{
  "description": "VPNConnection is the Schema for the VPNConnections API. Manages a Site-to-Site VPN connection. A Site-to-Site VPN connection is an Internet Protocol security (IPsec) VPN connection between a VPC and an on-premises network.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "VPNConnectionSpec defines the desired state of VPNConnection",
      "properties": {
        "deletionPolicy": {
          "default": "Delete",
          "description": "DeletionPolicy specifies what will happen to the underlying external resource\nwhen this managed resource is deleted - either \"Delete\" or \"Orphan\" the\nexternal resource.\nThis field is planned to be deprecated in favor of the ManagementPolicies\nfield in a future release. Currently, both could be set independently and\nnon-default values would be honored if the feature flag is enabled.\nSee the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223",
          "enum": [
            "Orphan",
            "Delete"
          ],
          "type": "string"
        },
        "forProvider": {
          "properties": {
            "customerGatewayId": {
              "description": "The ID of the customer gateway.",
              "type": "string"
            },
            "customerGatewayIdRef": {
              "description": "Reference to a CustomerGateway in ec2 to populate customerGatewayId.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "customerGatewayIdSelector": {
              "description": "Selector for a CustomerGateway in ec2 to populate customerGatewayId.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "enableAcceleration": {
              "description": "Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.",
              "type": "boolean"
            },
            "localIpv4NetworkCidr": {
              "description": "The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.",
              "type": "string"
            },
            "localIpv6NetworkCidr": {
              "description": "The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.",
              "type": "string"
            },
            "outsideIpAddressType": {
              "description": "Indicates whether this is a Public S2S VPN or a Private S2S VPN over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4",
              "type": "string"
            },
            "presharedKeyStorage": {
              "description": "Storage mode for the pre-shared key (PSK). Valid values are Standard (stored in the Site-to-Site VPN service) or SecretsManager (stored in AWS Secrets Manager).",
              "type": "string"
            },
            "region": {
              "description": "Region where this resource will be managed. Defaults to the Region set in the provider configuration.\nRegion is the region you'd like your resource to be created in.",
              "type": "string"
            },
            "remoteIpv4NetworkCidr": {
              "description": "The IPv4 CIDR on the AWS side of the VPN connection.",
              "type": "string"
            },
            "remoteIpv6NetworkCidr": {
              "description": "The IPv6 CIDR on the AWS side of the VPN connection.",
              "type": "string"
            },
            "staticRoutesOnly": {
              "description": "Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.",
              "type": "boolean"
            },
            "tags": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "Key-value map of resource tags.",
              "type": "object",
              "x-kubernetes-map-type": "granular"
            },
            "transitGatewayId": {
              "description": "The ID of the EC2 Transit Gateway.",
              "type": "string"
            },
            "transitGatewayIdRef": {
              "description": "Reference to a TransitGateway in ec2 to populate transitGatewayId.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "transitGatewayIdSelector": {
              "description": "Selector for a TransitGateway in ec2 to populate transitGatewayId.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "transportTransitGatewayAttachmentId": {
              "description": "The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.",
              "type": "string"
            },
            "tunnel1DpdTimeoutAction": {
              "description": "The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.",
              "type": "string"
            },
            "tunnel1DpdTimeoutSeconds": {
              "description": "The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal to or higher than 30.",
              "type": "number"
            },
            "tunnel1EnableTunnelLifecycleControl": {
              "description": "Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are true | false.",
              "type": "boolean"
            },
            "tunnel1IkeVersions": {
              "description": "The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1InsideCidr": {
              "description": "The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.",
              "type": "string"
            },
            "tunnel1InsideIpv6Cidr": {
              "description": "The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.",
              "type": "string"
            },
            "tunnel1LogOptions": {
              "description": "Options for logging VPN tunnel activity. See Log Options below for more details.",
              "properties": {
                "cloudwatchLogOptions": {
                  "description": "Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.",
                  "properties": {
                    "logEnabled": {
                      "description": "Enable or disable VPN tunnel logging feature. The default is false.",
                      "type": "boolean"
                    },
                    "logGroupArn": {
                      "description": "The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.",
                      "type": "string"
                    },
                    "logOutputFormat": {
                      "description": "Set log format. Default format is json. Possible values are: json and text. The default is json.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "tunnel1Phase1DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1IntegrityAlgorithms": {
              "description": "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1LifetimeSeconds": {
              "description": "The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.",
              "type": "number"
            },
            "tunnel1Phase2DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2IntegrityAlgorithms": {
              "description": "List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2LifetimeSeconds": {
              "description": "The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.",
              "type": "number"
            },
            "tunnel1PresharedKeySecretRef": {
              "description": "Reference to a key in a Secret (identified by name and namespace) that holds the preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).",
              "properties": {
                "key": {
                  "description": "The key to select.",
                  "type": "string"
                },
                "name": {
                  "description": "Name of the secret.",
                  "type": "string"
                },
                "namespace": {
                  "description": "Namespace of the secret.",
                  "type": "string"
                }
              },
              "required": [
                "key",
                "name",
                "namespace"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "tunnel1RekeyFuzzPercentage": {
              "description": "The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.",
              "type": "number"
            },
            "tunnel1RekeyMarginTimeSeconds": {
              "description": "The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.",
              "type": "number"
            },
            "tunnel1ReplayWindowSize": {
              "description": "The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.",
              "type": "number"
            },
            "tunnel1StartupAction": {
              "description": "The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.",
              "type": "string"
            },
            "tunnel2DpdTimeoutAction": {
              "description": "The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.",
              "type": "string"
            },
            "tunnel2DpdTimeoutSeconds": {
              "description": "The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal to or higher than 30.",
              "type": "number"
            },
            "tunnel2EnableTunnelLifecycleControl": {
              "description": "Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are true | false.",
              "type": "boolean"
            },
            "tunnel2IkeVersions": {
              "description": "The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2InsideCidr": {
              "description": "The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.",
              "type": "string"
            },
            "tunnel2InsideIpv6Cidr": {
              "description": "The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.",
              "type": "string"
            },
            "tunnel2LogOptions": {
              "description": "Options for logging VPN tunnel activity. See Log Options below for more details.",
              "properties": {
                "cloudwatchLogOptions": {
                  "description": "Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.",
                  "properties": {
                    "logEnabled": {
                      "description": "Enable or disable VPN tunnel logging feature. The default is false.",
                      "type": "boolean"
                    },
                    "logGroupArn": {
                      "description": "The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.",
                      "type": "string"
                    },
                    "logOutputFormat": {
                      "description": "Set log format. Default format is json. Possible values are: json and text. The default is json.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "tunnel2Phase1DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1IntegrityAlgorithms": {
              "description": "One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1LifetimeSeconds": {
              "description": "The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.",
              "type": "number"
            },
            "tunnel2Phase2DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2IntegrityAlgorithms": {
              "description": "List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2LifetimeSeconds": {
              "description": "The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.",
              "type": "number"
            },
            "tunnel2PresharedKeySecretRef": {
              "description": "Reference to a key in a Secret (identified by name and namespace) that holds the preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).",
              "properties": {
                "key": {
                  "description": "The key to select.",
                  "type": "string"
                },
                "name": {
                  "description": "Name of the secret.",
                  "type": "string"
                },
                "namespace": {
                  "description": "Namespace of the secret.",
                  "type": "string"
                }
              },
              "required": [
                "key",
                "name",
                "namespace"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "tunnel2RekeyFuzzPercentage": {
              "description": "The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.",
              "type": "number"
            },
            "tunnel2RekeyMarginTimeSeconds": {
              "description": "The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.",
              "type": "number"
            },
            "tunnel2ReplayWindowSize": {
              "description": "The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.",
              "type": "number"
            },
            "tunnel2StartupAction": {
              "description": "The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.",
              "type": "string"
            },
            "tunnelInsideIpVersion": {
              "description": "Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 Supports only EC2 Transit Gateway.",
              "type": "string"
            },
            "type": {
              "description": "The type of VPN connection. The only type AWS supports at this time is \"ipsec.1\".",
              "type": "string"
            },
            "typeRef": {
              "description": "Reference to a CustomerGateway in ec2 to populate type.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "typeSelector": {
              "description": "Selector for a CustomerGateway in ec2 to populate type.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "vpnGatewayId": {
              "description": "The ID of the Virtual Private Gateway.",
              "type": "string"
            },
            "vpnGatewayIdRef": {
              "description": "Reference to a VPNGateway in ec2 to populate vpnGatewayId.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "vpnGatewayIdSelector": {
              "description": "Selector for a VPNGateway in ec2 to populate vpnGatewayId.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "required": [
            "region"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "initProvider": {
          "description": "THIS IS A BETA FIELD. It will be honored\nunless the Management Policies feature flag is disabled.\nInitProvider holds the same fields as ForProvider, with the exception\nof Identifier and other resource reference fields. The fields that are\nin InitProvider are merged into ForProvider when the resource is created.\nThe same fields are also added to the terraform ignore_changes hook, to\navoid updating them after creation. This is useful for fields that are\nrequired on creation, but we do not desire to update them after creation,\nfor example because of an external controller is managing them, like an\nautoscaler.",
          "properties": {
            "customerGatewayId": {
              "description": "The ID of the customer gateway.",
              "type": "string"
            },
            "customerGatewayIdRef": {
              "description": "Reference to a CustomerGateway in ec2 to populate customerGatewayId.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "customerGatewayIdSelector": {
              "description": "Selector for a CustomerGateway in ec2 to populate customerGatewayId.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "enableAcceleration": {
              "description": "Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.",
              "type": "boolean"
            },
            "localIpv4NetworkCidr": {
              "description": "The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.",
              "type": "string"
            },
            "localIpv6NetworkCidr": {
              "description": "The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.",
              "type": "string"
            },
            "outsideIpAddressType": {
              "description": "Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4",
              "type": "string"
            },
            "presharedKeyStorage": {
              "description": "Storage mode for the pre-shared key (PSK). Valid values are Standard (stored in the Site-to-Site VPN service) or SecretsManager (stored in AWS Secrets Manager).",
              "type": "string"
            },
            "remoteIpv4NetworkCidr": {
              "description": "The IPv4 CIDR on the AWS side of the VPN connection.",
              "type": "string"
            },
            "remoteIpv6NetworkCidr": {
              "description": "The IPv6 CIDR on the AWS side of the VPN connection.",
              "type": "string"
            },
            "staticRoutesOnly": {
              "description": "Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.",
              "type": "boolean"
            },
            "tags": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "Key-value map of resource tags.",
              "type": "object",
              "x-kubernetes-map-type": "granular"
            },
            "transitGatewayId": {
              "description": "The ID of the EC2 Transit Gateway.",
              "type": "string"
            },
            "transitGatewayIdRef": {
              "description": "Reference to a TransitGateway in ec2 to populate transitGatewayId.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "transitGatewayIdSelector": {
              "description": "Selector for a TransitGateway in ec2 to populate transitGatewayId.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "transportTransitGatewayAttachmentId": {
              "description": ". The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.",
              "type": "string"
            },
            "tunnel1DpdTimeoutAction": {
              "description": "The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.",
              "type": "string"
            },
            "tunnel1DpdTimeoutSeconds": {
              "description": "The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than 30.",
              "type": "number"
            },
            "tunnel1EnableTunnelLifecycleControl": {
              "description": "Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are true | false.",
              "type": "boolean"
            },
            "tunnel1IkeVersions": {
              "description": "The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1InsideCidr": {
              "description": "The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.",
              "type": "string"
            },
            "tunnel1InsideIpv6Cidr": {
              "description": "The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.",
              "type": "string"
            },
            "tunnel1LogOptions": {
              "description": "Options for logging VPN tunnel activity. See Log Options below for more details.",
              "properties": {
                "cloudwatchLogOptions": {
                  "description": "Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.",
                  "properties": {
                    "logEnabled": {
                      "description": "Enable or disable VPN tunnel logging feature. The default is false.",
                      "type": "boolean"
                    },
                    "logGroupArn": {
                      "description": "The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.",
                      "type": "string"
                    },
                    "logOutputFormat": {
                      "description": "Set log format. Default format is json. Possible values are: json and text. The default is json.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "tunnel1Phase1DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1IntegrityAlgorithms": {
              "description": "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1LifetimeSeconds": {
              "description": "The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.",
              "type": "number"
            },
            "tunnel1Phase2DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2IntegrityAlgorithms": {
              "description": "List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2LifetimeSeconds": {
              "description": "The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.",
              "type": "number"
            },
            "tunnel1PresharedKeySecretRef": {
              "description": "The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).",
              "properties": {
                "key": {
                  "description": "The key to select.",
                  "type": "string"
                },
                "name": {
                  "description": "Name of the secret.",
                  "type": "string"
                },
                "namespace": {
                  "description": "Namespace of the secret.",
                  "type": "string"
                }
              },
              "required": [
                "key",
                "name",
                "namespace"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "tunnel1RekeyFuzzPercentage": {
              "description": "The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.",
              "type": "number"
            },
            "tunnel1RekeyMarginTimeSeconds": {
              "description": "The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.",
              "type": "number"
            },
            "tunnel1ReplayWindowSize": {
              "description": "The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.",
              "type": "number"
            },
            "tunnel1StartupAction": {
              "description": "The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.",
              "type": "string"
            },
            "tunnel2DpdTimeoutAction": {
              "description": "The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.",
              "type": "string"
            },
            "tunnel2DpdTimeoutSeconds": {
              "description": "The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than 30.",
              "type": "number"
            },
            "tunnel2EnableTunnelLifecycleControl": {
              "description": "Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are true | false.",
              "type": "boolean"
            },
            "tunnel2IkeVersions": {
              "description": "The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2InsideCidr": {
              "description": "The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.",
              "type": "string"
            },
            "tunnel2InsideIpv6Cidr": {
              "description": "The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.",
              "type": "string"
            },
            "tunnel2LogOptions": {
              "description": "Options for logging VPN tunnel activity. See Log Options below for more details.",
              "properties": {
                "cloudwatchLogOptions": {
                  "description": "Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.",
                  "properties": {
                    "logEnabled": {
                      "description": "Enable or disable VPN tunnel logging feature. The default is false.",
                      "type": "boolean"
                    },
                    "logGroupArn": {
                      "description": "The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.",
                      "type": "string"
                    },
                    "logOutputFormat": {
                      "description": "Set log format. Default format is json. Possible values are: json and text. The default is json.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "tunnel2Phase1DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1IntegrityAlgorithms": {
              "description": "One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1LifetimeSeconds": {
              "description": "The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.",
              "type": "number"
            },
            "tunnel2Phase2DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2IntegrityAlgorithms": {
              "description": "List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2LifetimeSeconds": {
              "description": "The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.",
              "type": "number"
            },
            "tunnel2PresharedKeySecretRef": {
              "description": "The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(_).",
              "properties": {
                "key": {
                  "description": "The key to select.",
                  "type": "string"
                },
                "name": {
                  "description": "Name of the secret.",
                  "type": "string"
                },
                "namespace": {
                  "description": "Namespace of the secret.",
                  "type": "string"
                }
              },
              "required": [
                "key",
                "name",
                "namespace"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "tunnel2RekeyFuzzPercentage": {
              "description": "The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.",
              "type": "number"
            },
            "tunnel2RekeyMarginTimeSeconds": {
              "description": "The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.",
              "type": "number"
            },
            "tunnel2ReplayWindowSize": {
              "description": "The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.",
              "type": "number"
            },
            "tunnel2StartupAction": {
              "description": "The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.",
              "type": "string"
            },
            "tunnelInsideIpVersion": {
              "description": "Indicates whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 is supported only with EC2 Transit Gateway.",
              "type": "string"
            },
            "type": {
              "description": "The type of VPN connection. The only type AWS supports at this time is \"ipsec.1\".",
              "type": "string"
            },
            "typeRef": {
              "description": "Reference to a CustomerGateway in ec2 to populate type.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "typeSelector": {
              "description": "Selector for a CustomerGateway in ec2 to populate type.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "vpnGatewayId": {
              "description": "The ID of the Virtual Private Gateway.",
              "type": "string"
            },
            "vpnGatewayIdRef": {
              "description": "Reference to a VPNGateway in ec2 to populate vpnGatewayId.",
              "properties": {
                "name": {
                  "description": "Name of the referenced object.",
                  "type": "string"
                },
                "policy": {
                  "description": "Policies for referencing.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "required": [
                "name"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "vpnGatewayIdSelector": {
              "description": "Selector for a VPNGateway in ec2 to populate vpnGatewayId.",
              "properties": {
                "matchControllerRef": {
                  "description": "MatchControllerRef ensures an object with the same controller reference\nas the selecting object is selected.",
                  "type": "boolean"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "MatchLabels ensures an object with matching labels is selected.",
                  "type": "object"
                },
                "policy": {
                  "description": "Policies for selection.",
                  "properties": {
                    "resolution": {
                      "default": "Required",
                      "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                      "enum": [
                        "Required",
                        "Optional"
                      ],
                      "type": "string"
                    },
                    "resolve": {
                      "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                      "enum": [
                        "Always",
                        "IfNotPresent"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "managementPolicies": {
          "default": [
            "*"
          ],
          "description": "THIS IS A BETA FIELD. It is on by default but can be opted out\nthrough a Crossplane feature flag.\nManagementPolicies specify the array of actions Crossplane is allowed to\ntake on the managed and external resources.\nThis field is planned to replace the DeletionPolicy field in a future\nrelease. Currently, both could be set independently and non-default\nvalues would be honored if the feature flag is enabled. If both are\ncustom, the DeletionPolicy field will be ignored.\nSee the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223\nand this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md",
          "items": {
            "description": "A ManagementAction represents an action that the Crossplane controllers\ncan take on an external resource.",
            "enum": [
              "Observe",
              "Create",
              "Update",
              "Delete",
              "LateInitialize",
              "*"
            ],
            "type": "string"
          },
          "type": "array"
        },
        "providerConfigRef": {
          "default": {
            "name": "default"
          },
          "description": "ProviderConfigReference specifies how the provider that will be used to\ncreate, observe, update, and delete this managed resource should be\nconfigured.",
          "properties": {
            "name": {
              "description": "Name of the referenced object.",
              "type": "string"
            },
            "policy": {
              "description": "Policies for referencing.",
              "properties": {
                "resolution": {
                  "default": "Required",
                  "description": "Resolution specifies whether resolution of this reference is required.\nThe default is 'Required', which means the reconcile will fail if the\nreference cannot be resolved. 'Optional' means this reference will be\na no-op if it cannot be resolved.",
                  "enum": [
                    "Required",
                    "Optional"
                  ],
                  "type": "string"
                },
                "resolve": {
                  "description": "Resolve specifies when this reference should be resolved. The default\nis 'IfNotPresent', which will attempt to resolve the reference only when\nthe corresponding field is not present. Use 'Always' to resolve the\nreference on every reconcile.",
                  "enum": [
                    "Always",
                    "IfNotPresent"
                  ],
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "required": [
            "name"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "writeConnectionSecretToRef": {
          "description": "WriteConnectionSecretToReference specifies the namespace and name of a\nSecret to which any connection details for this managed resource should\nbe written. Connection details frequently include the endpoint, username,\nand password required to connect to the managed resource.",
          "properties": {
            "name": {
              "description": "Name of the secret.",
              "type": "string"
            },
            "namespace": {
              "description": "Namespace of the secret.",
              "type": "string"
            }
          },
          "required": [
            "name",
            "namespace"
          ],
          "type": "object",
          "additionalProperties": false
        }
      },
      "required": [
        "forProvider"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "VPNConnectionStatus defines the observed state of VPNConnection.",
      "properties": {
        "atProvider": {
          "properties": {
            "arn": {
              "description": "Amazon Resource Name (ARN) of the VPN Connection.",
              "type": "string"
            },
            "coreNetworkArn": {
              "description": "The ARN of the core network.",
              "type": "string"
            },
            "coreNetworkAttachmentArn": {
              "description": "The ARN of the core network attachment.",
              "type": "string"
            },
            "customerGatewayId": {
              "description": "The ID of the customer gateway.",
              "type": "string"
            },
            "enableAcceleration": {
              "description": "Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.",
              "type": "boolean"
            },
            "id": {
              "description": "The Amazon-assigned ID of the VPN connection.",
              "type": "string"
            },
            "localIpv4NetworkCidr": {
              "description": "The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.",
              "type": "string"
            },
            "localIpv6NetworkCidr": {
              "description": "The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.",
              "type": "string"
            },
            "outsideIpAddressType": {
              "description": "Indicates whether this is a Public S2S VPN or a Private S2S VPN over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4.",
              "type": "string"
            },
            "presharedKeyArn": {
              "description": "ARN of the Secrets Manager secret storing the pre-shared key(s) for the VPN connection. Note that even if it returns a valid Secrets Manager ARN, the pre-shared key(s) will not be stored in Secrets Manager unless the preshared_key_storage argument is set to SecretsManager.",
              "type": "string"
            },
            "presharedKeyStorage": {
              "description": "Storage mode for the pre-shared key (PSK). Valid values are Standard (stored in the Site-to-Site VPN service) or SecretsManager (stored in AWS Secrets Manager).",
              "type": "string"
            },
            "region": {
              "description": "Region where this resource will be managed. Defaults to the Region set in the provider configuration.\nRegion is the region you'd like your resource to be created in.",
              "type": "string"
            },
            "remoteIpv4NetworkCidr": {
              "description": "The IPv4 CIDR on the AWS side of the VPN connection.",
              "type": "string"
            },
            "remoteIpv6NetworkCidr": {
              "description": "The IPv6 CIDR on the AWS side of the VPN connection.",
              "type": "string"
            },
            "routes": {
              "description": "The static routes associated with the VPN connection. Detailed below.",
              "items": {
                "properties": {
                  "destinationCidrBlock": {
                    "description": "The CIDR block associated with the local subnet of the customer data center.",
                    "type": "string"
                  },
                  "source": {
                    "description": "Indicates how the routes were provided.",
                    "type": "string"
                  },
                  "state": {
                    "description": "The current state of the static route.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "staticRoutesOnly": {
              "description": "Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.",
              "type": "boolean"
            },
            "tags": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "Key-value map of resource tags.",
              "type": "object",
              "x-kubernetes-map-type": "granular"
            },
            "tagsAll": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.",
              "type": "object",
              "x-kubernetes-map-type": "granular"
            },
            "transitGatewayAttachmentId": {
              "description": "When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws_ec2_tag resource for tagging the EC2 Transit Gateway VPN Attachment.",
              "type": "string"
            },
            "transitGatewayId": {
              "description": "The ID of the EC2 Transit Gateway.",
              "type": "string"
            },
            "transportTransitGatewayAttachmentId": {
              "description": "The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.",
              "type": "string"
            },
            "tunnel1Address": {
              "description": "The public IP address of the first VPN tunnel.",
              "type": "string"
            },
            "tunnel1BgpAsn": {
              "description": "The BGP ASN of the first VPN tunnel.",
              "type": "string"
            },
            "tunnel1BgpHoldtime": {
              "description": "The BGP hold time of the first VPN tunnel.",
              "type": "number"
            },
            "tunnel1CgwInsideAddress": {
              "description": "The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).",
              "type": "string"
            },
            "tunnel1DpdTimeoutAction": {
              "description": "The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.",
              "type": "string"
            },
            "tunnel1DpdTimeoutSeconds": {
              "description": "The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal to or higher than 30.",
              "type": "number"
            },
            "tunnel1EnableTunnelLifecycleControl": {
              "description": "Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are true | false.",
              "type": "boolean"
            },
            "tunnel1IkeVersions": {
              "description": "The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1InsideCidr": {
              "description": "The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.",
              "type": "string"
            },
            "tunnel1InsideIpv6Cidr": {
              "description": "The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.",
              "type": "string"
            },
            "tunnel1LogOptions": {
              "description": "Options for logging VPN tunnel activity. See Log Options below for more details.",
              "properties": {
                "cloudwatchLogOptions": {
                  "description": "Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.",
                  "properties": {
                    "logEnabled": {
                      "description": "Enable or disable VPN tunnel logging feature. The default is false.",
                      "type": "boolean"
                    },
                    "logGroupArn": {
                      "description": "The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.",
                      "type": "string"
                    },
                    "logOutputFormat": {
                      "description": "Set log format. Possible values are: json and text. The default is json.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "tunnel1Phase1DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1IntegrityAlgorithms": {
              "description": "One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase1LifetimeSeconds": {
              "description": "The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.",
              "type": "number"
            },
            "tunnel1Phase2DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2IntegrityAlgorithms": {
              "description": "List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel1Phase2LifetimeSeconds": {
              "description": "The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.",
              "type": "number"
            },
            "tunnel1RekeyFuzzPercentage": {
              "description": "The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.",
              "type": "number"
            },
            "tunnel1RekeyMarginTimeSeconds": {
              "description": "The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.",
              "type": "number"
            },
            "tunnel1ReplayWindowSize": {
              "description": "The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.",
              "type": "number"
            },
            "tunnel1StartupAction": {
              "description": "The action to take when establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.",
              "type": "string"
            },
            "tunnel1VgwInsideAddress": {
              "description": "The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).",
              "type": "string"
            },
            "tunnel2Address": {
              "description": "The public IP address of the second VPN tunnel.",
              "type": "string"
            },
            "tunnel2BgpAsn": {
              "description": "The BGP ASN of the second VPN tunnel.",
              "type": "string"
            },
            "tunnel2BgpHoldtime": {
              "description": "The BGP hold time of the second VPN tunnel.",
              "type": "number"
            },
            "tunnel2CgwInsideAddress": {
              "description": "The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).",
              "type": "string"
            },
            "tunnel2DpdTimeoutAction": {
              "description": "The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.",
              "type": "string"
            },
            "tunnel2DpdTimeoutSeconds": {
              "description": "The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal to or higher than 30.",
              "type": "number"
            },
            "tunnel2EnableTunnelLifecycleControl": {
              "description": "Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are true | false.",
              "type": "boolean"
            },
            "tunnel2IkeVersions": {
              "description": "The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2InsideCidr": {
              "description": "The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.",
              "type": "string"
            },
            "tunnel2InsideIpv6Cidr": {
              "description": "The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.",
              "type": "string"
            },
            "tunnel2LogOptions": {
              "description": "Options for logging VPN tunnel activity. See Log Options below for more details.",
              "properties": {
                "cloudwatchLogOptions": {
                  "description": "Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.",
                  "properties": {
                    "logEnabled": {
                      "description": "Enable or disable VPN tunnel logging feature. The default is false.",
                      "type": "boolean"
                    },
                    "logGroupArn": {
                      "description": "The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.",
                      "type": "string"
                    },
                    "logOutputFormat": {
                      "description": "Set log format. Possible values are: json and text. The default is json.",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "tunnel2Phase1DhGroupNumbers": {
              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.",
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1IntegrityAlgorithms": {
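              "description": "List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. SHA1 is a legacy option; prefer the SHA2 values where the customer gateway device supports them.",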
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase1LifetimeSeconds": {
              "description": "The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.",
              "type": "number"
            },
            "tunnel2Phase2DhGroupNumbers": {
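              "description": "List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24. Groups 2 and 5 (1024-bit and 1536-bit MODP) are generally considered weak; restrict this list to stronger groups where the customer gateway device supports them.",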
              "items": {
                "type": "number"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2EncryptionAlgorithms": {
              "description": "List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2IntegrityAlgorithms": {
              "description": "List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512. SHA1 is a legacy option; prefer the SHA2 values where the customer gateway device supports them.",
              "items": {
                "type": "string"
              },
              "type": "array",
              "x-kubernetes-list-type": "set"
            },
            "tunnel2Phase2LifetimeSeconds": {
              "description": "The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.",
              "type": "number"
            },
            "tunnel2RekeyFuzzPercentage": {
              "description": "The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.",
              "type": "number"
            },
            "tunnel2RekeyMarginTimeSeconds": {
              "description": "The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.",
              "type": "number"
            },
            "tunnel2ReplayWindowSize": {
              "description": "The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.",
              "type": "number"
            },
            "tunnel2StartupAction": {
              "description": "The action to take when establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.",
              "type": "string"
            },
            "tunnel2VgwInsideAddress": {
              "description": "The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).",
              "type": "string"
            },
            "tunnelInsideIpVersion": {
              "description": "Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. The ipv6 value is supported only with EC2 Transit Gateway.",
              "type": "string"
            },
            "type": {
              "description": "The type of VPN connection. The only type AWS supports at this time is \"ipsec.1\".",
              "type": "string"
            },
            "vgwTelemetry": {
              "description": "Telemetry for the VPN tunnels. Detailed below.",
              "items": {
                "properties": {
                  "acceptedRouteCount": {
                    "description": "The number of accepted routes.",
                    "type": "number"
                  },
                  "certificateArn": {
                    "description": "The Amazon Resource Name (ARN) of the VPN tunnel endpoint certificate.",
                    "type": "string"
                  },
                  "lastStatusChange": {
                    "description": "The date and time of the last change in status.",
                    "type": "string"
                  },
                  "outsideIpAddress": {
                    "description": "The Internet-routable IP address of the virtual private gateway's outside interface.",
                    "type": "string"
                  },
                  "status": {
                    "description": "The status of the VPN tunnel.",
                    "type": "string"
                  },
                  "statusMessage": {
                    "description": "If an error occurs, a description of the error.",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "vpnGatewayId": {
              "description": "The ID of the Virtual Private Gateway.",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "conditions": {
          "description": "Conditions of the resource.",
          "items": {
            "description": "A Condition that may apply to a resource.",
            "properties": {
              "lastTransitionTime": {
                "description": "LastTransitionTime is the last time this condition transitioned from one\nstatus to another.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "A Message containing details about this condition's last transition from\none status to another, if any.",
                "type": "string"
              },
              "observedGeneration": {
                "description": "ObservedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                "format": "int64",
                "type": "integer"
              },
              "reason": {
                "description": "A Reason for this condition's last transition from one status to another.",
                "type": "string"
              },
              "status": {
                "description": "Status of this condition; is it currently True, False, or Unknown?",
                "type": "string"
              },
              "type": {
                "description": "Type of this condition. At most one of each condition type may apply to\na resource at any point in time.",
                "type": "string"
              }
            },
            "required": [
              "lastTransitionTime",
              "reason",
              "status",
              "type"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array",
          "x-kubernetes-list-map-keys": [
            "type"
          ],
          "x-kubernetes-list-type": "map"
        },
        "observedGeneration": {
          "description": "ObservedGeneration is the latest metadata.generation\nwhich resulted in either a ready state, or stalled due to error\nit can not recover from without human intervention.",
          "format": "int64",
          "type": "integer"
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
