
Allow "SHA384" value for "integrity_algorithm" in resource azurerm_vpn_gateway_connection #25265

Open
1 task done
tovstcn opened this issue Mar 15, 2024 · 4 comments

Comments

@tovstcn

tovstcn commented Mar 15, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

v1.6.0

AzureRM Provider Version

3.96.0

Affected Resource(s)/Data Source(s)

azurerm_vpn_gateway_connection

Terraform Configuration Files

resource "azurerm_vpn_gateway_connection" "connection" {

### unrelated code

  vpn_link {
    name                 = "Link"
    egress_nat_rule_ids  = []
    ingress_nat_rule_ids = []
    vpn_site_link_id     = azurerm_vpn_site.site.link[0].id
    shared_key           = data.azurerm_key_vault_secret.presharedkey.value

    ipsec_policy {
      encryption_algorithm     = "AES256"
      integrity_algorithm      = "SHA384"
      dh_group                 = "ECP384"
      ike_encryption_algorithm = "GCMAES256"
      ike_integrity_algorithm  = "GCMAES256"
      pfs_group                = "ECP384"
      sa_data_size_kb          = "0"
      sa_lifetime_sec          = "45000"
    }
  }
}

Debug Output/Panic Output

Error: expected vpn_link.0.ipsec_policy.0.integrity_algorithm to be one of ["GCMAES192" "GCMAES128" "GCMAES256" "MD5" "SHA1" "SHA256"], got SHA384

Expected Behaviour

successful plan / apply with integrity_algorithm "SHA384" since Azure allows the value for this argument when configuring it through the portal.


Actual Behaviour

Failed plan with error:

expected vpn_link.0.ipsec_policy.0.integrity_algorithm to be one of ["GCMAES192" "GCMAES128" "GCMAES256" "MD5" "SHA1" "SHA256"], got SHA384

Steps to Reproduce

  1. terraform apply with code:
    ipsec_policy {
      dh_group                 = "ECP384"
      encryption_algorithm     = "AES256"
      integrity_algorithm      = "SHA384"
      ike_encryption_algorithm = "GCMAES256"
      ike_integrity_algorithm  = "GCMAES256"
      pfs_group                = "ECP384"
      sa_data_size_kb          = "0"
      sa_lifetime_sec          = "45000"
    }

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/vpn_gateway_connection
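As an added example (not the provider's or the reporter's code), a small Go reimplementation of the allowlist check that produced the error above, run over the ipsec_policy lines from this issue: with the provider's current list (copied from the error message) SHA384 is rejected with the same message, and with SHA384 appended (a hypothetical list, not a provider change) it passes. The attribute path and the value names are taken from the issue; the parser and function names are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the relevant lines of the ipsec_policy block from the issue.
const ipsecPolicyBlock = `
ipsec_policy {
  encryption_algorithm     = "AES256"
  integrity_algorithm      = "SHA384"
  ike_encryption_algorithm = "GCMAES256"
  ike_integrity_algorithm  = "GCMAES256"
}`

// Allowlist the provider enforces for integrity_algorithm, copied from the error message.
var currentIntegrity = []string{"GCMAES192", "GCMAES128", "GCMAES256", "MD5", "SHA1", "SHA256"}

// The same list with the requested value added (hypothetical, not the provider's code).
var proposedIntegrity = append(append([]string{}, currentIntegrity...), "SHA384")

var attrRe = regexp.MustCompile(`^\s*(\w+)\s*=\s*"([^"]*)"\s*$`)

// ParseAttrs extracts key = "value" pairs from a pasted HCL block.
func ParseAttrs(block string) map[string]string {
	attrs := map[string]string{}
	for _, line := range strings.Split(block, "\n") {
		if m := attrRe.FindStringSubmatch(line); m != nil {
			attrs[m[1]] = m[2]
		}
	}
	return attrs
}

// ValidateStringInSlice mimics the schema check: "" when accepted, otherwise
// an error in the same shape the provider printed.
func ValidateStringInSlice(path, got string, allowed []string) string {
	for _, a := range allowed {
		if a == got {
			return ""
		}
	}
	return fmt.Sprintf("expected %s to be one of %q, got %s", path, allowed, got)
}

func main() {
	got := ParseAttrs(ipsecPolicyBlock)["integrity_algorithm"]
	fmt.Println(ValidateStringInSlice("vpn_link.0.ipsec_policy.0.integrity_algorithm", got, currentIntegrity))
	fmt.Println(ValidateStringInSlice("vpn_link.0.ipsec_policy.0.integrity_algorithm", got, proposedIntegrity) == "")
}
```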

@neil-yechenwei
Contributor

neil-yechenwei commented Mar 18, 2024

Thanks for raising this issue. Seems this feature has been supported by TF. Please set it with the property ike_integrity_algorithm. See more details from https://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto#cryptographic-algorithms--key-strengths.

@rcskosir
Contributor

Thank you for taking the time to raise this! I am going to close this with @neil-yechenwei‘s response as an answer. If that is not the case, please provide additional information about the feature request that differentiates it from what @neil-yechenwei shared, thanks!

@tovstcn
Author

tovstcn commented Mar 20, 2024

Thanks for the replies. @rcskosir ike_integrity_algorithm represents the algorithm in phase 2. What we require is the integrity algorithm for phase 1, which is represented by integrity_algorithm. We add both phase 2 and phase 1 during the set-up, but for the phase 1 it is not allowed to add SHA384, so we have to override it by going to the portal and change it there.

@rcskosir
Contributor

@tovstcn for the additional information, I'll go ahead and reopen this feature request.

@rcskosir rcskosir reopened this Mar 20, 2024