################################################################################
## defaults
################################################################################
# Terraform CLI and provider requirements for this example root module.
terraform {
  # CLI is bounded on both sides; a new Terraform major needs an explicit bump.
  required_version = ">= 1.3, < 2.0.0"
  required_providers {
    aws = {
      source = "hashicorp/aws"
      # NOTE(review): only a lower bound is set here, so `terraform init -upgrade`
      # can pull in a new provider major. An upper bound, or a committed
      # .terraform.lock.hcl, keeps provider upgrades deliberate.
      version = ">= 4.0"
    }
  }
}
# Single AWS provider; the region comes from the caller via var.region and is
# also used below to build default subnet names.
provider "aws" {
  region = var.region
}
# Standard tag set applied to the VPN resources (see module.tags.tags below).
module "tags" {
  source  = "sourcefuse/arc-tags/aws"
  version = "1.2.3"

  environment = var.environment
  project     = var.project_name

  # Marks these resources as example/reference infrastructure.
  extra_tags = {
    Example  = "True"
    RepoPath = "github.com/sourcefuse/terraform-aws-refarch-vpn"
  }
}
################################################################################
## lookups
################################################################################
# Look up the target VPC by its Name tag. An explicit override wins; otherwise
# the "<namespace>-<environment>-vpc" naming convention is assumed.
data "aws_vpc" "this" {
  filter {
    name = "tag:Name"
    # NOTE(review): a tag filter can match several VPCs in an account; the data
    # source expects exactly one match, so a duplicate Name tag would fail the
    # plan rather than silently pick one — confirm the naming is unique.
    values = var.vpc_name_override != null ? [var.vpc_name_override] : [
      "${var.namespace}-${var.environment}-vpc"
    ]
  }
}
# Private subnets the Client VPN endpoint is associated with (client_vpn_subnet_ids).
# Scoped to the VPC found above, then narrowed by Name tag.
data "aws_subnets" "private" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.this.id]
  }

  filter {
    name = "tag:Name"
    # Override list is used as-is when non-empty; the default only covers the
    # "a" and "b" AZs of var.region, so a third AZ would need the override.
    values = length(var.private_subnet_names_override) > 0 ? var.private_subnet_names_override : [
      "${var.namespace}-${var.environment}-private-subnet-private-${var.region}a",
      "${var.namespace}-${var.environment}-private-subnet-private-${var.region}b"
    ]
  }
}
################################################################################
## certs
################################################################################
# Self-signed certificate authority used to sign both the client certificate
# (module.self_signed_cert_root) and the VPN server certificate (module.vpn).
# Only the SSM backend is enabled, so the CA cert and key live in SSM parameters
# under var.secret_path_format.
module "self_signed_cert_ca" {
  # NOTE(review): ref=1.3.0 is a git tag, which can be moved. Pinning to the
  # tag's commit SHA gives an immutable supply-chain reference — confirm policy.
  source = "git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git?ref=1.3.0"

  attributes = ["self", "signed", "cert", "ca"]
  enabled    = true
  namespace  = var.namespace
  stage      = var.environment
  name       = "demo"

  secret_path_format = var.secret_path_format

  subject = {
    common_name  = "${var.namespace}-${var.environment}"
    organization = var.namespace
  }

  # Marked as a CA so it can sign the leaf certificates below.
  basic_constraints = {
    ca = true
  }

  # CA-only key usages; this cert is never presented by a client or server.
  allowed_uses = [
    "crl_signing",
    "cert_signing",
  ]

  certificate_backends = ["SSM"]
}
# Reads the CA private key back out of SSM so it can be handed to the client
# cert and VPN modules for local signing.
# NOTE(review): the parameter value becomes part of the Terraform state once
# read, so the state backend needs the same protection as the SSM parameter.
data "aws_ssm_parameter" "ca_key" {
  name = module.self_signed_cert_ca.certificate_key_path

