github.com/pulumi/pulumi-aws/sdk/v6@v6.32.0/go/aws/ec2/vpnConnection.go

// Code generated by the Pulumi Terraform Bridge (tfgen) Tool DO NOT EDIT.
// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! ***

package ec2

import (
	"context"
	"reflect"

	"errors"
	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/internal"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// Manages a Site-to-Site VPN connection. A Site-to-Site VPN connection is an Internet Protocol security (IPsec) VPN connection between a VPC and an on-premises network.
// Any new Site-to-Site VPN connection that you create is an [AWS VPN connection](https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-categories.html).
//
// > **Note:** The CIDR blocks in the arguments `tunnel1InsideCidr` and `tunnel2InsideCidr` must have a prefix of /30 and be a part of a specific range.
// [Read more about this in the AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VpnTunnelOptionsSpecification.html).
//
// ## Example Usage
//
// ### EC2 Transit Gateway
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2transitgateway"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			example, err := ec2transitgateway.NewTransitGateway(ctx, "example", nil)
//			if err != nil {
//				return err
//			}
//			exampleCustomerGateway, err := ec2.NewCustomerGateway(ctx, "example", &ec2.CustomerGatewayArgs{
//				BgpAsn:    pulumi.String("65000"),
//				IpAddress: pulumi.String("172.0.0.1"),
//				Type:      pulumi.String("ipsec.1"),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = ec2.NewVpnConnection(ctx, "example", &ec2.VpnConnectionArgs{
//				CustomerGatewayId: exampleCustomerGateway.ID(),
//				TransitGatewayId:  example.ID(),
//				Type:              exampleCustomerGateway.Type,
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ### Virtual Private Gateway
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			vpc, err := ec2.NewVpc(ctx, "vpc", &ec2.VpcArgs{
//				CidrBlock: pulumi.String("10.0.0.0/16"),
//			})
//			if err != nil {
//				return err
//			}
//			vpnGateway, err := ec2.NewVpnGateway(ctx, "vpn_gateway", &ec2.VpnGatewayArgs{
//				VpcId: vpc.ID(),
//			})
//			if err != nil {
//				return err
//			}
//			customerGateway, err := ec2.NewCustomerGateway(ctx, "customer_gateway", &ec2.CustomerGatewayArgs{
//				BgpAsn:    pulumi.String("65000"),
//				IpAddress: pulumi.String("172.0.0.1"),
//				Type:      pulumi.String("ipsec.1"),
//			})
//			if err != nil {
//				return err
//			}
//			_, err = ec2.NewVpnConnection(ctx, "main", &ec2.VpnConnectionArgs{
//				VpnGatewayId:      vpnGateway.ID(),
//				CustomerGatewayId: customerGateway.ID(),
//				Type:              pulumi.String("ipsec.1"),
//				StaticRoutesOnly:  pulumi.Bool(true),
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ### AWS Site to Site Private VPN
//
// <!--Start PulumiCodeChooser -->
// ```go
// package main
//
// import (
//
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/directconnect"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2"
//	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ec2transitgateway"
//	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
//
// )
//
//	func main() {
//		pulumi.Run(func(ctx *pulumi.Context) error {
//			exampleGateway, err := directconnect.NewGateway(ctx, "example", &directconnect.GatewayArgs{
//				Name:          pulumi.String("example_ipsec_vpn_example"),
//				AmazonSideAsn: pulumi.String("64512"),
//			})
//			if err != nil {
//				return err
//			}
//			exampleTransitGateway, err := ec2transitgateway.NewTransitGateway(ctx, "example", &ec2transitgateway.TransitGatewayArgs{
//				AmazonSideAsn: pulumi.Int(64513),
//				Description:   pulumi.String("example_ipsec_vpn_example"),
//				TransitGatewayCidrBlocks: pulumi.StringArray{
//					pulumi.String("10.0.0.0/24"),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			exampleCustomerGateway, err := ec2.NewCustomerGateway(ctx, "example", &ec2.CustomerGatewayArgs{
//				BgpAsn:    pulumi.String("64514"),
//				IpAddress: pulumi.String("10.0.0.1"),
//				Type:      pulumi.String("ipsec.1"),
//				Tags: pulumi.StringMap{
//					"Name": pulumi.String("example_ipsec_vpn_example"),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			_, err = directconnect.NewGatewayAssociation(ctx, "example", &directconnect.GatewayAssociationArgs{
//				DxGatewayId:         exampleGateway.ID(),
//				AssociatedGatewayId: exampleTransitGateway.ID(),
//				AllowedPrefixes: pulumi.StringArray{
//					pulumi.String("10.0.0.0/8"),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			example := ec2transitgateway.GetDirectConnectGatewayAttachmentOutput(ctx, ec2transitgateway.GetDirectConnectGatewayAttachmentOutputArgs{
//				TransitGatewayId: exampleTransitGateway.ID(),
//				DxGatewayId:      exampleGateway.ID(),
//			}, nil)
//			_, err = ec2.NewVpnConnection(ctx, "example", &ec2.VpnConnectionArgs{
//				CustomerGatewayId:    exampleCustomerGateway.ID(),
//				OutsideIpAddressType: pulumi.String("PrivateIpv4"),
//				TransitGatewayId:     exampleTransitGateway.ID(),
//				TransportTransitGatewayAttachmentId: example.ApplyT(func(example ec2transitgateway.GetDirectConnectGatewayAttachmentResult) (*string, error) {
//					return &example.Id, nil
//				}).(pulumi.StringPtrOutput),
//				Type: pulumi.String("ipsec.1"),
//				Tags: pulumi.StringMap{
//					"Name": pulumi.String("example_ipsec_vpn_example"),
//				},
//			})
//			if err != nil {
//				return err
//			}
//			return nil
//		})
//	}
//
// ```
// <!--End PulumiCodeChooser -->
//
// ## Import
//
// Using `pulumi import`, import VPN Connections using the VPN connection `id`. For example:
//
// ```sh
// $ pulumi import aws:ec2/vpnConnection:VpnConnection testvpnconnection vpn-40f41529
// ```
type VpnConnection struct {
	pulumi.CustomResourceState

