Recently I needed a quick way to spin up a VPN Gateway and generate the openvpn config clients could use to connect.
There is a good guide in the official docs to generating the necessary certificates and manually editing the openvpn config you can download from the portal.
Being a sucker for punishment, I wondered if I could automate the process, mainly because I always forget the openssl commands, and secondly because it was to be run by someone else (not me), so I wanted it to be as simple as possible.
Warning: Please take time to understand the limitations of this certificate generation before production use (the Terraform state file will contain the CA private key) and review the limitations in the TLS provider for Terraform.
1. Create the Root CA
2. Use that to generate a client cert
3. Output the client cert for use in the openvpn config file
4. Inject the CA into the Azure VPN configuration and create it
5. Run a script to fetch the Azure VPN OpenVPN configuration file (as this contains the Pre-shared key we don’t set) then inject the client cert we outputted from the Terraform.
6. Connect
One gotcha: the TLS provider only outputs standard PEMs. Azure VPN requires the CA to be in a specific format produced by the following command.
As a result there is a null_resource and local_file resource to handle this translation.
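To make the two "glue" steps concrete, here is an added example that is not the post's own Terraform or script. It reimplements in plain Python what the post does with a null_resource and local_file (turning the TLS provider's PEM into the single-line base64 DER Azure's root certificate field expects) and what step 5's script does (dropping the Terraform-generated client cert and key into the downloaded OpenVPN profile). The placeholder names `$CLIENTCERTIFICATE` and `$PRIVATEKEY` are assumed, as is the sample certificate, which is a constructed five-byte DER blob rather than a real cert; the point is the text handling, so no openssl is needed to run it.

```python
"""Added example (not the post's code): PEM -> Azure base64 DER, and
client cert/key injection into a downloaded Azure OpenVPN profile."""
import base64
import re

# Matches the first CERTIFICATE block in a PEM file (body may span many lines).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Assumed placeholder names inside the vpnconfig.ovpn Azure lets you download.
CLIENT_CERT_PLACEHOLDER = "$CLIENTCERTIFICATE"
CLIENT_KEY_PLACEHOLDER = "$PRIVATEKEY"


def pem_cert_to_azure_b64(pem: str) -> str:
    """Return the certificate as one line of base64-encoded DER.

    A PEM body is already base64 of the DER bytes, so stripping the armour
    lines and joining the body gives the same string openssl would via
    `x509 -outform der | base64 -w0`. We decode and re-encode so that
    malformed input fails here rather than inside the Azure API call.
    """
    match = PEM_CERT_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    joined = "".join(match.group("body").split())
    der = base64.b64decode(joined, validate=True)
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    return base64.b64encode(der).decode("ascii")


def inject_client_cert(ovpn: str, cert_pem: str, key_pem: str) -> str:
    """Fill the two placeholders of a downloaded profile with PEM material.

    Refuses to produce a half-filled profile: each placeholder must appear
    exactly once, and both inputs must look like PEM before substitution.
    """
    for name in (CLIENT_CERT_PLACEHOLDER, CLIENT_KEY_PLACEHOLDER):
        if ovpn.count(name) != 1:
            raise ValueError(f"expected exactly one {name} in profile")
    if not PEM_CERT_RE.search(cert_pem):
        raise ValueError("client cert is not a PEM certificate")
    if "PRIVATE KEY-----" not in key_pem:
        raise ValueError("client key is not a PEM private key")
    filled = ovpn.replace(CLIENT_CERT_PLACEHOLDER, cert_pem.strip())
    return filled.replace(CLIENT_KEY_PLACEHOLDER, key_pem.strip())


# Constructed sample data: a tiny DER SEQUENCE standing in for a CA cert,
# wrapped in PEM armour across two lines to show the line-joining.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")  # "MAMCAQE="
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + SAMPLE_B64[:4] + "\n" + SAMPLE_B64[4:] + "\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
SAMPLE_OVPN = (
    "client\n<cert>\n$CLIENTCERTIFICATE\n</cert>\n"
    "<key>\n$PRIVATEKEY\n</key>\n"
)

if __name__ == "__main__":
    print("Azure root cert field:", pem_cert_to_azure_b64(SAMPLE_PEM))
    print(inject_client_cert(SAMPLE_OVPN, SAMPLE_PEM, SAMPLE_KEY_PEM))
```

In the real pipeline the first function's output is what you would feed to the gateway's root certificate configuration, and the second function's output is what you hand to the person connecting; the strict checks are there so that a missing placeholder or a non-PEM input stops the script instead of silently producing a profile that fails at connect time.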
So all you should need is Terraform, Bash, OpenSSL and Azure CLI. Not perfect, but it’s the best I could do! (This is currently a working draft, so please use with caution.)
I recently upgraded my machine and installed the latest Ubuntu 20.04 as part of that.
Very smugly I fired up the new install and, as I use devcontainers, looked forward to not installing lots of dev tools, since the Dockerfile in each project had all the tooling VS Code needed to spin up and get going.
Sadly it wasn’t that smooth. After spinning up a project which uses terraform I found an odd message when running terraform plan.
Terraform has a provider model which uses gRPC to talk between the CLI and the individual providers. Random is one of the HashiCorp-made providers, so it’s a really odd one to see a bug in.
Initially I assumed that the downloaded provider was corrupted. Nope, clearing the download and retrying didn’t help.
So assuming I’d messed something up I:
Tried changing the docker image used by the devcontainer. Nope. Same problem.
Different versions of terraform. Nope. Same problem.
Updated the Docker version I was using. Nope. Same problem.
Restarted the machine. Nope. Same problem.
Now feeling quite frustrated I finally remembered a trick I’d used lots when building my own terraform providers. I enabled debug logging on the terraform CLI.