Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsupported VPN Settings #43

Closed
arjenvri opened this issue Oct 6, 2020 · 4 comments · Fixed by #44
Closed

Unsupported VPN Settings #43

arjenvri opened this issue Oct 6, 2020 · 4 comments · Fixed by #44
Assignees
@jeremmfr
Labels
enhancement New feature or request

Comments

@arjenvri
Copy link
Contributor

arjenvri commented Oct 6, 2020
edited
Loading

Morning,

would it be possible to start supporting these additional settings for SRX VPN configuration?

thank you!
Arjen

set security ike traceoptions file kmd 
set security ike traceoptions file size 1024768
set security ike traceoptions file files 10
set security ike traceoptions flag all

set security ipsec vpn vpn-ipsec df-bit clear
set security ike gateway vpn-gw dead-peer-detection always-send
@jeremmfr
Copy link
Owner

jeremmfr commented Oct 6, 2020

Hi,

  • security ike traceoptions parameters can't be defined as an object (parameters block differentiable with a unique identifier such as a 'name', 'address', a pair 'route' / 'instance', ...) as required by a Terraform resource.
    You need to use another method to add this configuration.
  • df-bit clear can be defined in resource security_ipsec_vpn :
resource junos_security_ipsec_vpn "vpn-ipsec" {
  name = "vpn-ipsec"
  df_bit = "clear"
  ike {
  ...
  }
}
  • For dead-peer-detection always-send, I must add the option on resource junos_security_ike_gateway, upcoming PR.

@jeremmfr jeremmfr self-assigned this Oct 6, 2020
@jeremmfr jeremmfr added the enhancement New feature or request label Oct 6, 2020
jeremmfr added a commit that referenced this issue Oct 8, 2020
@jeremmfr
Fixes #43: add dead-peer-detection.send_mode in security_ike_gatewa…
8927d4d 
…y resource
@jeremmfr jeremmfr mentioned this issue Oct 8, 2020
Merged
@jeremmfr jeremmfr linked a pull request Oct 8, 2020 that will close this issue
Fixes #43: add send_mode and special resources #44
Merged
@tagur87
Copy link
Contributor

tagur87 commented Oct 13, 2020

@jeremmfr -
I have done some more research on what you have mentioned in this and another past issue related to how certain settings(system services ssh & security ike traceoptions) are not able to be configured in terraform because they can't be defined as an object.

I understand the issue, specifically on how there is no unique ID that can be used to identify the object of these settings, and thus we don't have anything to be able to identify the resource "ID" in the state.

I dug into some code from other firewall providers that I am familiar with, and that have similar "settings" that don't work as an object, and it seems there is a pattern that they use to deal with this issue.

Please take a look at the examples below. Both of these resources seem to be similar to how the junos settings system services ssh and security ike traceoptions would need to be configured to work with terraform.

https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkpoint_management_command_set_api_settings.go#L49

https://github.com/fortinetdev/terraform-provider-fortios/blob/1c670dc9ea42605cde9a763bea460169328c1a52/fortios/resource_firewall_policy.go#L961

I have started to do a proof of concept locally to see what I can come up with, but I wanted to start the dialog to see your thoughts on the above.

Let me know what you think!

Thanks!

jeremmfr added a commit that referenced this issue Oct 13, 2020
@jeremmfr
Fixes #43: add send_mode for dead_peer_detection in resource `sec…
a333aca 
…urity_ike_gateway`
@jeremmfr
Copy link
Owner

@jeremmfr -
I have done some more research on what you have mentioned in this and another past issue related to how certain settings(system services ssh & security ike traceoptions) are not able to be configured in terraform because they can't be defined as an object.

I understand the issue, specifically on how there is no unique ID that can be used to identify the object of these settings, and thus we don't have anything to be able to identify the resource "ID" in the state.

I dug into some code from other firewall providers that I am familiar with, and that have similar "settings" that don't work as an object, and it seems there is a pattern that they use to deal with this issue.

Please take a look at the examples below. Both of these resources seem to be similar to how the junos settings system services ssh and security ike traceoptions would need to be configured to work with terraform.

https://github.com/CheckPointSW/terraform-provider-checkpoint/blob/master/checkpoint/resource_checkpoint_management_command_set_api_settings.go#L49

https://github.com/fortinetdev/terraform-provider-fortios/blob/1c670dc9ea42605cde9a763bea460169328c1a52/fortios/resource_firewall_policy.go#L961

I have started to do a proof of concept locally to see what I can come up with, but I wanted to start the dialog to see your thoughts on the above.

Let me know what you think!

Thanks!

Hi,

It's not juste the ID, it's the concept of terraform resource is an object than can be create/updated/deleted.

But yes I can create a special resource for configure a part of static configuration (not a object) of Junos device.
This special resource have to be created once otherwise there will be the conflicts. Deleting this resource will cause no action.
I will take care of creating this special resource and including parts of configuration requested in issues #26 and #33

Best regards

@jeremmfr
Copy link
Owner

Look release v1.6.0 for your issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeremmfr jeremmfr

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixes #43: add send_mode and special resources jeremmfr/terraform-provider-junos
3 participants
@jeremmfr @tagur87 @arjenvri