github.com/recobe182/terraform@v0.8.5-0.20170117231232-49ab22a935b7/builtin/providers/google/resource_compute_vpn_tunnel.go (about)

     1  package google
     2  
     3  import (
     4  	"bytes"
     5  	"fmt"
     6  	"log"
     7  	"net"
     8  
     9  	"github.com/hashicorp/terraform/helper/schema"
    10  
    11  	"google.golang.org/api/compute/v1"
    12  	"google.golang.org/api/googleapi"
    13  )
    14  
    15  func resourceComputeVpnTunnel() *schema.Resource {
    16  	return &schema.Resource{
    17  		// Unfortunately, the VPNTunnelService does not support update
    18  		// operations. This is why everything is marked forcenew
    19  		Create: resourceComputeVpnTunnelCreate,
    20  		Read:   resourceComputeVpnTunnelRead,
    21  		Delete: resourceComputeVpnTunnelDelete,
    22  
    23  		Schema: map[string]*schema.Schema{
    24  			"name": &schema.Schema{
    25  				Type:     schema.TypeString,
    26  				Required: true,
    27  				ForceNew: true,
    28  			},
    29  
    30  			"peer_ip": &schema.Schema{
    31  				Type:         schema.TypeString,
    32  				Required:     true,
    33  				ForceNew:     true,
    34  				ValidateFunc: validatePeerAddr,
    35  			},
    36  
    37  			"shared_secret": &schema.Schema{
    38  				Type:     schema.TypeString,
    39  				Required: true,
    40  				ForceNew: true,
    41  			},
    42  
    43  			"target_vpn_gateway": &schema.Schema{
    44  				Type:     schema.TypeString,
    45  				Required: true,
    46  				ForceNew: true,
    47  			},
    48  
    49  			"description": &schema.Schema{
    50  				Type:     schema.TypeString,
    51  				Optional: true,
    52  				ForceNew: true,
    53  			},
    54  
    55  			"detailed_status": &schema.Schema{
    56  				Type:     schema.TypeString,
    57  				Computed: true,
    58  			},
    59  
    60  			"ike_version": &schema.Schema{
    61  				Type:     schema.TypeInt,
    62  				Optional: true,
    63  				Default:  2,
    64  				ForceNew: true,
    65  			},
    66  
    67  			"local_traffic_selector": &schema.Schema{
    68  				Type:     schema.TypeSet,
    69  				Optional: true,
    70  				ForceNew: true,
    71  				Elem:     &schema.Schema{Type: schema.TypeString},
    72  				Set:      schema.HashString,
    73  			},
    74  
    75  			"project": &schema.Schema{
    76  				Type:     schema.TypeString,
    77  				Optional: true,
    78  				ForceNew: true,
    79  			},
    80  
    81  			"region": &schema.Schema{
    82  				Type:     schema.TypeString,
    83  				Optional: true,
    84  				ForceNew: true,
    85  			},
    86  
    87  			"self_link": &schema.Schema{
    88  				Type:     schema.TypeString,
    89  				Computed: true,
    90  			},
    91  		},
    92  	}
    93  }
    94  
    95  func resourceComputeVpnTunnelCreate(d *schema.ResourceData, meta interface{}) error {
    96  	config := meta.(*Config)
    97  
    98  	region, err := getRegion(d, config)
    99  	if err != nil {
   100  		return err
   101  	}
   102  
   103  	project, err := getProject(d, config)
   104  	if err != nil {
   105  		return err
   106  	}
   107  
   108  	name := d.Get("name").(string)
   109  	peerIp := d.Get("peer_ip").(string)
   110  	sharedSecret := d.Get("shared_secret").(string)
   111  	targetVpnGateway := d.Get("target_vpn_gateway").(string)
   112  	ikeVersion := d.Get("ike_version").(int)
   113  
   114  	if ikeVersion < 1 || ikeVersion > 2 {
   115  		return fmt.Errorf("Only IKE version 1 or 2 supported, not %d", ikeVersion)
   116  	}
   117  
   118  	// Build up the list of sources
   119  	var localTrafficSelectors []string