	// Amazon Resource Name (ARN) of the VPN Connection.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// The ARN of the core network.
	CoreNetworkArn pulumi.StringOutput `pulumi:"coreNetworkArn"`
	// The ARN of the core network attachment.
	CoreNetworkAttachmentArn pulumi.StringOutput `pulumi:"coreNetworkAttachmentArn"`
	// The configuration information for the VPN connection's customer gateway (in the native XML format).
	CustomerGatewayConfiguration pulumi.StringOutput `pulumi:"customerGatewayConfiguration"`
	// The ID of the customer gateway.
	CustomerGatewayId pulumi.StringOutput `pulumi:"customerGatewayId"`
	// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
	EnableAcceleration pulumi.BoolOutput `pulumi:"enableAcceleration"`
	// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv4NetworkCidr pulumi.StringOutput `pulumi:"localIpv4NetworkCidr"`
	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv6NetworkCidr pulumi.StringOutput `pulumi:"localIpv6NetworkCidr"`
	// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are `PublicIpv4 | PrivateIpv4`
	OutsideIpAddressType pulumi.StringOutput `pulumi:"outsideIpAddressType"`
	// The IPv4 CIDR on the AWS side of the VPN connection.
	RemoteIpv4NetworkCidr pulumi.StringOutput `pulumi:"remoteIpv4NetworkCidr"`
	// The IPv6 CIDR on the AWS side of the VPN connection.
	RemoteIpv6NetworkCidr pulumi.StringOutput `pulumi:"remoteIpv6NetworkCidr"`
	// The static routes associated with the VPN connection. Detailed below.
	Routes VpnConnectionRouteTypeArrayOutput `pulumi:"routes"`
	// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
	StaticRoutesOnly pulumi.BoolOutput `pulumi:"staticRoutesOnly"`
	// Tags to apply to the connection. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapOutput `pulumi:"tags"`
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapOutput `pulumi:"tagsAll"`
	// When associated with an EC2 Transit Gateway (`transitGatewayId` argument), the attachment ID. See also the `ec2.Tag` resource for tagging the EC2 Transit Gateway VPN Attachment.
	TransitGatewayAttachmentId pulumi.StringOutput `pulumi:"transitGatewayAttachmentId"`
	// The ID of the EC2 Transit Gateway.
	TransitGatewayId pulumi.StringPtrOutput `pulumi:"transitGatewayId"`
	// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
	TransportTransitGatewayAttachmentId pulumi.StringPtrOutput `pulumi:"transportTransitGatewayAttachmentId"`
	// The public IP address of the first VPN tunnel.
	Tunnel1Address pulumi.StringOutput `pulumi:"tunnel1Address"`
	// The bgp asn number of the first VPN tunnel.
	Tunnel1BgpAsn pulumi.StringOutput `pulumi:"tunnel1BgpAsn"`
	// The bgp holdtime of the first VPN tunnel.
	Tunnel1BgpHoldtime pulumi.IntOutput `pulumi:"tunnel1BgpHoldtime"`
	// The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
	Tunnel1CgwInsideAddress pulumi.StringOutput `pulumi:"tunnel1CgwInsideAddress"`
	// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel1DpdTimeoutAction pulumi.StringPtrOutput `pulumi:"tunnel1DpdTimeoutAction"`
	// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel1DpdTimeoutSeconds pulumi.IntPtrOutput `pulumi:"tunnel1DpdTimeoutSeconds"`
	// Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are `true | false`.
	Tunnel1EnableTunnelLifecycleControl pulumi.BoolPtrOutput `pulumi:"tunnel1EnableTunnelLifecycleControl"`
	// The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel1IkeVersions pulumi.StringArrayOutput `pulumi:"tunnel1IkeVersions"`
	// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel1InsideCidr pulumi.StringOutput `pulumi:"tunnel1InsideCidr"`
	// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel1InsideIpv6Cidr pulumi.StringOutput `pulumi:"tunnel1InsideIpv6Cidr"`
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel1LogOptions VpnConnectionTunnel1LogOptionsOutput `pulumi:"tunnel1LogOptions"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel1Phase1DhGroupNumbers pulumi.IntArrayOutput `pulumi:"tunnel1Phase1DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase1EncryptionAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel1Phase1EncryptionAlgorithms"`
	// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase1IntegrityAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel1Phase1IntegrityAlgorithms"`
	// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel1Phase1LifetimeSeconds pulumi.IntPtrOutput `pulumi:"tunnel1Phase1LifetimeSeconds"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel1Phase2DhGroupNumbers pulumi.IntArrayOutput `pulumi:"tunnel1Phase2DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase2EncryptionAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel1Phase2EncryptionAlgorithms"`
	// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase2IntegrityAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel1Phase2IntegrityAlgorithms"`
	// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel1Phase2LifetimeSeconds pulumi.IntPtrOutput `pulumi:"tunnel1Phase2LifetimeSeconds"`
	// The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel1PresharedKey pulumi.StringOutput `pulumi:"tunnel1PresharedKey"`
	// The percentage of the rekey window for the first VPN tunnel (determined by `tunnel1RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel1RekeyFuzzPercentage pulumi.IntPtrOutput `pulumi:"tunnel1RekeyFuzzPercentage"`
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel1RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel1Phase2LifetimeSeconds`.
	Tunnel1RekeyMarginTimeSeconds pulumi.IntPtrOutput `pulumi:"tunnel1RekeyMarginTimeSeconds"`
	// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel1ReplayWindowSize pulumi.IntPtrOutput `pulumi:"tunnel1ReplayWindowSize"`
	// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel1StartupAction pulumi.StringPtrOutput `pulumi:"tunnel1StartupAction"`
	// The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
	Tunnel1VgwInsideAddress pulumi.StringOutput `pulumi:"tunnel1VgwInsideAddress"`
	// The public IP address of the second VPN tunnel.
	Tunnel2Address pulumi.StringOutput `pulumi:"tunnel2Address"`
	// The bgp asn number of the second VPN tunnel.
	Tunnel2BgpAsn pulumi.StringOutput `pulumi:"tunnel2BgpAsn"`
	// The bgp holdtime of the second VPN tunnel.
	Tunnel2BgpHoldtime pulumi.IntOutput `pulumi:"tunnel2BgpHoldtime"`
	// The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
	Tunnel2CgwInsideAddress pulumi.StringOutput `pulumi:"tunnel2CgwInsideAddress"`
	// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel2DpdTimeoutAction pulumi.StringPtrOutput `pulumi:"tunnel2DpdTimeoutAction"`
	// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel2DpdTimeoutSeconds pulumi.IntPtrOutput `pulumi:"tunnel2DpdTimeoutSeconds"`
	// Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are `true | false`.
	Tunnel2EnableTunnelLifecycleControl pulumi.BoolPtrOutput `pulumi:"tunnel2EnableTunnelLifecycleControl"`
	// The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel2IkeVersions pulumi.StringArrayOutput `pulumi:"tunnel2IkeVersions"`
	// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel2InsideCidr pulumi.StringOutput `pulumi:"tunnel2InsideCidr"`
	// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel2InsideIpv6Cidr pulumi.StringOutput `pulumi:"tunnel2InsideIpv6Cidr"`
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel2LogOptions VpnConnectionTunnel2LogOptionsOutput `pulumi:"tunnel2LogOptions"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel2Phase1DhGroupNumbers pulumi.IntArrayOutput `pulumi:"tunnel2Phase1DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase1EncryptionAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel2Phase1EncryptionAlgorithms"`
	// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase1IntegrityAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel2Phase1IntegrityAlgorithms"`
	// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel2Phase1LifetimeSeconds pulumi.IntPtrOutput `pulumi:"tunnel2Phase1LifetimeSeconds"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel2Phase2DhGroupNumbers pulumi.IntArrayOutput `pulumi:"tunnel2Phase2DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase2EncryptionAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel2Phase2EncryptionAlgorithms"`
	// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase2IntegrityAlgorithms pulumi.StringArrayOutput `pulumi:"tunnel2Phase2IntegrityAlgorithms"`
	// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel2Phase2LifetimeSeconds pulumi.IntPtrOutput `pulumi:"tunnel2Phase2LifetimeSeconds"`
	// The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel2PresharedKey pulumi.StringOutput `pulumi:"tunnel2PresharedKey"`
	// The percentage of the rekey window for the second VPN tunnel (determined by `tunnel2RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel2RekeyFuzzPercentage pulumi.IntPtrOutput `pulumi:"tunnel2RekeyFuzzPercentage"`
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel2RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel2Phase2LifetimeSeconds`.
	Tunnel2RekeyMarginTimeSeconds pulumi.IntPtrOutput `pulumi:"tunnel2RekeyMarginTimeSeconds"`
	// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel2ReplayWindowSize pulumi.IntPtrOutput `pulumi:"tunnel2ReplayWindowSize"`
	// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel2StartupAction pulumi.StringPtrOutput `pulumi:"tunnel2StartupAction"`
	// The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
	Tunnel2VgwInsideAddress pulumi.StringOutput `pulumi:"tunnel2VgwInsideAddress"`
	// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are `ipv4 | ipv6`. `ipv6` Supports only EC2 Transit Gateway.
	TunnelInsideIpVersion pulumi.StringOutput `pulumi:"tunnelInsideIpVersion"`
	// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
	Type pulumi.StringOutput `pulumi:"type"`
	// Telemetry for the VPN tunnels. Detailed below.
	VgwTelemetries VpnConnectionVgwTelemetryArrayOutput `pulumi:"vgwTelemetries"`
	// The ID of the Virtual Private Gateway.
	VpnGatewayId pulumi.StringPtrOutput `pulumi:"vpnGatewayId"`
}

