# Pin the CLI to the 0.12 series: the rest of this file uses 0.12-style
# expressions (bare references such as aws_acm_certificate.server_cert.arn
# and first-class `file()` calls), which older releases do not parse.
terraform {
  required_version = "~> 0.12.0"
}
# Management VPC state read from the shared S3 state bucket. Only the
# `pri-subnet` output is consumed in this file (as the VPN target network
# and route subnet), so a missing or renamed output breaks the plan here.
# NOTE(review): this block only reads the bucket; the bucket's own access
# policy, versioning and encryption settings are defined elsewhere — confirm
# they restrict reads, since remote state may contain sensitive values.
data "terraform_remote_state" "vpc-subnet" {
  backend = "s3"

  config = {
    region = "us-east-1"
    bucket = "mgmt-us-east1-js-tf-state"
    key    = "mgmt_vpc.tfstate"
  }
}
# Client certificate for mutual-TLS authentication, imported into ACM so its
# ARN can serve as `root_certificate_chain_arn` on the VPN endpoint.
# All three inputs are read from disk under `${path.root}/${var.cert_dir}`.
# Terraform records resource arguments, including `private_key`, in state;
# treat state storage with the same access controls as the key files.
resource "aws_acm_certificate" "client_cert" {
  certificate_body  = file("${path.root}/${var.cert_dir}/client1.${var.domain}.crt")
  certificate_chain = file("${path.root}/${var.cert_dir}/ca.crt")
  private_key       = file("${path.root}/${var.cert_dir}/client1.${var.domain}.key")
}
# Server certificate presented by the Client VPN endpoint, imported into ACM.
# Shares the same `ca.crt` chain as the client certificate above.
# As with the client certificate, the private key ends up in Terraform state.
resource "aws_acm_certificate" "server_cert" {
  certificate_body  = file("${path.root}/${var.cert_dir}/server.crt")
  certificate_chain = file("${path.root}/${var.cert_dir}/ca.crt")
  private_key       = file("${path.root}/${var.cert_dir}/server.key")
}
# Client VPN endpoint authenticated by client certificates (mutual TLS).
# Target-network association, ingress authorization and routes are attached
# by the resources that follow in this file.
resource "aws_ec2_client_vpn_endpoint" "client-vpn-endpoint" {
  description            = "terraform-clientvpn-endpoint"
  client_cidr_block      = var.client_cidr_block
  server_certificate_arn = aws_acm_certificate.server_cert.arn

  # A public resolver is listed ahead of the VPC resolver (169.254.169.253);
  # names that exist only in private hosted zones resolve solely through the
  # latter — confirm this mix is intended.
  dns_servers = ["1.1.1.1", "169.254.169.253"]

  # Split tunnel pushes only the endpoint's route table to clients. A
  # 0.0.0.0/0 route is added to this endpoint later in this file, which
  # presumably sends all client traffic through the VPN regardless — verify.
  split_tunnel = true

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.client_cert.arn
  }

  # Connection logging is disabled, so there is no record of which client
  # connected, when, or from where. For an audit trail set `enabled = true`
  # together with `cloudwatch_log_group` and `cloudwatch_log_stream`.
  connection_log_options {
    enabled = false
  }

  tags = {
    Name = "mgmt-us-east-1-vpn"
  }
}
# Attach the endpoint to the management VPC's private subnet (taken from the
# remote state output). The subnet's security groups apply to VPN clients
# once associated.
resource "aws_ec2_client_vpn_network_association" "client-vpn-network-association" {
  subnet_id              = data.terraform_remote_state.vpc-subnet.outputs.pri-subnet
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
}
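# Authorization rule allowing every authenticated client to reach any
# destination (0.0.0.0/0). With certificate authentication there are no user
# groups to scope by, so --authorize-all-groups is the only available form;
# narrow --target-network-cidr if clients should only reach the VPC.
resource "null_resource" "authorize-client-vpn-ingress" {
  # Re-run the CLI call whenever the endpoint is replaced. Without a trigger
  # a new endpoint would come up with no authorization rule while Terraform
  # still reports this resource as applied.
  triggers = {
    endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
  }

  provisioner "local-exec" {
    command = "aws --region ${var.AWS_REGION} ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id ${aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id} --target-network-cidr 0.0.0.0/0 --authorize-all-groups"
  }

  depends_on = [
    aws_ec2_client_vpn_endpoint.client-vpn-endpoint,
    # aws_ec2_client_vpn_network_association.client-vpn-network-association
  ]
}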
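# Default route (0.0.0.0/0) through the associated private subnet, giving VPN
# clients Internet access via the VPC. The CLI requires the target subnet to
# already be an associated target network of the endpoint, so this must be
# ordered after the network association, not just after the endpoint.
resource "null_resource" "create-client-vpn-route" {
  # Re-run when the endpoint or the target subnet changes; otherwise a
  # replaced endpoint would have no route while state says one exists.
  triggers = {
    endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
    subnet_id   = data.terraform_remote_state.vpc-subnet.outputs.pri-subnet
  }

  provisioner "local-exec" {
    command = "aws --region ${var.AWS_REGION} ec2 create-client-vpn-route --client-vpn-endpoint-id ${aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id} --destination-cidr-block 0.0.0.0/0 --target-vpc-subnet-id ${data.terraform_remote_state.vpc-subnet.outputs.pri-subnet} --description Internet-Access"
  }

  depends_on = [
    aws_ec2_client_vpn_endpoint.client-vpn-endpoint,
    # The subnet must be associated before a route can target it.
    aws_ec2_client_vpn_network_association.client-vpn-network-association,
    null_resource.authorize-client-vpn-ingress,
  ]
}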
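# Download the endpoint's OpenVPN client configuration to
# `${path.root}/client-config.ovpn`. The file is a connection profile for
# this endpoint; keep it out of version control.
resource "null_resource" "export-client-config" {
  # Re-export when the endpoint is replaced so the profile on disk does not
  # point at a deleted endpoint.
  triggers = {
    endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id
  }

  provisioner "local-exec" {
    # The redirect target is quoted so a `path.root` containing spaces does
    # not split the shell command.
    command = "aws --region ${var.AWS_REGION} ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id ${aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id} --output text > \"${path.root}/client-config.ovpn\""
  }

  depends_on = [
    aws_ec2_client_vpn_endpoint.client-vpn-endpoint,
    null_resource.authorize-client-vpn-ingress,
    null_resource.create-client-vpn-route,
    aws_ec2_client_vpn_network_association.client-vpn-network-association,
  ]
}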
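# Post-process the exported profile with the module's helper script, passing
# the root path, certificate directory and domain. What the script appends
# is defined in scripts/client_config_append_certs_path.sh, not here.
resource "null_resource" "append-client-config-certs" {
  # Re-run whenever the export step re-runs (its id changes with its
  # triggers); without this a freshly exported profile would be left
  # unprocessed.
  triggers = {
    export_id = null_resource.export-client-config.id
  }

  provisioner "local-exec" {
    # Arguments are quoted so paths or values containing spaces reach the
    # script as single arguments.
    command = "${path.module}/scripts/client_config_append_certs_path.sh \"${path.root}\" \"${var.cert_dir}\" \"${var.domain}\""
  }

  depends_on = [null_resource.export-client-config]
}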