chore: updating the codebase

appvia · Apr 24, 2024 · f76ff1b · f76ff1b
1 parent bfad261
commit f76ff1b
Show file tree

Hide file tree

Showing 9 changed files with 25 additions and 18 deletions.
diff --git a/.gitignore b/.gitignore
@@ -30,3 +30,9 @@ terraform.rc
 .DS_Store
 todo.md
 
+# SAML files 
+AWS_Client_VPN-saml-metadata.xml
+AWS_VPN_Portal-saml-metadata.xml
+
+# Appvia test files 
+appvia.tfvars
diff --git a/README.md b/README.md
@@ -117,7 +117,6 @@ When adding a new group to SSO, there are following steps to complete:
 
 | Name | Type |
 |------|------|
-| [aws_ec2_client_vpn_network_association.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_network_association) | resource |
 | [aws_iam_saml_provider.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 | [aws_iam_saml_provider.vpn_portal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 
@@ -127,14 +126,15 @@ When adding a new group to SSO, there are following steps to complete:
 |------|-------------|------|---------|:--------:|
 | <a name="input_authorization_rules"></a> [authorization\_rules](#input\_authorization\_rules) | Authorization rules for the VPN | <pre>list(object({<br>    access_group_id     = string<br>    description         = string<br>    name                = string<br>    target_network_cidr = string<br>  }))</pre> | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | Name of the VPN | `string` | n/a | yes |
-| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | IDs of the public subnets to use for the VPN | `list(string)` | n/a | yes |
 | <a name="input_saml_provider_document"></a> [saml\_provider\_document](#input\_saml\_provider\_document) | Document for the SAML provider | `string` | n/a | yes |
 | <a name="input_saml_provider_portal_document"></a> [saml\_provider\_portal\_document](#input\_saml\_provider\_portal\_document) | Document for the SAML provider portal | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the VPC to use for the VPN | `string` | n/a | yes |
 | <a name="input_vpn_log_stream_name"></a> [vpn\_log\_stream\_name](#input\_vpn\_log\_stream\_name) | Name of the CloudWatch log stream for the VPN | `string` | n/a | yes |
 | <a name="input_vpn_org_name"></a> [vpn\_org\_name](#input\_vpn\_org\_name) | Name of the organization for the VPN | `string` | n/a | yes |
 | <a name="input_client_cidr"></a> [client\_cidr](#input\_client\_cidr) | CIDR block for the VPN clients | `string` | `"172.16.0.0/16"` | no |
+| <a name="input_enable_vpn"></a> [enable\_vpn](#input\_enable\_vpn) | Whether to enable and deploy the VPN (useful do to dependency of this module) | `bool` | `false` | no |
+| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | IDs of the public subnets to use for the VPN | `list(string)` | `[]` | no |
 | <a name="input_saml_provider_name"></a> [saml\_provider\_name](#input\_saml\_provider\_name) | Name of the SAML provider | `string` | `"Client_VPN"` | no |
 | <a name="input_saml_provider_portal_name"></a> [saml\_provider\_portal\_name](#input\_saml\_provider\_portal\_name) | Name of the SAML provider portal | `string` | `"Client_VPN_Portal"` | no |
 | <a name="input_vpn_log_retention"></a> [vpn\_log\_retention](#input\_vpn\_log\_retention) | Number of days to retain VPN logs | `number` | `7` | no |

diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -30,14 +30,14 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_name"></a> [name](#input\_name) | Name of the VPN | `string` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to all resources | `map(string)` | n/a | yes |
 | <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | ID of the transit gateway to use for the VPC | `string` | n/a | yes |
 | <a name="input_vpn_log_stream_name"></a> [vpn\_log\_stream\_name](#input\_vpn\_log\_stream\_name) | Name of the CloudWatch log stream for the VPN | `string` | n/a | yes |
 | <a name="input_vpn_org_name"></a> [vpn\_org\_name](#input\_vpn\_org\_name) | Name of the organization for the VPN | `string` | n/a | yes |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Amount of availability zones to use for the VPC | `number` | `2` | no |
 | <a name="input_client_cidr"></a> [client\_cidr](#input\_client\_cidr) | CIDR block for the VPN clients | `string` | `"172.16.0.0/16"` | no |
 | <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | The ID of the IPAM pool to use for the VPC | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name of the VPN | `string` | `"vpn"` | no |
 | <a name="input_private_subnet_netmask"></a> [private\_subnet\_netmask](#input\_private\_subnet\_netmask) | Netmask length for the private subnets | `number` | `25` | no |
 | <a name="input_public_subnet_netmask"></a> [public\_subnet\_netmask](#input\_public\_subnet\_netmask) | Netmask length for the public subnets | `number` | `25` | no |
 | <a name="input_saml_provider_name"></a> [saml\_provider\_name](#input\_saml\_provider\_name) | Name of the SAML provider | `string` | `"Client_VPN"` | no |