// NewVpnConnection registers a new resource with the given unique name, arguments, and options.
func NewVpnConnection(ctx *pulumi.Context,
	name string, args *VpnConnectionArgs, opts ...pulumi.ResourceOption) (*VpnConnection, error) {
	if args == nil {
		return nil, errors.New("missing one or more required arguments")
	}

	if args.CustomerGatewayId == nil {
		return nil, errors.New("invalid value for required argument 'CustomerGatewayId'")
	}
	if args.Type == nil {
		return nil, errors.New("invalid value for required argument 'Type'")
	}
	if args.Tunnel1PresharedKey != nil {
		args.Tunnel1PresharedKey = pulumi.ToSecret(args.Tunnel1PresharedKey).(pulumi.StringPtrInput)
	}
	if args.Tunnel2PresharedKey != nil {
		args.Tunnel2PresharedKey = pulumi.ToSecret(args.Tunnel2PresharedKey).(pulumi.StringPtrInput)
	}
	secrets := pulumi.AdditionalSecretOutputs([]string{
		"customerGatewayConfiguration",
		"tunnel1PresharedKey",
		"tunnel2PresharedKey",
	})
	opts = append(opts, secrets)
	opts = internal.PkgResourceDefaultOpts(opts)
	var resource VpnConnection
	err := ctx.RegisterResource("aws:ec2/vpnConnection:VpnConnection", name, args, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// GetVpnConnection gets an existing VpnConnection resource's state with the given name, ID, and optional
// state properties that are used to uniquely qualify the lookup (nil if not required).
func GetVpnConnection(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *VpnConnectionState, opts ...pulumi.ResourceOption) (*VpnConnection, error) {
	var resource VpnConnection
	err := ctx.ReadResource("aws:ec2/vpnConnection:VpnConnection", name, id, state, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

// Input properties used for looking up and filtering VpnConnection resources.
type vpnConnectionState struct {
	// Amazon Resource Name (ARN) of the VPN Connection.
	Arn *string `pulumi:"arn"`
	// The ARN of the core network.
	CoreNetworkArn *string `pulumi:"coreNetworkArn"`
	// The ARN of the core network attachment.
	CoreNetworkAttachmentArn *string `pulumi:"coreNetworkAttachmentArn"`
	// The configuration information for the VPN connection's customer gateway (in the native XML format).
	CustomerGatewayConfiguration *string `pulumi:"customerGatewayConfiguration"`
	// The ID of the customer gateway.
	CustomerGatewayId *string `pulumi:"customerGatewayId"`
	// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
	EnableAcceleration *bool `pulumi:"enableAcceleration"`
	// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv4NetworkCidr *string `pulumi:"localIpv4NetworkCidr"`
	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv6NetworkCidr *string `pulumi:"localIpv6NetworkCidr"`
	// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are `PublicIpv4 | PrivateIpv4`
	OutsideIpAddressType *string `pulumi:"outsideIpAddressType"`
	// The IPv4 CIDR on the AWS side of the VPN connection.
	RemoteIpv4NetworkCidr *string `pulumi:"remoteIpv4NetworkCidr"`
	// The IPv6 CIDR on the AWS side of the VPN connection.
	RemoteIpv6NetworkCidr *string `pulumi:"remoteIpv6NetworkCidr"`
	// The static routes associated with the VPN connection. Detailed below.
	Routes []VpnConnectionRouteType `pulumi:"routes"`
	// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
	StaticRoutesOnly *bool `pulumi:"staticRoutesOnly"`
	// Tags to apply to the connection. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags map[string]string `pulumi:"tags"`
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll map[string]string `pulumi:"tagsAll"`
	// When associated with an EC2 Transit Gateway (`transitGatewayId` argument), the attachment ID. See also the `ec2.Tag` resource for tagging the EC2 Transit Gateway VPN Attachment.
	TransitGatewayAttachmentId *string `pulumi:"transitGatewayAttachmentId"`
	// The ID of the EC2 Transit Gateway.
	TransitGatewayId *string `pulumi:"transitGatewayId"`
	// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
	TransportTransitGatewayAttachmentId *string `pulumi:"transportTransitGatewayAttachmentId"`
	// The public IP address of the first VPN tunnel.
	Tunnel1Address *string `pulumi:"tunnel1Address"`
	// The bgp asn number of the first VPN tunnel.
	Tunnel1BgpAsn *string `pulumi:"tunnel1BgpAsn"`
	// The bgp holdtime of the first VPN tunnel.
	Tunnel1BgpHoldtime *int `pulumi:"tunnel1BgpHoldtime"`
	// The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
	Tunnel1CgwInsideAddress *string `pulumi:"tunnel1CgwInsideAddress"`
	// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel1DpdTimeoutAction *string `pulumi:"tunnel1DpdTimeoutAction"`
	// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel1DpdTimeoutSeconds *int `pulumi:"tunnel1DpdTimeoutSeconds"`
	// Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are `true | false`.
	Tunnel1EnableTunnelLifecycleControl *bool `pulumi:"tunnel1EnableTunnelLifecycleControl"`
	// The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel1IkeVersions []string `pulumi:"tunnel1IkeVersions"`
	// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel1InsideCidr *string `pulumi:"tunnel1InsideCidr"`
	// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel1InsideIpv6Cidr *string `pulumi:"tunnel1InsideIpv6Cidr"`
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel1LogOptions *VpnConnectionTunnel1LogOptions `pulumi:"tunnel1LogOptions"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel1Phase1DhGroupNumbers []int `pulumi:"tunnel1Phase1DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase1EncryptionAlgorithms []string `pulumi:"tunnel1Phase1EncryptionAlgorithms"`
	// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase1IntegrityAlgorithms []string `pulumi:"tunnel1Phase1IntegrityAlgorithms"`
	// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel1Phase1LifetimeSeconds *int `pulumi:"tunnel1Phase1LifetimeSeconds"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel1Phase2DhGroupNumbers []int `pulumi:"tunnel1Phase2DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase2EncryptionAlgorithms []string `pulumi:"tunnel1Phase2EncryptionAlgorithms"`
	// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase2IntegrityAlgorithms []string `pulumi:"tunnel1Phase2IntegrityAlgorithms"`
	// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel1Phase2LifetimeSeconds *int `pulumi:"tunnel1Phase2LifetimeSeconds"`
	// The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel1PresharedKey *string `pulumi:"tunnel1PresharedKey"`
	// The percentage of the rekey window for the first VPN tunnel (determined by `tunnel1RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel1RekeyFuzzPercentage *int `pulumi:"tunnel1RekeyFuzzPercentage"`
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel1RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel1Phase2LifetimeSeconds`.
	Tunnel1RekeyMarginTimeSeconds *int `pulumi:"tunnel1RekeyMarginTimeSeconds"`
	// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel1ReplayWindowSize *int `pulumi:"tunnel1ReplayWindowSize"`
	// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel1StartupAction *string `pulumi:"tunnel1StartupAction"`
	// The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
	Tunnel1VgwInsideAddress *string `pulumi:"tunnel1VgwInsideAddress"`
	// The public IP address of the second VPN tunnel.
	Tunnel2Address *string `pulumi:"tunnel2Address"`
	// The bgp asn number of the second VPN tunnel.
	Tunnel2BgpAsn *string `pulumi:"tunnel2BgpAsn"`
	// The bgp holdtime of the second VPN tunnel.
	Tunnel2BgpHoldtime *int `pulumi:"tunnel2BgpHoldtime"`
	// The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
	Tunnel2CgwInsideAddress *string `pulumi:"tunnel2CgwInsideAddress"`
	// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel2DpdTimeoutAction *string `pulumi:"tunnel2DpdTimeoutAction"`
	// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel2DpdTimeoutSeconds *int `pulumi:"tunnel2DpdTimeoutSeconds"`
	// Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are `true | false`.
	Tunnel2EnableTunnelLifecycleControl *bool `pulumi:"tunnel2EnableTunnelLifecycleControl"`
	// The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel2IkeVersions []string `pulumi:"tunnel2IkeVersions"`
	// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel2InsideCidr *string `pulumi:"tunnel2InsideCidr"`
	// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel2InsideIpv6Cidr *string `pulumi:"tunnel2InsideIpv6Cidr"`
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel2LogOptions *VpnConnectionTunnel2LogOptions `pulumi:"tunnel2LogOptions"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel2Phase1DhGroupNumbers []int `pulumi:"tunnel2Phase1DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase1EncryptionAlgorithms []string `pulumi:"tunnel2Phase1EncryptionAlgorithms"`
	// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase1IntegrityAlgorithms []string `pulumi:"tunnel2Phase1IntegrityAlgorithms"`
	// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel2Phase1LifetimeSeconds *int `pulumi:"tunnel2Phase1LifetimeSeconds"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel2Phase2DhGroupNumbers []int `pulumi:"tunnel2Phase2DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase2EncryptionAlgorithms []string `pulumi:"tunnel2Phase2EncryptionAlgorithms"`
	// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase2IntegrityAlgorithms []string `pulumi:"tunnel2Phase2IntegrityAlgorithms"`
	// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel2Phase2LifetimeSeconds *int `pulumi:"tunnel2Phase2LifetimeSeconds"`
	// The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel2PresharedKey *string `pulumi:"tunnel2PresharedKey"`
	// The percentage of the rekey window for the second VPN tunnel (determined by `tunnel2RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel2RekeyFuzzPercentage *int `pulumi:"tunnel2RekeyFuzzPercentage"`
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel2RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel2Phase2LifetimeSeconds`.
	Tunnel2RekeyMarginTimeSeconds *int `pulumi:"tunnel2RekeyMarginTimeSeconds"`
	// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel2ReplayWindowSize *int `pulumi:"tunnel2ReplayWindowSize"`
	// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel2StartupAction *string `pulumi:"tunnel2StartupAction"`
	// The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
	Tunnel2VgwInsideAddress *string `pulumi:"tunnel2VgwInsideAddress"`
	// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are `ipv4 | ipv6`. `ipv6` Supports only EC2 Transit Gateway.
	TunnelInsideIpVersion *string `pulumi:"tunnelInsideIpVersion"`
	// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
	Type *string `pulumi:"type"`
	// Telemetry for the VPN tunnels. Detailed below.
	VgwTelemetries []VpnConnectionVgwTelemetry `pulumi:"vgwTelemetries"`
	// The ID of the Virtual Private Gateway.
	VpnGatewayId *string `pulumi:"vpnGatewayId"`
}

