147 changes: 147 additions & 0 deletions docs/data-sources/vpn_connection.md
@@ -0,0 +1,147 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "stackit_vpn_connection Data Source - stackit"
subcategory: ""
description: |-
VPN Connection data source schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
---

# stackit_vpn_connection (Data Source)

VPN Connection data source schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.

## Example Usage

```terraform
data "stackit_vpn_connection" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
gateway_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
connection_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `connection_id` (String) The server-generated UUID of the VPN connection.
- `gateway_id` (String) The UUID of the parent VPN gateway.
- `project_id` (String) STACKIT project ID.

### Read-Only

- `display_name` (String) A user-friendly name for the connection.
- `enabled` (Boolean) Whether this connection is enabled.
- `id` (String) Terraform's internal resource identifier. Structured as "`project_id`,`region`,`gateway_id`,`connection_id`".
- `labels` (Map of String) Map of custom labels.
- `local_subnet` (List of String) List of local IPv4 CIDRs to route through this connection.
- `region` (String) STACKIT region.
- `remote_subnet` (List of String) List of remote IPv4 CIDRs accessible via this connection.
- `static_routes` (List of String) List of static routes (IPv4 CIDRs) for route-based VPN.
- `tunnel1` (Attributes) (see [below for nested schema](#nestedatt--tunnel1))
- `tunnel2` (Attributes) (see [below for nested schema](#nestedatt--tunnel2))

<a id="nestedatt--tunnel1"></a>
### Nested Schema for `tunnel1`

Read-Only:

- `bgp` (Attributes) BGP configuration for this tunnel. (see [below for nested schema](#nestedatt--tunnel1--bgp))
- `peering` (Attributes) Tunnel interface peering configuration. (see [below for nested schema](#nestedatt--tunnel1--peering))
- `phase1` (Attributes) IKE Phase 1 configuration. (see [below for nested schema](#nestedatt--tunnel1--phase1))
- `phase2` (Attributes) IKE Phase 2 configuration. (see [below for nested schema](#nestedatt--tunnel1--phase2))
- `remote_address` (String) Remote peer IPv4 address for this tunnel.

<a id="nestedatt--tunnel1--bgp"></a>
### Nested Schema for `tunnel1.bgp`

Read-Only:

- `remote_asn` (Number) Remote AS number.


<a id="nestedatt--tunnel1--peering"></a>
### Nested Schema for `tunnel1.peering`

Read-Only:

- `local_address` (String) Local tunnel interface IPv4 address.
- `remote_address` (String) Remote tunnel interface IPv4 address.


<a id="nestedatt--tunnel1--phase1"></a>
### Nested Schema for `tunnel1.phase1`

Read-Only:

- `dh_groups` (List of String) Diffie-Hellman groups.
- `encryption_algorithms` (List of String) Encryption algorithms.
- `integrity_algorithms` (List of String) Integrity/hash algorithms.
- `rekey_time` (Number) IKE re-keying time in seconds.


<a id="nestedatt--tunnel1--phase2"></a>
### Nested Schema for `tunnel1.phase2`

Read-Only:

- `dh_groups` (List of String) Diffie-Hellman groups for PFS.
- `dpd_action` (String) DPD timeout action (clear or restart).
- `encryption_algorithms` (List of String) Encryption algorithms.
- `integrity_algorithms` (List of String) Integrity/hash algorithms.
- `rekey_time` (Number) Child SA re-keying time in seconds.
- `start_action` (String) Start action (none or start).



<a id="nestedatt--tunnel2"></a>
### Nested Schema for `tunnel2`

Read-Only:

- `bgp` (Attributes) BGP configuration for this tunnel. (see [below for nested schema](#nestedatt--tunnel2--bgp))
- `peering` (Attributes) Tunnel interface peering configuration. (see [below for nested schema](#nestedatt--tunnel2--peering))
- `phase1` (Attributes) IKE Phase 1 configuration. (see [below for nested schema](#nestedatt--tunnel2--phase1))
- `phase2` (Attributes) IKE Phase 2 configuration. (see [below for nested schema](#nestedatt--tunnel2--phase2))
- `remote_address` (String) Remote peer IPv4 address for this tunnel.

<a id="nestedatt--tunnel2--bgp"></a>
### Nested Schema for `tunnel2.bgp`

Read-Only:

- `remote_asn` (Number) Remote AS number.


<a id="nestedatt--tunnel2--peering"></a>
### Nested Schema for `tunnel2.peering`

Read-Only:

- `local_address` (String) Local tunnel interface IPv4 address.
- `remote_address` (String) Remote tunnel interface IPv4 address.


<a id="nestedatt--tunnel2--phase1"></a>
### Nested Schema for `tunnel2.phase1`

Read-Only:

- `dh_groups` (List of String) Diffie-Hellman groups.
- `encryption_algorithms` (List of String) Encryption algorithms.
- `integrity_algorithms` (List of String) Integrity/hash algorithms.
- `rekey_time` (Number) IKE re-keying time in seconds.


<a id="nestedatt--tunnel2--phase2"></a>
### Nested Schema for `tunnel2.phase2`

Read-Only:

- `dh_groups` (List of String) Diffie-Hellman groups for PFS.
- `dpd_action` (String) DPD timeout action (clear or restart).
- `encryption_algorithms` (List of String) Encryption algorithms.
- `integrity_algorithms` (List of String) Integrity/hash algorithms.
- `rekey_time` (Number) Child SA re-keying time in seconds.
- `start_action` (String) Start action (none or start).
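Review bot: the description at the top of this data source ("in case no `region` is defined on datasource level") conflicts with the schema below it, where `region` appears only under Read-Only, so a user cannot set it on the data source at all. Either `region` should be an Optional input here (as it is in the resource schema) or the fallback sentence should be dropped from the description. Two smaller points in the same file: the `phase1`/`phase2` and `dpd_action`/`start_action` descriptions omit the possible values that the resource docs spell out, so a reader of the data source cannot tell what `dh_groups` or `dpd_action` can contain; and there are stray extra blank lines before the `tunnel2` anchor. Both come from the schema descriptions fed to tfplugindocs, so the fix belongs in the provider schema rather than in this generated file.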
218 changes: 218 additions & 0 deletions docs/resources/vpn_connection.md
@@ -0,0 +1,218 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "stackit_vpn_connection Resource - stackit"
subcategory: ""
description: |-
VPN Connection resource schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on resource level.
---

# stackit_vpn_connection (Resource)

VPN Connection resource schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on resource level.

## Example Usage

```terraform
resource "stackit_vpn_connection" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
gateway_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
display_name = "example-vpn-connection"

tunnel1 = {
remote_address = "198.51.100.10"
pre_shared_key_wo = "example-super-secret-key-tunnel1"

phase1 = {
dh_groups = ["ecp384"]
encryption_algorithms = ["aes256"]
integrity_algorithms = ["sha2_384"]
}

phase2 = {
dh_groups = ["ecp384"]
encryption_algorithms = ["aes256"]
integrity_algorithms = ["sha2_384"]
}
}

tunnel2 = {
remote_address = "203.0.113.10"
pre_shared_key_wo = "example-super-secret-key-tunnel2"

phase1 = {
dh_groups = ["ecp384"]
encryption_algorithms = ["aes256"]
integrity_algorithms = ["sha2_384"]
}

phase2 = {
dh_groups = ["ecp384"]
encryption_algorithms = ["aes256"]
integrity_algorithms = ["sha2_384"]
}
}
}

# Only use the import statement, if you want to import an existing VPN connection
import {
to = stackit_vpn_connection.example
id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,eu01,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `display_name` (String) A user-friendly name for the connection. Must start and end with an alphanumeric character, may contain hyphens, and be 1-63 characters long.
- `gateway_id` (String) The UUID of the parent VPN gateway.
- `project_id` (String) STACKIT project ID.
- `tunnel1` (Attributes) Configuration for the IPsec tunnel.

-> **Note:** Write-Only argument `pre_shared_key_wo` is available to use in place of `pre_shared_key`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments). (see [below for nested schema](#nestedatt--tunnel1))
- `tunnel2` (Attributes) Configuration for the IPsec tunnel.

-> **Note:** Write-Only argument `pre_shared_key_wo` is available to use in place of `pre_shared_key`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments). (see [below for nested schema](#nestedatt--tunnel2))

### Optional

- `enabled` (Boolean) Whether this connection is enabled. Defaults to true.
- `labels` (Map of String) Map of custom labels.
- `local_subnet` (List of String) List of local IPv4 CIDRs to route through this connection. Optional for route-based and BGP configurations (defaults to 0.0.0.0/0). Mandatory for policy-based.
- `region` (String) STACKIT region.
- `remote_subnet` (List of String) List of remote IPv4 CIDRs accessible via this connection. Optional for route-based and BGP configurations (defaults to 0.0.0.0/0). Mandatory for policy-based.
- `static_routes` (List of String) List of static routes (IPv4 CIDRs) for route-based VPN. Mandatory for ROUTE_BASED gateways.

### Read-Only

- `connection_id` (String) The server-generated UUID of the VPN connection.
- `id` (String) Terraform's internal resource identifier. Structured as "`project_id`,`region`,`gateway_id`,`connection_id`".

<a id="nestedatt--tunnel1"></a>
### Nested Schema for `tunnel1`

Required:

- `phase1` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--phase1))
- `phase2` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--phase2))
- `pre_shared_key` (String, Sensitive) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only argument `pre_shared_key_wo` should be preferred.
- `pre_shared_key_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only - never stored in state and never returned by the API. To rotate the key, update this value AND increment pre_shared_key_wo_version. Changing this field alone will NOT trigger an update.
- `remote_address` (String) Remote IPv4 address for the tunnel endpoint.

Optional:

- `bgp` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--bgp))
- `peering` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--peering))
- `pre_shared_key_wo_version` (Number) User-managed rotation counter for the pre-shared key. Must be incremented every time pre_shared_key_wo is changed. Terraform diffs this field to detect key rotations - changing pre_shared_key_wo alone will NOT trigger an update because it is write-only and never stored in state.

<a id="nestedatt--tunnel1--phase1"></a>
### Nested Schema for `tunnel1.phase1`

Required:

- `encryption_algorithms` (List of String) Encryption algorithms for Phase 1. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
- `integrity_algorithms` (List of String) Integrity algorithms for Phase 1. Possible values are: `sha1`, `sha2_256`, `sha2_384`.

Optional:

- `dh_groups` (List of String) Diffie-Hellman groups for key exchange. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
- `rekey_time` (Number) Time to schedule an IKE re-keying in seconds. Range: 900-28800. Default: 14400.


<a id="nestedatt--tunnel1--phase2"></a>
### Nested Schema for `tunnel1.phase2`

Required:

- `encryption_algorithms` (List of String) Encryption algorithms for Phase 2. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
- `integrity_algorithms` (List of String) Integrity algorithms for Phase 2. Possible values are: `sha1`, `sha2_256`, `sha2_384`.

Optional:

- `dh_groups` (List of String) Diffie-Hellman groups for Phase 2. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
- `dpd_action` (String) Action to perform on DPD timeout. Default: 'restart'. Possible values are: `clear`, `restart`.
- `rekey_time` (Number) Time to schedule a Child SA re-keying in seconds. Range: 900-3600. Default: 3600.
- `start_action` (String) Action to perform after loading the connection configuration. Default: 'start'. Possible values are: `none`, `start`.


<a id="nestedatt--tunnel1--bgp"></a>
### Nested Schema for `tunnel1.bgp`

Required:

- `remote_asn` (Number) Remote ASN for BGP peering (private ASN range, 64512-4294967294).


<a id="nestedatt--tunnel1--peering"></a>
### Nested Schema for `tunnel1.peering`

Required:

- `local_address` (String) Local tunnel interface IPv4 address.
- `remote_address` (String) Remote tunnel interface IPv4 address.



<a id="nestedatt--tunnel2"></a>
### Nested Schema for `tunnel2`

Required:

- `phase1` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--phase1))
- `phase2` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--phase2))
- `pre_shared_key` (String, Sensitive) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only argument `pre_shared_key_wo` should be preferred.
- `pre_shared_key_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only - never stored in state and never returned by the API. To rotate the key, update this value AND increment pre_shared_key_wo_version. Changing this field alone will NOT trigger an update.
- `remote_address` (String) Remote IPv4 address for the tunnel endpoint.

Optional:

- `bgp` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--bgp))
- `peering` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--peering))
- `pre_shared_key_wo_version` (Number) User-managed rotation counter for the pre-shared key. Must be incremented every time pre_shared_key_wo is changed. Terraform diffs this field to detect key rotations - changing pre_shared_key_wo alone will NOT trigger an update because it is write-only and never stored in state.

<a id="nestedatt--tunnel2--phase1"></a>
### Nested Schema for `tunnel2.phase1`

Required:

- `encryption_algorithms` (List of String) Encryption algorithms for Phase 1. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
- `integrity_algorithms` (List of String) Integrity algorithms for Phase 1. Possible values are: `sha1`, `sha2_256`, `sha2_384`.

Optional:

- `dh_groups` (List of String) Diffie-Hellman groups for key exchange. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
- `rekey_time` (Number) Time to schedule an IKE re-keying in seconds. Range: 900-28800. Default: 14400.


<a id="nestedatt--tunnel2--phase2"></a>
### Nested Schema for `tunnel2.phase2`

Required:

- `encryption_algorithms` (List of String) Encryption algorithms for Phase 2. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
- `integrity_algorithms` (List of String) Integrity algorithms for Phase 2. Possible values are: `sha1`, `sha2_256`, `sha2_384`.

Optional:

- `dh_groups` (List of String) Diffie-Hellman groups for Phase 2. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
- `dpd_action` (String) Action to perform on DPD timeout. Default: 'restart'. Possible values are: `clear`, `restart`.
- `rekey_time` (Number) Time to schedule a Child SA re-keying in seconds. Range: 900-3600. Default: 3600.
- `start_action` (String) Action to perform after loading the connection configuration. Default: 'start'. Possible values are: `none`, `start`.


<a id="nestedatt--tunnel2--bgp"></a>
### Nested Schema for `tunnel2.bgp`

Required:

- `remote_asn` (Number) Remote ASN for BGP peering (private ASN range, 64512-4294967294).


<a id="nestedatt--tunnel2--peering"></a>
### Nested Schema for `tunnel2.peering`

Required:

- `local_address` (String) Local tunnel interface IPv4 address.
- `remote_address` (String) Remote tunnel interface IPv4 address.
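Review bot: `pre_shared_key` and `pre_shared_key_wo` are both listed under Required for `tunnel1` and `tunnel2` (the lines starting `- \`pre_shared_key\`` and `- \`pre_shared_key_wo\``), which contradicts the note above saying `pre_shared_key_wo` is available in place of `pre_shared_key` and the Example Usage that sets only `pre_shared_key_wo`; a configuration following the schema as written would have to supply both. Move both to Optional and state the exactly-one-of rule in their descriptions. Two further points on the same nested schemas: `integrity_algorithms` accepts `sha1` and `dh_groups` accepts `modp1024` with no caveat, so it would help operators to mark these as legacy values kept for peer compatibility rather than recommended choices, and to say whether `integrity_algorithms` is still required (or ignored) when an AEAD cipher such as `aes256gcm16` is selected, since it is Required for both phases unconditionally. Finally, `pre_shared_key_wo_version` is Optional while the `pre_shared_key_wo` text says a rotation is only detected when it is incremented; the description should say what value to set on first apply so that the first rotation is actually picked up.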
5 changes: 5 additions & 0 deletions examples/data-sources/stackit_vpn_connection/data-source.tf
@@ -0,0 +1,5 @@
data "stackit_vpn_connection" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
gateway_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
connection_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}