  # Defers the read until the CA module has written the parameter.
  depends_on = [
    module.self_signed_cert_ca
  ]
}
# Client certificate for mutual-TLS authentication to the Client VPN endpoint.
# Despite the "root" name this is a leaf certificate (ca = false, client_auth)
# signed by module.self_signed_cert_ca; its ACM ARN is what module.vpn receives
# as authentication_options_root_certificate_chain_arn.
module "self_signed_cert_root" {
  # NOTE(review): ref=1.3.0 is a git tag, which can be moved. Pinning to the
  # tag's commit SHA gives an immutable supply-chain reference — confirm policy.
  source = "git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git?ref=1.3.0"

  enabled    = true
  attributes = ["self", "signed", "cert", "root"]
  namespace  = var.namespace
  stage      = var.environment
  name       = "demo"

  secret_path_format = var.secret_path_format

  subject = {
    common_name  = "${var.namespace}-${var.environment}.arc-vpn-example.client"
    organization = var.namespace
  }

  basic_constraints = {
    ca = false
  }

  # Client-side usages only; no server_auth or cert_signing.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "client_auth",
  ]

  # ACM is needed so the certificate has an ARN the VPN endpoint can reference;
  # SSM keeps the PEM material available to operators.
  certificate_backends = ["ACM", "SSM"]

  # Sign with the CA above instead of self-signing.
  use_locally_signed = true

  certificate_chain = {
    cert_pem        = module.self_signed_cert_ca.certificate_pem,
    # ca_key is a single data source; the full splat just wraps it in a list
    # that join() collapses back to one string.
    private_key_pem = join("", data.aws_ssm_parameter.ca_key[*].value)
  }
}
################################################################################
## vpn
################################################################################
# AWS Client VPN endpoint with certificate-based mutual authentication.
# The server certificate is generated inside the module and signed by the same
# CA that signed the client certificate, so a single trust root covers both ends.
module "vpn" {
  source  = "sourcefuse/arc-vpn/aws"
  version = "1.0.0" # pin the correct version

  vpc_id = data.aws_vpc.this.id

  # Mutual TLS: clients present a cert chaining to self_signed_cert_root's ACM cert.
  authentication_options_type                       = "certificate-authentication"
  authentication_options_root_certificate_chain_arn = module.self_signed_cert_root.certificate_arn

  ## access
  # With certificate authentication there are no directory/SAML groups, so this
  # grants every holder of a valid client certificate access to the whole
  # target CIDR below (the full VPC). Narrow the target CIDR if that is too broad.
  client_vpn_authorize_all_groups = true
  client_vpn_subnet_ids           = data.aws_subnets.private.ids
  client_vpn_target_network_cidr  = data.aws_vpc.this.cidr_block

  ## self signed certificate
  # NOTE(review): the server CN below is identical to the client certificate's
  # CN in module.self_signed_cert_root — confirm that is intended.
  create_self_signed_server_cert             = true
  self_signed_server_cert_server_common_name = "${var.namespace}-${var.environment}.arc-vpn-example.client"
  self_signed_server_cert_organization_name  = var.namespace
  self_signed_server_cert_ca_pem             = module.self_signed_cert_ca.certificate_pem
  # The CA private key is passed in as plain input and will be held in state.
  self_signed_server_cert_private_ca_key_pem = join("", data.aws_ssm_parameter.ca_key[*].value)

  ## client vpn
  # NOTE(review): the client CIDR is carved out of the VPC CIDR itself, so it
  # overlaps the target network CIDR, and its size depends on the VPC prefix
  # length (6 new bits on a /16 gives a /22). Confirm both against the AWS
  # Client VPN client-CIDR constraints before relying on this for other VPC sizes.
  client_cidr             = cidrsubnet(data.aws_vpc.this.cidr_block, 6, 1)
  client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn-example"
  client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway-example"

  tags = module.tags.tags
}