hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.6k stars 4.64k forks

azurerm_virtual_network_gateway_connection expects a shared_key even when it is not needed #27400

Closed MasterBroda closed 1 month ago

MasterBroda commented 1 month ago

Terraform Version

1.7.5

AzureRM Provider Version

4.2.0

Affected Resource(s)/Data Source(s)

azurerm_virtual_network_gateway_connection

Terraform Configuration Files

resource "azurerm_virtual_network_gateway_connection" "connection" {
  name                       = "cxn-xyz"
  location                   = var.location
  resource_group_name        = var.resource_group_name
  type                       = "ExpressRoute"
  express_route_circuit_id   = express_route_circuit_id
  virtual_network_gateway_id = vng_id
  routing_weight             = 100
  shared_key                 = "SHARED_KEY"
}

Debug Output/Panic Output

│ Error: creating Connection (Subscription: "[MASKED]"
│ Resource Group Name: "RG-xyz"
│ Connection Name: "cxn-xyz"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: CannotSetSharedKeyForExpressRouteConnectionType: Shared Key cannot be set for Connection /subscriptions/[MASKED]/resourceGroups/RG-xyz/providers/Microsoft.Network/connections/cxn-xyz of type ExpressRoute.

Expected Behaviour

The shared_key must be set as optional as it was in v3 of the provider so that the gateway connections for express routes can be successfully created.

Actual Behaviour

The provider sets the shared_key as required which completely blocks the creation of the gateway connection.

Steps to Reproduce

  1. create an express route.
  2. create a virtual network gateway.
  3. create a connection for the gateway using the tf snippet given above.

Important Factoids

No response

References

No response

neil-yechenwei commented 1 month ago

Thanks for raising this issue. It seems this property has been marked as a required property. See more details in this PR. Maybe the PR owner has some suggestions on this property.

DesideriusE commented 1 month ago

Unfortunately, the PR referred to does not provide any motivation for making this property required. This change should not have been made as the property is only meaningful for IPSEC-based gateways.

Please revert to the previous 'optional argument' status. This is not difficult to do, so it's reasonable to expect this reversal in the upcoming release (4.3.0).

MasterBroda commented 1 month ago

@stephybun's PR doesn't really explain the reasoning behind marking shared_key as required. The terraform plan will always succeed but the actual apply will fail as mentioned in the issue description.

DesideriusE commented 1 month ago

Sure. This makes it even more urgent that the change that marks this property as required be reverted ASAP.

DesideriusE commented 1 month ago

So, release 4.0.3 is out, but, reading the documentation, this issue has not been addressed. Is it on the backlog for the next release?

rcskosir commented 1 month ago

:wave: Great catch! Thanks for reaching out and reporting this bug. Unfortunately, I do not have an ETA on when this will be reverted. However, any future work via the team or the community will end up linked here via a PR.

cmgksims commented 1 month ago

When do they plan on getting this fixed? Blocks existing deployments because it expects the key to be there even if it's not needed.

github-actions[bot] commented 6 days ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
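
The gap MasterBroda describes above (terraform plan succeeds, apply fails with CannotSetSharedKeyForExpressRouteConnectionType) can be caught before apply by inspecting the JSON form of the plan. This is an added example, not code from the issue or the provider; the sample plan is constructed, and the function name is hypothetical.

```python
import json

RESOURCE_TYPE = "azurerm_virtual_network_gateway_connection"

# Constructed sample in the layout of `terraform show -json <planfile>`;
# it is not output taken from the issue.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": RESOURCE_TYPE + ".connection", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "cxn-xyz", "type": "ExpressRoute",
                              "shared_key": "SHARED_KEY"},
                    "after_unknown": {"id": True}}},
        {"address": RESOURCE_TYPE + ".s2s", "type": RESOURCE_TYPE,
         "change": {"actions": ["create"],
                    "after": {"name": "cxn-s2s", "type": "IPsec",
                              "shared_key": "SHARED_KEY"},
                    "after_unknown": {}}},
        {"address": RESOURCE_TYPE + ".er_computed", "type": RESOURCE_TYPE,
         "change": {"actions": ["update"],
                    "after": {"name": "cxn-er2", "type": "ExpressRoute"},
                    "after_unknown": {"shared_key": True}}},
        {"address": RESOURCE_TYPE + ".old", "type": RESOURCE_TYPE,
         "change": {"actions": ["delete"], "after": None, "after_unknown": {}}},
    ]
})


def expressroute_connections_with_shared_key(plan_json):
    """Return addresses of planned ExpressRoute connections that carry a shared_key."""
    flagged = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change") or {}
        after = change.get("after") or {}            # None when the resource is deleted
        unknown = change.get("after_unknown") or {}
        if after.get("type") != "ExpressRoute":
            continue
        # A value known only at apply time is absent from "after" and is
        # marked True in "after_unknown" instead.
        if after.get("shared_key") is not None or unknown.get("shared_key") is True:
            flagged.append(rc["address"])            # report the address, never the key
    return flagged


if __name__ == "__main__":
    for address in expressroute_connections_with_shared_key(SAMPLE_PLAN):
        print("shared_key set on ExpressRoute connection:", address)
```

The plan JSON contains sensitive values such as shared_key in clear text, so the check reports resource addresses only and the JSON file should be handled like the state file.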