feat(vpn): onboarding of connection resource and datasource

docs/data-sources/vpn_connection.md

@@ -0,0 +1,147 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_vpn_connection Data Source - stackit"
+subcategory: ""
+description: |-
+  VPN Connection data source schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+---
+
+# stackit_vpn_connection (Data Source)
+
+VPN Connection data source schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+## Example Usage
+
+```terraform
+data "stackit_vpn_connection" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  gateway_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  connection_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `connection_id` (String) The server-generated UUID of the VPN connection.
+- `gateway_id` (String) The UUID of the parent VPN gateway.
+- `project_id` (String) STACKIT project ID.
+
+### Read-Only
+
+- `display_name` (String) A user-friendly name for the connection.
+- `enabled` (Boolean) Whether this connection is enabled.
+- `id` (String) Terraform's internal resource identifier. Structured as "`project_id`,`region`,`gateway_id`,`connection_id`".
+- `labels` (Map of String) Map of custom labels.
+- `local_subnet` (List of String) List of local IPv4 CIDRs to route through this connection.
+- `region` (String) STACKIT region.
+- `remote_subnet` (List of String) List of remote IPv4 CIDRs accessible via this connection.
+- `static_routes` (List of String) List of static routes (IPv4 CIDRs) for route-based VPN.
+- `tunnel1` (Attributes) (see [below for nested schema](#nestedatt--tunnel1))
+- `tunnel2` (Attributes) (see [below for nested schema](#nestedatt--tunnel2))
+
+<a id="nestedatt--tunnel1"></a>
+### Nested Schema for `tunnel1`
+
+Read-Only:
+
+- `bgp` (Attributes) BGP configuration for this tunnel. (see [below for nested schema](#nestedatt--tunnel1--bgp))
+- `peering` (Attributes) Tunnel interface peering configuration. (see [below for nested schema](#nestedatt--tunnel1--peering))
+- `phase1` (Attributes) IKE Phase 1 configuration. (see [below for nested schema](#nestedatt--tunnel1--phase1))
+- `phase2` (Attributes) IKE Phase 2 configuration. (see [below for nested schema](#nestedatt--tunnel1--phase2))
+- `remote_address` (String) Remote peer IPv4 address for this tunnel.
+
+<a id="nestedatt--tunnel1--bgp"></a>
+### Nested Schema for `tunnel1.bgp`
+
+Read-Only:
+
+- `remote_asn` (Number) Remote AS number.
+
+
+<a id="nestedatt--tunnel1--peering"></a>
+### Nested Schema for `tunnel1.peering`
+
+Read-Only:
+
+- `local_address` (String) Local tunnel interface IPv4 address.
+- `remote_address` (String) Remote tunnel interface IPv4 address.
+
+
+<a id="nestedatt--tunnel1--phase1"></a>
+### Nested Schema for `tunnel1.phase1`
+
+Read-Only:
+
+- `dh_groups` (List of String) Diffie-Hellman groups.
+- `encryption_algorithms` (List of String) Encryption algorithms.
+- `integrity_algorithms` (List of String) Integrity/hash algorithms.
+- `rekey_time` (Number) IKE re-keying time in seconds.
+
+
+<a id="nestedatt--tunnel1--phase2"></a>
+### Nested Schema for `tunnel1.phase2`
+
+Read-Only:
+
+- `dh_groups` (List of String) Diffie-Hellman groups for PFS.
+- `dpd_action` (String) DPD timeout action (clear or restart).
+- `encryption_algorithms` (List of String) Encryption algorithms.
+- `integrity_algorithms` (List of String) Integrity/hash algorithms.
+- `rekey_time` (Number) Child SA re-keying time in seconds.
+- `start_action` (String) Start action (none or start).
