xdr-terraform-modules/base/aws_client_vpn/lambda.tf

# Lambda function to refuse concurrent connections
data "archive_file" "lambda_connection_authorization" {
  type        = "zip"
  source_file = "${path.module}/files/connection_authorization/connection_handler_disconnect_multiples.py"
  # 0666 results in "more consistent behavior" according to https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/archive_file
  output_file_mode = "0666"
  output_path      = "${path.module}/files/connection_authorization/connection_handle_with_disconnect.zip"
}

resource "aws_iam_role" "lambda_connection_authorization" {
  name = "awsclientvpn-connection-handler${var.suffix}"
  path = "/lambda/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

data "aws_iam_policy_document" "lambda_connection_authorization_policy_doc" {
  statement {
    sid       = ""
    effect    = "Allow"
    # tfsec:ignore:aws-iam-no-policy-wildcards Allows use by the entire account
    resources = ["*"]

    actions = [
      "ec2:DescribeClientVpnConnections",
      "ec2:TerminateClientVpnConnections",
      "logs:CreateLogStream",
      "logs:CreateLogGroup",
      "logs:PutLogEvents",
    ]
  }
}

resource "aws_iam_policy" "lambda_connection_authorization_policy" {
  name   = "awsclientvpn-connection-handler${var.suffix}"
  path   = "/lambda/"
  policy = data.aws_iam_policy_document.lambda_connection_authorization_policy_doc.json
}

resource "aws_iam_role_policy_attachment" "lambda_connection_authorization_policy_attachment" {
  role       = aws_iam_role.lambda_connection_authorization.name
  policy_arn = aws_iam_policy.lambda_connection_authorization_policy.arn
}

# tfsec:ignore:aws-lambda-enable-tracing We do not enable X-Ray Tracing for Lambda
resource "aws_lambda_function" "lambda_connection_authorization" {
	# checkov:skip=CKV_AWS_50: see tfsec ignore X-Ray Tracing
  function_name = "AWSClientVPN-ConnectionHandler${var.suffix}"
  description   = "Only allows one concurrent connection"
  runtime       = "python3.9"
  memory_size   = 128
  publish       = true
  timeout       = 30 # Cannot be changed (maybe can be reduced?)
  filename      = data.archive_file.lambda_connection_authorization.output_path
  role          = aws_iam_role.lambda_connection_authorization.arn
  handler       = "connection_handler_disconnect_multiples.lambda_handler"

  source_code_hash = data.archive_file.lambda_connection_authorization.output_base64sha256

  environment {
    variables = {
      LOGLEVEL       = var.log_level
      MODULELOGLEVEL = var.module_log_level
    }
  }

  tags = merge(local.standard_tags, var.tags)
}


#module "lambda_function" {
#  source = "terraform-aws-modules/lambda/aws"
#
#  function_name = "AWSClientVPN-ConnectionHandler"
#  description   = "Determines whether user is allowed to log in."
#  handler       = "connection_handler.lambda_handler"
#  runtime       = "python3.9"
#  timeout       = 30 # Cannot be changes on a connection handler
#  publish       = true
#
#  source_path = "${path.module}/files/connection_authorization/connection_handler.py"
#
#  attach_policy_json = true
#  policy_json = <<EOF
#{
#     "Version": "2012-10-17",
#     "Statement": [
#       {
#             "Effect": "Allow",
#             "Action": [
#                 "ec2:DescribeClientVpnConnections",
#                 "ec2:TerminateClientVpnConnections"
#             ],
#             "Resource": "*"
#         }
#     ]
#}
#EOF
## The following 3 permissions are autoatically added by the module:
##                 "logs:CreateLogStream",
##                 "logs:CreateLogGroup",
##                 "logs:PutLogEvents",
#  tags = merge(local.standard_tags, var.tags)
#}