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -38,7 +38,7 @@ locals {
   team_authorization_rules = {
     "administrators" = [
       {
-        access_group_id     = data.aws_identitystore_group.groups["Cloud Admins"].group_id
+        access_group_id     = data.aws_identitystore_group.groups["Cloud Administrators"].group_id
         description         = "Allow VPN access to all internal services for Cloud Admin users"
         name                = "cloud-admin-allow-all"
         target_network_cidr = local.networks.all-internal
@@ -101,4 +101,6 @@ module "vpn" {
   vpn_log_stream_name           = var.vpn_log_stream_name
   vpn_org_name                  = var.vpn_org_name
   vpc_id                        = module.vpc.vpc_id
+
+  depends_on = [module.vpc]
 }
diff --git a/examples/basic/values/production.tfvars b/examples/basic/values/production.tfvars
@@ -3,6 +3,7 @@ identity_store_id      = "<IDENTITY_STORE_ID>"
 public_subnet_netmask  = 27
 private_subnet_netmask = 27
 transit_subnet_netmask = 28
+transit_gateway_id     = "<TRANSIT_GATEWAY_ID>"
 vpc_netmask            = 24
 vpn_log_retention      = 7
 vpn_log_stream_name    = "<NAME>-client-vpn"

diff --git a/examples/basic/variables.tf b/examples/basic/variables.tf
@@ -76,6 +76,7 @@ variable "vpn_log_stream_name" {
 variable "name" {
   description = "Name of the VPN"
   type        = string
+  default     = "vpn"
 }
 
 variable "vpn_org_name" {

diff --git a/main.tf b/main.tf
@@ -16,11 +16,12 @@ resource "aws_iam_saml_provider" "vpn_portal" {
 ## Provision the VPN
 # tfsec:ignore:aws-cloudwatch-log-group-customer-key
 module "client_vpn" {
+  count   = var.enable_vpn ? 1 : 0
   source  = "cloudposse/ec2-client-vpn/aws"
   version = "1.0.0"
 
   additional_routes              = local.additional_routes
-  associated_subnets             = []
+  associated_subnets             = var.public_subnet_ids
   authentication_type            = "federated-authentication"
   authorization_rules            = var.authorization_rules
   client_cidr                    = var.client_cidr
@@ -36,13 +37,3 @@ module "client_vpn" {
   tags                           = var.tags
   vpc_id                         = var.vpc_id
 }
-
-## Associate the VPN with the subnets 
-resource "aws_ec2_client_vpn_network_association" "default" {
-  for_each = toset(var.public_subnet_ids)
-
-  client_vpn_endpoint_id = module.client_vpn.vpn_endpoint_id
-  subnet_id              = each.value
-
-  depends_on = [module.client_vpn]
-}
diff --git a/outputs.tf b/outputs.tf
@@ -1,11 +1,10 @@
 
 output "vpn_endpoint_dns_name" {
-  value       = module.client_vpn.vpn_endpoint_dns_name
   description = "The DNS Name of the Client VPN Endpoint Connection."
+  value       = var.enable_vpn ? module.client_vpn[0].client_vpn_endpoint_dns_name : null
 }
 
 output "client_configuration" {
-  value       = module.client_vpn.client_configuration
   description = "VPN Client Configuration data."
-  sensitive   = true
+  value       = var.enable_vpn ? module.client_vpn[0].client_configuration : null
 }
diff --git a/variables.tf b/variables.tf
@@ -8,6 +8,12 @@ variable "authorization_rules" {
   }))
 }
 
+variable "enable_vpn" {
+  description = "Whether to enable and deploy the VPN (useful do to dependency of this module)"
+  type        = bool
+  default     = false
+}
+
 variable "saml_provider_document" {
   description = "Document for the SAML provider"
   type        = string
@@ -49,6 +55,7 @@ variable "vpc_id" {
 variable "public_subnet_ids" {
   description = "IDs of the public subnets to use for the VPN"
   type        = list(string)
+  default     = []
 }
 
 variable "vpn_log_retention" {