SIGSEGV when trying to create `azurerm_virtual_network_gateway_connection`

[matthewaerose]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.4

AzureRM Provider Version

3.28.0

Affected Resource(s)/Data Source(s)

azurerm_virtual_network_gateway_connection

Terraform Configuration Files

data "azurerm_resource_group" "aks-rg" {
  name = "<resource-group-name>"
}

data "terraform_remote_state" "engops-prod" {
  backend = "remote"
  config = {
    organization = "ORGNAME"
    workspaces = {
      name = "engops-core-production"
    }
  }
}

data "azurerm_virtual_network" "aks-prod-vnet" {
  name                = "<name-of-vnet>"
  resource_group_name = "<name-of-vnet-rg>"
}

resource "azurerm_subnet" "prod-gateway-subnet" {
  name                 = "GatewaySubnet"
  resource_group_name  = data.azurerm_resource_group.aks-rg.name
  virtual_network_name = data.azurerm_virtual_network.aks-prod-vnet.name
  address_prefixes     = ["10.60.253.0/24"]
}

resource "azurerm_public_ip" "pip-1-aks-gw" {
  name                = "pip-1-aks-gw"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  allocation_method   = "Static"

  sku   = "Standard"
  zones = ["1", "2", "3"]

  tags = merge({
    "terraform" = "true",
    "name"      = "pip-1-aks-gw",
    },
    local.tags
  )
}

resource "azurerm_public_ip" "pip-2-aks-gw" {
  name                = "pip-2-aks-gw"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  allocation_method   = "Static"

  sku   = "Standard"
  zones = ["1", "2", "3"]

  tags = merge({
    "terraform" = "true",
    "name"      = "pip-2-aks-gw",
    },
    local.tags
  )
}

resource "azurerm_virtual_network_gateway" "vnet-gw-prod" {
  name                = "vnet-gw-prod"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  sku                 = "VpnGw3AZ"
  type                = "Vpn"
  vpn_type            = "RouteBased"
  active_active       = "true"
  generation          = "Generation2"
  enable_bgp          = true

  ip_configuration {
    name                          = "vpn-gw-ip-config-1"
    public_ip_address_id          = resource.azurerm_public_ip.pip-1-aks-gw.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = resource.azurerm_subnet.prod-gateway-subnet.id
  }

  ip_configuration {
    name                          = "vpn-gw-ip-config-2"
    public_ip_address_id          = resource.azurerm_public_ip.pip-2-aks-gw.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = resource.azurerm_subnet.prod-gateway-subnet.id
  }

  bgp_settings {
    asn = 650001
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "vnet-gw-prod",
    },
    local.tags
  )
}

resource "azurerm_local_network_gateway" "lng-prod-1" {
  name                = "lng-prod-1"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  gateway_address     = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-addresses["connection-1-tunnel-1"]

  bgp_settings {
    asn                 = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-bgp-asns["connection-1-tunnel-1"]
    bgp_peering_address = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-1-tunnel-1"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "lng-prod-1",
    },
    local.tags
  )
}

resource "azurerm_virtual_network_gateway_connection" "conn-prod-1" {
  name                = "conn-prod-1"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name

  type                       = "IPsec"
  virtual_network_gateway_id = resource.azurerm_virtual_network_gateway.vnet-gw-prod.id
  local_network_gateway_id   = resource.azurerm_local_network_gateway.lng-prod-1.id

  shared_key = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-pre-shared-keys["connection-1-tunnel-1"]

  enable_bgp = true

  connection_protocol = "IKEv1"

  custom_bgp_addresses {
    primary   = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-vgw-inside-addresses["connection-1-tunnel-1"]
    secondary = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-1-tunnel-1"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "conn-prod-1",
    },
    local.tags
  )
}

resource "azurerm_local_network_gateway" "lng-prod-2" {
  name                = "lng-prod-2"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  gateway_address     = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-addresses["connection-1-tunnel-2"]

  bgp_settings {
    asn                 = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-bgp-asns["connection-1-tunnel-2"]
    bgp_peering_address = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-1-tunnel-2"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "lng-prod-2",
    },
    local.tags
  )
}

resource "azurerm_virtual_network_gateway_connection" "conn-prod-2" {
  name                = "conn-prod-2"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name

  type                       = "IPsec"
  virtual_network_gateway_id = resource.azurerm_virtual_network_gateway.vnet-gw-prod.id
  local_network_gateway_id   = resource.azurerm_local_network_gateway.lng-prod-2.id

  shared_key = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-pre-shared-keys["connection-1-tunnel-2"]

  enable_bgp = true

  connection_protocol = "IKEv1"

  custom_bgp_addresses {
    primary   = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-vgw-inside-addresses["connection-1-tunnel-2"]
    secondary = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-1-tunnel-2"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "conn-prod-2",
    },
    local.tags
  )
}
resource "azurerm_local_network_gateway" "lng-prod-3" {
  name                = "lng-prod-3"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  gateway_address     = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-addresses["connection-2-tunnel-1"]

  bgp_settings {
    asn                 = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-bgp-asns["connection-2-tunnel-1"]
    bgp_peering_address = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-2-tunnel-1"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "lng-prod-3",
    },
    local.tags
  )
}

resource "azurerm_virtual_network_gateway_connection" "conn-prod-3" {
  name                = "conn-prod-3"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name