+
+
+
+<a id="nestedatt--tunnel2"></a>
+### Nested Schema for `tunnel2`
+
+Read-Only:
+
+- `bgp` (Attributes) BGP configuration for this tunnel. (see [below for nested schema](#nestedatt--tunnel2--bgp))
+- `peering` (Attributes) Tunnel interface peering configuration. (see [below for nested schema](#nestedatt--tunnel2--peering))
+- `phase1` (Attributes) IKE Phase 1 configuration. (see [below for nested schema](#nestedatt--tunnel2--phase1))
+- `phase2` (Attributes) IKE Phase 2 configuration. (see [below for nested schema](#nestedatt--tunnel2--phase2))
+- `remote_address` (String) Remote peer IPv4 address for this tunnel.
+
+<a id="nestedatt--tunnel2--bgp"></a>
+### Nested Schema for `tunnel2.bgp`
+
+Read-Only:
+
+- `remote_asn` (Number) Remote AS number.
+
+
+<a id="nestedatt--tunnel2--peering"></a>
+### Nested Schema for `tunnel2.peering`
+
+Read-Only:
+
+- `local_address` (String) Local tunnel interface IPv4 address.
+- `remote_address` (String) Remote tunnel interface IPv4 address.
+
+
+<a id="nestedatt--tunnel2--phase1"></a>
+### Nested Schema for `tunnel2.phase1`
+
+Read-Only:
+
+- `dh_groups` (List of String) Diffie-Hellman groups.
+- `encryption_algorithms` (List of String) Encryption algorithms.
+- `integrity_algorithms` (List of String) Integrity/hash algorithms.
+- `rekey_time` (Number) IKE re-keying time in seconds.
+
+
+<a id="nestedatt--tunnel2--phase2"></a>
+### Nested Schema for `tunnel2.phase2`
+
+Read-Only:
+
+- `dh_groups` (List of String) Diffie-Hellman groups for PFS.
+- `dpd_action` (String) DPD timeout action (clear or restart).
+- `encryption_algorithms` (List of String) Encryption algorithms.
+- `integrity_algorithms` (List of String) Integrity/hash algorithms.
+- `rekey_time` (Number) Child SA re-keying time in seconds.
+- `start_action` (String) Start action (none or start).

docs/resources/vpn_connection.md

@@ -0,0 +1,218 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_vpn_connection Resource - stackit"
+subcategory: ""
+description: |-
+  VPN Connection resource schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on resource level.
+---
+
+# stackit_vpn_connection (Resource)
+
+VPN Connection resource schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on resource level.
+
+## Example Usage
+
+```terraform
+resource "stackit_vpn_connection" "example" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  gateway_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  display_name = "example-vpn-connection"
+
+  tunnel1 = {
+    remote_address    = "198.51.100.10"
+    pre_shared_key_wo = "example-super-secret-key-tunnel1"
+
+    phase1 = {
+      dh_groups             = ["ecp384"]
+      encryption_algorithms = ["aes256"]
+      integrity_algorithms  = ["sha2_384"]
+    }
+
+    phase2 = {
+      dh_groups             = ["ecp384"]
+      encryption_algorithms = ["aes256"]
+      integrity_algorithms  = ["sha2_384"]
+    }
+  }
+
+  tunnel2 = {
+    remote_address    = "203.0.113.10"
+    pre_shared_key_wo = "example-super-secret-key-tunnel2"
+
+    phase1 = {
+      dh_groups             = ["ecp384"]
+      encryption_algorithms = ["aes256"]
+      integrity_algorithms  = ["sha2_384"]
+    }
+
+    phase2 = {
+      dh_groups             = ["ecp384"]
+      encryption_algorithms = ["aes256"]
+      integrity_algorithms  = ["sha2_384"]
+    }
+  }
+}
+
+# Only use the import statement, if you want to import an existing VPN connection
+import {
+  to = stackit_vpn_connection.example
+  id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,eu01,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `display_name` (String) A user-friendly name for the connection. Must start and end with an alphanumeric character, may contain hyphens, and be 1-63 characters long.
+- `gateway_id` (String) The UUID of the parent VPN gateway.
+- `project_id` (String) STACKIT project ID.
