locals {
  # Only mint a self-signed server certificate when the caller has not
  # supplied an ACM certificate ARN of their own.
  create_self_signed_cert = var.certificate_arn == null
}
# A Client VPN endpoint supports 1024-bit and 2048-bit RSA key sizes only,
# so the key is pinned to 2048 (the largest accepted size).
# NOTE(review): private_key_pem is read by aws_acm_certificate below, which
# means the unencrypted key lives in Terraform state. The state backend must
# be access-controlled and encrypted accordingly.
resource "tls_private_key" "this" {
  count = local.create_self_signed_cert ? 1 : 0

  algorithm = "RSA"
  rsa_bits  = 2048
}
# Self-signed server certificate used when no external ACM certificate is
# provided. Only the CN is set; no SANs are attached.
resource "tls_self_signed_cert" "this" {
  count = local.create_self_signed_cert ? 1 : 0

  private_key_pem = tls_private_key.this[0].private_key_pem

  subject {
    common_name = var.tls_subject_common_name
  }

  # Lifetime is caller-controlled. When it lapses the cert is replaced, which
  # cascades into the ACM import and the VPN endpoint's server certificate.
  validity_period_hours = var.tls_validity_period_hours

  # NOTE(review): the usage list is broader than a server certificate needs
  # (any_extended in particular grants every EKU). cert_signing is kept because
  # a self-signed cert acts as its own trust anchor and some verifiers check
  # keyCertSign on the anchor. Narrowing the list would re-issue the cert, so
  # it is left as-is here; keep order unchanged to avoid a spurious replacement.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
    "ipsec_end_system",
    "ipsec_tunnel",
    "any_extended",
    "cert_signing"
  ]
}
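# Imports the self-signed certificate (and its private key) into ACM so it can
# be referenced by server_certificate_arn on the Client VPN endpoint.
resource "aws_acm_certificate" "this" {
  count = local.create_self_signed_cert ? 1 : 0

  private_key      = tls_private_key.this[0].private_key_pem
  certificate_body = tls_self_signed_cert.this[0].cert_pem

  tags = merge(
    {
      Name = var.tls_subject_common_name
    },
    var.tags,
  )

  # The certificate is attached to a live VPN endpoint. When the upstream
  # tls_self_signed_cert is replaced (e.g. on expiry) ACM refuses to delete a
  # certificate that is still in use, so the new one must be imported and
  # swapped in before the old one is removed.
  lifecycle {
    create_before_destroy = true
  }
}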
# Looks up the endpoint VPC; its CIDR is used to derive the VPC resolver
# address (base + 2) for DNS settings and the DNS authorization rule.
data "aws_vpc" "this" {
  id = var.endpoint_vpc_id
}
# Destination log group for Client VPN connection logging.
# NOTE(review): no kms_key_id is set, so the group uses CloudWatch's default
# encryption. Connection logs identify who connected from where; consider a
# customer-managed key and a retention value that matches your audit policy.
resource "aws_cloudwatch_log_group" "this" {
  name              = "${var.cloudwatch_log_group_name_prefix}${var.endpoint_name}"
  retention_in_days = var.cloudwatch_log_group_retention_in_days

  tags = var.tags
}
# Single fixed stream inside the group; the endpoint writes all connection
# events here.
resource "aws_cloudwatch_log_stream" "this" {
  name           = "connection-log"
  log_group_name = aws_cloudwatch_log_group.this.name
}
# Security group attached to the Client VPN endpoint ENIs.
# It defines no ingress rules and allows all egress. Other security groups in
# the VPC are expected to reference this group as a source to admit VPN users;
# reachability is otherwise gated by the authorization rules below.
resource "aws_security_group" "this" {
  name        = "client-vpn-endpoint-${var.endpoint_name}"
  description = "Egress All. Used for other groups where VPN access is required. "
  vpc_id      = var.endpoint_vpc_id

  # Unrestricted outbound (all protocols, all ports, all IPv4 destinations).
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = var.tags
}
# The Client VPN endpoint itself. Authentication is SAML federation only;
# connection logging is always on.
resource "aws_ec2_client_vpn_endpoint" "this_sso" {
  count = var.create_endpoint ? 1 : 0

  description = var.endpoint_name
  vpc_id      = var.endpoint_vpc_id

  # Prefer the caller-supplied ACM certificate; otherwise fall back to the
  # self-signed one imported above. NOTE(review): with the fallback, clients
  # trust a self-signed cert whose key sits in Terraform state.
  server_certificate_arn = var.certificate_arn != null ? var.certificate_arn : aws_acm_certificate.this[0].arn

  client_cidr_block  = var.endpoint_client_cidr_block
  split_tunnel       = var.enable_split_tunnel
  transport_protocol = var.transport_protocol

  # Either hand clients the VPC resolver (VPC base address + 2) or the
  # explicitly configured resolver list.
  dns_servers = var.use_vpc_internal_dns ? [cidrhost(data.aws_vpc.this.cidr_block, 2)] : var.dns_servers

  security_group_ids = [aws_security_group.this.id]

  # Federated (SAML) authentication; group-scoped authorization rules below
  # rely on the group identifiers asserted by this IdP.
  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = var.saml_provider_arn
  }

  # Connection logging cannot be disabled by callers of this module.
  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.this.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.this.name
  }

  tags = merge(
    {
      Name = var.endpoint_name
    },
    var.tags,
  )
}
# Associates the endpoint with each target subnet. Keyed by subnet ID so the
# route resource below can reference an association by subnet.
resource "aws_ec2_client_vpn_network_association" "this_sso" {
  # Empty set (no associations) when the endpoint itself is not created.
  for_each = toset([for s in var.endpoint_subnets : s if var.create_endpoint])

  subnet_id              = each.value
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this_sso[0].id
}
# Lets every authenticated user reach the VPC resolver (/32 only) when the
# endpoint hands out the VPC-internal DNS server. Scoped to a single host, so
# authorize_all_groups is acceptable here.
resource "aws_ec2_client_vpn_authorization_rule" "this_sso_to_dns" {
  count = var.create_endpoint && var.use_vpc_internal_dns ? 1 : 0

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this_sso[0].id
  description            = "Authorization for ${var.endpoint_name} to DNS"

  # Same address as dns_servers on the endpoint: VPC base + 2.
  target_network_cidr  = "${cidrhost(data.aws_vpc.this.cidr_block, 2)}/32"
  authorize_all_groups = true
}
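# Group-scoped authorization rules. Each map value is expected to be a
# comma-separated pair "<target CIDR>,<SAML group id>"; the key is only used
# in the description. A value without a comma fails at plan time (index 1 is
# out of range), which is the desired loud failure.
resource "aws_ec2_client_vpn_authorization_rule" "this" {
  for_each = var.create_endpoint ? var.authorization_rules : {}

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this_sso[0].id

  # trimspace tolerates "cidr, group" formatting; without it the group id
  # would carry a leading space and the rule would silently match nothing.
  target_network_cidr = trimspace(split(",", each.value)[0])
  access_group_id     = trimspace(split(",", each.value)[1])

  description = "Rule name: ${each.key}"
}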
# Authorization rules granted to every authenticated user, regardless of
# SAML group. Map values are target CIDRs; keys only feed the description.
# NOTE(review): a broad CIDR here (e.g. the whole VPC or 0.0.0.0/0) removes
# group-based segmentation for everyone who can log in — prefer the
# group-scoped rules above where possible.
resource "aws_ec2_client_vpn_authorization_rule" "this_all_groups" {
  for_each = var.create_endpoint ? var.authorization_rules_all_groups : {}

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this_sso[0].id
  description            = "Rule name: ${each.key}"

  target_network_cidr  = each.value
  authorize_all_groups = true
}
# Additional routes pushed through the endpoint. Each entry names the
# associated subnet to route through and the destination CIDR. Routing alone
# does not grant access — a matching authorization rule is still required.
resource "aws_ec2_client_vpn_route" "this_sso" {
  # Key on "<subnet>:<cidr>" so the same destination can be routed via
  # several subnets without key collisions.
  for_each = var.create_endpoint ? { for route in var.additional_routes : "${route.subnet_id}:${route.destination_cidr_block}" => route } : {}

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this_sso[0].id
  destination_cidr_block = each.value.destination_cidr_block

  # Reference the association (not the raw variable) so the route is created
  # only after the subnet is attached to the endpoint.
  target_vpc_subnet_id = aws_ec2_client_vpn_network_association.this_sso[each.value.subnet_id].subnet_id

  description = "From ${each.value.subnet_id} to ${each.value.destination_cidr_block}"
}