type VpnConnectionState struct {
	// Amazon Resource Name (ARN) of the VPN Connection.
	Arn pulumi.StringPtrInput
	// The ARN of the core network.
	CoreNetworkArn pulumi.StringPtrInput
	// The ARN of the core network attachment.
	CoreNetworkAttachmentArn pulumi.StringPtrInput
	// The configuration information for the VPN connection's customer gateway (in the native XML format).
	CustomerGatewayConfiguration pulumi.StringPtrInput
	// The ID of the customer gateway.
	CustomerGatewayId pulumi.StringPtrInput
	// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
	EnableAcceleration pulumi.BoolPtrInput
	// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv4NetworkCidr pulumi.StringPtrInput
	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv6NetworkCidr pulumi.StringPtrInput
	// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are `PublicIpv4 | PrivateIpv4`
	OutsideIpAddressType pulumi.StringPtrInput
	// The IPv4 CIDR on the AWS side of the VPN connection.
	RemoteIpv4NetworkCidr pulumi.StringPtrInput
	// The IPv6 CIDR on the AWS side of the VPN connection.
	RemoteIpv6NetworkCidr pulumi.StringPtrInput
	// The static routes associated with the VPN connection. Detailed below.
	Routes VpnConnectionRouteTypeArrayInput
	// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
	StaticRoutesOnly pulumi.BoolPtrInput
	// Tags to apply to the connection. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
	//
	// Deprecated: Please use `tags` instead.
	TagsAll pulumi.StringMapInput
	// When associated with an EC2 Transit Gateway (`transitGatewayId` argument), the attachment ID. See also the `ec2.Tag` resource for tagging the EC2 Transit Gateway VPN Attachment.
	TransitGatewayAttachmentId pulumi.StringPtrInput
	// The ID of the EC2 Transit Gateway.
	TransitGatewayId pulumi.StringPtrInput
	// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
	TransportTransitGatewayAttachmentId pulumi.StringPtrInput
	// The public IP address of the first VPN tunnel.
	Tunnel1Address pulumi.StringPtrInput
	// The bgp asn number of the first VPN tunnel.
	Tunnel1BgpAsn pulumi.StringPtrInput
	// The bgp holdtime of the first VPN tunnel.
	Tunnel1BgpHoldtime pulumi.IntPtrInput
	// The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
	Tunnel1CgwInsideAddress pulumi.StringPtrInput
	// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel1DpdTimeoutAction pulumi.StringPtrInput
	// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel1DpdTimeoutSeconds pulumi.IntPtrInput
	// Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are `true | false`.
	Tunnel1EnableTunnelLifecycleControl pulumi.BoolPtrInput
	// The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel1IkeVersions pulumi.StringArrayInput
	// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel1InsideCidr pulumi.StringPtrInput
	// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel1InsideIpv6Cidr pulumi.StringPtrInput
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel1LogOptions VpnConnectionTunnel1LogOptionsPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel1Phase1DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase1EncryptionAlgorithms pulumi.StringArrayInput
	// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase1IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel1Phase1LifetimeSeconds pulumi.IntPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel1Phase2DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase2EncryptionAlgorithms pulumi.StringArrayInput
	// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase2IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel1Phase2LifetimeSeconds pulumi.IntPtrInput
	// The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel1PresharedKey pulumi.StringPtrInput
	// The percentage of the rekey window for the first VPN tunnel (determined by `tunnel1RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel1RekeyFuzzPercentage pulumi.IntPtrInput
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel1RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel1Phase2LifetimeSeconds`.
	Tunnel1RekeyMarginTimeSeconds pulumi.IntPtrInput
	// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel1ReplayWindowSize pulumi.IntPtrInput
	// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel1StartupAction pulumi.StringPtrInput
	// The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
	Tunnel1VgwInsideAddress pulumi.StringPtrInput
	// The public IP address of the second VPN tunnel.
	Tunnel2Address pulumi.StringPtrInput
	// The bgp asn number of the second VPN tunnel.
	Tunnel2BgpAsn pulumi.StringPtrInput
	// The bgp holdtime of the second VPN tunnel.
	Tunnel2BgpHoldtime pulumi.IntPtrInput
	// The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
	Tunnel2CgwInsideAddress pulumi.StringPtrInput
	// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel2DpdTimeoutAction pulumi.StringPtrInput
	// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel2DpdTimeoutSeconds pulumi.IntPtrInput
	// Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are `true | false`.
	Tunnel2EnableTunnelLifecycleControl pulumi.BoolPtrInput
	// The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel2IkeVersions pulumi.StringArrayInput
	// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel2InsideCidr pulumi.StringPtrInput
	// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel2InsideIpv6Cidr pulumi.StringPtrInput
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel2LogOptions VpnConnectionTunnel2LogOptionsPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel2Phase1DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase1EncryptionAlgorithms pulumi.StringArrayInput
	// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase1IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel2Phase1LifetimeSeconds pulumi.IntPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel2Phase2DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase2EncryptionAlgorithms pulumi.StringArrayInput
	// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase2IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel2Phase2LifetimeSeconds pulumi.IntPtrInput
	// The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel2PresharedKey pulumi.StringPtrInput
	// The percentage of the rekey window for the second VPN tunnel (determined by `tunnel2RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel2RekeyFuzzPercentage pulumi.IntPtrInput
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel2RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel2Phase2LifetimeSeconds`.
	Tunnel2RekeyMarginTimeSeconds pulumi.IntPtrInput
	// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel2ReplayWindowSize pulumi.IntPtrInput
	// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel2StartupAction pulumi.StringPtrInput
	// The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
	Tunnel2VgwInsideAddress pulumi.StringPtrInput
	// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are `ipv4 | ipv6`. `ipv6` Supports only EC2 Transit Gateway.
	TunnelInsideIpVersion pulumi.StringPtrInput
	// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
	Type pulumi.StringPtrInput
	// Telemetry for the VPN tunnels. Detailed below.
	VgwTelemetries VpnConnectionVgwTelemetryArrayInput
	// The ID of the Virtual Private Gateway.
	VpnGatewayId pulumi.StringPtrInput
}

