IBM-Cloud · sridhargk · Jul 9, 2025 · Aug 5, 2025 · Aug 6, 2025 · Aug 18, 2025
@@ -417,6 +417,11 @@ func dataSourceIBMTransitGatewayConnectionsRead(d *schema.ResourceData, meta int
 					tgConn[tgrGREtunnels] = rGREtunnels
 				}
 			}
+
+			if instance.Cidr != nil {
+				tgConn[tgCidr] = *instance.Cidr
+			}
+
 			connections = append(connections, tgConn)
 		}
 		startSub = flex.GetNext(listTGConnections.Next)

@@ -45,6 +45,7 @@ const (
 	tgGreTunnelId                       = "tunnel_id"
 	tgGreTunnelStatus                   = "status"
 	tgconTunnelName                     = "name"
+	tgCidr                              = "cidr"
 )
 
 func ResourceIBMTransitGatewayConnection() *schema.Resource {
@@ -82,7 +83,7 @@ func ResourceIBMTransitGatewayConnection() *schema.Resource {
 				Required:     true,
 				ForceNew:     true,
 				ValidateFunc: validate.InvokeValidator("ibm_tg_connection", tgNetworkType),
-				Description:  "Defines what type of network is connected via this connection. Allowable values (classic,directlink,vpc,gre_tunnel,unbound_gre_tunnel,power_virtual_server,redundant_gre)",
+				Description:  "Defines what type of network is connected via this connection. Allowable values (classic,directlink,vpc,gre_tunnel,unbound_gre_tunnel,power_virtual_server,redundant_gre,vpn_gateway)",
 			},
 			tgName: {
 				Type:         schema.TypeString,
@@ -152,7 +153,7 @@ func ResourceIBMTransitGatewayConnection() *schema.Resource {
 				Type:        schema.TypeString,
 				Optional:    true,
 				ForceNew:    true,
-				Description: "Location of GRE tunnel. This field only applies to network type 'gre_tunnel' and 'unbound_gre_tunnel' connections.",
+				Description: "Location of connection. This field only applies to network type 'gre_tunnel' and 'unbound_gre_tunnel' connections and optional for network type 'vpn_gateway' connections",
 			},
 			tgCreatedAt: {
 				Type:        schema.TypeString,
@@ -269,13 +270,19 @@ func ResourceIBMTransitGatewayConnection() *schema.Resource {
 					},
 				},
 			},
+			tgCidr: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				ForceNew:    true,
+				Description: "The network_type 'vpn_gateway' connections use 'cidr' to specify the CIDR to use for the VPN GRE tunnels",
+			},
 		},
 	}
 }
 func ResourceIBMTransitGatewayConnectionValidator() *validate.ResourceValidator {
 
 	validateSchema := make([]validate.ValidateSchema, 0)
-	networkType := "classic, directlink, vpc, gre_tunnel, unbound_gre_tunnel, power_virtual_server,redundant_gre"
+	networkType := "classic, directlink, vpc, gre_tunnel, unbound_gre_tunnel, power_virtual_server, redundant_gre, vpn_gateway"
 	validateSchema = append(validateSchema,
 		validate.ValidateSchema{
 			Identifier:                 tgNetworkType,
@@ -357,6 +364,10 @@ func resourceIBMTransitGatewayConnectionCreate(d *schema.ResourceData, meta inte
 		zoneIdentity.Name = &zoneName
 		createTransitGatewayConnectionOptions.SetZone(zoneIdentity)
 	}
+	if _, ok := d.GetOk(tgCidr); ok {
+		cidr := d.Get(tgCidr).(string)
+		createTransitGatewayConnectionOptions.SetCidr(cidr)
+	}
 
 	if _, ok := d.GetOk(tgDefaultPrefixFilter); ok {
 		if "redundant_gre" == networkType {
@@ -521,6 +532,14 @@ func resourceIBMTransitGatewayConnectionRead(d *schema.ResourceData, meta interf
 		d.Set(tgDefaultPrefixFilter, *instance.PrefixFiltersDefault)
 	}
 
