From 93728e53a42c5bb5cc0c8655d73532746c5c85a1 Mon Sep 17 00:00:00 2001 From: Francisco Date: Wed, 18 Mar 2026 17:23:23 +0000 Subject: [PATCH 1/2] =?UTF-8?q?fix(infrastructure):=20update=20VPN=20Gatew?= =?UTF-8?q?ay=20SKU=20to=20AZ=20equivalents=20=F0=9F=94=92=20-=20Generated?= =?UTF-8?q?=20by=20Copilot?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docs/infrastructure/vpn.md | 10 ++++++---- infrastructure/terraform/modules/vpn/variables.tf | 6 +++--- infrastructure/terraform/vpn/variables.tf | 6 +++--- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/docs/infrastructure/vpn.md b/docs/infrastructure/vpn.md index 5946c646..d55ba5c9 100644 --- a/docs/infrastructure/vpn.md +++ b/docs/infrastructure/vpn.md @@ -49,9 +49,11 @@ Deployment takes 20-30 minutes for the VPN Gateway. | Variable | Description | Default | |------------------------------------------|------------------------------|------------------------| | `gateway_subnet_address_prefix` | GatewaySubnet CIDR (min /27) | `10.0.3.0/27` | -| `vpn_gateway_config.sku` | Gateway SKU | `VpnGw1` | +| `vpn_gateway_config.sku` | Gateway SKU | `VpnGw1AZ` | | `vpn_gateway_config.client_address_pool` | P2S client IP range | `["192.168.200.0/24"]` | -| `aad_auth_config.enabled` | Enable Azure AD auth | `true` | +| `aad_auth_config.should_enable` | Enable Azure AD auth | `true` | + +Non-AZ VPN Gateway SKUs are being deprecated by Azure. Use the AZ equivalents (`VpnGw1AZ`, `VpnGw2AZ`, `VpnGw3AZ`) to avoid portal warnings and unplanned SKU updates outside Terraform. ## 🔐 Authentication Options @@ -61,7 +63,7 @@ Enabled by default. Users authenticate with their Azure AD credentials via the A ```hcl aad_auth_config = { - enabled = true + should_enable = true } ``` 
@@ -71,7 +73,7 @@ For environments without Azure AD integration: ```hcl aad_auth_config = { - enabled = false + should_enable = false } root_certificate_public_data = "MIIC5jCCAc6g..." # Base64-encoded cert ``` diff --git a/infrastructure/terraform/modules/vpn/variables.tf b/infrastructure/terraform/modules/vpn/variables.tf index 3f236cd6..65ab8e02 100644 --- a/infrastructure/terraform/modules/vpn/variables.tf +++ b/infrastructure/terraform/modules/vpn/variables.tf @@ -39,7 +39,7 @@ variable "should_enable_nat_gateway" { variable "vpn_gateway_config" { type = object({ - sku = optional(string, "VpnGw1") + sku = optional(string, "VpnGw1AZ") generation = optional(string, "Generation1") client_address_pool = optional(list(string), ["192.168.200.0/24"]) }) @@ -47,8 +47,8 @@ variable "vpn_gateway_config" { default = {} validation { - condition = contains(["VpnGw1", "VpnGw2", "VpnGw3", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku) - error_message = "vpn_gateway_config.sku must be a valid VPN Gateway SKU." + condition = contains(["VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku) + error_message = "vpn_gateway_config.sku must be an AZ VPN Gateway SKU: VpnGw1AZ, VpnGw2AZ, or VpnGw3AZ." } } diff --git a/infrastructure/terraform/vpn/variables.tf b/infrastructure/terraform/vpn/variables.tf index 5c217288..e927e8ee 100644 --- a/infrastructure/terraform/vpn/variables.tf +++ b/infrastructure/terraform/vpn/variables.tf @@ -66,7 +66,7 @@ variable "gateway_subnet_address_prefix" { variable "vpn_gateway_config" { type = object({ - sku = optional(string, "VpnGw1") + sku = optional(string, "VpnGw1AZ") generation = optional(string, "Generation1") client_address_pool = optional(list(string), ["192.168.200.0/24"]) }) 
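Review bot: The new default `sku = optional(string, "VpnGw1AZ")` in modules/vpn/variables.tf (hunk `@@ -39,7 +39,7`, and the identical change in vpn/variables.tf at `@@ -66,7 +66,7`) changes the planned SKU for every caller that relied on the old default, and nothing on the variable warns an operator about it. Whether the provider applies that change in place or replaces the gateway is not visible in this diff, but either outcome touches a live remote-access path and should be scheduled rather than discovered in a routine apply. I would add a comment above the attribute: `# Default moved from VpnGw1 to VpnGw1AZ: gateways created with the old default will plan a SKU change; review the plan before apply.` AZ SKUs presumably also need a zone-capable region and a Standard public IP; the public IP resource is outside this patch, so that should be confirmed. The `vpn_gateway_config` block starts and ends outside the hunk.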
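Review bot: The tightened validation in modules/vpn/variables.tf (hunk `@@ -47,8 +47,8`, repeated in vpn/variables.tf at `@@ -74,8 +74,8`) still checks `sku` alone, so `generation` in the same object is accepted unchecked. With the default now `VpnGw1AZ`, a caller who sets only `generation = "Generation2"` passes plan-time validation; as far as I know Azure offers Generation2 only from the VpnGw2 tier up, so the error would surface during apply, after other resources may already have been created. A second `validation` block would catch it at plan time, with a condition such as `!(var.vpn_gateway_config.sku == "VpnGw1AZ" && var.vpn_gateway_config.generation == "Generation2")` and an error message naming the allowed pairs. The enclosing variable block begins outside the hunk.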
@@ -74,8 +74,8 @@ variable "vpn_gateway_config" { default = {} validation { - condition = contains(["VpnGw1", "VpnGw2", "VpnGw3", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku) - error_message = "vpn_gateway_config.sku must be a valid VPN Gateway SKU." + condition = contains(["VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku) + error_message = "vpn_gateway_config.sku must be an AZ VPN Gateway SKU: VpnGw1AZ, VpnGw2AZ, or VpnGw3AZ." } } From e72e9c5b465f59e446c7a0c50a274f300cf8c0bf Mon Sep 17 00:00:00 2001 From: Francisco Date: Thu, 19 Mar 2026 10:36:27 +0000 Subject: [PATCH 2/2] fix(infrastructure): update VPN Gateway SKU assertions to AZ equivalents MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🔒 - Generated by Copilot --- .../modules/vpn/tests/outputs.tftest.hcl | 8 +++---- .../terraform/vpn/tests/validation.tftest.hcl | 24 +++++++++++++++++++ 2 files changed, 28 insertions(+), 4 deletions(-) diff --git a/infrastructure/terraform/modules/vpn/tests/outputs.tftest.hcl b/infrastructure/terraform/modules/vpn/tests/outputs.tftest.hcl index 793739db..9030c9e8 100644 --- a/infrastructure/terraform/modules/vpn/tests/outputs.tftest.hcl +++ b/infrastructure/terraform/modules/vpn/tests/outputs.tftest.hcl @@ -38,8 +38,8 @@ run "outputs_without_sites" { } assert { - condition = output.vpn_gateway.sku == "VpnGw1" - error_message = "vpn_gateway.sku should default to VpnGw1" + condition = output.vpn_gateway.sku == "VpnGw1AZ" + error_message = "vpn_gateway.sku should default to VpnGw1AZ" } assert { @@ -79,8 +79,8 @@ run "outputs_with_sites" { } assert { - condition = output.vpn_gateway.sku == "VpnGw1" - error_message = "vpn_gateway.sku should default to VpnGw1" + condition = output.vpn_gateway.sku == "VpnGw1AZ" + error_message = "vpn_gateway.sku should default to VpnGw1AZ" } assert { 
diff --git a/infrastructure/terraform/vpn/tests/validation.tftest.hcl b/infrastructure/terraform/vpn/tests/validation.tftest.hcl index fe0fb739..696d6a6a 100644 --- a/infrastructure/terraform/vpn/tests/validation.tftest.hcl +++ b/infrastructure/terraform/vpn/tests/validation.tftest.hcl @@ -64,3 +64,27 @@ run "invalid_sku_rejected" { expect_failures = [var.vpn_gateway_config] } + +// ============================================================ +// Valid VPN Gateway SKU +// ============================================================ + +run "valid_az_sku_accepted" { + command = plan + + variables { + resource_prefix = "test" + environment = "dev" + instance = "001" + location = "westus3" + vpn_gateway_config = { + sku = "VpnGw2AZ" + generation = "Generation2" + } + } + + assert { + condition = output.vpn_gateway.sku == "VpnGw2AZ" + error_message = "Standalone VPN deployment should accept valid AZ SKU VpnGw2AZ" + } +}
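Review bot: The added `valid_az_sku_accepted` run covers only the accepting side of the new validation, so nothing visible here pins the behaviour this patch series actually introduces, namely that `VpnGw1`, `VpnGw2` and `VpnGw3` are now rejected. The existing `invalid_sku_rejected` run starts outside the hunk, so the SKU it uses cannot be seen; if it uses an arbitrary string, it passed before this change and would keep passing if the non-AZ names were re-added to the list. A run that feeds a formerly valid non-AZ SKU and expects the variable validation to fail would guard against that regression.

```hcl
// … unchanged: run "valid_az_sku_accepted" …

run "non_az_sku_rejected" {
  command = plan

  variables {
    resource_prefix = "test"
    environment     = "dev"
    instance        = "001"
    location        = "westus3"
    vpn_gateway_config = {
      sku = "VpnGw1"
    }
  }

  expect_failures = [var.vpn_gateway_config]
}
```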