terraform-ibm-modules / terraform-ibm-client-to-site-vpn

Creates a client-to-site VPN gateway in a VPC

License: Apache License 2.0

Languages: HCL 72.93%, Go 20.21%, Shell 6.86%
Topics: core-team, ibm-cloud, terraform, terraform-module, vpn, client-to-site, graduated, supported, deployable-architecture

terraform-ibm-client-to-site-vpn's People

Contributors

aashiq-j, aayush-abhyarthi, akocbek, iamar7, jojustin, khuzaima05, kierramarie, matthewlemmond, mounika-nalla, ocofaigh, rajatagarwal-ibm, renovate-bot, shemau, sirspidey, terraform-ibm-modules-ops, vburckhardt

terraform-ibm-client-to-site-vpn's Issues

Update SLZ DA extension to support HA

Description

Update the current SLZ DA extension at https://github.com/terraform-ibm-modules/terraform-ibm-client-to-site-vpn/tree/main/extensions/landing-zone to support HA. I think maybe we default it to HA by passing 2 subnets to the VPN, but customers will want the ability to choose which subnets to use, so we need to provide the ability to do that as an override if we automatically assign 2 subnets by default.
NOTE: updates may be required to diagrams and ibm_catalog.json metadata.

New or affected modules

none


Disable rotation for private cert + extend ttl

Description

The client-to-site gateway is not currently able to pick up rotated certs from SM. The current config rotates every 4 weeks, which means that connectivity breaks 4 weeks after running the examples in the module.

Suggest bumping the default. Feedback from some consumers to take into consideration:

  • Root CA: 10 years
  • Intermediate CA: 3 years
  • TLS Private Cert: 12 months

New or affected modules

https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-private-cert , https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-private-cert-engine , client-to-site module


Review all client to site DA related documentation

The client to site DA has 1 flavor currently:

  • standard (I think we should move it into a solutions folder to be consistent with all other DAs)

The following items will need to be reviewed and updated where required:

  • DA variable descriptions (in the DA's variables.tf file)
  • The information in the ibm_catalog.json (labels, descriptions, features etc). Are we happy with the flavor naming?

Fix transparency of c2s image diagram

https://github.com/terraform-ibm-modules/terraform-ibm-client-to-site-vpn/blob/main/extensions/landing-zone/c2s-basic.drawio.svg

currently does not display right with dark theme


[terraform-ibm-client-to-site-vpn] Intermittent timing issue with security group

Intermittently, the landing-zone example fails with the error: Could not find the security group 'default security group' for the given VPN server. Below you can see the full output, and attached is a provider trace log.
This is more than likely a timing issue, because it passes on re-apply, so a simple sleep may suffice here...

