feat(vpn): onboarding VPN gateway (#1453)

relates to STACKITTPR-633

Author: s-inter

docs/data-sources/logs_instance.md

@@ -45,4 +45,4 @@ data "stackit_logs_instance" "logs" {
 - `query_range_url` (String) The Logs instance's query range URL
 - `query_url` (String) The Logs instance's query URL
 - `retention_days` (Number) The log retention time in days
-- `status` (String) The status of the Logs instance, possible values: Possible values are: `active`, `deleting`, `reconciling`.
+- `status` (String) The status of the Logs instance. Possible values are: `active`, `deleting`, `reconciling`.

docs/data-sources/vpn_gateway.md

@@ -0,0 +1,57 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_vpn_gateway Data Source - stackit"
+subcategory: ""
+description: |-
+  VPN Gateway data source schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on datasource level.
+---
+
+# stackit_vpn_gateway (Data Source)
+
+VPN Gateway data source schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on datasource level.
+
+## Example Usage
+
+```terraform
+data "stackit_vpn_gateway" "example" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  gateway_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `gateway_id` (String) The server-generated UUID of the VPN gateway.
+- `project_id` (String) STACKIT project ID associated with the VPN gateway.
+
+### Read-Only
+
+- `availability_zones` (Attributes) Availability zones for the two tunnel endpoints. (see [below for nested schema](#nestedatt--availability_zones))
+- `bgp` (Attributes) BGP configuration. Only applicable when routing_type is BGP_ROUTE_BASED. (see [below for nested schema](#nestedatt--bgp))
+- `display_name` (String) A user-friendly name for the VPN gateway.
+- `id` (String) Terraform's internal resource identifier. Structured as "`project_id`,`region`,`gateway_id`".
+- `labels` (Map of String) Map of custom labels (key-value string pairs).
+- `plan_id` (String) The service plan identifier (e.g. `p500`). For guidance on finding available plans, see [List available service plans](https://docs.stackit.cloud/products/network/connectivity-hybrid-multi-cloud/vpn/getting-started/gateway-create/#list-available-service-plans).
+- `region` (String) STACKIT region name the resource is located in. If not defined, the provider region is used.
+- `routing_type` (String) Routing architecture. Possible values are: `POLICY_BASED`, `ROUTE_BASED`, `BGP_ROUTE_BASED`.
+- `state` (String) The current lifecycle state of the gateway. Possible values are: `PENDING`, `READY`, `ERROR`, `DELETING`.
+
+<a id="nestedatt--availability_zones"></a>
+### Nested Schema for `availability_zones`
+
+Read-Only:
+
+- `tunnel1` (String) Availability zone for tunnel 1.
+- `tunnel2` (String) Availability zone for tunnel 2.
+
+
+<a id="nestedatt--bgp"></a>
+### Nested Schema for `bgp`
+
+Read-Only:
+
+- `local_asn` (Number) Local ASN for BGP (private ASN range, 64512-4294967294).
+- `override_advertised_routes` (List of String) List of IPv4 CIDRs to advertise via BGP. If omitted, SNA network ranges are advertised.

docs/index.md

@@ -214,3 +214,4 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de
 - `telemetryrouter_custom_endpoint` (String) Custom endpoint for the Telemetry Router service
 - `token_custom_endpoint` (String) Custom endpoint for the token API, which is used to request access tokens when using the key flow
 - `use_oidc` (Boolean) Enables OIDC for Authentication. This can also be sourced from the `STACKIT_USE_OIDC` Environment Variable. Defaults to `false`.
+- `vpn_custom_endpoint` (String) Custom endpoint for the VPN service

docs/resources/logs_instance.md

@@ -63,4 +63,4 @@ import {
 - `instance_id` (String) The Logs instance ID
 - `query_range_url` (String) The Logs instance's query range URL
 - `query_url` (String) The Logs instance's query URL
-- `status` (String) The status of the Logs instance, possible values: Possible values are: `active`, `deleting`, `reconciling`.
+- `status` (String) The status of the Logs instance. Possible values are: `active`, `deleting`, `reconciling`.

