# Pin the core version: this configuration relies on 0.12 syntax
# (bare resource references, first-class `file()` expressions).
terraform {
  required_version = "~> 0.12.0"
}
# Outputs of the management VPC stack; `outputs.pri-subnet` is the target
# network for the Client VPN endpoint below.
# NOTE(review): reading remote state needs s3:GetObject on the whole state
# object, which exposes every attribute in that state rather than just the
# subnet id — grant that permission narrowly (this bucket/key only).
data "terraform_remote_state" "vpc-subnet" {
  backend = "s3"

  config = {
    region = "us-east-1"
    bucket = "mgmt-us-east1-js-tf-state"
    key    = "mgmt_vpc.tfstate"
  }
}
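# Client certificate (client1.<domain>) plus the issuing CA chain, imported
# into ACM. The endpoint uses this import as the root certificate chain for
# mutual TLS, so the chain (ca.crt) is the part that matters for validation.
#
# SECURITY: `file()` reads the private key at plan time and the provider keeps
# `private_key` in Terraform state. Keep the state backend encrypted and its
# access restricted, and keep `var.cert_dir` out of version control.
resource "aws_acm_certificate" "client_cert" {
  private_key       = file("${path.root}/${var.cert_dir}/client1.${var.domain}.key")
  certificate_body  = file("${path.root}/${var.cert_dir}/client1.${var.domain}.crt")
  certificate_chain = file("${path.root}/${var.cert_dir}/ca.crt")

  # A changed certificate file forces a new ACM resource; build the replacement
  # first so the VPN endpoint that references this ARN never points at a
  # certificate that has already been deleted.
  lifecycle {
    create_before_destroy = true
  }
}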
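# Server certificate presented by the Client VPN endpoint, imported into ACM
# together with the CA chain clients validate it against.
#
# SECURITY: `file()` reads the private key at plan time and the provider keeps
# `private_key` in Terraform state. Keep the state backend encrypted and its
# access restricted, and keep `var.cert_dir` out of version control.
resource "aws_acm_certificate" "server_cert" {
  private_key       = file("${path.root}/${var.cert_dir}/server.key")
  certificate_body  = file("${path.root}/${var.cert_dir}/server.crt")
  certificate_chain = file("${path.root}/${var.cert_dir}/ca.crt")

  # A changed certificate file forces a new ACM resource; build the replacement
  # first so the VPN endpoint that references this ARN never points at a
  # certificate that has already been deleted.
  lifecycle {
    create_before_destroy = true
  }
}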
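# CloudWatch destination for Client VPN connection logs (connect/disconnect
# events with the client certificate CN and assigned client IP). Retention is
# a policy choice; adjust to your requirements.
resource "aws_cloudwatch_log_group" "client_vpn" {
  name              = "/aws/client-vpn/mgmt-us-east-1-vpn"
  retention_in_days = 90
}

resource "aws_cloudwatch_log_stream" "client_vpn" {
  name           = "connections"
  log_group_name = aws_cloudwatch_log_group.client_vpn.name
}

# Mutual-TLS Client VPN endpoint for the management VPC.
resource "aws_ec2_client_vpn_endpoint" "client-vpn-endpoint" {
  description            = "terraform-clientvpn-endpoint"
  server_certificate_arn = aws_acm_certificate.server_cert.arn
  client_cidr_block      = var.client_cidr_block

  # 169.254.169.253 is the Amazon-provided VPC resolver (reachable only through
  # the tunnel); 1.1.1.1 is a public resolver and is listed first.
  # NOTE(review): if clients must resolve private hosted zones, confirm the
  # VPC resolver should be the primary entry.
  dns_servers = ["1.1.1.1", "169.254.169.253"]

  # With split tunnel the routes in the endpoint route table are pushed to
  # clients instead of a default route.
  split_tunnel = true

  authentication_options {
    type = "certificate-authentication"
    # The imported client certificate carries ca.crt as its chain; that chain
    # is what client certificates are validated against.
    root_certificate_chain_arn = aws_acm_certificate.client_cert.arn
  }

  # Connection logging was previously disabled; without it there is no record
  # of who connected, when, or which client IP they were assigned.
  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
  }

  tags = {
    Name = "mgmt-us-east-1-vpn"
  }
}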
# Attach the endpoint to the management VPC's private subnet (read from the
# remote state above). This is the target network client traffic exits from,
# and the subnet any endpoint route must point at.
resource "aws_ec2_client_vpn_network_association" "client-vpn-network-association" {
  subnet_id              = data.terraform_remote_state.vpc-subnet.outputs.pri-subnet
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
}
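# Authorization rule: every client (certificate authentication has no groups,
# hence --authorize-all-groups) may reach every destination routed through the
# endpoint (0.0.0.0/0). Narrow --target-network-cidr to the VPC or management
# CIDR if clients should not get unrestricted reach.
#
# Implemented with the AWS CLI via local-exec, presumably because no native
# provider resource was available. Terraform therefore does not track or
# revoke this rule on destroy; `triggers` ensures the command re-runs when the
# endpoint is replaced, which a bare null_resource would not do.
resource "null_resource" "authorize-client-vpn-ingress" {
  triggers = {
    endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
  }

  provisioner "local-exec" {
    command = "aws --region ${var.AWS_REGION} ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id ${aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id} --target-network-cidr 0.0.0.0/0 --authorize-all-groups"
  }

  depends_on = [
    aws_ec2_client_vpn_endpoint.client-vpn-endpoint,
    # aws_ec2_client_vpn_network_association.client-vpn-network-association
  ]
}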
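# Default route through the private subnet so client traffic egresses via the
# VPC. The target subnet must already be an associated target network of the
# endpoint, so this now depends on the network association as well; before,
# only the endpoint and the authorization rule were ordered ahead of it.
#
# NOTE(review): `split_tunnel = true` on the endpoint and a 0.0.0.0/0 route
# pull in opposite directions (the route is pushed to clients and captures
# all of their traffic) — confirm whether full- or split-tunnel is intended.
resource "null_resource" "create-client-vpn-route" {
  triggers = {
    endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
    subnet_id   = data.terraform_remote_state.vpc-subnet.outputs.pri-subnet
  }

  provisioner "local-exec" {
    command = "aws --region ${var.AWS_REGION} ec2 create-client-vpn-route --client-vpn-endpoint-id ${aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id} --destination-cidr-block 0.0.0.0/0 --target-vpc-subnet-id ${data.terraform_remote_state.vpc-subnet.outputs.pri-subnet} --description Internet-Access"
  }

  depends_on = [
    aws_ec2_client_vpn_endpoint.client-vpn-endpoint,
    aws_ec2_client_vpn_network_association.client-vpn-network-association,
    null_resource.authorize-client-vpn-ingress,
  ]
}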
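# Download the base OpenVPN client configuration for this endpoint into the
# root module directory. The exported file carries the endpoint and CA
# details; the client certificate/key paths are added afterwards by
# null_resource.append-client-config-certs.
#
# `triggers` makes the export re-run when the endpoint is replaced (the file
# would otherwise keep the old endpoint hostname). The output path is quoted
# so a path.root containing spaces does not break the redirect.
resource "null_resource" "export-client-config" {
  triggers = {
    endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
  }

  provisioner "local-exec" {
    command = "aws --region ${var.AWS_REGION} ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id ${aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id} --output text > \"${path.root}/client-config.ovpn\""
  }

  depends_on = [
    aws_ec2_client_vpn_endpoint.client-vpn-endpoint,
    null_resource.authorize-client-vpn-ingress,
    null_resource.create-client-vpn-route,
    aws_ec2_client_vpn_network_association.client-vpn-network-association,
  ]
}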
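# Run the module's helper script (not shown here) that appends the client
# certificate/key paths to the exported client-config.ovpn.
#
# `triggers` ties this to the export step so it re-runs whenever the config is
# re-exported; arguments are quoted so a path.root, cert_dir or domain with
# spaces is passed as a single argument instead of being word-split.
resource "null_resource" "append-client-config-certs" {
  triggers = {
    config_export = null_resource.export-client-config.id
  }

  provisioner "local-exec" {
    command = "\"${path.module}/scripts/client_config_append_certs_path.sh\" \"${path.root}\" \"${var.cert_dir}\" \"${var.domain}\""
  }

  depends_on = [null_resource.export-client-config]
}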