+- `tunnel1` (Attributes) Configuration for the IPsec tunnel1 
+
+~> Write-Only argument `pre_shared_key_wo` is available to use in place of `pre_shared_key`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments). (see [below for nested schema](#nestedatt--tunnel1))
+- `tunnel2` (Attributes) Configuration for the IPsec tunnel2 
+
+~> Write-Only argument `pre_shared_key_wo` is available to use in place of `pre_shared_key`. Write-Only arguments are supported in HashiCorp Terraform 1.11.0 and later. [Learn more](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments). (see [below for nested schema](#nestedatt--tunnel2))
+
+### Optional
+
+- `enabled` (Boolean) Whether this connection is enabled. Defaults to true.
+- `labels` (Map of String) Map of custom labels.
+- `local_subnet` (List of String) List of local IPv4 CIDRs to route through this connection. Optional for route-based and BGP configurations (defaults to 0.0.0.0/0). Mandatory for policy-based.
+- `region` (String) STACKIT region.
+- `remote_subnet` (List of String) List of remote IPv4 CIDRs accessible via this connection. Optional for route-based and BGP configurations (defaults to 0.0.0.0/0). Mandatory for policy-based.
+- `static_routes` (List of String) List of static routes (IPv4 CIDRs) for route-based VPN. Mandatory for ROUTE_BASED gateways.
+
+### Read-Only
+
+- `connection_id` (String) The server-generated UUID of the VPN connection.
+- `id` (String) Terraform's internal resource identifier. Structured as "`project_id`,`region`,`gateway_id`,`connection_id`".
+
+<a id="nestedatt--tunnel1"></a>
+### Nested Schema for `tunnel1`
+
+Required:
+
+- `phase1` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--phase1))
+- `phase2` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--phase2))
+- `remote_address` (String) Remote IPv4 address for the tunnel endpoint.
+
+Optional:
+
+- `bgp` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--bgp))
+- `peering` (Attributes) (see [below for nested schema](#nestedatt--tunnel1--peering))
+- `pre_shared_key` (String, Sensitive) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only argument `pre_shared_key_wo` should be preferred.
+- `pre_shared_key_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only - never stored in state and never returned by the API. To rotate the key, update this value AND increment pre_shared_key_wo_version. Changing this field alone will NOT trigger an update.
+- `pre_shared_key_wo_version` (Number) User-managed rotation counter for the pre-shared key. Must be incremented every time pre_shared_key_wo is changed. Terraform diffs this field to detect key rotations - changing pre_shared_key_wo alone will NOT trigger an update because it is write-only and never stored in state.
+
+<a id="nestedatt--tunnel1--phase1"></a>
+### Nested Schema for `tunnel1.phase1`
+
+Required:
+
+- `encryption_algorithms` (List of String) Encryption algorithms for Phase 1. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
+- `integrity_algorithms` (List of String) Integrity algorithms for Phase 1. Possible values are: `sha1`, `sha2_256`, `sha2_384`.
+
+Optional:
+
+- `dh_groups` (List of String) Diffie-Hellman groups for key exchange. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
+- `rekey_time` (Number) Time to schedule an IKE re-keying in seconds. Range: 900-28800. Default: 14400.
+
+
+<a id="nestedatt--tunnel1--phase2"></a>
+### Nested Schema for `tunnel1.phase2`
+
+Required:
+
+- `encryption_algorithms` (List of String) Encryption algorithms for Phase 2. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
+- `integrity_algorithms` (List of String) Integrity algorithms for Phase 2. Possible values are: `sha1`, `sha2_256`, `sha2_384`.
+
+Optional:
+
+- `dh_groups` (List of String) Diffie-Hellman groups for Phase 2. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
+- `dpd_action` (String) Action to perform on DPD timeout. Default: 'restart'. Possible values are: `clear`, `restart`.
+- `rekey_time` (Number) Time to schedule a Child SA re-keying in seconds. Range: 900-3600. Default: 3600.
+- `start_action` (String) Action to perform after loading the connection configuration. Default: 'start'. Possible values are: `none`, `start`.
+
+
+<a id="nestedatt--tunnel1--bgp"></a>
+### Nested Schema for `tunnel1.bgp`
+
+Required:
+
+- `remote_asn` (Number) Remote ASN for BGP peering (private ASN range, 64512-4294967294).