+	if instance.Zone != nil {
+		d.Set(tgZone, *instance.Zone)
+	}
+
+	if instance.Cidr != nil {
+		d.Set(tgCidr, *instance.Cidr)
+	}
+
 	d.Set(tgConnectionId, *instance.ID)
 	d.Set(tgGatewayId, gatewayId)
 	getTransitGatewayOptions := &transitgatewayapisv1.GetTransitGatewayOptions{
@@ -552,7 +571,7 @@ func resourceIBMTransitGatewayConnectionRead(d *schema.ResourceData, meta interf
 		if rGREtunnel.RemoteTunnelIp != nil {
 			tunnel[tgRemoteTunnelIp] = *rGREtunnel.RemoteTunnelIp
 		}
-		if rGREtunnel.Mtu != nil {
+		if rGREtunnel.Mtu != nil && *instance.NetworkType != "vpn_gateway" {
 			tunnel[tgMtu] = *rGREtunnel.Mtu
 		}
 		if rGREtunnel.RemoteBgpAsn != nil {
@@ -562,7 +581,11 @@ func resourceIBMTransitGatewayConnectionRead(d *schema.ResourceData, meta interf
 			tunnel[tgconTunnelName] = *rGREtunnel.Name
 		}
 		if rGREtunnel.Zone.Name != nil {
-			tunnel[tgZone] = *rGREtunnel.Zone.Name
+			if *instance.NetworkType != "vpn_gateway" {
+				tunnel[tgZone] = *rGREtunnel.Zone
+			} else {
+				tunnel[tgZone] = *rGREtunnel.Zone.Name
+			}
 		}
 		if rGREtunnel.LocalBgpAsn != nil {
 			tunnel[tgLocalBgpAsn] = *rGREtunnel.LocalBgpAsn

@@ -25,6 +25,7 @@ func TestAccIBMTransitGatewayConnection_basic(t *testing.T) {
 	gatewayName := fmt.Sprintf("tg-gateway-name-%d", acctest.RandIntRange(10, 100))
 	updateVcName := fmt.Sprintf("newtg-connection-name-%d", acctest.RandIntRange(10, 100))
 	vpcName := fmt.Sprintf("vpc-name-%d", acctest.RandIntRange(10, 100))
+	vpnGatewayName := fmt.Sprintf("vpn-gateway-%d", acctest.RandIntRange(10, 100))
 	dlGatewayName := fmt.Sprintf("dl-gateway-name-%d", acctest.RandIntRange(10, 100))
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { acc.TestAccPreCheck(t) },
@@ -93,6 +94,15 @@ func TestAccIBMTransitGatewayConnection_basic(t *testing.T) {
 					resource.TestCheckResourceAttr("ibm_tg_connection.test_tg_powervs_connection", "name", tgConnectionName),
 				),
 			},
+			// tg vpn gateway test
+			{
+				//Create test case
+				Config: testAccCheckIBMTransitGatewayVPNGatewayConnectionConfig(vpnGatewayName, gatewayName, tgConnectionName),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckIBMTransitGatewayConnectionExists("ibm_tg_connection.test_tg_vpn_connection", tgConnection),
+					resource.TestCheckResourceAttr("ibm_tg_connection.test_tg_vpn_connection", "name", tgConnectionName),
+				),
+			},
 		},
 	},
 	)
@@ -244,6 +254,26 @@ resource "ibm_tg_connection" "test_tg_powervs_connection"{
 	  `, gatewayName, powerVSConnName, acc.Tg_power_vs_network_id)
 }
 
+func testAccCheckIBMTransitGatewayVPNGatewayConnectionConfig(vpnGatewayName, transitGatewayName, connectionName string) string {
+	return fmt.Sprintf(`	
+		data "ibm_is_vpn_gateway" "test_tg_vpn_gateway" {
+			vpn_gateway_name = "%s"
+		} 
+
+		data "ibm_tg_gateway" "test_tg_gateway"{
+			name="%s"
+		}	 
+
+		resource "ibm_tg_connection" "test_tg_vpn_gateway_connection"{
+			gateway = "${ibm_tg_gateway.test_tg_gateway.id}"
+			network_type = "vpn_gateway"
+			name = "%s"
+			network_id = "${ibm_is_vpn_gateway.test_tg_vpn_gateway.crn}"
+			cidr = "192.168.100.0/24"
+		}	   
+	  `, vpnGatewayName, transitGatewayName, connectionName)
+}
+
 func transitgatewayClient(meta interface{}) (*transitgatewayapisv1.TransitGatewayApisV1, error) {
 	sess, err := meta.(conns.ClientSession).TransitGatewayV1API()
 	return sess, err

