diff --git a/README.md b/README.md
index 19688b7..220507d 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ No requirements.
 | Name | Type |
 |------|------|
 | [azurerm_point_to_site_vpn_gateway.p2s_vpng](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/point_to_site_vpn_gateway) | resource |
+| [azurerm_vpn_server_configuration.vpnsc](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_server_configuration) | resource |
 ## Inputs
@@ -36,7 +37,7 @@ No requirements.
 | [scale\_unit](#input\_scale\_unit) | (Required) The Scale Unit for this Point-to-Site VPN Gateway. | `number` | n/a | yes |
 | [tags](#input\_tags) | (Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway. | `any` | `null` | no |
 | [virtual\_hub\_id](#input\_virtual\_hub\_id) | (Required) The ID of the Virtual Hub where this Point-to-Site VPN Gateway should exist. Changing this forces a new resource to be created. | `string` | n/a | yes |
-| [vpn\_server\_configuration\_id](#input\_vpn\_server\_configuration\_id) | (Required) The ID of the VPN Server Configuration which this Point-to-Site VPN Gateway should use. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| [vpn\_server\_configuration](#input\_vpn\_server\_configuration) | (Required) A vpn\_server\_configuration block as defined below. |
object({
name = string
vpn_authentication_types = string
ipsec_policy = optional(object({
dh_group = string
ike_encryption = string
ike_integrity = string
ipsec_encryption = string
ipsec_integrity = string
pfs_group = string
sa_lifetime_seconds = number
sa_data_size_kilobytes = number
}))
vpn_protocols = optional(list(string))
azure_active_directory_authentication = optional(object({
audience = string
issuer = string
tenant = string
}))
client_root_certificate = optional(map(object({
public_cert_data = string
})))
client_revoked_certificate = optional(map(object({
thumbprint = string
})))
radius = optional(object({
server = map(object({
address = string
secret = string
score = number
}))
client_root_certificate = optional(map(object({
thumbprint = string
})))
server_root_certificate = optional(map(object({
public_cert_data = string
})))
}))
})
| n/a | yes |
 ## Outputs
diff --git a/main.tf b/main.tf
index bc41ef1..6102b2a 100644
--- a/main.tf
+++ b/main.tf
@@ -34,8 +34,8 @@ resource "azurerm_point_to_site_vpn_gateway" "p2s_vpng" {
 scale_unit = var.scale_unit
 virtual_hub_id = var.virtual_hub_id
- vpn_server_configuration_id = var.vpn_server_configuration_id
+ vpn_server_configuration_id = azurerm_vpn_server_configuration.vpnsc.id
 dns_servers = var.dns_servers
 routing_preference_internet_enabled = var.routing_preference_internet_enabled
- tags = var.tags
+ tags = try(var.tags.point_to_site_vpn_gateway, null)
 }
diff --git a/variables.tf b/variables.tf
index f204f78..8712ad3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -34,11 +34,6 @@ variable "virtual_hub_id" {
 description = "(Required) The ID of the Virtual Hub where this Point-to-Site VPN Gateway should exist. Changing this forces a new resource to be created."
 }
-variable "vpn_server_configuration_id" {
- type = string
- description = "(Required) The ID of the VPN Server Configuration which this Point-to-Site VPN Gateway should use. Changing this forces a new resource to be created."
-}
-
 variable "dns_servers" {
 type = list(string)
 default = null
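Review bot: `tags = try(var.tags.point_to_site_vpn_gateway, null)` silently discards tags: `var.tags` is typed `any` and its description in variables.tf still reads "(Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway.", so a caller that keeps passing a flat map such as `{ environment = "prod" }` (constructed example) has no `point_to_site_vpn_gateway` attribute, `try` falls through to null, and the gateway is created untagged without any error. The same pattern is used for `try(var.tags.vpn_server_configuration, null)` in vpn_server_configuration.tf. Either update the `tags` description (and the README row) to state the new per-resource shape, or type it explicitly, e.g. `type = object({ point_to_site_vpn_gateway = optional(map(string)), vpn_server_configuration = optional(map(string)) })`, so a wrong shape fails at plan time instead of dropping tags. The `azurerm_point_to_site_vpn_gateway` resource block starts above this hunk.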
@@ -62,3 +57,46 @@ variable "tags" {
 default = null
 description = "(Optional) A mapping of tags to assign to the Point-to-Site VPN Gateway."
 }
+
+variable "vpn_server_configuration" {
+ type = object({
+ name = string
+ vpn_authentication_types = string
+ ipsec_policy = optional(object({
+ dh_group = string
+ ike_encryption = string
+ ike_integrity = string
+ ipsec_encryption = string
+ ipsec_integrity = string
+ pfs_group = string
+ sa_lifetime_seconds = number
+ sa_data_size_kilobytes = number
+ }))
+ vpn_protocols = optional(list(string))
+ azure_active_directory_authentication = optional(object({
+ audience = string
+ issuer = string
+ tenant = string
+ }))
+ client_root_certificate = optional(map(object({
+ public_cert_data = string
+ })))
+ client_revoked_certificate = optional(map(object({
+ thumbprint = string
+ })))
+ radius = optional(object({
+ server = map(object({
+ address = string
+ secret = string
+ score = number
+ }))
+ client_root_certificate = optional(map(object({
+ thumbprint = string
+ })))
+ server_root_certificate = optional(map(object({
+ public_cert_data = string
+ })))
+ }))
+ })
+ description = "(Required) A vpn_server_configuration block as defined below."
+}
diff --git a/vpn_server_configuration.tf b/vpn_server_configuration.tf
new file mode 100644
index 0000000..f5db12d
--- /dev/null
+++ b/vpn_server_configuration.tf
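Review bot: The new `vpn_server_configuration` object carries the RADIUS shared secret (`radius.server.*.secret`) but the variable is not marked sensitive, so the secret is printed in plain text in plan/apply output and in any CI log that captures it; `optional()` attributes are already in use, so the Terraform version in play supports adding `sensitive = true` to this variable block (at the cost of redacting the whole object in plan output). The description `(Required) A vpn_server_configuration block as defined below.` is copied verbatim into README.md by terraform-docs, where nothing is defined below; naming the required keys per authentication type, or linking the provider's vpn_server_configuration page, would make it usable. I also believe the provider's `vpn_authentication_types` argument is a list of strings rather than a single string, so typing it as `string` here (and the `== "AAD"` / `== "Certificate"` / `== "Radius"` comparisons in vpn_server_configuration.tf) is worth checking against the provider schema before release.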
@@ -0,0 +1,86 @@
+resource "azurerm_vpn_server_configuration" "vpnsc" {
+ name = var.vpn_server_configuration.name
+ resource_group_name = var.deploy_resource_group ? module.resource_group[0].name : var.resource_group_name
+ location = var.location
+ vpn_authentication_types = var.vpn_server_configuration.vpn_authentication_types
+
+ dynamic "ipsec_policy" {
+ for_each = var.vpn_server_configuration.ipsec_policy != null ? [var.vpn_server_configuration.ipsec_policy] : []
+
+ content {
+ dh_group = ipsec_policy.value.dh_group
+ ike_encryption = ipsec_policy.value.ike_encryption
+ ike_integrity = ipsec_policy.value.ike_integrity
+ ipsec_encryption = ipsec_policy.value.ipsec_encryption
+ ipsec_integrity = ipsec_policy.value.ipsec_integrity
+ pfs_group = ipsec_policy.value.pfs_group
+ sa_lifetime_seconds = ipsec_policy.value.sa_lifetime_seconds
+ sa_data_size_kilobytes = ipsec_policy.value.sa_data_size_kilobytes
+ }
+ }
+
+ vpn_protocols = var.vpn_server_configuration.vpn_protocols
+ tags = try(var.tags.vpn_server_configuration, null)
+
+ dynamic "azure_active_directory_authentication" {
+ for_each = var.vpn_server_configuration.vpn_authentication_types == "AAD" ? [var.vpn_server_configuration.azure_active_directory_authentication] : []
+
+ content {
+ audience = azure_active_directory_authentication.value.audience
+ issuer = azure_active_directory_authentication.value.issuer
+ tenant = azure_active_directory_authentication.value.tenant
+ }
+ }
+
+ dynamic "client_root_certificate" {
+ for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" ? var.vpn_server_configuration.client_root_certificate : {}
+
+ content {
+ name = client_root_certificate.key
+ public_cert_data = client_root_certificate.value.publipublic_cert_data
+ }
+ }
+
+ dynamic "client_revoked_certificate" {
+ for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" && var.vpn_server_configuration.client_revoked_certificate != null ? 
var.vpn_server_configuration.client_revoked_certificate : {}
+
+ content {
+ name = client_revoked_certificate.key
+ thumbprint = client_revoked_certificate.value.thumbprint
+ }
+ }
+
+ dynamic "radius" {
+ for_each = var.vpn_server_configuration.vpn_authentication_types == "Radius" && var.vpn_server_configuration.radius != null ? [var.vpn_server_configuration.radius] : []
+
+ content {
+ dynamic "server" {
+ for_each = radius.value.server
+
+ content {
+ address = server.value.address
+ secret = server.value.secret
+ score = server.value.score
+ }
+ }
+
+ dynamic "client_root_certificate" {
+ for_each = radius.value.client_root_certificate != null ? radius.value.client_root_certificate : {}
+
+ content {
+ name = client_root_certificate.key
+ thumbprint = client_root_certificate.value.thumbprint
+ }
+ }
+
+ dynamic "server_root_certificate" {
+ for_each = radius.value.server_root_certificate != null ? radius.value.server_root_certificate : {}
+
+ content {
+ name = server_root_certificate.key
+ public_cert_data = server_root_certificate.value.public_cert_data
+ }
+ }
+ }
+ }
+}
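Review bot: `public_cert_data = client_root_certificate.value.publipublic_cert_data` in the `client_root_certificate` dynamic block references an attribute that the variable's object type does not declare (it is `public_cert_data`), so every Certificate-authenticated configuration that supplies a root certificate fails at plan time with an unsupported-attribute error; the line should read `public_cert_data = client_root_certificate.value.public_cert_data`. The same block's `for_each` is the only optional-backed one without a null guard: with `vpn_authentication_types == "Certificate"` and no `client_root_certificate` supplied, `for_each` receives null, which Terraform rejects, so it should match the neighbouring blocks, e.g. `for_each = var.vpn_server_configuration.vpn_authentication_types == "Certificate" && var.vpn_server_configuration.client_root_certificate != null ? var.vpn_server_configuration.client_root_certificate : {}`. The AAD block has the mirror-image problem: wrapping a possibly-null `azure_active_directory_authentication` in a one-element list means `.value.audience` is evaluated on null when the block is omitted, giving an opaque error rather than a clear message that the block is required for `"AAD"`; a `validation` on the variable or a `!= null` guard in the `for_each` would surface that earlier.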