An up-to-date reference of the API arguments for an EVPN (Enterprise VPN) connection is available at the documentation portal.
opentelekomcloud_enterprise_vpn_connection_v5¶
Manages a VPN connection resource within OpenTelekomCloud.
Example Usage¶
Basic Usage¶
```hcl
variable "name" {}
variable "peer_subnet" {}
variable "gateway_id" {}
variable "gateway_ip" {}
variable "customer_gateway_id" {}

resource "opentelekomcloud_enterprise_vpn_connection_v5" "conn" {
  name                = var.name
  gateway_id          = var.gateway_id
  gateway_ip          = var.gateway_ip
  customer_gateway_id = var.customer_gateway_id
  peer_subnets        = [var.peer_subnet]
  vpn_type            = "static"
  # Placeholder pre-shared key for the example only. In real use, pass the PSK
  # through a sensitive variable instead of committing it to source.
  psk = "Test@123"
}
```
VPN connection with IKE and IPsec policies¶

Note that this example still uses `vpn_type = "static"`; the `ikepolicy` and `ipsecpolicy` blocks tune the IKE/IPsec negotiation and are independent of the `policy` connection type.

```hcl
variable "name" {}
variable "peer_subnet" {}
variable "gateway_id" {}
variable "gateway_ip" {}
variable "customer_gateway_id" {}

resource "opentelekomcloud_enterprise_vpn_connection_v5" "policy" {
  name                = var.name
  gateway_id          = var.gateway_id
  gateway_ip          = var.gateway_ip
  customer_gateway_id = var.customer_gateway_id
  peer_subnets        = [var.peer_subnet]
  vpn_type            = "static"
  # Placeholder pre-shared key for the example only; use a sensitive variable in practice.
  psk = "Test@123"

  # Phase 1 (IKE SA) parameters; dh_group is left at its default here.
  ikepolicy {
    authentication_algorithm = "sha2-256"
    authentication_method    = "pre-share"
    encryption_algorithm     = "aes-128"
    ike_version              = "v2"
    lifetime_seconds         = 86400
  }

  # Phase 2 (IPsec SA) parameters with perfect forward secrecy enabled.
  ipsecpolicy {
    authentication_algorithm = "sha2-256"
    encapsulation_mode       = "tunnel"
    encryption_algorithm     = "aes-128"
    lifetime_seconds         = 3600
    pfs                      = "group14"
    transform_protocol       = "esp"
  }
}
```
Argument Reference¶
The following arguments are supported:
* `name` - (Required, String) The name of the VPN connection.

* `gateway_id` - (Required, String, ForceNew) The VPN gateway ID.
  Changing this parameter will create a new resource.

* `gateway_ip` - (Required, String, ForceNew) The VPN gateway IP ID.
  When `network_type` of the VPN gateway is set to `public`, set this parameter to the EIP ID of the VPN gateway.
  When `network_type` of the VPN gateway is set to `private`, set this parameter to the private IP address of the VPN gateway.
  Changing this parameter will create a new resource.

* `vpn_type` - (Required, String, ForceNew) The connection type. The value can be `policy`, `static` or `bgp`.
  Changing this parameter will create a new resource.

* `customer_gateway_id` - (Required, String) The customer gateway ID.

* `psk` - (Required, String) The pre-shared key.

* `peer_subnets` - (Optional, List) The CIDR list of customer subnets. This parameter must be empty when the
  `attachment_type` of the VPN gateway is set to `er` and `vpn_type` is set to `policy` or `bgp`. This parameter
  is mandatory in other scenarios.

* `tunnel_local_address` - (Optional, String) The local tunnel address.

* `tunnel_peer_address` - (Optional, String) The peer tunnel address.

* `enable_nqa` - (Optional, Bool) Whether to enable the NQA check. Defaults to `false`.

* `ikepolicy` - (Optional, List) The IKE policy configuration. The `ikepolicy` structure is documented below.

* `ipsecpolicy` - (Optional, List) The IPsec policy configuration. The `ipsecpolicy` structure is documented below.

* `policy_rules` - (Optional, List) The policy rules. Only works when `vpn_type` is set to `policy`.
  The `policy_rules` structure is documented below.

* `tags` - (Optional, Map) Specifies the tags of the VPN connection.

* `ha_role` - (Optional, String, ForceNew) Specifies the mode of the VPN connection. The valid values are `master`
  and `slave`; defaults to `master`. This parameter is optional when you create a connection for a VPN gateway in
  `active-active` mode. When you create a connection for a VPN gateway in `active-standby` mode, `master` indicates
  the active connection and `slave` indicates the standby connection. In `active-active` mode, this field must be
  set to `master` for the connection established using the active EIP or active private IP address of the VPN
  gateway, and must be set to `slave` for the connection established using active EIP 2 or active private IP
  address 2 of the VPN gateway.
  Changing this parameter will create a new resource.
The `ikepolicy` block supports:

* `authentication_algorithm` - (Optional, String) The authentication algorithm. The value can be `sha1`, `md5`,
  `sha2-256`, `sha2-384`, `sha2-512`. Defaults to `sha2-256`. `sha1` and `md5` are less secure, please use them
  with caution.

* `encryption_algorithm` - (Optional, String) The encryption algorithm. The value can be `3des`, `aes-128`,
  `aes-192`, `aes-256`, `aes-128-gcm-16`, `aes-256-gcm-16`, `aes-128-gcm-128`, `aes-256-gcm-128`. Defaults to
  `aes-128`. `3des` is less secure, please use it with caution.

* `ike_version` - (Optional, String) The IKE negotiation version. The value can be `v1` or `v2`. Defaults to `v2`.

* `lifetime_seconds` - (Optional, Int) The life cycle of the IKE SA in seconds. The value ranges from `60` to
  `604,800`. Defaults to `86,400`. When the life cycle expires, the IKE SA is automatically renegotiated.

* `local_id_type` - (Optional, String) The local ID type. The value can be `ip` or `fqdn`. Defaults to `ip`.

* `local_id` - (Optional, String) The local ID.

* `peer_id_type` - (Optional, String) The peer ID type. The value can be `ip` or `fqdn`. Defaults to `ip`.

* `peer_id` - (Optional, String) The peer ID.

* `phase_one_negotiation_mode` - (Optional, String) The negotiation mode; only works when `ike_version` is `v1`.
  The value can be `main` or `aggressive`. Defaults to `main`. Aggressive mode transmits the PSK-derived
  authentication hash before the exchange is encrypted, exposing the pre-shared key to offline guessing;
  prefer `main` mode or, better, IKEv2.

* `authentication_method` - (Optional, String, ForceNew) The authentication method during IKE negotiation.
  The value can be `pre-share`. Defaults to `pre-share`.

* `dh_group` - (Optional, String) Specifies the DH group used for key exchange in phase 1. The value can be
  `group1`, `group2`, `group5`, `group14`, `group15`, `group16`, `group19`, `group20`, or `group21`. Exercise
  caution when using `group1`, `group2`, `group5`, or `group14` as they have low security. Defaults to `group15`.

* `dpd` - (Optional, List) Specifies the dead peer detection (DPD) object. The `dpd` structure is documented below.

The `dpd` block supports:

* `timeout` - (Optional, Int) Specifies the interval for retransmitting DPD packets. The value ranges from `2`
  to `60`, in seconds. Defaults to `15`.

* `interval` - (Optional, Int) Specifies the DPD idle timeout period. The value ranges from `10` to `3,600`,
  in seconds. Defaults to `30`.

* `msg` - (Optional, String) Specifies the format of DPD packets. The value can be:
  * `seq-hash-notify`: the payload of DPD packets is in the sequence hash-notify;
  * `seq-notify-hash`: the payload of DPD packets is in the sequence notify-hash.

  Defaults to `seq-hash-notify`.
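The following is an added example, not part of the provider's own documentation, showing how the `ha_role`, `ikepolicy` and `dpd` arguments above fit together for a VPN gateway in `active-active` mode. One connection is created per gateway address with a single `for_each`, so the `master` role lands on the first active address and `slave` on the second. `var.gateway_ip_2` (the second active EIP or private IP ID of the gateway) and `var.psk` are assumed inputs that the page does not define; the DH group and cipher choices follow the cautions in the argument descriptions.

```hcl
# Added example: active-active gateway with one connection per gateway address.
# var.gateway_ip_2 and var.psk are assumed variables, not names from the page.
variable "name" {}
variable "peer_subnet" {}
variable "gateway_id" {}
variable "gateway_ip" {}   # active EIP 1 / active private IP 1 of the gateway
variable "gateway_ip_2" {} # active EIP 2 / active private IP 2 (assumed variable)
variable "customer_gateway_id" {}

variable "psk" {
  type      = string
  sensitive = true # keeps the PSK out of plan/apply output; it is still written to state
}

locals {
  # ha_role -> gateway address. In active-active mode the page requires
  # "master" on the first active address and "slave" on the second.
  ha_connections = {
    master = var.gateway_ip
    slave  = var.gateway_ip_2
  }
}

resource "opentelekomcloud_enterprise_vpn_connection_v5" "ha" {
  for_each = local.ha_connections

  name                = "${var.name}-${each.key}"
  gateway_id          = var.gateway_id
  gateway_ip          = each.value
  ha_role             = each.key
  customer_gateway_id = var.customer_gateway_id
  peer_subnets        = [var.peer_subnet]
  vpn_type            = "static"
  psk                 = var.psk

  ikepolicy {
    ike_version              = "v2"        # avoids IKEv1 aggressive-mode PSK exposure
    authentication_method    = "pre-share"
    encryption_algorithm     = "aes-256"
    authentication_algorithm = "sha2-256"
    dh_group                 = "group19"   # not one of the groups the page flags as low security
    lifetime_seconds         = 86400

    # Detect a dead peer within roughly interval + a few retransmissions.
    dpd {
      timeout  = 15
      interval = 30
      msg      = "seq-hash-notify"
    }
  }

  ipsecpolicy {
    transform_protocol       = "esp"
    encapsulation_mode       = "tunnel"
    encryption_algorithm     = "aes-256"
    authentication_algorithm = "sha2-256"
    pfs                      = "group19"
    lifetime_seconds         = 3600
  }
}
```

Because `ha_role` is `ForceNew`, changing the map keys later replaces the affected connection rather than updating it in place. The `sensitive` flag only suppresses the PSK in CLI output; the value is still stored in the Terraform state file, so protect the state backend accordingly.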
The `ipsecpolicy` block supports:

* `authentication_algorithm` - (Optional, String) The authentication algorithm. The value can be `sha1`, `md5`,
  `sha2-256`, `sha2-384`, `sha2-512`. Defaults to `sha2-256`. `sha1` and `md5` are less secure, please use them
  with caution.

* `encryption_algorithm` - (Optional, String) The encryption algorithm. The value can be `3des`, `aes-128`,
  `aes-192`, `aes-256`, `aes-128-gcm-16`, `aes-256-gcm-16`, `aes-128-gcm-128`, `aes-256-gcm-128`. Defaults to
  `aes-128`. `3des` is less secure, please use it with caution.

* `pfs` - (Optional, String) The DH key group used by PFS. The value can be `group1`, `group2`, `group5`,
  `group14`, `group16`, `group19`, `group20`, `group21`. Defaults to `group14`.

* `lifetime_seconds` - (Optional, Int) The lifecycle time of the IPsec tunnel in seconds. The value ranges from
  `60` to `604,800`. Defaults to `3600`.

* `transform_protocol` - (Optional, String) The transform protocol. Only `esp` is supported for now. Defaults to `esp`.

* `encapsulation_mode` - (Optional, String) The encapsulation mode. Only `tunnel` is supported for now.
  Defaults to `tunnel`.
The `policy_rules` block supports:

* `destination` - (Optional, List) The list of destination CIDRs.

* `source` - (Optional, String) The source CIDR.
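The page's own examples only cover `vpn_type = "static"`; the following is an added example (not from the provider documentation) of a policy-based connection, where `policy_rules` define which local source CIDR may reach which peer destinations through the tunnel. The CIDRs are constructed sample values, `var.psk` is an assumed input, and the gateway is assumed to be attached to a VPC rather than an enterprise router, which is why `peer_subnets` is still required.

```hcl
# Added example: policy-based connection with explicit traffic selectors.
# CIDRs are constructed sample values; var.psk is an assumed variable.
variable "name" {}
variable "gateway_id" {}
variable "gateway_ip" {}
variable "customer_gateway_id" {}

variable "psk" {
  type      = string
  sensitive = true
}

resource "opentelekomcloud_enterprise_vpn_connection_v5" "policy_based" {
  name                = var.name
  gateway_id          = var.gateway_id
  gateway_ip          = var.gateway_ip
  customer_gateway_id = var.customer_gateway_id
  vpn_type            = "policy"
  psk                 = var.psk

  # Mandatory here: the gateway is assumed to be VPC-attached (attachment_type
  # is not "er"), so the customer-side CIDRs must be listed.
  peer_subnets = ["192.168.10.0/24", "192.168.20.0/24"]

  # Only honoured when vpn_type = "policy". Each rule pairs one local source
  # CIDR with the peer destinations it is allowed to reach; traffic outside
  # these selectors is not carried by the tunnel.
  policy_rules {
    source      = "10.0.1.0/24"
    destination = ["192.168.10.0/24"]
  }

  policy_rules {
    source      = "10.0.2.0/24"
    destination = ["192.168.10.0/24", "192.168.20.0/24"]
  }
}
```

Keep the rules as narrow as the application flows require: each `source`/`destination` pair is a traffic selector negotiated with the peer, and a mismatch with the customer gateway's own selectors is the usual reason a policy-based tunnel negotiates IKE successfully but carries no traffic.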
Attribute Reference¶
In addition to all arguments above, the following attributes are exported:
* `id` - The resource ID.

* `status` - The status of the VPN connection.

* `created_at` - The creation time.

* `updated_at` - The update time.

* `region` - The region in which the resource is created.
Timeouts¶
This resource provides the following timeouts configuration options:
* `create` - Default is 10 minutes.

* `update` - Default is 10 minutes.

* `delete` - Default is 10 minutes.
Import¶
The connection can be imported using the `id`, e.g.

```shell
$ terraform import opentelekomcloud_enterprise_vpn_connection_v5.conn <id>
```