module.vpn.ibm_iam_access_group.cts_vpn_access_group[0]: Creating...
ibm_is_network_acl_rule.allow_vpn_inbound[0]: Creating...
ibm_is_vpc_address_prefix.client_to_site_address_prefixes: Creating...
ibm_is_network_acl_rule.allow_vpn_outbound[0]: Creating...
module.client_to_site_sg.ibm_is_security_group.sg[0]: Creating...
ibm_is_network_acl.client_to_site_vpn_acl: Creating...
module.vpn.ibm_iam_access_group.cts_vpn_access_group[0]: Creation complete after 0s [id=AccessGroupId-531a0430-8539-4d79-9579-462f5abaa9b0]
module.vpn.ibm_iam_access_group_policy.cts_vpn_access_group_policy[0]: Creating...
module.vpn.ibm_iam_authorization_policy.policy[0]: Creating...
module.secrets_manager_group.ibm_sm_secret_group.secret_group: Creating...
ibm_is_network_acl_rule.allow_vpn_inbound[0]: Creation complete after 1s [id=r006-45825ed9-f474-40ca-a293-f55f9171aed9/36c4ddca-6981-42d9-a52a-5814f39e7c61]
ibm_is_network_acl_rule.allow_vpn_outbound[0]: Creation complete after 1s [id=r006-45825ed9-f474-40ca-a293-f55f9171aed9/9cb4bdc1-6b45-42ab-95cc-c12c77750e00]
module.vpn.ibm_iam_authorization_policy.policy[0]: Creation complete after 1s [id=82a09bf0-b219-4a50-8a7c-197cc5b4be0b]
module.vpn.ibm_iam_access_group_policy.cts_vpn_access_group_policy[0]: Creation complete after 2s [id=AccessGroupId-531a0430-8539-4d79-9579-462f5abaa9b0/8468a062-38e2-4ee6-81fe-262ee7779e7d]
ibm_is_vpc_address_prefix.client_to_site_address_prefixes: Creation complete after 3s [id=r006-1efe576c-2b56-410d-8828-413f1c4ea8c3/r006-ccf3933a-a5df-4c2a-ab3a-8001e7a972a7]
module.secrets_manager_group.ibm_sm_secret_group.secret_group: Creation complete after 3s [id=us-south/79c6d411-c18f-4670-b009-b0044a238667/e170aa10-9941-62d0-03e0-3cd87b99215b]
module.secrets_manager_private_certificate.ibm_sm_private_certificate.secrets_manager_private_certificate: Creating...
ibm_is_network_acl.client_to_site_vpn_acl: Creation complete after 4s [id=r006-0de737c5-7398-4a3c-851f-42e01d405d98]
module.client_to_site_sg.ibm_is_security_group.sg[0]: Creation complete after 4s [id=r006-3e2eacd2-7cc9-4bac-bf8c-4a7031382ebf]
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[1]: Creating...
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[3]: Creating...
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[2]: Creating...
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[0]: Creating...
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[4]: Creating...
ibm_is_subnet.client_to_site_subnet: Creating...
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[1]: Creation complete after 2s [id=r006-3e2eacd2-7cc9-4bac-bf8c-4a7031382ebf.r006-a9f6de8d-8290-4f6d-88a5-83a29ce7124b]
module.secrets_manager_private_certificate.ibm_sm_private_certificate.secrets_manager_private_certificate: Creation complete after 3s [id=us-south/79c6d411-c18f-4670-b009-b0044a238667/9bce2b0d-f73e-2d07-1c57-6374e7652132]
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[3]: Creation complete after 3s [id=r006-3e2eacd2-7cc9-4bac-bf8c-4a7031382ebf.r006-3fb1f156-799e-4e54-9fb5-0e63ccf629a4]
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[0]: Creation complete after 5s [id=r006-3e2eacd2-7cc9-4bac-bf8c-4a7031382ebf.r006-916d9981-8133-4ce1-9d6f-b87c84bbfe83]
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[4]: Creation complete after 7s [id=r006-3e2eacd2-7cc9-4bac-bf8c-4a7031382ebf.r006-074c440e-7159-40a7-b92c-d6c270e8a997]
module.client_to_site_sg.ibm_is_security_group_rule.security_group_rule[2]: Creation complete after 8s [id=r006-3e2eacd2-7cc9-4bac-bf8c-4a7031382ebf.r006-a00cacf2-0220-4afe-a18f-dab7fc1eff67]
ibm_is_subnet.client_to_site_subnet: Still creating... [10s elapsed]
ibm_is_subnet.client_to_site_subnet: Creation complete after 15s [id=0717-ab6764e5-ee50-4ce7-8305-35eac3ee71f4]
module.vpn.ibm_is_vpn_server.vpn: Creating...
╷
│ Error: [ERROR] CreateVPNServerWithContext failed Could not find the security group 'default security group' for the given VPN server.
│ {
│     "StatusCode": 404,
│     "Headers": {
│         "Cache-Control": [
│             "max-age=0, no-cache, no-store, must-revalidate"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "7edefe49c8129585-DUB"
│         ],
│         "Content-Security-Policy": [
│             "frame-ancestors 'none'; default-src 'self'; form-action 'self'"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Fri, 28 Jul 2023 17:55:31 GMT"
│         ],
│         "Expires": [
│             "-1"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "c2ddba80-2ffd-9d09-9537-b622f5c2ff3b"
│         ],
│         "Vary": [
│             "Accept-Encoding"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "c2ddba80-2ffd-9d09-9537-b622f5c2ff3b"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "2721"
│         ],
│         "X-Request-Id": [
│             "c2ddba80-2ffd-9d09-9537-b622f5c2ff3b"
│         ],
│         "X-Xss-Protection": [
│             "1; mode=block"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "vpn_server_security_group_not_found",
│                 "message": "Could not find the security group 'default security group' for the given VPN server.",
│                 "more_info": "https://cloud.ibm.com/docs/infrastructure/vpc/errors.html#vpn_server_security_group_not_found",
│                 "target": {
│                     "name": "",
│                     "type": ""
│                 }
│             }
│         ],
│         "trace": "c2ddba80-2ffd-9d09-9537-b622f5c2ff3b"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with module.vpn.ibm_is_vpn_server.vpn,
│   on ../../main.tf line 50, in resource "ibm_is_vpn_server" "vpn":
│   50: resource "ibm_is_vpn_server" "vpn" {
│ 

Trace log:
trace1.log

Review client to site DA diagram

Review the diagram(s) in the reference-architectures directory...

  • Do they contain accurate, relevant information?
  • Are they using approved icons / objects?
