hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

DHGROUP Choices Issue #12179

Open nemrood opened 3 years ago

nemrood commented 3 years ago

Terraform (and AzureRM Provider) Version

Terraform v0.14.5 AzureRM v2.60

Affected Resource(s)

azurerm_vpn_gateway_connection

Terraform Configuration Files

module.tf

resource "azurerm_vpn_gateway_connection" "vpnconn" {
  name               = xxx
  vpn_gateway_id     = xxx
  remote_vpn_site_id = xxx

  vpn_link {
    name             = xxx
    bandwidth_mbps   = xxx
    vpn_site_link_id = xxx

    ipsec_policy {
      dh_group                 = "DHGroup2"
      ike_encryption_algorithm = "AES256"
      ike_integrity_algorithm  = "SHA256"
      encryption_algorithm     = "AES256"
      integrity_algorithm      = "SHA256"
      pfs_group                = "PFS24"
      sa_data_size_kb          = "1024"
      sa_lifetime_sec          = "300"
    }
  }
}

Debug Output

Error: creating Vpn Gateway Connection Resource "vWAN-TS-Connections" (Resource Group "MASKED" / VPN Gateway "MASKED"): network.VpnConnectionsClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InvalidDhGroupSpecifiedForResource" Message="Invalid DhGroup specified for Resource /subscriptions/MASKED/resourceGroups/MASKED/providers/Microsoft.Network/vpnGateways/MASKED/vpnConnections/MASKED/vpnLinkConnections/ER-Link-Connection. The allowed DhGroup values are DHGroup14,DHGroup24,ECP256,ECP384." Details=[]

Expected Behaviour

In the ipsec_policy block, we should be able to set the dh_group attribute to DHGroup1 or DHGroup2.

Actual Behaviour

Terraform/Azure rejects the choice and says the only allowed values are: DHGroup14, DHGroup24, ECP256, ECP384.

NOTE: in the Terraform documentation we can see that DHGroup1, DHGroup2, PFS1 and PFS2 are valid options; we can also set them via scripts or the az CLI, but when using Terraform it just gives the error shown above.

Steps to Reproduce

Standard Process (init, validate, plan, apply).

Important Factoids

Public Azure

Terraform DOC : https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_gateway_connection

favoretti commented 3 years ago

Hi there, thank you for reporting this. This error comes from the API, not from Terraform, so the API version that Terraform currently uses to talk to ARM does not support these values.

nemrood commented 3 years ago

Hello, and thanks for your reply. Are there any version recommendations you can provide so we can push these values via Terraform?

Good day!

favoretti commented 3 years ago
"dh_group": {
    Type:     pluginsdk.TypeString,
    Required: true,
    ValidateFunc: validation.StringInSlice([]string{
        string(network.DhGroupNone),
        string(network.DhGroupDHGroup1),
        string(network.DhGroupDHGroup2),
        string(network.DhGroupDHGroup14),
        string(network.DhGroupDHGroup24),
        string(network.DhGroupDHGroup2048),
        string(network.DhGroupECP256),
        string(network.DhGroupECP384),
    }, false),
},

Hmm, actually Terraform does support this. Maybe it's region-specific?
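The provider schema quoted in the thread accepts DHGroup1 and DHGroup2, while the API error quoted in the report lists only DHGroup14, DHGroup24, ECP256 and ECP384 as allowed. The practical consequence is that a configuration with dh_group = "DHGroup2" passes terraform validate and terraform plan and fails only at apply time, inside CreateOrUpdate. The following is an added example, not code from this issue or from the azurerm provider: a Python pre-apply check that reads the JSON from terraform show -json and flags every azurerm_vpn_gateway_connection ipsec_policy whose dh_group is outside the set the API error lists. The allowed set is taken solely from that error message, so it says nothing about pfs_group; the resource address, link names and the sample plan are constructed for illustration.

```python
"""Pre-apply check for azurerm_vpn_gateway_connection dh_group values.

Added example, not code from the issue or from the azurerm provider. It reads
the JSON that `terraform show -json <planfile>` emits and flags every
ipsec_policy.dh_group that the Azure API rejected in the 400 error quoted in
this issue, so the failure surfaces before `terraform apply` rather than after.
"""
import json
import sys

# DhGroup values the API listed as allowed in the quoted error message.
API_ALLOWED_DH_GROUPS = {"DHGroup14", "DHGroup24", "ECP256", "ECP384"}

# Values the provider's ValidateFunc accepts, per the schema snippet in the thread.
PROVIDER_ACCEPTED_DH_GROUPS = {
    "None", "DHGroup1", "DHGroup2", "DHGroup14", "DHGroup24",
    "DHGroup2048", "ECP256", "ECP384",
}


def provider_accepts_but_api_rejects():
    """dh_group values that pass `terraform validate` yet fail at apply time."""
    return sorted(PROVIDER_ACCEPTED_DH_GROUPS - API_ALLOWED_DH_GROUPS)


def find_rejected_dh_groups(plan):
    """Return (resource address, vpn_link name, dh_group) for each ipsec_policy
    in the plan whose dh_group is outside the API-allowed set.

    `plan` is the parsed output of `terraform show -json`; in that format the
    nested vpn_link and ipsec_policy blocks appear as lists of objects.
    """
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "azurerm_vpn_gateway_connection":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "create" not in actions and "update" not in actions:
            continue  # no-op or delete: nothing is sent to CreateOrUpdate
        after = change.get("after") or {}
        for link in after.get("vpn_link") or []:
            for policy in link.get("ipsec_policy") or []:
                dh_group = policy.get("dh_group")
                if dh_group is None:
                    continue  # unknown until apply; cannot be checked statically
                if dh_group not in API_ALLOWED_DH_GROUPS:
                    findings.append((rc["address"], link.get("name"), dh_group))
    return findings


# Constructed sample plan (not real terraform output): one link with the
# DHGroup2 policy from the issue, one corrected to DHGroup14.
SAMPLE_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "azurerm_vpn_gateway_connection.vpnconn",
            "type": "azurerm_vpn_gateway_connection",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "example-connection",
                    "vpn_link": [
                        {"name": "link-weak",
                         "ipsec_policy": [{"dh_group": "DHGroup2", "pfs_group": "PFS24"}]},
                        {"name": "link-ok",
                         "ipsec_policy": [{"dh_group": "DHGroup14", "pfs_group": "PFS24"}]},
                    ],
                },
            },
        }
    ],
}


def main():
    # `python check_dh_group.py -` reads a real plan from stdin; otherwise the sample is used.
    plan = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_PLAN
    findings = find_rejected_dh_groups(plan)
    for address, link, dh_group in findings:
        print(f"{address} vpn_link {link!r}: dh_group={dh_group} "
              f"is not in {sorted(API_ALLOWED_DH_GROUPS)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

In a pipeline this runs as terraform plan -out tfplan && terraform show -json tfplan | python check_dh_group.py -, and a non-zero exit blocks the apply. Independently of the API restriction, DHGroup1 (768-bit MODP) and DHGroup2 (1024-bit MODP) are well below current key-size recommendations, so a check of this kind is worth keeping even in an environment where the API does accept them.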