@@ -50,7 +50,7 @@ In addition to the argument reference list, you can access the following attribu
   - `base_connection_id` - (String) The ID of a network_type `classic` connection a tunnel is configured over.  This field applies to network type `gre_tunnel` or `unbound_gre_tunnel` connections.
   - `base_network_type` - (String) The type of network the unbound gre tunnel is targeting. This field is required for network type `unbound_gre_tunnel`.
   - `name` - (String) The user-defined name for the transit gateway connection.
-  - `network_type` - (String) The type of network connected with the connection. Possible values are `classic`, `directlink`, `vpc`, `gre_tunnel`,  `unbound_gre_tunnel`, or `power_virtual_server`.
+  - `network_type` - (String) The type of network connected with the connection. Possible values are `classic`, `directlink`, `vpc`, `gre_tunnel`,  `unbound_gre_tunnel`, `vpn_gateway`, or `power_virtual_server`.
   - `network_account_id` - (String) The ID of the network connected account. This is used if the network is in a different account than the gateway.
   - `network_id` - (String) The ID of the network being connected with the connection.
   - `local_bgp_asn` - (Integer) The local network BGP ASN. This field only applies to network type '`gre_tunnel` connections.

@@ -57,12 +57,13 @@ Review the argument references that you can specify for your resource.
 - `local_tunnel_ip` - (Optional, Forces new resource, String) - The local tunnel IP address. This field is required for and only applicable to type gre_tunnel connections.
 - `name` -  (Optional, String) Enter a name. If the name is not given, the default name is provided based on the network type, such as `vpc` for network type VPC and `classic` for network type classic.
 - `network_account_id` - (Optional, Forces new resource, String) The ID of the network connected account. This is used if the network is in a different account than the gateway.
-- `network_type` - (Required, Forces new resource, String) Enter the network type. Allowed values are `classic`, `directlink`, `gre_tunnel`, `unbound_gre_tunnel`,  `vpc`, and `power_virtual_server`.
+- `network_type` - (Required, Forces new resource, String) Enter the network type. Allowed values are `classic`, `directlink`, `gre_tunnel`, `unbound_gre_tunnel`,  `vpc`, `vpn_gateway`, and `power_virtual_server`.
 - `network_id` -  (Optional, Forces new resource, String) Enter the ID of the network being connected through this connection. This parameter is required for network type `vpc` and `directlink`, the CRN of the VPC or direct link gateway to be connected. This field is required to be unspecified for network type `classic`. For example, `crn:v1:bluemix:public:is:us-south:a/123456::vpc:4727d842-f94f-4a2d-824a-9bc9b02c523b`.
 - `remote_bgp_asn` - (Optional, Forces new resource, Integer) - The remote network BGP ASN (will be generated for the connection if not specified). This field only applies to network type `gre_tunnel` and `unbound_gre_tunnel` connections.
 - `remote_gateway_ip` - (Optional, Forces new resource, String) - The remote gateway IP address. This field only applies to network type `gre_tunnel` and `unbound_gre_tunnel` connections.
 - `remote_tunnel_ip` - (Optional, Forces new resource, String) - The remote tunnel IP address. This field only applies to network type `gre_tunnel` and `unbound_gre_tunnel` connections.
-- `zone` - (Optional, Forces new resource, String) - The location of the GRE tunnel. This field only applies to network type `gre_tunnel` and `unbound_gre_tunnel` connections.
+- `zone` - (Optional, Forces new resource, String) - The location of connections. This field only applies to network type `gre_tunnel` and `unbound_gre_tunnel` connections and optional for network type `vpn_gateway` connections.
+- `cidr` - (Optional, String) - network_type `vpn_gateway` connections use `cidr` to specify the CIDR to use for the VPN GRE tunnels. This field is required for network type `vpn_gateway` connections.
 - `tunnels` - (Optional, List) List of GRE tunnels for a transit gateway redundant GRE tunnel connection. This field is required for 'redundant_gre' connections.
 Nested scheme for `tunnel`:
   - `name` - (Required, String) The user-defined name for this tunnel connection.