inputs = {
transit_gateway_id = local.transit_gateway_id
customer_gateway_id = local.customer_gateway_id
connect_to_transit_gateway = true
vpn_connection_static_routes_only = true
vpn_connection_static_routes_destinations = local.vpn_static_routes
}

Note - no tunnel cidrs and tunnel preshared keys set.

The errors are in the output, all place where "try(coalesce...." is used.

│ Error: Error in function call
│
│ on outputs.tf line 3, in output "vpn_connection_id":
│ 3: value = try(coalesce(
│ 4: aws_vpn_connection.default[0].id,
│ 5: aws_vpn_connection.tunnel[0].id,
│ 6: aws_vpn_connection.preshared[0].id,
│ 7: aws_vpn_connection.tunnel_preshared[0].id,
│ 8: "")
│ 9: )
│ ├────────────────
│ │ while calling try(expressions...)
│ │ aws_vpn_connection.default[0].id is "vpn-1234567890"
│ │ aws_vpn_connection.preshared is empty tuple
│ │ aws_vpn_connection.tunnel is empty tuple
│ │ aws_vpn_connection.tunnel_preshared is empty tuple
│
│ Call to function "try" failed: no expression succeeded:
│ - Invalid index (at outputs.tf:5,30-33)
│ The given key does not identify an element in this collection value: the collection has no elements.
│ - Invalid index (at outputs.tf:6,33-36)
│ The given key does not identify an element in this collection value: the collection has no elements.
│ - Invalid index (at outputs.tf:7,40-43)
│ The given key does not identify an element in this collection value: the collection has no elements.
│
│ At least one expression must produce a successful result.

$ tf --version
Terraform v1.3.4
on darwin_amd64

• provider registry.terraform.io/hashicorp/aws v4.39.0

Can you please add support for transit gateway?

Thanks for this great module!

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: v3.22.0

See: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection#enable_acceleration

Is your request related to a problem? Please describe.

To use Global Accelerator for low latency and high throughput, you can enable acceleration on site-to-site VPN connections.

Describe the solution you'd like.

An option enable_acceleration would be great that, maybe in combination with a check if connect_to_transit_gateway is set as this is only usable with tgw.

Describe alternatives you've considered.

Can't see any.

Additional context

https://docs.aws.amazon.com/vpn/latest/s2svpn/accelerated-vpn.html

@miguelaferreira I hope you don't mind finishing this as soon as possible.

The instructions described in README.md in each example directory should work (terraform init => plan => apply => destroy). It is one of the requirements for any good module, especially in terraform-aws-modules :)

Now there are 2 main problems with them:

• terraform init => terraform plan => * module.vpn_gateway.aws_vpn_gateway_route_propagation.private_subnets_vpn_routing: aws_vpn_gateway_route_propagation.private_subnets_vpn_routing: value of 'count' cannot be computed
• vpc_subnet_ids var in [examples/complete-vpn-gateway-with-static-routes/main.tf]
  (https://github.com/terraform-aws-modules/terraform-aws-vpn-gateway/blob/master/examples/complete-vpn-gateway-with-static-routes/main.tf#L10)

Thanks!

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform?

• Yes ✅: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection#enable_acceleration

Is your request related to a problem? Please describe.

To use Global Accelerator for low latency and high throughput, you can enable acceleration on site-to-site VPN connections.

Describe the solution you'd like.

An option enable_acceleration would be great that, maybe in combination with a check if connect_to_transit_gateway is set as this is only usable with tgw.

Describe alternatives you've considered.

Can't see any.

Additional context

I have seen same issues and feat requests for adding this flag. Why is the requests was ingnored? It's very useful flag

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: please list the AWS provider version which introduced this functionality

Describe the solution you'd like.

I have multiple VPN connections and name "VPN Connection between VPC vpc-zyx and Customer Gateway cgw-xyz" doesn't tell much.
Do you think you can variablize it with default option set as it is right now?

Describe alternatives you've considered.

Additional context

Hey,
First of all, thanks for this great module. Appreciate it!

Can you please support the following parameters of TF resource aws_vpn_connection:
tunnel1_inside_cidr - (Optional) The CIDR block of the inside IP addresses for the first VPN tunnel.
tunnel2_inside_cidr - (Optional) The CIDR block of the second IP addresses for the first VPN tunnel.
tunnel1_preshared_key - (Optional) The preshared key of the first VPN tunnel.
tunnel2_preshared_key - (Optional) The preshared key of the second VPN tunnel.

