fix(terraform): switch VPN gateway defaults to AZ SKUs

docs/infrastructure/vpn.md

@@ -49,9 +49,11 @@ Deployment takes 20-30 minutes for the VPN Gateway.
 | Variable                                 | Description                  | Default                |
 |------------------------------------------|------------------------------|------------------------|
 | `gateway_subnet_address_prefix`          | GatewaySubnet CIDR (min /27) | `10.0.3.0/27`          |
-| `vpn_gateway_config.sku`                 | Gateway SKU                  | `VpnGw1`               |
+| `vpn_gateway_config.sku`                 | Gateway SKU                  | `VpnGw1AZ`             |
 | `vpn_gateway_config.client_address_pool` | P2S client IP range          | `["192.168.200.0/24"]` |
-| `aad_auth_config.enabled`                | Enable Azure AD auth         | `true`                 |
+| `aad_auth_config.should_enable`          | Enable Azure AD auth         | `true`                 |
+
+Non-AZ VPN Gateway SKUs are being deprecated by Azure. Use the AZ equivalents (`VpnGw1AZ`, `VpnGw2AZ`, `VpnGw3AZ`) to avoid portal warnings and unplanned SKU updates outside Terraform.
 
 ## 🔐 Authentication Options
 
@@ -61,7 +63,7 @@ Enabled by default. Users authenticate with their Azure AD credentials via the A
 
 ```hcl
 aad_auth_config = {
-  enabled = true
+  should_enable = true
 }
 ```
 
@@ -71,7 +73,7 @@ For environments without Azure AD integration:
 
 ```hcl
 aad_auth_config = {
-  enabled = false
+  should_enable = false
 }
 root_certificate_public_data = "MIIC5jCCAc6g..." # Base64-encoded cert
 ```

infrastructure/terraform/modules/vpn/tests/outputs.tftest.hcl

@@ -38,8 +38,8 @@ run "outputs_without_sites" {
   }
 
   assert {
-    condition     = output.vpn_gateway.sku == "VpnGw1"
-    error_message = "vpn_gateway.sku should default to VpnGw1"
+    condition     = output.vpn_gateway.sku == "VpnGw1AZ"
+    error_message = "vpn_gateway.sku should default to VpnGw1AZ"
   }
 
   assert {
@@ -79,8 +79,8 @@ run "outputs_with_sites" {
   }
 
   assert {
-    condition     = output.vpn_gateway.sku == "VpnGw1"
-    error_message = "vpn_gateway.sku should default to VpnGw1"
+    condition     = output.vpn_gateway.sku == "VpnGw1AZ"
+    error_message = "vpn_gateway.sku should default to VpnGw1AZ"
   }
 
   assert {

infrastructure/terraform/modules/vpn/variables.tf

@@ -39,16 +39,16 @@ variable "should_enable_nat_gateway" {
 
 variable "vpn_gateway_config" {
   type = object({
-    sku                 = optional(string, "VpnGw1")
+    sku                 = optional(string, "VpnGw1AZ")
     generation          = optional(string, "Generation1")
     client_address_pool = optional(list(string), ["192.168.200.0/24"])
   })
   description = "VPN Gateway configuration including SKU, generation, and P2S client address pool"
   default     = {}
 
   validation {
-    condition     = contains(["VpnGw1", "VpnGw2", "VpnGw3", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku)
-    error_message = "vpn_gateway_config.sku must be a valid VPN Gateway SKU."
+    condition     = contains(["VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku)
+    error_message = "vpn_gateway_config.sku must be an AZ VPN Gateway SKU: VpnGw1AZ, VpnGw2AZ, or VpnGw3AZ."
   }
 }
 

infrastructure/terraform/vpn/tests/validation.tftest.hcl

@@ -64,3 +64,27 @@ run "invalid_sku_rejected" {
 
   expect_failures = [var.vpn_gateway_config]
 }
+
+// ============================================================
+// Valid VPN Gateway SKU
+// ============================================================
+
+run "valid_az_sku_accepted" {
+  command = plan
+
+  variables {
+    resource_prefix = "test"
+    environment     = "dev"
+    instance        = "001"
+    location        = "westus3"
+    vpn_gateway_config = {
+      sku        = "VpnGw2AZ"
+      generation = "Generation2"
+    }
+  }
+
+  assert {
+    condition     = output.vpn_gateway.sku == "VpnGw2AZ"
+    error_message = "Standalone VPN deployment should accept valid AZ SKU VpnGw2AZ"
+  }
+}

infrastructure/terraform/vpn/variables.tf

@@ -66,16 +66,16 @@ variable "gateway_subnet_address_prefix" {
 
 variable "vpn_gateway_config" {
   type = object({
-    sku                 = optional(string, "VpnGw1")
+    sku                 = optional(string, "VpnGw1AZ")
     generation          = optional(string, "Generation1")
     client_address_pool = optional(list(string), ["192.168.200.0/24"])
   })
   description = "VPN Gateway configuration including SKU, generation, and P2S client address pool"
   default     = {}
 
   validation {
-    condition     = contains(["VpnGw1", "VpnGw2", "VpnGw3", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku)
-    error_message = "vpn_gateway_config.sku must be a valid VPN Gateway SKU."
+    condition     = contains(["VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"], var.vpn_gateway_config.sku)
+    error_message = "vpn_gateway_config.sku must be an AZ VPN Gateway SKU: VpnGw1AZ, VpnGw2AZ, or VpnGw3AZ."
   }
 }