+
+
+<a id="nestedatt--tunnel1--peering"></a>
+### Nested Schema for `tunnel1.peering`
+
+Required:
+
+- `local_address` (String) Local tunnel interface IPv4 address.
+- `remote_address` (String) Remote tunnel interface IPv4 address.
+
+
+
+<a id="nestedatt--tunnel2"></a>
+### Nested Schema for `tunnel2`
+
+Required:
+
+- `phase1` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--phase1))
+- `phase2` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--phase2))
+- `remote_address` (String) Remote IPv4 address for the tunnel endpoint.
+
+Optional:
+
+- `bgp` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--bgp))
+- `peering` (Attributes) (see [below for nested schema](#nestedatt--tunnel2--peering))
+- `pre_shared_key` (String, Sensitive) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only argument `pre_shared_key_wo` should be preferred.
+- `pre_shared_key_wo` (String, Sensitive, [Write-only](https://developer.hashicorp.com/terraform/language/resources/ephemeral#write-only-arguments)) Pre-shared key for the IPsec tunnel. Minimum 20 characters. Write-only - never stored in state and never returned by the API. To rotate the key, update this value AND increment pre_shared_key_wo_version. Changing this field alone will NOT trigger an update.
+- `pre_shared_key_wo_version` (Number) User-managed rotation counter for the pre-shared key. Must be incremented every time pre_shared_key_wo is changed. Terraform diffs this field to detect key rotations - changing pre_shared_key_wo alone will NOT trigger an update because it is write-only and never stored in state.
+
+<a id="nestedatt--tunnel2--phase1"></a>
+### Nested Schema for `tunnel2.phase1`
+
+Required:
+
+- `encryption_algorithms` (List of String) Encryption algorithms for Phase 1. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
+- `integrity_algorithms` (List of String) Integrity algorithms for Phase 1. Possible values are: `sha1`, `sha2_256`, `sha2_384`.
+
+Optional:
+
+- `dh_groups` (List of String) Diffie-Hellman groups for key exchange. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
+- `rekey_time` (Number) Time to schedule an IKE re-keying in seconds. Range: 900-28800. Default: 14400.
+
+
+<a id="nestedatt--tunnel2--phase2"></a>
+### Nested Schema for `tunnel2.phase2`
+
+Required:
+
+- `encryption_algorithms` (List of String) Encryption algorithms for Phase 2. Possible values are: `aes256`, `aes128gcm16`, `aes256gcm16`.
+- `integrity_algorithms` (List of String) Integrity algorithms for Phase 2. Possible values are: `sha1`, `sha2_256`, `sha2_384`.
+
+Optional:
+
+- `dh_groups` (List of String) Diffie-Hellman groups for Phase 2. Possible values are: `modp1024`, `modp2048`, `ecp256`, `ecp384`, `modp2048s256`.
+- `dpd_action` (String) Action to perform on DPD timeout. Default: 'restart'. Possible values are: `clear`, `restart`.
+- `rekey_time` (Number) Time to schedule a Child SA re-keying in seconds. Range: 900-3600. Default: 3600.
+- `start_action` (String) Action to perform after loading the connection configuration. Default: 'start'. Possible values are: `none`, `start`.
+
+
+<a id="nestedatt--tunnel2--bgp"></a>
+### Nested Schema for `tunnel2.bgp`
+
+Required:
+
+- `remote_asn` (Number) Remote ASN for BGP peering (private ASN range, 64512-4294967294).
+
+
+<a id="nestedatt--tunnel2--peering"></a>
+### Nested Schema for `tunnel2.peering`
+
+Required:
+
+- `local_address` (String) Local tunnel interface IPv4 address.
+- `remote_address` (String) Remote tunnel interface IPv4 address.

examples/data-sources/stackit_vpn_connection/data-source.tf

@@ -0,0 +1,5 @@
+data "stackit_vpn_connection" "example" {
+  project_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  gateway_id    = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  connection_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}