Add generation support to VPN connections

Author: heroku-johnny

docs/resources/space_vpn_connection.md

@@ -13,17 +13,19 @@ Provides a resource for creating a VPN connection between a network and a Heroku
 ## Example Usage
 
 ```hcl-terraform
-// Create a new Heroku space
+// Create a new Heroku space (Cedar generation)
 resource "heroku_space" "default" {
   name         = "test-space"
   organization = "my-company"
   region       = "virginia"
+  generation   = "cedar"
 }
 
 // Connect the Heroku space to another network with a VPN
 resource "heroku_space_vpn_connection" "office" {
   name           = "office"
   space          = heroku_space.default.id
+  generation     = "cedar"  # Must match space generation
   public_ip      = "203.0.113.1"
   routable_cidrs = ["192.168.1.0/24"]
 }
@@ -35,13 +37,15 @@ The following arguments are supported:
 
 * `name` - (Required) The name of the VPN connection.
 * `space` - (Required) The ID of the Heroku Private Space where the VPN connection will be established.
+* `generation` - (Optional) The generation of the space for VPN connection. Valid values are `cedar` and `fir`. Defaults to `cedar` for backward compatibility. Note: VPN connections are not supported for `fir` generation spaces. Cannot be changed after creation.
 * `public_ip` - (Required) The public IP address of the VPN endpoint on the network where the VPN connection will be established.
 * `routable_cidrs` - (Required) A list of IPv4 CIDR blocks used by the network where the VPN connection will be established.
 
 ## Attributes Reference
 
 The following attributes are exported:
 
+* `generation` - The generation of the space for VPN connection (`cedar` or `fir`).
 * `space_cidr_block` - The CIDR block for the Heroku Private Space. The network where the VPN will be established should be configured to route traffic destined for this CIDR block over the VPN link.
 * `ike_version` - The IKE version used to setup the IPsec tunnel.
 * `tunnels` - Details about each VPN tunnel endpoint.

heroku/resource_heroku_space_vpn_connection.go

@@ -9,14 +9,16 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 	heroku "github.com/heroku/heroku-go/v6"
 )
 
 func resourceHerokuSpaceVPNConnection() *schema.Resource {
 	return &schema.Resource{
-		Create: resourceHerokuSpaceVPNConnectionCreate,
-		Read:   resourceHerokuSpaceVPNConnectionRead,
-		Delete: resourceHerokuSpaceVPNConnectionDelete,
+		Create:        resourceHerokuSpaceVPNConnectionCreate,
+		Read:          resourceHerokuSpaceVPNConnectionRead,
+		Delete:        resourceHerokuSpaceVPNConnectionDelete,
+		CustomizeDiff: resourceHerokuSpaceVPNConnectionCustomizeDiff,
 
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
@@ -29,6 +31,15 @@ func resourceHerokuSpaceVPNConnection() *schema.Resource {
 				ForceNew: true,
 			},
 
+			"generation": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				Default:      "cedar",
+				ForceNew:     true,
+				ValidateFunc: validation.StringInSlice([]string{"cedar", "fir"}, false),
+				Description:  "Generation of the space for VPN connection. Defaults to cedar for backward compatibility.",
+			},
+
 			"name": {
 				Type:     schema.TypeString,
 				Required: true,
@@ -190,3 +201,20 @@ func spaceVPNConnectionStateRefreshFunc(client *heroku.Service, space, connectio
 		return vpn, vpn.Status, nil
 	}
 }
+
+// resourceHerokuSpaceVPNConnectionCustomizeDiff validates generation-specific feature support during plan phase
+func resourceHerokuSpaceVPNConnectionCustomizeDiff(ctx context.Context, diff *schema.ResourceDiff, v interface{}) error {
+	generation, generationExists := diff.GetOk("generation")
+
+	// Only validate if generation field is present
+	if generationExists {
+		generationStr := generation.(string)
+
+		// Check if VPN connections are supported for this generation
+		if !IsFeatureSupported(generationStr, "space", "vpn_connection") {
+			return fmt.Errorf("VPN connections are not supported for %s generation spaces", generationStr)
+		}
+	}
+
+	return nil
+}

heroku/resource_heroku_space_vpn_connection_test.go

@@ -86,3 +86,52 @@ resource "heroku_space_vpn_connection" "foobar" {
 }
 `, spaceConfig)
 }
+
+func TestHerokuSpaceVPNConnectionGeneration(t *testing.T) {
+	tests := []struct {
+		name        string
+		generation  string
+		expectError bool
+		description string
+	}{
+		{
+			name:        "Cedar generation should be supported",
+			generation:  "cedar",
+			expectError: false,
+			description: "Cedar supports VPN connections",
+		},
+		{
+			name:        "Fir generation should be unsupported",
+			generation:  "fir",
+			expectError: true,
+			description: "Fir does not support VPN connections",
+		},
+		{
+			name:        "Default generation (cedar) should be supported",
+			generation:  "", // Will default to cedar
+			expectError: false,
+			description: "Default cedar generation supports VPN connections",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test the feature support logic
+			generation := tt.generation
+			if generation == "" {
+				generation = "cedar" // Default
+			}
+
+			supported := IsFeatureSupported(generation, "space", "vpn_connection")
+			shouldError := !supported
+
+			if shouldError != tt.expectError {
+				t.Errorf("Expected error: %t, but got: %t for generation %s",
+					tt.expectError, shouldError, generation)
+			}
+
+			t.Logf("✅ Generation: %s, Supported: %t, ShouldError: %t",
+				generation, supported, shouldError)
+		})
+	}
+}