   120  	if v := d.Get("local_traffic_selector").(*schema.Set); v.Len() > 0 {
   121  		localTrafficSelectors = make([]string, v.Len())
   122  		for i, v := range v.List() {
   123  			localTrafficSelectors[i] = v.(string)
   124  		}
   125  	}
   126  
   127  	vpnTunnelsService := compute.NewVpnTunnelsService(config.clientCompute)
   128  
   129  	vpnTunnel := &compute.VpnTunnel{
   130  		Name:                 name,
   131  		PeerIp:               peerIp,
   132  		SharedSecret:         sharedSecret,
   133  		TargetVpnGateway:     targetVpnGateway,
   134  		IkeVersion:           int64(ikeVersion),
   135  		LocalTrafficSelector: localTrafficSelectors,
   136  	}
   137  
   138  	if v, ok := d.GetOk("description"); ok {
   139  		vpnTunnel.Description = v.(string)
   140  	}
   141  
   142  	op, err := vpnTunnelsService.Insert(project, region, vpnTunnel).Do()
   143  	if err != nil {
   144  		return fmt.Errorf("Error Inserting VPN Tunnel %s : %s", name, err)
   145  	}
   146  
   147  	err = computeOperationWaitRegion(config, op, project, region, "Inserting VPN Tunnel")
   148  	if err != nil {
   149  		return fmt.Errorf("Error Waiting to Insert VPN Tunnel %s: %s", name, err)
   150  	}
   151  
   152  	return resourceComputeVpnTunnelRead(d, meta)
   153  }
   154  
   155  func resourceComputeVpnTunnelRead(d *schema.ResourceData, meta interface{}) error {
   156  	config := meta.(*Config)
   157  
   158  	region, err := getRegion(d, config)
   159  	if err != nil {
   160  		return err
   161  	}
   162  
   163  	project, err := getProject(d, config)
   164  	if err != nil {
   165  		return err
   166  	}
   167  
   168  	name := d.Get("name").(string)
   169  
   170  	vpnTunnelsService := compute.NewVpnTunnelsService(config.clientCompute)
   171  
   172  	vpnTunnel, err := vpnTunnelsService.Get(project, region, name).Do()
   173  	if err != nil {
   174  		if gerr, ok := err.(*googleapi.Error); ok && gerr.Code == 404 {
   175  			log.Printf("[WARN] Removing VPN Tunnel %q because it's gone", d.Get("name").(string))
   176  			// The resource doesn't exist anymore
   177  			d.SetId("")
   178  
   179  			return nil
   180  		}
   181  
   182  		return fmt.Errorf("Error Reading VPN Tunnel %s: %s", name, err)
   183  	}
   184  
   185  	d.Set("detailed_status", vpnTunnel.DetailedStatus)
   186  	d.Set("self_link", vpnTunnel.SelfLink)
   187  
   188  	d.SetId(name)
   189  
   190  	return nil
   191  }
   192  
   193  func resourceComputeVpnTunnelDelete(d *schema.ResourceData, meta interface{}) error {
   194  	config := meta.(*Config)
   195  
   196  	region, err := getRegion(d, config)
   197  	if err != nil {
   198  		return err
   199  	}
   200  
   201  	project, err := getProject(d, config)
   202  	if err != nil {
   203  		return err
   204  	}
   205  
   206  	name := d.Get("name").(string)
   207  
   208  	vpnTunnelsService := compute.NewVpnTunnelsService(config.clientCompute)
   209  
   210  	op, err := vpnTunnelsService.Delete(project, region, name).Do()
   211  	if err != nil {
   212  		return fmt.Errorf("Error Reading VPN Tunnel %s: %s", name, err)
   213  	}
   214  
   215  	err = computeOperationWaitRegion(config, op, project, region, "Deleting VPN Tunnel")
   216  	if err != nil {
   217  		return fmt.Errorf("Error Waiting to Delete VPN Tunnel %s: %s", name, err)
   218  	}
   219  
   220  	return nil
   221  }
   222  
   223  // validatePeerAddr returns false if a tunnel's peer_ip property
   224  // is invalid. Currently, only addresses that collide with RFC
   225  // 5735 (https://tools.ietf.org/html/rfc5735) fail validation.