docs/resources/vpn_gateway.md

@@ -0,0 +1,76 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "stackit_vpn_gateway Resource - stackit"
+subcategory: ""
+description: |-
+  VPN Gateway resource schema. Uses the default_region specified in the provider configuration as a fallback in case no region is defined on resource level.
+---
+
+# stackit_vpn_gateway (Resource)
+
+VPN Gateway resource schema. Uses the `default_region` specified in the provider configuration as a fallback in case no `region` is defined on resource level.
+
+## Example Usage
+
+```terraform
+resource "stackit_vpn_gateway" "example" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  display_name = "example-vpn-gateway"
+  plan_id      = "p500"
+  routing_type = "ROUTE_BASED"
+
+  availability_zones = {
+    tunnel1 = "eu01-1"
+    tunnel2 = "eu01-2"
+  }
+}
+
+# Only use the import statement, if you want to import an existing VPN gateway
+import {
+  to = stackit_vpn_gateway.example
+  id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,eu01,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `availability_zones` (Attributes) Availability zones for the two tunnel endpoints. (see [below for nested schema](#nestedatt--availability_zones))
+- `display_name` (String) A user-friendly name for the VPN gateway.
+- `plan_id` (String) The service plan identifier (e.g. `p500`). For guidance on finding available plans, see [List available service plans](https://docs.stackit.cloud/products/network/connectivity-hybrid-multi-cloud/vpn/getting-started/gateway-create/#list-available-service-plans).
+- `project_id` (String) STACKIT project ID associated with the VPN gateway.
+- `routing_type` (String) Routing architecture. Possible values are: `POLICY_BASED`, `ROUTE_BASED`, `BGP_ROUTE_BASED`.
+
+### Optional
+
+- `bgp` (Attributes) BGP configuration. Only applicable when routing_type is BGP_ROUTE_BASED. (see [below for nested schema](#nestedatt--bgp))
+- `labels` (Map of String) Map of custom labels (key-value string pairs).
+- `region` (String) STACKIT region name the resource is located in. If not defined, the provider region is used.
+
+### Read-Only
+
+- `gateway_id` (String) The server-generated UUID of the VPN gateway.
+- `id` (String) Terraform's internal resource identifier. Structured as "`project_id`,`region`,`gateway_id`".
+- `state` (String) The current lifecycle state of the gateway. Possible values are: `PENDING`, `READY`, `ERROR`, `DELETING`.
+
+<a id="nestedatt--availability_zones"></a>
+### Nested Schema for `availability_zones`
+
+Required:
+
+- `tunnel1` (String) Availability zone for tunnel 1.
+- `tunnel2` (String) Availability zone for tunnel 2.
+
+
+<a id="nestedatt--bgp"></a>
+### Nested Schema for `bgp`
+
+Required:
+
+- `local_asn` (Number) Local ASN for BGP (private ASN range, 64512-4294967294).
+
+Optional:
+
+- `override_advertised_routes` (List of String) List of IPv4 CIDRs to advertise via BGP. If omitted, SNA network ranges are advertised.

examples/data-sources/stackit_vpn_gateway/data-source.tf

@@ -0,0 +1,4 @@
+data "stackit_vpn_gateway" "example" {
+  project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  gateway_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}

examples/resources/stackit_vpn_gateway/resource.tf

@@ -0,0 +1,17 @@
+resource "stackit_vpn_gateway" "example" {
+  project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+  display_name = "example-vpn-gateway"
+  plan_id      = "p500"
+  routing_type = "ROUTE_BASED"
+
+  availability_zones = {
+    tunnel1 = "eu01-1"
+    tunnel2 = "eu01-2"
+  }
+}
+
+# Only use the import statement, if you want to import an existing VPN gateway
+import {
+  to = stackit_vpn_gateway.example
+  id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,eu01,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}

go.mod

@@ -46,6 +46,7 @@ require (
 	github.com/stackitcloud/stackit-sdk-go/services/sqlserverflex v1.11.0
 	github.com/stackitcloud/stackit-sdk-go/services/telemetrylink v0.2.0
 	github.com/stackitcloud/stackit-sdk-go/services/telemetryrouter v0.3.0
+	github.com/stackitcloud/stackit-sdk-go/services/vpn v0.14.0
 	github.com/teambition/rrule-go v1.8.2
 	golang.org/x/mod v0.36.0
 )

go.sum

@@ -738,6 +738,8 @@ github.com/stackitcloud/stackit-sdk-go/services/telemetrylink v0.2.0 h1:U1mQoCk0
 github.com/stackitcloud/stackit-sdk-go/services/telemetrylink v0.2.0/go.mod h1:hgw8janWmDfP2bnuZensxqcAePr49BX5ug8Rq85o+h8=
 github.com/stackitcloud/stackit-sdk-go/services/telemetryrouter v0.3.0 h1:MEvzGItcbig+9A4JvK2E5W6/mqXDPafiGkDZ1BprBAI=
 github.com/stackitcloud/stackit-sdk-go/services/telemetryrouter v0.3.0/go.mod h1:WUmgKtwpe90Yq3YbgNxc2clTTULVxCu0ha6lMTjUnII=
+github.com/stackitcloud/stackit-sdk-go/services/vpn v0.14.0 h1:LMgbzhPunuelsIsfyEj/5O/aYfNcg/eGHsnZ7AZOhYg=
+github.com/stackitcloud/stackit-sdk-go/services/vpn v0.14.0/go.mod h1:toIjQk1dhxdUFVyCWJJja0w/0nFpDid8MWX0ukQfvfo=
 github.com/stbenjam/no-sprintf-host-port v0.3.1 h1:AyX7+dxI4IdLBPtDbsGAyqiTSLpCP9hWRrXQDU4Cm/g=
 github.com/stbenjam/no-sprintf-host-port v0.3.1/go.mod h1:ODbZesTCHMVKthBHskvUUexdcNHAQRXk9NpSsL8p/HQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

stackit/internal/core/core.go

@@ -74,6 +74,7 @@ type ProviderData struct {
 	ServiceAccountCustomEndpoint    string
 	TelemetryLinkCustomEndpoint     string
 	TelemetryRouterCustomEndpoint   string
+	VpnCustomEndpoint               string
 	EnableBetaResources             bool
 	Experiments                     []string