They have been added in TF 0.11.3 and AWS module 1.8.0 - if you are too busy, I can open a Pull Request as well. Just let me know.

Thanks and cheers,
Jochen

If I want to use this module as part of establishing fx a VPN tunnel between GCP and AWS, I need access to the preshared keys from the AWS VPN connection.

These are part of the vpn_customer_gateway_configuration output from the module, but the content is in XML.
This requires parsing, to be able to use just the PSKs.So far, I have worked around this with a data source of type external, which calls a small Python script, that extracts and returns the preshared keys.

This is obviously sub optimal, so it would be great if the tunnel1_preshared_key and tunnel2_preshared_key attributes from the vpn_gateway.aws_vpn_connection.default[0] resource could be added as outputs.

How can the IKE params be specified: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html (DPD, DH-groups, encryption algos, etc)

https://github.com/terraform-aws-modules/terraform-aws-vpn-gateway/blob/master/outputs.tf#L113-L125

Should be set sensitive = true, because it contains pre shared key secrets.

Description

Is there a reason why dpd_timeout_seconds is not set (for both tunnels) in the preshared and tunnel_preshared resources?

⚠️ Note

The 2 variables are set in the default and tunnel resources:

  tunnel1_dpd_timeout_seconds = var.tunnel1_dpd_timeout_seconds
  tunnel2_dpd_timeout_seconds = var.tunnel2_dpd_timeout_seconds

Versions

• Terraform: 1.0.2
• Provider(s):
• Module:

Reproduction

Code Snippet to Reproduce

Expected behavior

The 2 variable are set in all the 4 resources.

Actual behavior

Cannot set the DPD timeout for the preshared and tunnel_preshared

Terminal Output Screenshot(s)

Additional context

I have a question about the labeling in the examples. It's unclear to me what is supposed to be public and private, and whether or not the public subnets also need to be included in vpc_subnet_route_table_ids

This variable seems to define a list of private subnets:

variable "vpc_private_subnets" {
  type    = "list"
  default = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
}

But it is actually being used as public subnets:

module "vpc" {
...
  private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
  public_subnets  = ["${var.vpc_private_subnets}"]

And, where I'm most confused, the only route tables with propagation added are the private subnets, but the count is the public subnet variable.

module "vpn_gateway" {
...
  vpc_subnet_route_table_ids   = ["${module.vpc.private_route_table_ids}"]
  vpc_subnet_route_table_count = "${length(var.vpc_private_subnets)}"

My questions are:

1. is this naming accidental or intentional? (perhaps I'm missing something!)
2. do public subnets also need to be added to vpc_subnet_route_table_ids?
3. why are propagate_public_route_tables_vgw and propagate_private_route_tables_vgw not set in the VPC module?

Thanks for your time!

I have this module being called 4 times to create different vpn connections with VPC ID, VGW and CGW being pased to the module.

When I try to import a resource, while it's preparing it throws the following error:

Error: Invalid template interpolation value

  on .terraform/modules/vpn-connection/terraform-aws-modules-terraform-aws-vpn-gateway-051039a/main.tf line 13, in locals:
  13:   connection_identifier = var.connect_to_transit_gateway ? "TGW ${var.transit_gateway_id}" : "VPC ${var.vpc_id}"
    |----------------
    | var.vpc_id is null

The expression result is null. It cannot include a null value in a string
template.

Only way around this for now is having to comment out the VPN module and import.

Can a maintainer please create a branch terraform011 from tag v0.6.1?

Users that haven't yet upgraded to terraform 0.12 would still appreciate support for 0.11.

I'm requesting a review of the required argument: customer_gateway_id.

Description:
I have use cases where I would be working with a virtual gateway (vpn gateway) but not setting up a VPN connection or would require a customer_gateway_id, i.e., working with direct connect virtual interfaces.

Expected Behavior:
If the create_vpn_connection argument is set to false, it should remove the required argument customer_gateway_id

Please reach out if additional feedback is required.

Some statically-routed policy-based VPNs, like Cisco Meraki, require you to configure the local_ipv4_network_cidr and remote_ipv4_network_cidr VPN connection parameters. These parameters cannot be configured using the current terraform-aws-vpn-gateway module and they are required to create a functional policy-based VPN in scenarios when you are not tunneling all traffic to AWS.