   226  func validatePeerAddr(i interface{}, val string) ([]string, []error) {
   227  	ip := net.ParseIP(i.(string))
   228  	if ip == nil {
   229  		return nil, []error{fmt.Errorf("could not parse %q to IP address", val)}
   230  	}
   231  	for _, test := range invalidPeerAddrs {
   232  		if bytes.Compare(ip, test.from) >= 0 && bytes.Compare(ip, test.to) <= 0 {
   233  			return nil, []error{fmt.Errorf("address is invalid (is between %q and %q, conflicting with RFC5735)", test.from, test.to)}
   234  		}
   235  	}
   236  	return nil, nil
   237  }
   238  
   239  // invalidPeerAddrs is a collection of IP addres ranges that represent
   240  // a conflict with RFC 5735 (https://tools.ietf.org/html/rfc5735#page-3).
   241  // CIDR range notations in the RFC were converted to a (from, to) pair
   242  // for easy checking with bytes.Compare.
   243  var invalidPeerAddrs = []struct {
   244  	from net.IP
   245  	to   net.IP
   246  }{
   247  	{
   248  		from: net.ParseIP("0.0.0.0"),
   249  		to:   net.ParseIP("0.255.255.255"),
   250  	},
   251  	{
   252  		from: net.ParseIP("10.0.0.0"),
   253  		to:   net.ParseIP("10.255.255.255"),
   254  	},
   255  	{
   256  		from: net.ParseIP("127.0.0.0"),
   257  		to:   net.ParseIP("127.255.255.255"),
   258  	},
   259  	{
   260  		from: net.ParseIP("169.254.0.0"),
   261  		to:   net.ParseIP("169.254.255.255"),
   262  	},
   263  	{
   264  		from: net.ParseIP("172.16.0.0"),
   265  		to:   net.ParseIP("172.31.255.255"),
   266  	},
   267  	{
   268  		from: net.ParseIP("192.0.0.0"),
   269  		to:   net.ParseIP("192.0.0.255"),
   270  	},
   271  	{
   272  		from: net.ParseIP("192.0.2.0"),
   273  		to:   net.ParseIP("192.0.2.255"),
   274  	},
   275  	{
   276  		from: net.ParseIP("192.88.99.0"),
   277  		to:   net.ParseIP("192.88.99.255"),
   278  	},
   279  	{
   280  		from: net.ParseIP("192.168.0.0"),
   281  		to:   net.ParseIP("192.168.255.255"),
   282  	},
   283  	{
   284  		from: net.ParseIP("198.18.0.0"),
   285  		to:   net.ParseIP("198.19.255.255"),
   286  	},
   287  	{
   288  		from: net.ParseIP("198.51.100.0"),
   289  		to:   net.ParseIP("198.51.100.255"),
   290  	},
   291  	{
   292  		from: net.ParseIP("203.0.113.0"),
   293  		to:   net.ParseIP("203.0.113.255"),
   294  	},
   295  	{
   296  		from: net.ParseIP("224.0.0.0"),
   297  		to:   net.ParseIP("239.255.255.255"),
   298  	},
   299  	{
   300  		from: net.ParseIP("240.0.0.0"),
   301  		to:   net.ParseIP("255.255.255.255"),
   302  	},
   303  	{
   304  		from: net.ParseIP("255.255.255.255"),
   305  		to:   net.ParseIP("255.255.255.255"),
   306  	},
   307  }