
Cannot create a classic route based VPN tunnel with Terraform in GCP

What I want to accomplish:

I want Terraform to create a Classic route based VPN tunnel in GCP.

Background:

When setting up a VPN tunnel in GCP there are three options for routing:

  • BGP
  • Route based
  • Policy based

When creating a Route based VPN tunnel in GCP you need to specify the remote subnets. If you are creating a Policy based VPN tunnel you also need to specify local subnets.

Since I want to create a route based VPN tunnel I only need to provide remote subnets.

The problem:

However, in Terraform there is no option for the resource "google_compute_vpn_tunnel" that has to do with which routing type to use. Okay, maybe it's determined by the lack of "local_traffic_selector" and then becomes a route based VPN tunnel. But even if I omit the "local_traffic_selector" option in my main.tf it is still there in the plan.

  + local_traffic_selector = (known after apply)

Since I have not specified any value for it, Terraform tries to use it with an empty value, which is not possible.

Error: Error creating VpnTunnel: googleapi: Error 400: Invalid value for field 'resource.localTrafficSelector[0]': ''. The local_traffic_selector field cannot be empty for network in custom subnet mode., invalid

  on main.tf line 51, in resource "google_compute_vpn_tunnel" "tunnel1":
  51: resource "google_compute_vpn_tunnel" "tunnel1" {

If I do specify it, the VPN tunnel will be of type Policy based instead of Route based.

Is there no support for Terraform to create a route based classic VPN tunnel in GCP?

Another strange thing is when creating the VPN gateway. When you do it in the GCP console you need to specify what external IP address the VPN gateway has. That is a pretty important property. But Terraform has no option for setting the IP address for the resource "google_compute_vpn_gateway". In the examples here: https://www.terraform.io/docs/providers/google/r/compute_vpn_gateway.html they create a static IP object, but it's never assigned to the VPN gateway in the configuration.

resource "google_compute_vpn_tunnel" "tunnel1" {
  name                    = "tunnel1"
  peer_ip                 = "15.0.0.120"
  shared_secret           = "a secret message"
  local_traffic_selector  = ["0.0.0.0/0"]
  remote_traffic_selector = ["0.0.0.0/0"]
}

Add the remote_traffic_selector field as 0.0.0.0/0 and create routes pointing to the tunnel independently; this will create a route based VPN.

According to the documentation of VPN routing policies, Route Based = Policy based if the local selector is 0.0.0.0/0:

Route based VPN tunnels are similar to tunnels that use policy based routing, except that only the remote IP ranges (right side) are specified. The list of local IP ranges is assumed to be any network (0.0.0.0/0), so you only specify the remote traffic selector.

By the way, add local_traffic_selector = ["0.0.0.0/0"] in your tunnel definition, like this (here in the default example of Terraform):

resource "google_compute_vpn_tunnel" "tunnel1" {
  name                   = "tunnel1"
  peer_ip                = "15.0.0.120"
  shared_secret          = "a secret message"
  local_traffic_selector = ["0.0.0.0/0"]
  ...

Yes, of course, the created VPN tunnel is set as Policy Based in the GUI but with a local network to 0.0.0.0/0, thus technically equivalent to Route Based config.

About the static IP, it's the standard (and boring) behavior of Terraform. You have to create the static IP with Terraform so that its state is saved in the TFSTATE file, and then you have the capability to reuse it. Try this:

  • Keep only the external IP creation in your main.tf file:

resource "google_compute_address" "vpn_static_ip" {
  name   = "my-vpn-ip"
}

  • Apply this configuration
  • Now add the rest of the configuration
  • Apply the updated configuration again

As you can see, Terraform retrieves the IP from the previous state and reuses it without creating a new IP:

google_compute_address.vpn_static_ip: Refreshing state... [id=******PROJECT_ID*****/us-central1/my-vpn-ip]
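Putting both answers together, as an added example that is not code from the question or from either answer: a complete classic route based tunnel in Terraform's google provider, with the static IP attached through the ESP/UDP 500/UDP 4500 forwarding rules that the linked docs example uses, and explicit routes doing the routing. It assumes a network google_compute_network.network1, a sensitive variable vpn_shared_secret and a provider region of us-central1 are declared elsewhere; the remote prefix 15.0.0.0/24 is a constructed value.

```hcl
# Static IP created first and kept in state so later applies reuse it.
resource "google_compute_address" "vpn_static_ip" {
  name   = "my-vpn-ip"
  region = "us-central1"
}

resource "google_compute_vpn_gateway" "target_gateway" {
  name    = "vpn-1"
  network = google_compute_network.network1.id # assumed to exist elsewhere
  region  = "us-central1"
}

# Classic VPN traffic (ESP, UDP/500, UDP/4500) is forwarded to the gateway;
# the forwarding rules are where the static IP actually gets attached.
resource "google_compute_forwarding_rule" "vpn" {
  for_each = {
    esp     = { proto = "ESP", ports = null }
    udp500  = { proto = "UDP", ports = "500" }
    udp4500 = { proto = "UDP", ports = "4500" }
  }
  name        = "fr-${each.key}"
  region      = "us-central1"
  ip_protocol = each.value.proto
  port_range  = each.value.ports
  ip_address  = google_compute_address.vpn_static_ip.address
  target      = google_compute_vpn_gateway.target_gateway.id
}

# Both selectors 0.0.0.0/0: the API reports it as policy based, but the
# tunnel carries whatever the explicit routes below send into it.
resource "google_compute_vpn_tunnel" "tunnel1" {
  name                    = "tunnel1"
  peer_ip                 = "15.0.0.120"
  shared_secret           = var.vpn_shared_secret # sensitive variable, not a literal in main.tf
  target_vpn_gateway      = google_compute_vpn_gateway.target_gateway.id
  local_traffic_selector  = ["0.0.0.0/0"]
  remote_traffic_selector = ["0.0.0.0/0"]
  depends_on              = [google_compute_forwarding_rule.vpn]
}

# Route based behaviour: one explicit route per remote prefix, next hop is the tunnel (constructed prefix).
resource "google_compute_route" "to_peer" {
  for_each            = { "peer-net" = "15.0.0.0/24" }
  name                = "route-${each.key}"
  network             = google_compute_network.network1.name
  dest_range          = each.value
  priority            = 1000
  next_hop_vpn_tunnel = google_compute_vpn_tunnel.tunnel1.id
}
```

Apply the google_compute_address alone first, as the answer above describes, then add the rest; the second plan should show the address as refreshed rather than created.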