Note: There is presently an issue hashicorp/terraform-provider-aws#16879 with the aws provider that prevents you from configuring any CIDR prefix with less than 32 network bits. The issue will need to be resolved before this feature can be added to this module.

I'm trying to create a VPN connection in my VPC w/ static routes, but when the routes are attempted to be made, the vpnConnectionId is missing

terraform.tfvars

  vpc_cidr         = "172.23.0.0/16"
  azs              = ["us-west-1a", "us-west-1c"]
  public_subnets   = ["172.23.1.0/24", "172.23.4.0/24"]
  private_subnets  = ["172.23.2.0/24", "172.23.5.0/24"]
  database_subnets = ["172.23.3.0/24", "172.23.6.0/24"]
  create_database_subnet_route_table = "false"

  static_private_routes = [
    "10.4.0.0/16",
    "172.16.3.0/24",
    "172.17.0.0/24",
    "192.168.200.0/22"
  ]

  create_gateway = "true"

  enable_vpn_gateway = "true"

  propagate_private_route_tables_vgw = "true"

  ###########################
  # PROD_GW3 Customer Gateway
  ###########################
  prod_gw3_ip_address = "x.x.x.x"
  
  #############
  # VPN1 Tunnel
  #############
  vpn1_tunnel1_inside_cidr = "x.x.x.x/30"
  vpn1_tunnel2_inside_cidr = "x.x.x.x/30"

Modules

  terraform {
    backend "s3" {}
  }

  provider "aws" {
    version = "~> 1.31.0"
    region  = "${var.region}"
    profile = "${var.profile}"
  }

  ###########
  # VPC setup
  ###########
  module "vpc" {
    source  = "terraform-aws-modules/vpc/aws"
    version = "1.44.0"

    enable_vpn_gateway                 = "${var.enable_vpn_gateway}"
    propagate_private_route_tables_vgw = "${var.propagate_private_route_tables_vgw}"

    ...
  }

 ###############
 # VPN 1 Gateway
 ###############
 module "vpn1_gateway" {
    source  = "terraform-aws-modules/vpn-gateway/aws"
    version = "1.5.0"

    vpc_id                       = "${module.vpc.vpc_id}"
    vpn_gateway_id               = "${module.vpc.vgw_id}"
    customer_gateway_id          = "${aws_customer_gateway.prod_gw3.id}"
    vpc_subnet_route_table_ids   = ["${module.vpc.private_route_table_ids}"]
    vpc_subnet_route_table_count = "${length(var.private_subnets)}"

    vpn_connection_static_routes_destinations = "${var.static_private_routes}"
    vpn_connection_static_routes_only         = "true"

    create_vpn_connection         = "${var.create_gateway}"
    create_vpn_gateway_attachment = "${var.create_gateway}"

    tunnel1_inside_cidr = "${var.vpn1_tunnel1_inside_cidr}"
    tunnel2_inside_cidr = "${var.vpn1_tunnel2_inside_cidr}"
  }

 ##########
 # PROD GW3
 ##########
 resource "aws_customer_gateway" "prod_gw3" {
   count = "${var.create_gateway? 1 : 0}"

    bgp_asn    = 65000
    ip_address = "${var.prod_gw3_ip_address}"
    type       = "ipsec.1"
  }

Error / output

module.vpn1_gateway.aws_vpn_connection_route.default[2]: Creating...
  destination_cidr_block: "" => "172.17.0.0/24"
module.vpn1_gateway.aws_vpn_connection_route.default[0]: Creating...
  destination_cidr_block: "" => "10.4.0.0/16"
module.vpn1_gateway.aws_vpn_connection_route.default[3]: Creating...
  destination_cidr_block: "" => "192.168.200.0/22"
module.vpn1_gateway.aws_vpn_connection_route.default[1]: Creating...
  destination_cidr_block: "" => "172.16.3.0/24"
Releasing state lock. This may take a few moments...