func (VpnConnectionState) ElementType() reflect.Type {
	return reflect.TypeOf((*vpnConnectionState)(nil)).Elem()
}

type vpnConnectionArgs struct {
	// The ID of the customer gateway.
	CustomerGatewayId string `pulumi:"customerGatewayId"`
	// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
	EnableAcceleration *bool `pulumi:"enableAcceleration"`
	// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv4NetworkCidr *string `pulumi:"localIpv4NetworkCidr"`
	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv6NetworkCidr *string `pulumi:"localIpv6NetworkCidr"`
	// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are `PublicIpv4 | PrivateIpv4`
	OutsideIpAddressType *string `pulumi:"outsideIpAddressType"`
	// The IPv4 CIDR on the AWS side of the VPN connection.
	RemoteIpv4NetworkCidr *string `pulumi:"remoteIpv4NetworkCidr"`
	// The IPv6 CIDR on the AWS side of the VPN connection.
	RemoteIpv6NetworkCidr *string `pulumi:"remoteIpv6NetworkCidr"`
	// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
	StaticRoutesOnly *bool `pulumi:"staticRoutesOnly"`
	// Tags to apply to the connection. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags map[string]string `pulumi:"tags"`
	// The ID of the EC2 Transit Gateway.
	TransitGatewayId *string `pulumi:"transitGatewayId"`
	// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
	TransportTransitGatewayAttachmentId *string `pulumi:"transportTransitGatewayAttachmentId"`
	// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel1DpdTimeoutAction *string `pulumi:"tunnel1DpdTimeoutAction"`
	// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel1DpdTimeoutSeconds *int `pulumi:"tunnel1DpdTimeoutSeconds"`
	// Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are `true | false`.
	Tunnel1EnableTunnelLifecycleControl *bool `pulumi:"tunnel1EnableTunnelLifecycleControl"`
	// The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel1IkeVersions []string `pulumi:"tunnel1IkeVersions"`
	// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel1InsideCidr *string `pulumi:"tunnel1InsideCidr"`
	// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel1InsideIpv6Cidr *string `pulumi:"tunnel1InsideIpv6Cidr"`
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel1LogOptions *VpnConnectionTunnel1LogOptions `pulumi:"tunnel1LogOptions"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel1Phase1DhGroupNumbers []int `pulumi:"tunnel1Phase1DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase1EncryptionAlgorithms []string `pulumi:"tunnel1Phase1EncryptionAlgorithms"`
	// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase1IntegrityAlgorithms []string `pulumi:"tunnel1Phase1IntegrityAlgorithms"`
	// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel1Phase1LifetimeSeconds *int `pulumi:"tunnel1Phase1LifetimeSeconds"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel1Phase2DhGroupNumbers []int `pulumi:"tunnel1Phase2DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase2EncryptionAlgorithms []string `pulumi:"tunnel1Phase2EncryptionAlgorithms"`
	// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase2IntegrityAlgorithms []string `pulumi:"tunnel1Phase2IntegrityAlgorithms"`
	// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel1Phase2LifetimeSeconds *int `pulumi:"tunnel1Phase2LifetimeSeconds"`
	// The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel1PresharedKey *string `pulumi:"tunnel1PresharedKey"`
	// The percentage of the rekey window for the first VPN tunnel (determined by `tunnel1RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel1RekeyFuzzPercentage *int `pulumi:"tunnel1RekeyFuzzPercentage"`
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel1RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel1Phase2LifetimeSeconds`.
	Tunnel1RekeyMarginTimeSeconds *int `pulumi:"tunnel1RekeyMarginTimeSeconds"`
	// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel1ReplayWindowSize *int `pulumi:"tunnel1ReplayWindowSize"`
	// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel1StartupAction *string `pulumi:"tunnel1StartupAction"`
	// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel2DpdTimeoutAction *string `pulumi:"tunnel2DpdTimeoutAction"`
	// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel2DpdTimeoutSeconds *int `pulumi:"tunnel2DpdTimeoutSeconds"`
	// Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are `true | false`.
	Tunnel2EnableTunnelLifecycleControl *bool `pulumi:"tunnel2EnableTunnelLifecycleControl"`
	// The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel2IkeVersions []string `pulumi:"tunnel2IkeVersions"`
	// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel2InsideCidr *string `pulumi:"tunnel2InsideCidr"`
	// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel2InsideIpv6Cidr *string `pulumi:"tunnel2InsideIpv6Cidr"`
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel2LogOptions *VpnConnectionTunnel2LogOptions `pulumi:"tunnel2LogOptions"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel2Phase1DhGroupNumbers []int `pulumi:"tunnel2Phase1DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase1EncryptionAlgorithms []string `pulumi:"tunnel2Phase1EncryptionAlgorithms"`
	// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase1IntegrityAlgorithms []string `pulumi:"tunnel2Phase1IntegrityAlgorithms"`
	// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel2Phase1LifetimeSeconds *int `pulumi:"tunnel2Phase1LifetimeSeconds"`
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel2Phase2DhGroupNumbers []int `pulumi:"tunnel2Phase2DhGroupNumbers"`
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase2EncryptionAlgorithms []string `pulumi:"tunnel2Phase2EncryptionAlgorithms"`
	// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase2IntegrityAlgorithms []string `pulumi:"tunnel2Phase2IntegrityAlgorithms"`
	// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel2Phase2LifetimeSeconds *int `pulumi:"tunnel2Phase2LifetimeSeconds"`
	// The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel2PresharedKey *string `pulumi:"tunnel2PresharedKey"`
	// The percentage of the rekey window for the second VPN tunnel (determined by `tunnel2RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel2RekeyFuzzPercentage *int `pulumi:"tunnel2RekeyFuzzPercentage"`
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel2RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel2Phase2LifetimeSeconds`.
	Tunnel2RekeyMarginTimeSeconds *int `pulumi:"tunnel2RekeyMarginTimeSeconds"`
	// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel2ReplayWindowSize *int `pulumi:"tunnel2ReplayWindowSize"`
	// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel2StartupAction *string `pulumi:"tunnel2StartupAction"`
	// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are `ipv4 | ipv6`. `ipv6` Supports only EC2 Transit Gateway.
	TunnelInsideIpVersion *string `pulumi:"tunnelInsideIpVersion"`
	// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
	Type string `pulumi:"type"`
	// The ID of the Virtual Private Gateway.
	VpnGatewayId *string `pulumi:"vpnGatewayId"`
}

