Merge pull request #2 from fjdev/feature/vpn-server-configuration

Add VPN Server Configuration

README.md

@@ -20,6 +20,7 @@ No requirements.
 | Name | Type |
 |------|------|
 | [azurerm_point_to_site_vpn_gateway.p2s_vpng](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/point_to_site_vpn_gateway) | resource |
+| [azurerm_vpn_server_configuration.vpnsc](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_server_configuration) | resource |
 
 ## Inputs
 
@@ -36,7 +37,7 @@ No requirements.
 | <a name="input_scale_unit"></a> [scale\_unit](#input\_scale\_unit) | (Required) The Scale Unit for this Point-to-Site VPN Gateway. | `number` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway. | `any` | `null` | no |
 | <a name="input_virtual_hub_id"></a> [virtual\_hub\_id](#input\_virtual\_hub\_id) | (Required) The ID of the Virtual Hub where this Point-to-Site VPN Gateway should exist. Changing this forces a new resource to be created. | `string` | n/a | yes |
-| <a name="input_vpn_server_configuration_id"></a> [vpn\_server\_configuration\_id](#input\_vpn\_server\_configuration\_id) | (Required) The ID of the VPN Server Configuration which this Point-to-Site VPN Gateway should use. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_vpn_server_configuration"></a> [vpn\_server\_configuration](#input\_vpn\_server\_configuration) | (Required) A vpn\_server\_configuration block as defined below. | <pre>object({<br>    name                     = string<br>    vpn_authentication_types = string<br>    ipsec_policy = optional(object({<br>      dh_group               = string<br>      ike_encryption         = string<br>      ike_integrity          = string<br>      ipsec_encryption       = string<br>      ipsec_integrity        = string<br>      pfs_group              = string<br>      sa_lifetime_seconds    = number<br>      sa_data_size_kilobytes = number<br>    }))<br>    vpn_protocols = optional(list(string))<br>    azure_active_directory_authentication = optional(object({<br>      audience = string<br>      issuer   = string<br>      tenant   = string<br>    }))<br>    client_root_certificate = optional(map(object({<br>      public_cert_data = string<br>    })))<br>    client_revoked_certificate = optional(map(object({<br>      thumbprint = string<br>    })))<br>    radius = optional(object({<br>      server = map(object({<br>        address = string<br>        secret  = string<br>        score   = number<br>      }))<br>      client_root_certificate = optional(map(object({<br>        thumbprint = string<br>      })))<br>      server_root_certificate = optional(map(object({<br>        public_cert_data = string<br>      })))<br>    }))<br>  })</pre> | n/a | yes |
 
 ## Outputs
 

main.tf

@@ -34,8 +34,8 @@ resource "azurerm_point_to_site_vpn_gateway" "p2s_vpng" {
 
   scale_unit                          = var.scale_unit
   virtual_hub_id                      = var.virtual_hub_id
-  vpn_server_configuration_id         = var.vpn_server_configuration_id
+  vpn_server_configuration_id         = azurerm_vpn_server_configuration.vpnsc.id
   dns_servers                         = var.dns_servers
   routing_preference_internet_enabled = var.routing_preference_internet_enabled
-  tags                                = var.tags
+  tags                                = try(var.tags.point_to_site_vpn_gateway, null)
 }

variables.tf

@@ -34,11 +34,6 @@ variable "virtual_hub_id" {
   description = "(Required) The ID of the Virtual Hub where this Point-to-Site VPN Gateway should exist. Changing this forces a new resource to be created."
 }
 