  type                       = "IPsec"
  virtual_network_gateway_id = resource.azurerm_virtual_network_gateway.vnet-gw-prod.id
  local_network_gateway_id   = resource.azurerm_local_network_gateway.lng-prod-3.id

  shared_key = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-pre-shared-keys["connection-2-tunnel-1"]

  enable_bgp = true

  connection_protocol = "IKEv1"

  custom_bgp_addresses {
    primary   = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-vgw-inside-addresses["connection-2-tunnel-1"]
    secondary = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-2-tunnel-1"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "conn-prod-3",
    },
    local.tags
  )
}

resource "azurerm_local_network_gateway" "lng-prod-4" {
  name                = "lng-prod-4"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name
  gateway_address     = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-addresses["connection-2-tunnel-2"]

  bgp_settings {
    asn                 = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-bgp-asns["connection-2-tunnel-2"]
    bgp_peering_address = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-2-tunnel-2"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "lng-prod-4",
    },
    local.tags
  )
}

resource "azurerm_virtual_network_gateway_connection" "conn-prod-4" {
  name                = "conn-prod-1"
  location            = data.azurerm_resource_group.aks-rg.location
  resource_group_name = data.azurerm_resource_group.aks-rg.name

  type                       = "IPsec"
  virtual_network_gateway_id = resource.azurerm_virtual_network_gateway.vnet-gw-prod.id
  local_network_gateway_id   = resource.azurerm_local_network_gateway.lng-prod-4.id

  shared_key = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-pre-shared-keys["connection-2-tunnel-2"]

  enable_bgp = true

  connection_protocol = "IKEv1"

  custom_bgp_addresses {
    primary   = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-vgw-inside-addresses["connection-2-tunnel-2"]
    secondary = data.terraform_remote_state.engops-prod.outputs.cit-prod-connection-tunnel-cgw-inside-addresses["connection-2-tunnel-2"]
  }

  tags = merge({
    "terraform" = "true",
    "name"      = "conn-prod-2",
    },
    local.tags
  )
}

Debug Output/Panic Output

Stack trace from the terraform-provider-azurerm_v3.28.0_x5 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x4815973]

goroutine 196 [running]:
github.com/hashicorp/terraform-provider-azurerm/internal/services/network.expandGatewayCustomBgpIPAddresses(0xc0001bd0e0?, 0xc00037e678)
github.com/hashicorp/terraform-provider-azurerm/internal/services/network/virtual_network_gateway_connection_resource.go:789 +0x1b3
github.com/hashicorp/terraform-provider-azurerm/internal/services/network.getVirtualNetworkGatewayConnectionProperties(0x6fc23ac00?, {{0xc002296870}, 0xc00227e840, 0x0, 0xc001266460, 0xc001267040, 0xc001267030, 0xc001266470, 0xc001266480, 0xc001543950})
github.com/hashicorp/terraform-provider-azurerm/internal/services/network/virtual_network_gateway_connection_resource.go:660 +0xeb7
github.com/hashicorp/terraform-provider-azurerm/internal/services/network.resourceVirtualNetworkGatewayConnectionCreateUpdate(0xc001edf500, {0x59bcfe0?, 0xc00140a400})
github.com/hashicorp/terraform-provider-azurerm/internal/services/network/virtual_network_gateway_connection_resource.go:382 +0x81d
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x6b58b10?, {0x6b58b10?, 0xc00204be00?}, 0xd?, {0x59bcfe0?, 0xc00140a400?})
github.com/hashicorp/terraform-plugin-sdk/v2@v2.18.0/helper/schema/resource.go:695 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000e8c1c0, {0x6b58b10, 0xc00204be00}, 0xc002049450, 0xc001edf380, {0x59bcfe0, 0xc00140a400})
github.com/hashicorp/terraform-plugin-sdk/v2@v2.18.0/helper/schema/resource.go:837 +0xa7a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc000133ea8, {0x6b58b10?, 0xc00204bd40?}, 0xc001a1c5f0)
github.com/hashicorp/terraform-plugin-sdk/v2@v2.18.0/helper/schema/grpc_provider.go:1021 +0xe3c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0006a5680, {0x6b58b10?, 0xc0021381b0?}, 0xc0001b4f50)
github.com/hashicorp/terraform-plugin-go@v0.10.0/tfprotov5/tf5server/server.go:813 +0x4fc
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x5fd5640?, 0xc0006a5680}, {0x6b58b10, 0xc0021381b0}, 0xc00210a360, 0x0)
github.com/hashicorp/terraform-plugin-go@v0.10.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00023ec40, {0x6b6a9b0, 0xc0017e4ea0}, 0xc001fce480, 0xc0017d8990, 0xacbf480, 0x0)
google.golang.org/grpc@v1.47.0/server.go:1283 +0xcfd
google.golang.org/grpc.(*Server).handleStream(0xc00023ec40, {0x6b6a9b0, 0xc0017e4ea0}, 0xc001fce480, 0x0)
google.golang.org/grpc@v1.47.0/server.go:1620 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
google.golang.org/grpc@v1.47.0/server.go:922 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
google.golang.org/grpc@v1.47.0/server.go:920 +0x28a

Error: The terraform-provider-azurerm_v3.28.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Expected Behaviour

vnet gateway connections are created.

Actual Behaviour

provider panics and provides stack trace.

Steps to Reproduce

1. terraform init
2. terraform plan --out=plan.tfplan
3. terraform apply plan.tfplan

Important Factoids

n/a

References

No response

[github-actions[bot]]

This functionality has been released in v3.29.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.