Error: Error applying plan:

4 error(s) occurred:

* module.vpn1_gateway.aws_vpn_connection_route.default[1]: 1 error(s) occurred:

* aws_vpn_connection_route.default.1: Error creating VPN connection route: MissingParameter: The request must contain the parameter vpnConnectionId
	status code: 400, request id: ecabe556-90bc-4405-b455-1b8328d82efd
* module.vpn1_gateway.aws_vpn_connection_route.default[2]: 1 error(s) occurred:

* aws_vpn_connection_route.default.2: Error creating VPN connection route: MissingParameter: The request must contain the parameter vpnConnectionId
	status code: 400, request id: fff15287-b3e9-483f-a9ab-ed69183a16f4
* module.vpn1_gateway.aws_vpn_connection_route.default[3]: 1 error(s) occurred:

* aws_vpn_connection_route.default.3: Error creating VPN connection route: MissingParameter: The request must contain the parameter vpnConnectionId
	status code: 400, request id: 99aa694f-e42a-4224-b784-e5481780eb55
* module.vpn1_gateway.aws_vpn_connection_route.default[0]: 1 error(s) occurred:

* aws_vpn_connection_route.default.0: Error creating VPN connection route: MissingParameter: The request must contain the parameter vpnConnectionId
	status code: 400, request id: e9bd7aa6-eb69-4900-994d-f7c53f73516a

It looks like its failing right here, but I'm not sure yet why the connection is not being found?

Hi! I see the small bug with terraform 1.0.9, could anyone mark the output as sensitive? Thank you!╷
│ Error: Output refers to sensitive values │ │ on outputs.tf line 113: │ 113: output "vpn_connection_customer_gateway_configuration" {

it cannot use a computed resource output (e.g. random_password.my_shared_key.result) as input for the shared key

Is this an anti-pattern or should the module be able to support that?

Description

When you try to change the IP for a customer gateway resource, following error is encountered:

Error: error deleting EC2 Customer Gateway (cgw-abcde): IncorrectState: The customer gateway is in use. status code: 400, request id: 1234xyz

I think adding a create_before_destroy to the customer gateway resource should fix it.

Thanks for all the hard work.
It seems you can modify the tunnel details in the AWS gui.
Things like phase 1 and phase 2 encryption settings etc.
See https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

No

Describe the solution you'd like.

The module has 4 implementations of aws_vpn_connection however 95% of the code in each resource is identical. With only a few differing lines. These seem to center around 4 differnt variables creating several flavours tunnel1_preshared_key, tunnel2_preshared_key, tunnel1_inside_cidr, tunnel2_inside_cidr. These variables are then used to form 4 flavours

• default - No preshared keys or inside cidrs
• tunnel - no preshared keys but inside cidrs
• preshared - preshared keys but no inside cidrs
• preshared_tunnel - preshared keys and inside cidrs.

This issue is raised to consider reducing the complexity of the flavours and module and make the code DRY to reduce having to make new changes in several places in the code. My general idea is to always pass these variables however with a conditional that checks the value and if its an empty string then pass a null value. However this functionality would only work for versions of terraform V0.12.0 onwards as documented in https://github.com/hashicorp/terraform/releases/tag/v0.12.0

Nullable argument values: It is now possible to use a conditional expression like var.foo != "" ? var.foo : null to conditionally leave an argument value unset, whereas before Terraform required the configuration author to provide a specific default value in this case. Assigning null to an argument is equivalent to omitting that argument entirely.

An example might look like:

  tunnel1_inside_cidr = var.tunnel1_inside_cidr != "" ? var.tunnel1_inside_cidr : null
  tunnel2_inside_cidr = var.tunnel2_inside_cidr != "" ? var.tunnel2_inside_cidr : null

  tunnel1_preshared_key = var.tunnel1_preshared_key != "" ? var.tunnel1_preshared_key : null
  tunnel2_preshared_key = var.tunnel2_preshared_key != "" ? var.tunnel2_preshared_key : null

This could mean we only need to define aws_vpn_connection resource and remove a lot of the repeated code and the local variables. I have not tested any of this. I wanted to float the idea here first before refactoring any of the code. By testing the variables against an empty string we keep the interface of the module intact. This should keep the module backwards compatible with any calling code.

Describe alternatives you've considered.

If we wanted to remove the empty string ternary check when setting the attribute in the resource we could change the default from "" to null but this would not be backwards compatible.

Additional context

If the community feels there is value in this I am happy to pick up the work and refactor and submit a PR for it.

module.vpn_gateway.aws_vpn_connection.preshared Attempts to compute a new ID each run, and also also forces new resource based on preshared keys. Is this expected behaviour? The state objects looks perfectly fine to me.

