Inicio Explorar Axuda
Rexistro Iniciar sesión
AFS
/
xdr-terraform-modules
2
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Árbore: 07944127ec
Ramas Etiquetas
xdr-terraform-m...
/
base
/
aws_client_vpn
/
vpn.tf

vpn.tf 2.0 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. resource "aws_ec2_client_vpn_endpoint" "vpn" {
    2. 

  2.   description = "VPN for Employee Access"
    3. 

  3.   client_cidr_block = "172.16.0.0/22"
    4. 

  4.   split_tunnel = true
    5. 

  5.   server_certificate_arn = aws_acm_certificate.cert.arn
    6. 

  6.   self_service_portal = "disabled" # requires a self_service_saml_provider in authentication_options
    7. 

  7. 

  8.   # TODO: Specify DNS Servers
    9. 

  9.   dns_servers = var.dns_servers
    10. 

  10. 

  11.   # Certificate based authenticaiton requires the certificate be in the same account
    12. 

  12.   #authentication_options {
    13. 

  13.   #  type = "certificate-authentication"
    14. 

  14.   #  root_certificate_chain_arn = "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889"
    15. 

  15.   #}
    16. 

  16. 

  17.   authentication_options {
    18. 

  18.     type = "federated-authentication"
    19. 

  19.     saml_provider_arn = aws_iam_saml_provider.okta.arn
    20. 

  20.   }
    21. 

  21. 

  22.   connection_log_options {
    23. 

  23.     enabled = true
    24. 

  24.     cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
    25. 

  25.     cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
    26. 

  26.   }
    27. 

  27. 

  28.   # Possible required with zscalar?
    29. 

  29.   transport_protocol = "udp"
    30. 

  30. 

  31.   tags = merge(var.standard_tags, var.tags)
    32. 

  32. }
    33. 

  33. 

  34. resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
    35. 

  35.   count = length(var.public_subnets)
    36. 

  36.   #count = 1 # we don't need the redundancy for now
    37. 

  37. 

  38.   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
    39. 

  39.   subnet_id = var.public_subnets[count.index]
    40. 

  40.   security_groups = [aws_security_group.vpn_access.id]
    41. 

  41. 

  42.   lifecycle {
    43. 

  43.     // The issue why we are ignoring changes is that on every change
    44. 

  44.     // terraform screws up most of the vpn assosciations
    45. 

  45.     // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
    46. 

  46.     ignore_changes = [subnet_id]
    47. 

  47.   }
    48. 

  48. }
    49. 

  49. 

  50. resource "aws_ec2_client_vpn_route" "default" {
    51. 

  51.   count = length(var.public_subnets)
    52. 

  52.   #count = 1 # we don't need the redundancy for now
    53. 

  53.   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
    54. 

  54.   destination_cidr_block = "10.0.0.0/8"
    55. 

  55.   target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.vpn_subnets[count.index].subnet_id
    56. 

  56. }
    57.