
Allows openvpn to be instantiated a second time

Not tagged at this time. Does not make changes to existing vpn.
Fred Damstra [afs macbook] 3 years ago
parent
commit
2288c5657a
4 changed files with 125 additions and 126 deletions
  1. 1 1
      base/openvpn/certificate.tf
  2. 3 3
      base/openvpn/elb.tf
  3. 0 122
      base/openvpn/main.tf
  4. 121 0
      base/openvpn/security-groups.tf

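--- a/base/openvpn/certificate.tf
+++ b/base/openvpn/certificate.tf
@@ -1,6 +1,6 @@
 #Certificate 
 resource "aws_acm_certificate" "cert" {
-  domain_name       = "openvpn.${var.dns_info["public"]["zone"]}"
+  domain_name       = "${ var.instance_name }.${var.dns_info["public"]["zone"]}"
   validation_method = "DNS"
 
   lifecycle {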
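Review bot: The commit description says the existing VPN is unchanged, but `domain_name` on `aws_acm_certificate` forces replacement of the certificate, so that only holds if `var.instance_name` defaults to `openvpn` — the variable definition is not part of this commit, so worth confirming. Since `instance_name` now becomes a public DNS label and the certificate's subject name, a `validation` block on the variable would reject bad values at plan time instead of at ACM, e.g. `condition = can(regex("^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", var.instance_name))`. The `lifecycle` block continues outside the hunk; if it already sets `create_before_destroy = true` the certificate swap is at least non-disruptive for the NLB listener.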

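--- a/base/openvpn/elb.tf
+++ b/base/openvpn/elb.tf
@@ -1,5 +1,5 @@
 resource "aws_lb" "openvpn-nlb" {
-  name               = "openvpn-nlb"
+  name               = "${ var.instance_name }-nlb"
   internal           = false
   load_balancer_type = "network"
   # Not supported for NLB
@@ -63,7 +63,7 @@ resource "aws_lb_listener" "openvpn-nlb-listener-openvpn" {
 #########################
 # Targets
 resource "aws_lb_target_group" "openvpn-nlb-target-https" {
-  name     = "openvpn-nlb-target-https"
+  name = "${ var.instance_name }-nlb-target-https"
   port     = 443
   protocol = "TLS"
   target_type = "instance"
@@ -78,7 +78,7 @@ resource "aws_lb_target_group_attachment" "openvpn-nlb-target-https-instance" {
 }
 
 resource "aws_lb_target_group" "openvpn-nlb-target-openvpn" {
-  name     = "openvpn-nlb-target-openvpn"
+  name = "${ var.instance_name }-nlb-target-openvpn"
   port     = 1194
   protocol = "UDP"
   target_type = "instance"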
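Review bot: The new target group name `${ var.instance_name }-nlb-target-openvpn` leaves only 13 characters for `instance_name` under the 32-character limit AWS applies to load balancer and target group names, so a longer value fails at apply time rather than at plan; a `validation { condition = length(var.instance_name) <= 13 }` on the variable (defined outside this commit) would surface that early. `name` is also a replace-on-change attribute on both `aws_lb` and `aws_lb_target_group`, so the existing deployment keeps its NLB only if the variable defaults to the old `openvpn` prefix — the description's "no changes to existing vpn" depends on that default. Minor style point: the three changed `name =` lines lost the `=` alignment the surrounding attributes keep; `terraform fmt` restores it.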

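--- a/base/openvpn/main.tf
+++ b/base/openvpn/main.tf
@@ -171,125 +171,3 @@ data "template_cloudinit_config" "cloud-init" {
   #  content      = "ffbaz"
   #}
 }
-
-resource "aws_security_group" "openvpn_security_group" {
-  name = "openvpn_security_group"
-  description = "Security Group for OpenVPN Instance(s)"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "openvpn-in" {
-  type              = "ingress"
-  from_port         = 1194
-  to_port           = 1194
-  protocol          = "udp"
-  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
-  cidr_blocks       = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-https-in" {
-  type              = "ingress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
-  cidr_blocks       = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-permissive-out" {
-  # We allow all outbound for openvpn
-  type              = "egress"
-  from_port         = -1
-  to_port           = -1
-  protocol          = "all"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-# We have specific egress rules, as well, but the list may be incomplete.
-resource "aws_security_group_rule" "openvpn-splunk-out" {
-  type              = "egress"
-  from_port         = 8000
-  to_port           = 8000
-  protocol          = "tcp"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-https-out" {
-  type              = "egress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-https-alt-out" {
-  type              = "egress"
-  from_port         = 8443
-  to_port           = 8443
-  protocol          = "tcp"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-phantom-out" {
-  type              = "egress"
-  from_port         = 8888
-  to_port           = 8888
-  protocol          = "tcp"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-github-ssh-out" {
-  type              = "egress"
-  from_port         = 122
-  to_port           = 122
-  protocol          = "tcp"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-ssh-out" {
-  type              = "egress"
-  from_port         = 22
-  to_port           = 22
-  protocol          = "tcp"
-  cidr_blocks       = [ "10.0.0.0/8" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-nessus-out" {
-  type              = "egress"
-  from_port         = 8834
-  to_port           = 8835
-  protocol          = "tcp"
-  cidr_blocks       = toset(concat(var.cidr_map["vpc-scanners"], var.cidr_map["vpc-private-services"]))
-  security_group_id = aws_security_group.openvpn_security_group.id
-  description       = "Access to Nessus"
-}
-
-resource "aws_security_group_rule" "openvpn-license-server-out" {
-  # Needed for license server check-in.  Seems to be stable IP.
-  type              = "egress"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = [ "54.183.149.72/32" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}
-
-resource "aws_security_group_rule" "openvpn-ldap-out" {
-  type              = "egress"
-  from_port         = 636
-  to_port           = 636
-  protocol          = "tcp"
-  # Yes this has to be 0.0.0.0/0 because our SSL ldap server is provided by OKTA behind a NLB in AWS with non static IP
-  cidr_blocks       = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.openvpn_security_group.id
-}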

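--- a/base/openvpn/security-groups.tf
+++ b/base/openvpn/security-groups.tf
@@ -0,0 +1,121 @@
+resource "aws_security_group" "openvpn_security_group" {
+  name_prefix = "${ var.instance_name }_security_group"
+  description = "Security Group for OpenVPN Instance(s)"
+  vpc_id = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_security_group_rule" "openvpn-in" {
+  type              = "ingress"
+  from_port         = 1194
+  to_port           = 1194
+  protocol          = "udp"
+  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-https-in" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  # NOTE: For NLBs, the source IP is the public IP, so the security group must allow public access.
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-permissive-out" {
+  # We allow all outbound for openvpn
+  type              = "egress"
+  from_port         = -1
+  to_port           = -1
+  protocol          = "all"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+# We have specific egress rules, as well, but the list may be incomplete.
+resource "aws_security_group_rule" "openvpn-splunk-out" {
+  type              = "egress"
+  from_port         = 8000
+  to_port           = 8000
+  protocol          = "tcp"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-https-out" {
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-https-alt-out" {
+  type              = "egress"
+  from_port         = 8443
+  to_port           = 8443
+  protocol          = "tcp"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-phantom-out" {
+  type              = "egress"
+  from_port         = 8888
+  to_port           = 8888
+  protocol          = "tcp"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-github-ssh-out" {
+  type              = "egress"
+  from_port         = 122
+  to_port           = 122
+  protocol          = "tcp"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-ssh-out" {
+  type              = "egress"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = [ "10.0.0.0/8" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-nessus-out" {
+  type              = "egress"
+  from_port         = 8834
+  to_port           = 8835
+  protocol          = "tcp"
+  cidr_blocks       = toset(concat(var.cidr_map["vpc-scanners"], var.cidr_map["vpc-private-services"]))
+  security_group_id = aws_security_group.openvpn_security_group.id
+  description       = "Access to Nessus"
+}
+
+resource "aws_security_group_rule" "openvpn-license-server-out" {
+  # Needed for license server check-in.  Seems to be stable IP.
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = [ "54.183.149.72/32" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}
+
+resource "aws_security_group_rule" "openvpn-ldap-out" {
+  type              = "egress"
+  from_port         = 636
+  to_port           = 636
+  protocol          = "tcp"
+  # Yes this has to be 0.0.0.0/0 because our SSL ldap server is provided by OKTA behind a NLB in AWS with non static IP
+  cidr_blocks       = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.openvpn_security_group.id
+}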
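Review bot: Switching the first resource from `name = "openvpn_security_group"` to `name_prefix = "${ var.instance_name }_security_group"` will make Terraform replace the existing security group even when `instance_name` is `openvpn`, because `name_prefix` produces a different generated name (random suffix) and both attributes force a new resource; that contradicts the commit description's "does not make changes to existing vpn" and should be paired with `lifecycle {` / `create_before_destroy = true` / `}` on the group so the instance is never detached from a group mid-apply. Separately, `openvpn-permissive-out` already permits every protocol and port to `10.0.0.0/8`, so the tcp egress rules for 8000, 443, 8443, 8888, 122 and 22 to the same CIDR are fully subsumed — either drop the permissive rule, which is what the per-port list seems intended to replace, or drop the redundant rules so the group states the real policy. Only `openvpn-nessus-out` carries a `description`; adding one to each rule (e.g. `description = "Splunk web UI"` on `openvpn-splunk-out`) makes the two instantiated groups distinguishable in the console and in audit output.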