Description

Is there a reason why dpd_timeout_seconds is not set (for both tunnels) in the preshared and tunnel_preshared resources?

⚠️ Note

The 2 variables are set in the default and tunnel resources:

  tunnel1_dpd_timeout_seconds = var.tunnel1_dpd_timeout_seconds
  tunnel2_dpd_timeout_seconds = var.tunnel2_dpd_timeout_seconds

Versions

• Module version: 2.12.1
• Terraform version: 1.2.2
• Provider version(s): aws 3.7.3

Expected behavior

The 2 variable are set in all the 4 resources.

Actual behavior

Cannot set the DPD timeout for the preshared and tunnel_preshared

More info

Related to unresolved issue - #59

Version of module 3.0.1
❯ terraform --version
Terraform v1.3.4
on darwin_amd64

• provider registry.terraform.io/hashicorp/aws v4.39.0

Error message after apply

│ Error: Output refers to sensitive values
│
│ on outputs.tf line 81:
│ 81: output "vpn_connection_customer_gateway_configuration" {
│
│ To reduce the risk of accidentally exporting sensitive data that was
│ intended to be only internal, Terraform requires that any root module
│ output containing sensitive data be explicitly marked as sensitive, to
│ confirm your intent.
│
│ If you do intend to export this data, annotate the output value as
│ sensitive by adding the following argument:
│ sensitive = true

We use this module and also have manual assets, can I use this module with the older assets by importing them? I'm not sure how to map them?

hey mate,

have a look, maybe helps: https://github.com/ellerbrock/tf-aws-vpn-connection

cheers maik

Description

I was using this module earlier and it was working perfectly however upgrading to v2.12 adds an error related to IPv6 configuration, which I am not using.

Rolling back to v2.11.1 solves the issue.

Error

Error: Missing required argument
│
│ with module.aws-gcp-vpn-tunnels.module.vpn_gateway.aws_vpn_connection.tunnel_preshared[0],
│ on .terraform/modules/aws-gcp-vpn-tunnels.vpn_gateway/main.tf line 304, in resource "aws_vpn_connection" "tunnel_preshared":
│ 304: local_ipv6_network_cidr = var.local_ipv6_network_cidr
│
│ "local_ipv6_network_cidr": all of
│ local_ipv6_network_cidr,transit_gateway_id must be specified

I was reviewing the complete-vpn-gateway-with-static-routes example and noticed a minor problem.

I'm pretty sure the variable vpc_private_subnets should be used to define the private subnets in the vpc module, but it's used to define the public subnets instead (see here).

Thanks for the hard work.

When working with direct connect and wanting to create a private IP VPN, you need to configure the "Outside IP address type" to "PrivateIpv4" and choose the Direct Connect Transit Gateway attachment.

Can you please add this feature?

When creating the VPN Connection, the "Name" tag is pre-configured to be:
"VPN Connection between VPC vpc-xxxxxx and Customer Gateway cgw-xxxx"

If a "Name" tag is provided in the tags variable for the module, the error:

╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.infra.module.vpn_gateway[0].aws_vpn_connection.default[0] to include new values learned so far during apply,
│ provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all: new element "Name" has appeared.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷

Versions

• Terraform: 1.0.11
• Provider(s):

• provider registry.terraform.io/hashicorp/aws v3.65.0
• provider registry.terraform.io/hashicorp/random v3.1.0
• provider registry.terraform.io/hashicorp/tls v3.1.0
• provider registry.terraform.io/vancluever/acme v2.6.0

• Module:
• terraform-aws-modules/vpn-gateway/aws version 2.11.0

Expected behavior

The "Name" tag for the VPN connection should use the tags.Name provided instead of defining its own.

Actual behavior

An error was produced as above.

Terraform v0.12.20
provider.aws v2.47.0

if i do:

• git clone https://github.com/terraform-aws-modules/terraform-aws-vpn-gateway.git
• cd terraform-aws-vpn-gateway/examples/complete-vpn-connection-transit-gateway
• terraform init
• terraform plan

i get the error message down below.

terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

Error: Invalid template interpolation value

  on ../../main.tf line 13, in locals:
  13:   connection_identifier = var.connect_to_transit_gateway ? "TGW ${var.transit_gateway_id}" : "VPC ${var.vpc_id}"
    |----------------
    | var.vpc_id is null

The expression result is null. Cannot include a null value in a string
template.```