AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115
							# Lambda function to refuse concurrent connections
data "archive_file" "lambda_connection_authorization" {
  type        = "zip"
  source_file = "${path.module}/files/connection_authorization/connection_handler_disconnect_multiples.py"
  # 0666 results in "more consistent behavior" according to https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/archive_file
  output_file_mode = "0666"
  output_path      = "${path.module}/files/connection_authorization/connection_handle_with_disconnect.zip"
}

resource "aws_iam_role" "lambda_connection_authorization" {
  name = "awsclientvpn-connection-handler${var.suffix}"
  path = "/lambda/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

data "aws_iam_policy_document" "lambda_connection_authorization_policy_doc" {
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]

    actions = [
      "ec2:DescribeClientVpnConnections",
      "ec2:TerminateClientVpnConnections",
      "logs:CreateLogStream",
      "logs:CreateLogGroup",
      "logs:PutLogEvents",
    ]
  }
}

resource "aws_iam_policy" "lambda_connection_authorization_policy" {
  name   = "awsclientvpn-connection-handler${var.suffix}"
  path   = "/lambda/"
  policy = data.aws_iam_policy_document.lambda_connection_authorization_policy_doc.json
}

resource "aws_iam_role_policy_attachment" "lambda_connection_authorization_policy_attachment" {
  role       = aws_iam_role.lambda_connection_authorization.name
  policy_arn = aws_iam_policy.lambda_connection_authorization_policy.arn
}

resource "aws_lambda_function" "lambda_connection_authorization" {
  function_name = "AWSClientVPN-ConnectionHandler${var.suffix}"
  description   = "Only allows one concurrent connection"
  runtime       = "python3.9"
  memory_size   = 128
  publish       = true
  timeout       = 30 # Cannot be changed (maybe can be reduced?)
  filename      = data.archive_file.lambda_connection_authorization.output_path
  role          = aws_iam_role.lambda_connection_authorization.arn
  handler       = "connection_handler_disconnect_multiples.lambda_handler"

  source_code_hash = data.archive_file.lambda_connection_authorization.output_base64sha256

  environment {
    variables = {
      LOGLEVEL       = var.log_level
      MODULELOGLEVEL = var.module_log_level
    }
  }

  tags = merge(local.standard_tags, var.tags)
}


#module "lambda_function" {
#  source = "terraform-aws-modules/lambda/aws"
#
#  function_name = "AWSClientVPN-ConnectionHandler"
#  description   = "Determines whether user is allowed to log in."
#  handler       = "connection_handler.lambda_handler"
#  runtime       = "python3.9"
#  timeout       = 30 # Cannot be changes on a connection handler
#  publish       = true
#
#  source_path = "${path.module}/files/connection_authorization/connection_handler.py"
#
#  attach_policy_json = true
#  policy_json = <<EOF
#{
#     "Version": "2012-10-17",
#     "Statement": [
#       {
#             "Effect": "Allow",
#             "Action": [
#                 "ec2:DescribeClientVpnConnections",
#                 "ec2:TerminateClientVpnConnections"
#             ],
#             "Resource": "*"
#         }
#     ]
#}
#EOF
## The following 3 permissions are autoatically added by the module:
##                 "logs:CreateLogStream",
##                 "logs:CreateLogGroup",
##                 "logs:PutLogEvents",
#  tags = merge(local.standard_tags, var.tags)
#}