          = "deliver"
      + created_at      = (known after apply)
      + creator         = (known after apply)
      + destination     = "192.168.0.0/24"
      + href            = (known after apply)
      + id              = (known after apply)
      + lifecycle_state = (known after apply)
      + name            = "zus-south-1-to-enterprise"
      + next_hop        = "0717-a8415a69-5b96-4574-86ad-2a2e505246ef"
      + origin          = (known after apply)
      + route_id        = (known after apply)
      + routing_table   = "r006-2c356bc2-dfa5-4130-9202-a2be0cfc1c40"
      + vpc             = "r006-b4a17eb1-9612-4b05-bb78-bbdb910074b9"
      + zone            = "us-south-1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
module.enterprise_link_vpn[0].ibm_is_vpc_routing_table_route.transit_tgw_ingress["0"]: Creating...
╷
│ Error: Routing table route validation failed -  route with a next_hop associated with a VPN connection can not be added to the routing table with one of the ingress flags enabled
│
│   with module.enterprise_link_vpn[0].ibm_is_vpc_routing_table_route.transit_tgw_ingress["0"],
│   on ../modules/vpn_tf/vpn.tf line 140, in resource "ibm_is_vpc_routing_table_route" "transit_tgw_ingress":
│  140: resource "ibm_is_vpc_routing_table_route" "transit_tgw_ingress" {
│

Trying the following from the CLI, notice the VPC and Route Table are the same as the ones above. This worked:

V=r006-b4a17eb1-9612-4b05-bb78-bbdb910074b9
IRT=r006-2c356bc2-dfa5-4130-9202-a2be0cfc1c40
ibmcloud is vpc-routing-table-update $V $IRT --accept-routes-from-resource-type-filters vpn_gateway

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please share a link to the ZIP file.

[powellquiring]

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route#example-usage

• [ ] The docs are not clear. It looks like this would be required to set up an ingress to VPN gateway (ibm_is_vpn_gateway_connection) but I can not figure out how to use this:

[SunithaGudisagarIBM1]

Hi @powellquiring,

Yes, i was able to reproduce the issue and will update the doc with the correct example.

Thank you Sunitha

resource "ibm_is_vpc" "example" {
  name = "example-vpc"
}

resource "ibm_is_subnet" "testacc_subnet1" {
  name            = "example-subnet"
  vpc             = ibm_is_vpc.example.id
  zone            = "us-south-1"
  ipv4_cidr_block = "10.240.0.0/24"
}

resource "ibm_is_vpn_gateway" "testacc_VPNGateway1" {
  name   = "example-gateway"
  subnet = ibm_is_subnet.testacc_subnet1.id
  mode   = "route"
}

resource "ibm_is_vpn_gateway_connection" "testacc_VPNGatewayConnection1" {
  name          = "example-gateway-connection"
  vpn_gateway   = ibm_is_vpn_gateway.testacc_VPNGateway1.id
  peer_address  = ibm_is_vpn_gateway.testacc_VPNGateway1.public_ip_address
  preshared_key = "VPNDemoPassword"
}

resource "ibm_is_vpc_routing_table" "example" {
  vpc                           = ibm_is_vpc.example.id
  name                          = "example-routing-table"
  route_direct_link_ingress     = true
  route_transit_gateway_ingress = false
  route_vpc_zone_ingress        = false
}

resource "ibm_is_vpc_routing_table_route" "example" {
  vpc           = ibm_is_vpc.example.id
  routing_table = ibm_is_vpc_routing_table.example.routing_table
  zone          = "us-south-1"
  name          = "custom-route-2"
  destination   = "192.168.4.0/24"
  action        = "deliver"
  // next_hop      = "10.240.0.0" //ibm_is_vpn_gateway_connection.example.gateway_connection // Example value "10.0.0.4" 
  next_hop = ibm_is_vpn_gateway_connection.testacc_VPNGatewayConnection1.gateway_connection 
}

With the below setup, the configuration works fine..

resource "ibm_is_vpc" "example" {
  name = "example-vpc"
}

resource "ibm_is_subnet" "testacc_subnet1" {
  name            = "example-subnet"
  vpc             = ibm_is_vpc.example.id
  zone            = "us-south-1"
  ipv4_cidr_block = "10.240.0.0/24"
}

resource "ibm_is_vpn_gateway" "testacc_VPNGateway1" {
  name   = "example-gateway"
  subnet = ibm_is_subnet.testacc_subnet1.id
  mode   = "route"
}

resource "ibm_is_vpn_gateway_connection" "testacc_VPNGatewayConnection1" {
  name          = "example-gateway-connection"
  vpn_gateway   = ibm_is_vpn_gateway.testacc_VPNGateway1.id
  peer_address  = ibm_is_vpn_gateway.testacc_VPNGateway1.public_ip_address
  preshared_key = "VPNDemoPassword"
}

resource "ibm_is_vpc_routing_table" "example" {
  vpc                           = ibm_is_vpc.example.id
  name                          = "example-routing-table"
  route_direct_link_ingress     = false
  route_transit_gateway_ingress = false
  route_vpc_zone_ingress        = false
}

resource "ibm_is_vpc_routing_table_route" "example" {
  vpc           = ibm_is_vpc.example.id
  routing_table = ibm_is_vpc_routing_table.example.routing_table
  zone          = "us-south-1"
  name          = "custom-route-2"
  destination   = "192.168.4.0/24"
  action        = "deliver"
  // next_hop      = "10.240.0.0" //ibm_is_vpn_gateway_connection.example.gateway_connection // Example value "10.0.0.4" 
  next_hop = ibm_is_vpn_gateway_connection.testacc_VPNGatewayConnection1.gateway_connection 
}

[SunithaGudisagarIBM1]

https://github.com/IBM-Cloud/terraform-provider-ibm/pull/4564