// The set of arguments for constructing a VpnConnection resource.
type VpnConnectionArgs struct {
	// The ID of the customer gateway.
	CustomerGatewayId pulumi.StringInput
	// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
	EnableAcceleration pulumi.BoolPtrInput
	// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv4NetworkCidr pulumi.StringPtrInput
	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
	LocalIpv6NetworkCidr pulumi.StringPtrInput
	// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are `PublicIpv4 | PrivateIpv4`
	OutsideIpAddressType pulumi.StringPtrInput
	// The IPv4 CIDR on the AWS side of the VPN connection.
	RemoteIpv4NetworkCidr pulumi.StringPtrInput
	// The IPv6 CIDR on the AWS side of the VPN connection.
	RemoteIpv6NetworkCidr pulumi.StringPtrInput
	// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
	StaticRoutesOnly pulumi.BoolPtrInput
	// Tags to apply to the connection. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
	Tags pulumi.StringMapInput
	// The ID of the EC2 Transit Gateway.
	TransitGatewayId pulumi.StringPtrInput
	// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
	TransportTransitGatewayAttachmentId pulumi.StringPtrInput
	// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel1DpdTimeoutAction pulumi.StringPtrInput
	// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel1DpdTimeoutSeconds pulumi.IntPtrInput
	// Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are `true | false`.
	Tunnel1EnableTunnelLifecycleControl pulumi.BoolPtrInput
	// The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel1IkeVersions pulumi.StringArrayInput
	// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel1InsideCidr pulumi.StringPtrInput
	// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel1InsideIpv6Cidr pulumi.StringPtrInput
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel1LogOptions VpnConnectionTunnel1LogOptionsPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel1Phase1DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase1EncryptionAlgorithms pulumi.StringArrayInput
	// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase1IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel1Phase1LifetimeSeconds pulumi.IntPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel1Phase2DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel1Phase2EncryptionAlgorithms pulumi.StringArrayInput
	// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel1Phase2IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel1Phase2LifetimeSeconds pulumi.IntPtrInput
	// The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel1PresharedKey pulumi.StringPtrInput
	// The percentage of the rekey window for the first VPN tunnel (determined by `tunnel1RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel1RekeyFuzzPercentage pulumi.IntPtrInput
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel1RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel1Phase2LifetimeSeconds`.
	Tunnel1RekeyMarginTimeSeconds pulumi.IntPtrInput
	// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel1ReplayWindowSize pulumi.IntPtrInput
	// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel1StartupAction pulumi.StringPtrInput
	// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
	Tunnel2DpdTimeoutAction pulumi.StringPtrInput
	// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than `30`.
	Tunnel2DpdTimeoutSeconds pulumi.IntPtrInput
	// Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are `true | false`.
	Tunnel2EnableTunnelLifecycleControl pulumi.BoolPtrInput
	// The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1 | ikev2`.
	Tunnel2IkeVersions pulumi.StringArrayInput
	// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
	Tunnel2InsideCidr pulumi.StringPtrInput
	// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
	Tunnel2InsideIpv6Cidr pulumi.StringPtrInput
	// Options for logging VPN tunnel activity. See Log Options below for more details.
	Tunnel2LogOptions VpnConnectionTunnel2LogOptionsPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
	Tunnel2Phase1DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase1EncryptionAlgorithms pulumi.StringArrayInput
	// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase1IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `28800`.
	Tunnel2Phase1LifetimeSeconds pulumi.IntPtrInput
	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
	Tunnel2Phase2DhGroupNumbers pulumi.IntArrayInput
	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
	Tunnel2Phase2EncryptionAlgorithms pulumi.StringArrayInput
	// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
	Tunnel2Phase2IntegrityAlgorithms pulumi.StringArrayInput
	// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `3600`.
	Tunnel2Phase2LifetimeSeconds pulumi.IntPtrInput
	// The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
	Tunnel2PresharedKey pulumi.StringPtrInput
	// The percentage of the rekey window for the second VPN tunnel (determined by `tunnel2RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
	Tunnel2RekeyFuzzPercentage pulumi.IntPtrInput
	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel2RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel2Phase2LifetimeSeconds`.
	Tunnel2RekeyMarginTimeSeconds pulumi.IntPtrInput
	// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between `64` and `2048`.
	Tunnel2ReplayWindowSize pulumi.IntPtrInput
	// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
	Tunnel2StartupAction pulumi.StringPtrInput
	// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are `ipv4 | ipv6`. `ipv6` Supports only EC2 Transit Gateway.
	TunnelInsideIpVersion pulumi.StringPtrInput
	// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
	Type pulumi.StringInput
	// The ID of the Virtual Private Gateway.
	VpnGatewayId pulumi.StringPtrInput
}

func (VpnConnectionArgs) ElementType() reflect.Type {
	return reflect.TypeOf((*vpnConnectionArgs)(nil)).Elem()
}

type VpnConnectionInput interface {
	pulumi.Input

	ToVpnConnectionOutput() VpnConnectionOutput
	ToVpnConnectionOutputWithContext(ctx context.Context) VpnConnectionOutput
}

func (*VpnConnection) ElementType() reflect.Type {
	return reflect.TypeOf((**VpnConnection)(nil)).Elem()
}

func (i *VpnConnection) ToVpnConnectionOutput() VpnConnectionOutput {
	return i.ToVpnConnectionOutputWithContext(context.Background())
}

func (i *VpnConnection) ToVpnConnectionOutputWithContext(ctx context.Context) VpnConnectionOutput {
	return pulumi.ToOutputWithContext(ctx, i).(VpnConnectionOutput)
}

// VpnConnectionArrayInput is an input type that accepts VpnConnectionArray and VpnConnectionArrayOutput values.
// You can construct a concrete instance of `VpnConnectionArrayInput` via:
//
//	VpnConnectionArray{ VpnConnectionArgs{...} }
type VpnConnectionArrayInput interface {
	pulumi.Input

	ToVpnConnectionArrayOutput() VpnConnectionArrayOutput
	ToVpnConnectionArrayOutputWithContext(context.Context) VpnConnectionArrayOutput
}

type VpnConnectionArray []VpnConnectionInput

func (VpnConnectionArray) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*VpnConnection)(nil)).Elem()
}

func (i VpnConnectionArray) ToVpnConnectionArrayOutput() VpnConnectionArrayOutput {
	return i.ToVpnConnectionArrayOutputWithContext(context.Background())
}

func (i VpnConnectionArray) ToVpnConnectionArrayOutputWithContext(ctx context.Context) VpnConnectionArrayOutput {
	return pulumi.ToOutputWithContext(ctx, i).(VpnConnectionArrayOutput)
}

// VpnConnectionMapInput is an input type that accepts VpnConnectionMap and VpnConnectionMapOutput values.
// You can construct a concrete instance of `VpnConnectionMapInput` via:
//
//	VpnConnectionMap{ "key": VpnConnectionArgs{...} }
type VpnConnectionMapInput interface {
	pulumi.Input

	ToVpnConnectionMapOutput() VpnConnectionMapOutput
	ToVpnConnectionMapOutputWithContext(context.Context) VpnConnectionMapOutput
}

type VpnConnectionMap map[string]VpnConnectionInput

func (VpnConnectionMap) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*VpnConnection)(nil)).Elem()
}

func (i VpnConnectionMap) ToVpnConnectionMapOutput() VpnConnectionMapOutput {
	return i.ToVpnConnectionMapOutputWithContext(context.Background())
}

func (i VpnConnectionMap) ToVpnConnectionMapOutputWithContext(ctx context.Context) VpnConnectionMapOutput {
	return pulumi.ToOutputWithContext(ctx, i).(VpnConnectionMapOutput)
}

type VpnConnectionOutput struct{ *pulumi.OutputState }

func (VpnConnectionOutput) ElementType() reflect.Type {
	return reflect.TypeOf((**VpnConnection)(nil)).Elem()
}

func (o VpnConnectionOutput) ToVpnConnectionOutput() VpnConnectionOutput {
	return o
}

func (o VpnConnectionOutput) ToVpnConnectionOutputWithContext(ctx context.Context) VpnConnectionOutput {
	return o
}

// Amazon Resource Name (ARN) of the VPN Connection.
func (o VpnConnectionOutput) Arn() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Arn }).(pulumi.StringOutput)
}

// The ARN of the core network.
func (o VpnConnectionOutput) CoreNetworkArn() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.CoreNetworkArn }).(pulumi.StringOutput)
}

// The ARN of the core network attachment.
func (o VpnConnectionOutput) CoreNetworkAttachmentArn() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.CoreNetworkAttachmentArn }).(pulumi.StringOutput)
}

// The configuration information for the VPN connection's customer gateway (in the native XML format).
func (o VpnConnectionOutput) CustomerGatewayConfiguration() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.CustomerGatewayConfiguration }).(pulumi.StringOutput)
}

// The ID of the customer gateway.
func (o VpnConnectionOutput) CustomerGatewayId() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.CustomerGatewayId }).(pulumi.StringOutput)
}

// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
func (o VpnConnectionOutput) EnableAcceleration() pulumi.BoolOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.BoolOutput { return v.EnableAcceleration }).(pulumi.BoolOutput)
}

// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
func (o VpnConnectionOutput) LocalIpv4NetworkCidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.LocalIpv4NetworkCidr }).(pulumi.StringOutput)
}

// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
func (o VpnConnectionOutput) LocalIpv6NetworkCidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.LocalIpv6NetworkCidr }).(pulumi.StringOutput)
}

// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are `PublicIpv4 | PrivateIpv4`
func (o VpnConnectionOutput) OutsideIpAddressType() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.OutsideIpAddressType }).(pulumi.StringOutput)
}

// The IPv4 CIDR on the AWS side of the VPN connection.
func (o VpnConnectionOutput) RemoteIpv4NetworkCidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.RemoteIpv4NetworkCidr }).(pulumi.StringOutput)
}

// The IPv6 CIDR on the AWS side of the VPN connection.
func (o VpnConnectionOutput) RemoteIpv6NetworkCidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.RemoteIpv6NetworkCidr }).(pulumi.StringOutput)
}

// The static routes associated with the VPN connection. Detailed below.
func (o VpnConnectionOutput) Routes() VpnConnectionRouteTypeArrayOutput {
	return o.ApplyT(func(v *VpnConnection) VpnConnectionRouteTypeArrayOutput { return v.Routes }).(VpnConnectionRouteTypeArrayOutput)
}

// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
func (o VpnConnectionOutput) StaticRoutesOnly() pulumi.BoolOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.BoolOutput { return v.StaticRoutesOnly }).(pulumi.BoolOutput)
}

// Tags to apply to the connection. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
func (o VpnConnectionOutput) Tags() pulumi.StringMapOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringMapOutput { return v.Tags }).(pulumi.StringMapOutput)
}

// A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
//
// Deprecated: Please use `tags` instead.
func (o VpnConnectionOutput) TagsAll() pulumi.StringMapOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringMapOutput { return v.TagsAll }).(pulumi.StringMapOutput)
}

// When associated with an EC2 Transit Gateway (`transitGatewayId` argument), the attachment ID. See also the `ec2.Tag` resource for tagging the EC2 Transit Gateway VPN Attachment.
func (o VpnConnectionOutput) TransitGatewayAttachmentId() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.TransitGatewayAttachmentId }).(pulumi.StringOutput)
}

// The ID of the EC2 Transit Gateway.
func (o VpnConnectionOutput) TransitGatewayId() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.TransitGatewayId }).(pulumi.StringPtrOutput)
}

// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
func (o VpnConnectionOutput) TransportTransitGatewayAttachmentId() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.TransportTransitGatewayAttachmentId }).(pulumi.StringPtrOutput)
}

// The public IP address of the first VPN tunnel.
func (o VpnConnectionOutput) Tunnel1Address() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1Address }).(pulumi.StringOutput)
}

// The bgp asn number of the first VPN tunnel.
func (o VpnConnectionOutput) Tunnel1BgpAsn() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1BgpAsn }).(pulumi.StringOutput)
}

// The bgp holdtime of the first VPN tunnel.
func (o VpnConnectionOutput) Tunnel1BgpHoldtime() pulumi.IntOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntOutput { return v.Tunnel1BgpHoldtime }).(pulumi.IntOutput)
}

// The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
func (o VpnConnectionOutput) Tunnel1CgwInsideAddress() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1CgwInsideAddress }).(pulumi.StringOutput)
}

// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
func (o VpnConnectionOutput) Tunnel1DpdTimeoutAction() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.Tunnel1DpdTimeoutAction }).(pulumi.StringPtrOutput)
}

// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than `30`.
func (o VpnConnectionOutput) Tunnel1DpdTimeoutSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel1DpdTimeoutSeconds }).(pulumi.IntPtrOutput)
}

// Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are `true | false`.
func (o VpnConnectionOutput) Tunnel1EnableTunnelLifecycleControl() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.BoolPtrOutput { return v.Tunnel1EnableTunnelLifecycleControl }).(pulumi.BoolPtrOutput)
}

// The IKE versions that are permitted for the first VPN tunnel. Valid values are `ikev1 | ikev2`.
func (o VpnConnectionOutput) Tunnel1IkeVersions() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel1IkeVersions }).(pulumi.StringArrayOutput)
}

// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
func (o VpnConnectionOutput) Tunnel1InsideCidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1InsideCidr }).(pulumi.StringOutput)
}

// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
func (o VpnConnectionOutput) Tunnel1InsideIpv6Cidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1InsideIpv6Cidr }).(pulumi.StringOutput)
}

// Options for logging VPN tunnel activity. See Log Options below for more details.
func (o VpnConnectionOutput) Tunnel1LogOptions() VpnConnectionTunnel1LogOptionsOutput {
	return o.ApplyT(func(v *VpnConnection) VpnConnectionTunnel1LogOptionsOutput { return v.Tunnel1LogOptions }).(VpnConnectionTunnel1LogOptionsOutput)
}

// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
func (o VpnConnectionOutput) Tunnel1Phase1DhGroupNumbers() pulumi.IntArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntArrayOutput { return v.Tunnel1Phase1DhGroupNumbers }).(pulumi.IntArrayOutput)
}

// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
func (o VpnConnectionOutput) Tunnel1Phase1EncryptionAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel1Phase1EncryptionAlgorithms }).(pulumi.StringArrayOutput)
}

// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
func (o VpnConnectionOutput) Tunnel1Phase1IntegrityAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel1Phase1IntegrityAlgorithms }).(pulumi.StringArrayOutput)
}

// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `28800`.
func (o VpnConnectionOutput) Tunnel1Phase1LifetimeSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel1Phase1LifetimeSeconds }).(pulumi.IntPtrOutput)
}

// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
func (o VpnConnectionOutput) Tunnel1Phase2DhGroupNumbers() pulumi.IntArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntArrayOutput { return v.Tunnel1Phase2DhGroupNumbers }).(pulumi.IntArrayOutput)
}

// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
func (o VpnConnectionOutput) Tunnel1Phase2EncryptionAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel1Phase2EncryptionAlgorithms }).(pulumi.StringArrayOutput)
}

// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
func (o VpnConnectionOutput) Tunnel1Phase2IntegrityAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel1Phase2IntegrityAlgorithms }).(pulumi.StringArrayOutput)
}

// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between `900` and `3600`.
func (o VpnConnectionOutput) Tunnel1Phase2LifetimeSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel1Phase2LifetimeSeconds }).(pulumi.IntPtrOutput)
}

// The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
func (o VpnConnectionOutput) Tunnel1PresharedKey() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1PresharedKey }).(pulumi.StringOutput)
}

// The percentage of the rekey window for the first VPN tunnel (determined by `tunnel1RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
func (o VpnConnectionOutput) Tunnel1RekeyFuzzPercentage() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel1RekeyFuzzPercentage }).(pulumi.IntPtrOutput)
}

// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel1RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel1Phase2LifetimeSeconds`.
func (o VpnConnectionOutput) Tunnel1RekeyMarginTimeSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel1RekeyMarginTimeSeconds }).(pulumi.IntPtrOutput)
}

// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between `64` and `2048`.
func (o VpnConnectionOutput) Tunnel1ReplayWindowSize() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel1ReplayWindowSize }).(pulumi.IntPtrOutput)
}

// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
func (o VpnConnectionOutput) Tunnel1StartupAction() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.Tunnel1StartupAction }).(pulumi.StringPtrOutput)
}

// The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
func (o VpnConnectionOutput) Tunnel1VgwInsideAddress() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel1VgwInsideAddress }).(pulumi.StringOutput)
}

// The public IP address of the second VPN tunnel.
func (o VpnConnectionOutput) Tunnel2Address() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2Address }).(pulumi.StringOutput)
}

// The bgp asn number of the second VPN tunnel.
func (o VpnConnectionOutput) Tunnel2BgpAsn() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2BgpAsn }).(pulumi.StringOutput)
}

// The bgp holdtime of the second VPN tunnel.
func (o VpnConnectionOutput) Tunnel2BgpHoldtime() pulumi.IntOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntOutput { return v.Tunnel2BgpHoldtime }).(pulumi.IntOutput)
}

// The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
func (o VpnConnectionOutput) Tunnel2CgwInsideAddress() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2CgwInsideAddress }).(pulumi.StringOutput)
}

// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are `clear | none | restart`.
func (o VpnConnectionOutput) Tunnel2DpdTimeoutAction() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.Tunnel2DpdTimeoutAction }).(pulumi.StringPtrOutput)
}

// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than `30`.
func (o VpnConnectionOutput) Tunnel2DpdTimeoutSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel2DpdTimeoutSeconds }).(pulumi.IntPtrOutput)
}

// Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are `true | false`.
func (o VpnConnectionOutput) Tunnel2EnableTunnelLifecycleControl() pulumi.BoolPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.BoolPtrOutput { return v.Tunnel2EnableTunnelLifecycleControl }).(pulumi.BoolPtrOutput)
}

// The IKE versions that are permitted for the second VPN tunnel. Valid values are `ikev1 | ikev2`.
func (o VpnConnectionOutput) Tunnel2IkeVersions() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel2IkeVersions }).(pulumi.StringArrayOutput)
}

// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
func (o VpnConnectionOutput) Tunnel2InsideCidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2InsideCidr }).(pulumi.StringOutput)
}

// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
func (o VpnConnectionOutput) Tunnel2InsideIpv6Cidr() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2InsideIpv6Cidr }).(pulumi.StringOutput)
}

// Options for logging VPN tunnel activity. See Log Options below for more details.
func (o VpnConnectionOutput) Tunnel2LogOptions() VpnConnectionTunnel2LogOptionsOutput {
	return o.ApplyT(func(v *VpnConnection) VpnConnectionTunnel2LogOptionsOutput { return v.Tunnel2LogOptions }).(VpnConnectionTunnel2LogOptionsOutput)
}

// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 `.
func (o VpnConnectionOutput) Tunnel2Phase1DhGroupNumbers() pulumi.IntArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntArrayOutput { return v.Tunnel2Phase1DhGroupNumbers }).(pulumi.IntArrayOutput)
}

// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
func (o VpnConnectionOutput) Tunnel2Phase1EncryptionAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel2Phase1EncryptionAlgorithms }).(pulumi.StringArrayOutput)
}

// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
func (o VpnConnectionOutput) Tunnel2Phase1IntegrityAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel2Phase1IntegrityAlgorithms }).(pulumi.StringArrayOutput)
}

// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `28800`.
func (o VpnConnectionOutput) Tunnel2Phase1LifetimeSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel2Phase1LifetimeSeconds }).(pulumi.IntPtrOutput)
}

// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24`.
func (o VpnConnectionOutput) Tunnel2Phase2DhGroupNumbers() pulumi.IntArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntArrayOutput { return v.Tunnel2Phase2DhGroupNumbers }).(pulumi.IntArrayOutput)
}

// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16`.
func (o VpnConnectionOutput) Tunnel2Phase2EncryptionAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel2Phase2EncryptionAlgorithms }).(pulumi.StringArrayOutput)
}

// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are `SHA1 | SHA2-256 | SHA2-384 | SHA2-512`.
func (o VpnConnectionOutput) Tunnel2Phase2IntegrityAlgorithms() pulumi.StringArrayOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringArrayOutput { return v.Tunnel2Phase2IntegrityAlgorithms }).(pulumi.StringArrayOutput)
}

// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between `900` and `3600`.
func (o VpnConnectionOutput) Tunnel2Phase2LifetimeSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel2Phase2LifetimeSeconds }).(pulumi.IntPtrOutput)
}

// The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).
func (o VpnConnectionOutput) Tunnel2PresharedKey() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2PresharedKey }).(pulumi.StringOutput)
}

// The percentage of the rekey window for the second VPN tunnel (determined by `tunnel2RekeyMarginTimeSeconds`) during which the rekey time is randomly selected. Valid value is between `0` and `100`.
func (o VpnConnectionOutput) Tunnel2RekeyFuzzPercentage() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel2RekeyFuzzPercentage }).(pulumi.IntPtrOutput)
}

// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for `tunnel2RekeyFuzzPercentage`. Valid value is between `60` and half of `tunnel2Phase2LifetimeSeconds`.
func (o VpnConnectionOutput) Tunnel2RekeyMarginTimeSeconds() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel2RekeyMarginTimeSeconds }).(pulumi.IntPtrOutput)
}

// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between `64` and `2048`.
func (o VpnConnectionOutput) Tunnel2ReplayWindowSize() pulumi.IntPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.IntPtrOutput { return v.Tunnel2ReplayWindowSize }).(pulumi.IntPtrOutput)
}

// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are `add | start`.
func (o VpnConnectionOutput) Tunnel2StartupAction() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.Tunnel2StartupAction }).(pulumi.StringPtrOutput)
}

// The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
func (o VpnConnectionOutput) Tunnel2VgwInsideAddress() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Tunnel2VgwInsideAddress }).(pulumi.StringOutput)
}

// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are `ipv4 | ipv6`. `ipv6` Supports only EC2 Transit Gateway.
func (o VpnConnectionOutput) TunnelInsideIpVersion() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.TunnelInsideIpVersion }).(pulumi.StringOutput)
}

// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
func (o VpnConnectionOutput) Type() pulumi.StringOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringOutput { return v.Type }).(pulumi.StringOutput)
}

// Telemetry for the VPN tunnels. Detailed below.
func (o VpnConnectionOutput) VgwTelemetries() VpnConnectionVgwTelemetryArrayOutput {
	return o.ApplyT(func(v *VpnConnection) VpnConnectionVgwTelemetryArrayOutput { return v.VgwTelemetries }).(VpnConnectionVgwTelemetryArrayOutput)
}

// The ID of the Virtual Private Gateway.
func (o VpnConnectionOutput) VpnGatewayId() pulumi.StringPtrOutput {
	return o.ApplyT(func(v *VpnConnection) pulumi.StringPtrOutput { return v.VpnGatewayId }).(pulumi.StringPtrOutput)
}

type VpnConnectionArrayOutput struct{ *pulumi.OutputState }

func (VpnConnectionArrayOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*[]*VpnConnection)(nil)).Elem()
}

func (o VpnConnectionArrayOutput) ToVpnConnectionArrayOutput() VpnConnectionArrayOutput {
	return o
}

func (o VpnConnectionArrayOutput) ToVpnConnectionArrayOutputWithContext(ctx context.Context) VpnConnectionArrayOutput {
	return o
}

func (o VpnConnectionArrayOutput) Index(i pulumi.IntInput) VpnConnectionOutput {
	return pulumi.All(o, i).ApplyT(func(vs []interface{}) *VpnConnection {
		return vs[0].([]*VpnConnection)[vs[1].(int)]
	}).(VpnConnectionOutput)
}

type VpnConnectionMapOutput struct{ *pulumi.OutputState }

func (VpnConnectionMapOutput) ElementType() reflect.Type {
	return reflect.TypeOf((*map[string]*VpnConnection)(nil)).Elem()
}

func (o VpnConnectionMapOutput) ToVpnConnectionMapOutput() VpnConnectionMapOutput {
	return o
}

func (o VpnConnectionMapOutput) ToVpnConnectionMapOutputWithContext(ctx context.Context) VpnConnectionMapOutput {
	return o
}

func (o VpnConnectionMapOutput) MapIndex(k pulumi.StringInput) VpnConnectionOutput {
	return pulumi.All(o, k).ApplyT(func(vs []interface{}) *VpnConnection {
		return vs[0].(map[string]*VpnConnection)[vs[1].(string)]
	}).(VpnConnectionOutput)
}

func init() {
	pulumi.RegisterInputType(reflect.TypeOf((*VpnConnectionInput)(nil)).Elem(), &VpnConnection{})
	pulumi.RegisterInputType(reflect.TypeOf((*VpnConnectionArrayInput)(nil)).Elem(), VpnConnectionArray{})
	pulumi.RegisterInputType(reflect.TypeOf((*VpnConnectionMapInput)(nil)).Elem(), VpnConnectionMap{})
	pulumi.RegisterOutputType(VpnConnectionOutput{})
	pulumi.RegisterOutputType(VpnConnectionArrayOutput{})
	pulumi.RegisterOutputType(VpnConnectionMapOutput{})
}