Начало Каталог Помощ
Регистрация Вход
AFS
/
xdr-terraform-modules
2
0
Разклонения 0
Файлове Задачи 0 Заявки за сливане 0 Уики
ИН на ревизия: 6a78384995
Клонове Маркери
xdr-terraform-m...
/
base
/
aws_client_vpn
/
vpn.tf

vpn.tf 2.2 KB
История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. locals {
    2. 

  2.   # Redundancy count determines how many redundant paths we have in different AZ's.
    3. 

  3.   #  1 is good for testing
    4. 

  4.   #  2 is probably good enough for all other cases
    5. 

  5.   #  length(var.public_subnets) is the max
    6. 

  6.   redundancy_count = 1
    7. 

  7.   #redundancy_count = length(var.public_subnets)
    8. 

  8. }
    9. 

  9. 

  10. resource "aws_ec2_client_vpn_endpoint" "vpn" {
    11. 

  11.   description = "VPN for Employee Access"
    12. 

  12.   client_cidr_block = "172.16.0.0/22"
    13. 

  13.   split_tunnel = var.split_tunnel
    14. 

  14.   server_certificate_arn = aws_acm_certificate.cert.arn
    15. 

  15.   self_service_portal = "enabled" # requires a self_service_saml_provider in authentication_options
    16. 

  16. 

  17.   # TODO: Specify DNS Servers
    18. 

  18.   dns_servers = var.dns_servers
    19. 

  19. 

  20.   # Certificate based authenticaiton requires the certificate be in the same account
    21. 

  21.   #authentication_options {
    22. 

  22.   #  type = "certificate-authentication"
    23. 

  23.   #  root_certificate_chain_arn = "arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889"
    24. 

  24.   #}
    25. 

  25. 

  26.   authentication_options {
    27. 

  27.     type = "federated-authentication"
    28. 

  28.     saml_provider_arn = aws_iam_saml_provider.okta.arn
    29. 

  29.     self_service_saml_provider_arn = aws_iam_saml_provider.okta-self-service.arn
    30. 

  30.   }
    31. 

  31. 

  32.   connection_log_options {
    33. 

  33.     enabled = true
    34. 

  34.     cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
    35. 

  35.     cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
    36. 

  36.   }
    37. 

  37. 

  38.   # Could not get UDP working on OSX
    39. 

  39.   transport_protocol = "tcp"
    40. 

  40. }
    41. 

  41. 

  42. resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
    43. 

  43.   count = local.redundancy_count
    44. 

  44. 

  45.   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
    46. 

  46.   subnet_id = var.public_subnets[count.index]
    47. 

  47.   security_groups = [aws_security_group.vpn_access.id]
    48. 

  48. 

  49.   lifecycle {
    50. 

  50.     // The issue why we are ignoring changes is that on every change
    51. 

  51.     // terraform screws up most of the vpn assosciations
    52. 

  52.     // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
    53. 

  53.     ignore_changes = [subnet_id]
    54. 

  54.   }
    55. 

  55. }
    56. 

  56. 

  57. resource "aws_ec2_client_vpn_route" "default" {
    58. 

  58.   count = local.redundancy_count
    59. 

  59.   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
    60. 

  60.   #destination_cidr_block = "10.0.0.0/8"
    61. 

  61.   destination_cidr_block = "0.0.0.0/0"
    62. 

  62.   target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.vpn_subnets[count.index].subnet_id
    63. 

  63. }
    64.