
Add support to google_compute_vpn_tunnel for write-only shared_secret argument. #23058


Open
andreaso opened this issue May 28, 2025 · 2 comments · May be fixed by GoogleCloudPlatform/magic-modules#14138


andreaso commented May 28, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

It would be great if the compute_vpn_tunnel's shared_secret could optionally be provided as a write-only argument.

Especially when both sides of the VPN are configured using the same Terraform workspace, it would fit perfectly to have the IPSec pre-shared key provided by ephemeral.random_password, as there's then really no need for anyone to actually access that secret.

(Yes, that would of course require the corresponding write-only argument to be supported by the provider resource used for the other side of the VPN tunnel.)

New or Affected Resource(s)

  • google_compute_vpn_tunnel

Potential Terraform Configuration

locals {
  ipsec_secret_version = 1
}

ephemeral "random_password" "ipsec" {
  length  = 32
  special = false
}

resource "google_compute_vpn_tunnel" "tunnel" {
  name                     = "tunnel-tunnel"
  shared_secret_wo         = ephemeral.random_password.ipsec.result
  shared_secret_wo_version = local.ipsec_secret_version
  ...
}

resource "other_provider_vpn_connection" "tunnel" {
  name                     = "tunnel-tunnel"
  preshared_key_wo         = ephemeral.random_password.ipsec.result
  preshared_key_wo_version = local.ipsec_secret_version
  ...
}

References
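To make the semantics of the proposed shared_secret_wo / shared_secret_wo_version pair concrete, here is an added model (not code from the issue or the provider) of how a write-only argument interacts with state: the secret is consumed on create/update and never persisted, and only a change of the version counter produces a diff, which is why a regenerating ephemeral.random_password value does not cause perpetual updates. The TunnelState class, the plan/apply functions and the SHA-256 hash format are constructed for illustration; the page does not specify how the real shared_secret_hash output is computed.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed model of the state Terraform would keep for the tunnel.
# The write-only secret itself has no field here on purpose.
@dataclass
class TunnelState:
    name: str
    shared_secret_wo_version: int
    # Mirrors the shared_secret_hash output discussed in the thread;
    # whether to keep it alongside a write-only secret is the open question.
    shared_secret_hash: Optional[str] = None


def secret_hash(secret: str) -> str:
    # Hypothetical hash format; the real API's format is not given on the page.
    return hashlib.sha256(secret.encode()).hexdigest()


def plan(config: dict, prior: Optional[TunnelState]) -> str:
    """Return 'create', 'update' or 'no-op'. Only the version drives a diff,
    never the ephemeral secret value, which is not in state to compare."""
    if prior is None:
        return "create"
    if config["shared_secret_wo_version"] != prior.shared_secret_wo_version:
        return "update"
    return "no-op"


def apply(config: dict, prior: Optional[TunnelState],
          keep_hash: bool = False) -> TunnelState:
    """Consume the write-only value on create/update and drop it afterwards."""
    if plan(config, prior) == "no-op":
        return prior
    ephemeral_secret = config["shared_secret_wo"]  # used once, never stored
    return TunnelState(
        name=config["name"],
        shared_secret_wo_version=config["shared_secret_wo_version"],
        shared_secret_hash=secret_hash(ephemeral_secret) if keep_hash else None,
    )


def state_contains(state: TunnelState, value: str) -> bool:
    """Check that a given plaintext value never ends up in state."""
    return value in vars(state).values()
```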

@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-vpn labels May 28, 2025

ramonvermeulen commented May 28, 2025

Thanks for submitting this issue! I'll pick this up, take a look at it and probably do a draft implementation over the next week.

One thing I noticed is that the resource also has a shared_secret_hash output. I'm thinking about what value this should be for a write-only shared_secret, e.g. is the hash also considered a secret? (The API docs don't say anything about this, but maybe it's better to also not write it to state when shared_secret is WO.)


andreaso commented May 28, 2025

Gut-wise I'd lean towards it being safe enough to provide a shared_secret_hash attribute also when it is based on a shared_secret_wo write-only argument. It might even turn out to be a bit more useful in those cases.

There's also the somewhat more tautological argument that since the shared_secret_hash attribute isn't marked as sensitive, there's no need to treat it as sensitive.

Yet with the whole concept of write-only arguments still being new and fresh, it probably won't hurt to get input from someone more authoritative, whoever that might be.
