
Merge pull request #328 from mdr-engineering/hotfix/ftd_na_Allow10_8_to_Endpoint

Updates the VPC endpoints security group to allow 10.0.0.0/8; AWS Client VPN additions
Frederick Damstra 3 years ago
parent
commit
f20c904da9

+ 17 - 0
base/aws_client_vpn/files/saml-metadata-okta-self-service-test.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor entityID="http://www.okta.com/exkaxov6qes1CQBC0297" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"><md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIDqjCCApKgAwIBAgIGAWrbB00GMA0GCSqGSIb3DQEBCwUAMIGVMQswCQYDVQQGEwJVUzETMBEG
+A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU
+MBIGA1UECwwLU1NPUHJvdmlkZXIxFjAUBgNVBAMMDW1kci1tdWx0aXBhc3MxHDAaBgkqhkiG9w0B
+CQEWDWluZm9Ab2t0YS5jb20wHhcNMTkwNTIxMTUzMzA5WhcNMjkwNTIxMTUzNDA5WjCBlTELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL
+BgNVBAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRYwFAYDVQQDDA1tZHItbXVsdGlwYXNz
+MRwwGgYJKoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAjVWbGnlG3G858/K0b8jVw5OFAef+eFWNmjD6eAfGMgOzQ3ZhJmZ5TAFxaUaH15Q7Vi10
+p/zKHo8rZAurh31r35ED9JT+45J/IsDtOUK55quSEeh4d0Ih7NTBXgP5yEsSa7YVqBL4mI450JRr
+8BTTfatUP0/TRxSx92QxlNhLi0jYmGtgzQ/3TeTEWIzZKntTkX7Arn42Dt7JkCdI+ElEfcNQYV3l
+//Olv0TEVFasbmIb8iNgVOi+ssq5UyqAjoWYJOc2VvkerUE9FDs7DkC3S1/sXR72vpTfXpz1fW+x
+/aHJjgwXgB2SW9fZk8CQjqEI5s6QCMBsHSOhU+xDkbzAnwIDAQABMA0GCSqGSIb3DQEBCwUAA4IB
+AQCKqio8wrvhbkGRptCD6sEnRmC7/NBE133tIv7Z3R/Cve8DgO3GcKKrCUh+gZJLFV3eWw95FTWW
+MY7KrYEd353mKP8hL7mEc+qSmWuwfFw+6JePHsNDiFKCY2PfzbWgsG9nX7T6H7n8cn2hzVn4gBmb
+8TAXei+x0id9h24oSvtISZhMg+ED72c0BbO4wPZOQeisXPO4vugdRdbyB5wvIU2ILHb7WJnDNSai
+XSHqKUBigvQua2KSjh+GW7fMlvRbDkYxq3okj6sZlyCLN79IM4NZgKfCC4t8FoUA9ofIDUV9u70G
++Utb6eeVogPzFlv4LuMRAEKbnV9G3yyDbxYsEcpY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mdr-multipass.okta.com/app/mdr-multipass_awsclientvpnselfservice_1/exkaxov6qes1CQBC0297/sso/saml"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mdr-multipass.okta.com/app/mdr-multipass_awsclientvpnselfservice_1/exkaxov6qes1CQBC0297/sso/saml"/></md:IDPSSODescriptor></md:EntityDescriptor>

+ 20 - 0
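--- a/base/aws_client_vpn/outputs.tf
+++ b/base/aws_client_vpn/outputs.tf
@@ -0,0 +1,20 @@
+output "WARNING" {
+  value = "WARNING: Recreating the endpoint may require intervention from the zScalar team. (Not yet known for sure)"
+}
+
+# For finding out what's really available:
+#output "endpoint_details" {
+#  value = aws_ec2_client_vpn_endpoint.vpn
+#}
+
+output "dns_name" {
+  value = aws_ec2_client_vpn_endpoint.vpn.dns_name
+}
+
+output "vpn_id" {
+  value = aws_ec2_client_vpn_endpoint.vpn.id
+}
+
+output "self_service_url" {
+  value = "https://gov.self-service.clientvpn.amazonaws.com/endpoints/${ aws_ec2_client_vpn_endpoint.vpn.id }"
+}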
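Review bot: The `self_service_url` output hard-codes the GovCloud self-service portal host, so this module silently produces a wrong URL if it is ever applied in the commercial partition, where the portal lives at `self-service.clientvpn.amazonaws.com` (as far as I know; please confirm). A one-line comment above the output, `# GovCloud-partition portal host; the commercial partition uses self-service.clientvpn.amazonaws.com`, or deriving the host from `data.aws_partition`, would make the assumption explicit. Separately, the `WARNING` output misspells the vendor ("zScalar" → "Zscaler") and its trailing "(Not yet known for sure)" reads as a personal note rather than operator guidance; consider `value = "WARNING: Recreating the endpoint changes its DNS name and may require a Zscaler configuration update (unconfirmed)."`.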

+ 6 - 0
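--- a/base/aws_client_vpn/saml.tf
+++ b/base/aws_client_vpn/saml.tf
@@ -3,3 +3,9 @@ resource "aws_iam_saml_provider" "okta" {
   saml_metadata_document = file("files/saml-metadata-okta-${var.environment}.xml")
   tags = merge(var.standard_tags, var.tags)
 }
+
+resource "aws_iam_saml_provider" "okta-self-service" {
+  name                   = "okta_aws_vpn_self_service"
+  saml_metadata_document = file("files/saml-metadata-okta-self-service-${var.environment}.xml")
+  tags = merge(var.standard_tags, var.tags)
+}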
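Review bot: The new provider reads `files/saml-metadata-okta-self-service-${var.environment}.xml`, but this commit only adds the `test` metadata file, so `terraform plan` will fail with a missing-file error for every other environment until its Okta self-service metadata is committed. Either add the remaining environment files in the same change or guard the path, e.g. `saml_metadata_document = file(fileexists("files/saml-metadata-okta-self-service-${var.environment}.xml") ? "files/saml-metadata-okta-self-service-${var.environment}.xml" : "files/saml-metadata-okta-${var.environment}.xml")`, with a comment explaining the fallback. A short comment such as `# Separate Okta app for the AWS Client VPN self-service portal; metadata is exported per environment` would also help the next maintainer see why there are two providers for the same IdP.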

+ 5 - 0
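--- a/base/aws_client_vpn/vars.tf
+++ b/base/aws_client_vpn/vars.tf
@@ -1,3 +1,8 @@
+variable "split_tunnel" {
+  type = bool
+  description = "Whether or not to split tunnel."
+}
+
 variable "dns_name" {
   type = string
   description = "Used for the certificate"
</variable>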
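Review bot: The `split_tunnel` description does not tell the caller what the setting does to traffic, which is the security-relevant part of this knob: with split tunnelling only the routes pushed by the endpoint (currently the 10.0.0.0/8 route in vpn.tf) traverse the VPN, while disabling it sends all client traffic through the endpoint, which presumably also needs a 0.0.0.0/0 route and NAT that this module does not appear to create. Suggest `description = "Split-tunnel the VPN. true: only endpoint routes (10.0.0.0/8) go through the tunnel; false: all client traffic is tunnelled and a default route must be configured."`. The variable also has no default, so every existing caller must now set it; adding `default = true` would preserve the previously hard-coded behaviour if that is intended.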

+ 14 - 6
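--- a/base/aws_client_vpn/vpn.tf
+++ b/base/aws_client_vpn/vpn.tf
@@ -1,9 +1,18 @@
+locals {
+  # Redundancy count determines how many redundant paths we have in different AZ's.
+  #  1 is good for testing
+  #  2 is probably good enough for all other cases
+  #  length(var.public_subnets) is the max
+  redundancy_count = 1
+  #redundancy_count = length(var.public_subnets)
+}
+
 resource "aws_ec2_client_vpn_endpoint" "vpn" {
   description = "VPN for Employee Access"
   client_cidr_block = "172.16.0.0/22"
-  split_tunnel = true
+  split_tunnel = var.split_tunnel
   server_certificate_arn = aws_acm_certificate.cert.arn
-  self_service_portal = "disabled" # requires a self_service_saml_provider in authentication_options
+  self_service_portal = "enabled" # requires a self_service_saml_provider in authentication_options
 
   # TODO: Specify DNS Servers
   dns_servers = var.dns_servers
@@ -17,6 +26,7 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
   authentication_options {
     type = "federated-authentication"
     saml_provider_arn = aws_iam_saml_provider.okta.arn
+    self_service_saml_provider_arn = aws_iam_saml_provider.okta-self-service.arn
   }
 
   connection_log_options {
@@ -32,8 +42,7 @@ resource "aws_ec2_client_vpn_endpoint" "vpn" {
 }
 
 resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
-  count = length(var.public_subnets)
-  #count = 1 # we don't need the redundancy for now
+  count = local.redundancy_count
 
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
   subnet_id = var.public_subnets[count.index]
@@ -48,8 +57,7 @@ resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
 }
 
 resource "aws_ec2_client_vpn_route" "default" {
-  count = length(var.public_subnets)
-  #count = 1 # we don't need the redundancy for now
+  count = local.redundancy_count
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
   destination_cidr_block = "10.0.0.0/8"
   target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.vpn_subnets[count.index].subnet_id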
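Review bot: `local.redundancy_count = 1` is a module-wide constant, so this change drops every environment that uses the module — not just test — to a single-AZ network association and route, and the comment's own guidance ("2 is probably good enough for all other cases") is not what the code does. It is also not bounded by the subnet list: `var.public_subnets[count.index]` errors at plan time if fewer subnets than `redundancy_count` are passed. Consider promoting it to an input and clamping, e.g. `redundancy_count = min(var.redundancy_count, length(var.public_subnets))`, with a `# single AZ is fine for test; production should pass >= 2` note where the variable is declared. The `aws_ec2_client_vpn_network_association` and `aws_ec2_client_vpn_route` bodies, including any security-group settings on the association, continue outside these hunks.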

+ 2 - 2
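--- a/base/standard_vpc/security-groups.tf
+++ b/base/standard_vpc/security-groups.tf
@@ -13,8 +13,8 @@ module "aws_endpoints_sg" {
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
 
-  ingress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
-  egress_cidr_blocks = [ module.vpc.vpc_cidr_block ]
+  ingress_cidr_blocks = [ "10.0.0.0/8" ]
+  egress_cidr_blocks = [ "10.0.0.0/8" ]
   egress_ipv6_cidr_blocks = [ ]
 
   egress_rules = [ "all-all" ]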
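Review bot: Widening the endpoint security group from the VPC's own CIDR to all of `10.0.0.0/8` opens the VPC endpoints to every peered, transit-gateway or VPN-connected network in that space, present and future, not just the Client VPN subnets this hotfix is for; whichever ports `ingress_rules` grants (declared outside this hunk) now apply to that whole range. Prefer an explicit allow-list that each environment opts into, e.g. `ingress_cidr_blocks = concat([ module.vpc.vpc_cidr_block ], var.endpoint_extra_ingress_cidrs)` with the variable defaulting to `[]`, or at least a comment stating which networks the 10/8 is meant to admit: `# 10/8 admits Client VPN-associated subnets in peered VPCs; tighten once those CIDRs are known`. The same consideration applies to `egress_cidr_blocks`, which combined with `egress_rules = [ "all-all" ]` now permits the endpoints to reach anything in 10/8. The `module "aws_endpoints_sg"` block begins before this hunk.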