github.com/telepresenceio/telepresence/v2@v2.20.0-pro.6.0.20240517030216-236ea954e789/test-infra/aws-vpn/vpn.tf (about)

# Client root CA imported into ACM; the VPN endpoint references its ARN as the
# root_certificate_chain_arn for mutual-TLS ("certificate-authentication") clients.
# Any client certificate chained to this CA is accepted, so its issuance and
# revocation process is the access-control boundary for the VPN.
resource "aws_acm_certificate" "vpn_client_root" {
  # file() inlines the key material into the plan and the Terraform state, so the
  # state backend must be treated as holding this private key.
  private_key       = file("certs/VPNCert.key")
  certificate_body  = file("certs/VPNCert.crt")
  certificate_chain = file("certs/ca-chain.crt")

  tags = local.global_tags
}
     8  
# Security group attached to the VPN endpoint's subnet associations (see
# aws_ec2_client_vpn_network_association.vpn_subnets below).
resource "aws_security_group" "vpn_access" {
  vpc_id = aws_vpc.main.id
  name   = "${var.child_subdomain}-${local.prefix}-vpn-sg"

  # The listener clients connect to. It is open to the whole internet; client
  # authentication is handled by mutual TLS on the endpoint, not by this rule.
  # NOTE(review): the endpoint block does not set transport_protocol or vpn_port,
  # so this assumes the provider defaults match UDP/443 — confirm against the
  # provider version in use.
  ingress {
    from_port   = 443
    protocol    = "UDP"
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
    description = "Incoming VPN connection"
  }

  # Unrestricted egress: VPN clients can reach any destination the route table
  # allows. Narrow this if the VPN is only meant to reach the test VPC.
  egress {
    from_port   = 0
    protocol    = "-1"
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = local.global_tags
}
    30  
# The Client VPN endpoint itself. Authentication is certificate-only (mutual TLS
# against aws_acm_certificate.vpn_client_root); no directory or SAML auth.
resource "aws_ec2_client_vpn_endpoint" "vpn" {
  description            = "VPN endpoint for ${local.prefix}.${var.child_subdomain}.${var.parent_domain}"
  client_cidr_block      = var.vpn_client_cidr
  split_tunnel           = var.split_tunnel
  # Server certificate is validated in another file (aws_acm_certificate_validation.vpn_server).
  server_certificate_arn = aws_acm_certificate_validation.vpn_server.certificate_arn
  # Push the VPC's own resolver (base address + 2) to clients so private
  # hostnames resolve over the tunnel.
  dns_servers            = [cidrhost(var.vpc_cidr, 2)]

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.vpn_client_root.arn
  }

  # Connection logging is off: client connect/disconnect events and the
  # identity (certificate CN) behind each session are not recorded anywhere.
  # Enabling it requires a CloudWatch log group/stream; worth doing if this
  # endpoint outlives a single test run.
  connection_log_options {
    enabled = false
  }

  tags = local.global_tags
}
    49  
# Endpoint id, exposed so callers (e.g. scripts exporting the client config)
# can reference the VPN without querying the state.
output "vpn_id" {
  value = aws_ec2_client_vpn_endpoint.vpn.id
}
    53  
# Default route for full-tunnel mode only: when var.split_tunnel is true no
# routes are created and client traffic to the internet stays local.
resource "aws_ec2_client_vpn_route" "internet_access" {
  count                  = var.split_tunnel ? 0 : length(aws_subnet.sn_az)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  destination_cidr_block = "0.0.0.0/0"
  # These are routed to the internet anyway via aws_route_table.rt so this will ensure that outbound traffic
  # manages to leave.
  target_vpc_subnet_id = aws_subnet.sn_az[count.index].id
}
    62  
# One association per AZ subnet so the endpoint has an ENI in each subnet;
# the vpn_access security group is applied to those ENIs.
resource "aws_ec2_client_vpn_network_association" "vpn_subnets" {
  count = length(aws_subnet.sn_az)

  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  subnet_id              = aws_subnet.sn_az[count.index].id
  security_groups        = [aws_security_group.vpn_access.id]

  lifecycle {
    // The issue why we are ignoring changes is that on every change
    // terraform screws up most of the vpn associations
    // see: https://github.com/hashicorp/terraform-provider-aws/issues/14717
    // Side effect: if the subnet list is reordered or a subnet is replaced,
    // these associations will silently keep pointing at the old subnet ids.
    ignore_changes = [subnet_id]
  }
}
    77  
# Authorizes every authenticated client to every destination. With
# certificate-authentication there are no group claims to scope on, so
# authorize_all_groups is the only option; the 0.0.0.0/0 target is required for
# full-tunnel mode. In split-tunnel deployments this could be narrowed to
# var.vpc_cidr so a valid client cert only grants access to the test VPC.
resource "aws_ec2_client_vpn_authorization_rule" "vpn_auth_rule" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.vpn.id
  target_network_cidr    = "0.0.0.0/0"
  authorize_all_groups   = true
}
    81    authorize_all_groups   = true
    82  }