-variable "vpn_server_configuration_id" {
-  type        = string
-  description = "(Required) The ID of the VPN Server Configuration which this Point-to-Site VPN Gateway should use. Changing this forces a new resource to be created."
-}
-
 variable "dns_servers" {
   type        = list(string)
   default     = null
@@ -62,3 +57,46 @@ variable "tags" {
   default     = null
   description = "(Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway."
 }
+
+variable "vpn_server_configuration" {
+  type = object({
+    name                     = string
+    vpn_authentication_types = string
+    ipsec_policy = optional(object({
+      dh_group               = string
+      ike_encryption         = string
+      ike_integrity          = string
+      ipsec_encryption       = string
+      ipsec_integrity        = string
+      pfs_group              = string
+      sa_lifetime_seconds    = number
+      sa_data_size_kilobytes = number
+    }))
+    vpn_protocols = optional(list(string))
+    azure_active_directory_authentication = optional(object({
+      audience = string
+      issuer   = string
+      tenant   = string
+    }))
+    client_root_certificate = optional(map(object({
+      public_cert_data = string
+    })))
+    client_revoked_certificate = optional(map(object({
+      thumbprint = string
+    })))
+    radius = optional(object({
+      server = map(object({
+        address = string
+        secret  = string
+        score   = number
+      }))
+      client_root_certificate = optional(map(object({
+        thumbprint = string
+      })))
+      server_root_certificate = optional(map(object({
+        public_cert_data = string
+      })))
+    }))
+  })
+  description = "(Required) A vpn_server_configuration block as defined below."
+}

vpn_server_configuration.tf

@@ -0,0 +1,86 @@
+resource "azurerm_vpn_server_configuration" "vpnsc" {
+  name                     = var.vpn_server_configuration.name
+  resource_group_name      = var.deploy_resource_group ? module.resource_group[0].name : var.resource_group_name
+  location                 = var.location
+  vpn_authentication_types = var.vpn_server_configuration.vpn_authentication_types
+
+  dynamic "ipsec_policy" {
+    for_each = var.vpn_server_configuration.ipsec_policy != null ? [var.vpn_server_configuration.ipsec_policy] : []
+
+    content {
+      dh_group               = ipsec_policy.value.dh_group
+      ike_encryption         = ipsec_policy.value.ike_encryption
+      ike_integrity          = ipsec_policy.value.ike_integrity
+      ipsec_encryption       = ipsec_policy.value.ipsec_encryption
+      ipsec_integrity        = ipsec_policy.value.ipsec_integrity
+      pfs_group              = ipsec_policy.value.pfs_group
+      sa_lifetime_seconds    = ipsec_policy.value.sa_lifetime_seconds
+      sa_data_size_kilobytes = ipsec_policy.value.sa_data_size_kilobytes
+    }
+  }
+
+  vpn_protocols = var.vpn_server_configuration.vpn_protocols
+  tags          = try(var.tags.vpn_server_configuration, null)
+
+  dynamic "azure_active_directory_authentication" {
+    for_each = var.vpn_server_configuration.vpn_authentication_types == "AAD" ? [var.vpn_server_configuration.azure_active_directory_authentication] : []
+
+    content {
+      audience = azure_active_directory_authentication.value.audience
+      issuer   = azure_active_directory_authentication.value.issuer
+      tenant   = azure_active_directory_authentication.value.tenant
+    }
+  }
+
+  dynamic "client_root_certificate" {
+    for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" ? var.vpn_server_configuration.client_root_certificate : {}
+
+    content {
+      name             = client_root_certificate.key
+      public_cert_data = client_root_certificate.value.publipublic_cert_data
+    }
+  }
+
+  dynamic "client_revoked_certificate" {
+    for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" && var.vpn_server_configuration.client_revoked_certificate != null ? var.vpn_server_configuration.client_revoked_certificate : {}
+
+    content {
+      name       = client_revoked_certificate.key
+      thumbprint = client_revoked_certificate.value.thumbprint
+    }
+  }
+
+  dynamic "radius" {
+    for_each = var.vpn_server_configuration.vpn_authentication_types == "Radius" && var.vpn_server_configuration.radius != null ? [var.vpn_server_configuration.radius] : []
+
+    content {
+      dynamic "server" {
+        for_each = radius.value.server
+
+        content {
+          address = server.value.address
+          secret  = server.value.secret
+          score   = server.value.score
+        }
+      }
+
+      dynamic "client_root_certificate" {
+        for_each = radius.value.client_root_certificate != null ? radius.value.client_root_certificate : {}
+
+        content {
+          name       = client_root_certificate.key
+          thumbprint = client_root_certificate.value.thumbprint
+        }
+      }
+
+      dynamic "server_root_certificate" {
+        for_each = radius.value.server_root_certificate != null ? radius.value.server_root_certificate : {}
+
+        content {
+          name             = server_root_certificate.key
+          public_cert_data = server_root_certificate.value.public_cert_data
+        }
+      }
+    }
+  }
+}