Merge pull request #1 from rhythmictech/init

ENG-1300

.github/workflows/pre-commit.yaml

@@ -19,7 +19,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ~0.12.29
+          terraform_version: ~0.13.5
       - name: initialize Terraform
         run: terraform init --backend=false
       - name: pre-commit

.github/workflows/pullRequest.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ~0.12.29
+          terraform_version: ~0.13.5
       - name: initialize Terraform
         run: terraform init --backend=false
       - name: pre-commit
@@ -45,7 +45,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ~0.12.29
+          terraform_version: ~0.13.5
       - name: Terraform init
         run: terraform init --backend=false
       - name: tflint
@@ -63,7 +63,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ~0.12.29
+          terraform_version: ~0.13.5
       - name: Terraform init
         run: terraform init --backend=false
       - name: tfsec

.github/workflows/tflint.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ~0.12.29
+          terraform_version: ~0.13.5
       - name: Terraform init
         run: terraform init --backend=false
       - name: tflint

.github/workflows/tfsec.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: setup Terraform
         uses: hashicorp/setup-terraform@v1
         with:
-          terraform_version: ~0.12.29
+          terraform_version: ~0.13.5
       - name: Terraform init
         run: terraform init --backend=false
       - name: tfsec

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.31.0
+    rev: v1.43.0
     hooks:
       - id: terraform_docs
         always_run: true
@@ -41,7 +41,7 @@ repos:
         files: \.tf(vars)?$
         exclude: examples
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v3.0.0
+    rev: v3.3.0
     hooks:
       - id: check-case-conflict
       - id: check-json

.terraform-version

@@ -0,0 +1 @@
+latest:^0.13

README.md

@@ -24,24 +24,39 @@ A bit about this module
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.14 |
+| terraform | ~> 0.13.0 |
+| aws | ~> 3.5 |
 
 ## Providers
 
-No provider.
+| Name | Version |
+|------|---------|
+| aws | ~> 3.5 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| name | Moniker to apply to all resources in the module | `string` | n/a | yes |
-| tags | User-Defined tags | `map(string)` | `{}` | no |
+| associated\_subnets | List of subnets to associate with the VPN endpoint | `list(string)` | n/a | yes |
+| authorization\_rules | List of objects describing the authorization rules for the client vpn | <pre>list(object({<br>    name                 = string<br>    access_group_id      = string<br>    authorize_all_groups = bool<br>    description          = string<br>    target_network_cidr  = string<br>  }))</pre> | n/a | yes |
+| client\_cidr\_block | (optional) describe your variable | `string` | n/a | yes |
+| name | Name to associate with various resources | `string` | n/a | yes |
+| server\_certificate\_arn | ARN of ACM certificate to use with Client VPN | `string` | n/a | yes |
+| vpc\_id | ID of VPC to attach VPN to | `string` | n/a | yes |
+| additional\_routes | A list of additional routes that should be attached to the Client VPN endpoint | <pre>list(object({<br>    destination_cidr_block = string<br>    description            = string<br>    target_vpc_subnet_id   = string<br>  }))</pre> | `[]` | no |
+| additional\_security\_groups | List of security groups to attach to the client vpn network associations | `list(string)` | `[]` | no |
+| cloudwatch\_log\_retention\_days | How long to keep VPN logs. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | `number` | `30` | no |
+| saml\_metadata\_document | Optional SAML metadata document. Must include this or `saml_provider_arn` | `string` | `null` | no |
+| saml\_provider\_arn | Optional SAML provider ARN. Must include this or `saml_metadata_document` | `string` | `null` | no |
+| split\_tunnel\_enabled | Whether to enable split tunnelling | `bool` | `true` | no |
+| tags | Map of strings containing tags for AWS resources | `map(string)` | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| tags\_module | Tags Module in it's entirety |
+| vpn\_dns\_name | DNS name to be used by clients when establishing VPN session |
+| vpn\_endpoint\_security\_groups | VPN endpoint security groups |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

bin/install-macos.sh

@@ -14,5 +14,4 @@ git config --global init.templateDir ~/.git-template
 pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
-tfenv install latest:^0.12
-tfenv use latest:^0.12
+tfenv install

bin/install-ubuntu.sh

@@ -19,5 +19,4 @@ git config --global init.templateDir ~/.git-template
 pre-commit init-templatedir ~/.git-template
 
 echo 'installing terraform with tfenv'
-tfenv install latest:^0.12
-tfenv use latest:^0.12
+tfenv install

main.tf

@@ -1,16 +1,92 @@
+locals {
+  tags = merge(
+    var.tags,
+    {
+      terraform_module = basename(abspath(path.module))
+    }
+  )
+}
 
-module "tags" {
-  source  = "rhythmictech/tags/terraform"
-  version = "1.0.0"
+resource "aws_cloudwatch_log_group" "vpn" {
+  name_prefix       = "vpn-${var.name}"
+  retention_in_days = var.cloudwatch_log_retention_days
+  tags              = local.tags
+}
 
-  enforce_case = "UPPER"
-  names        = [var.name]
-  tags         = var.tags
+resource "aws_cloudwatch_log_stream" "vpn" {
+  name           = "vpn-${var.name}"
+  log_group_name = aws_cloudwatch_log_group.vpn.name
 }
 
-locals {
-  # tflint-ignore: terraform_unused_declarations
-  name = module.tags.name
-  # tflint-ignore: terraform_unused_declarations
-  tags = module.tags.tags_no_name
+resource "aws_iam_saml_provider" "this" {
+  count = var.saml_metadata_document != null ? 1 : 0
+
+  name                   = var.name
+  saml_metadata_document = var.saml_metadata_document
+}
+
+resource "aws_ec2_client_vpn_endpoint" "this" {
+  description            = "Client VPN"
+  client_cidr_block      = var.client_cidr_block
+  server_certificate_arn = var.server_certificate_arn
+  split_tunnel           = var.split_tunnel_enabled
+  tags                   = local.tags
+
+  authentication_options {
+    type              = "federated-authentication"
+    saml_provider_arn = try(aws_iam_saml_provider.this[0].arn, var.saml_provider_arn)
+  }
+
+  connection_log_options {
+    enabled               = true
+    cloudwatch_log_group  = aws_cloudwatch_log_group.vpn.name
+    cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
+  }
+}
+
+resource "aws_security_group" "this" {
+  name_prefix = var.name
+  description = "Client VPN network associations"
+  tags        = var.tags
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "Allow self access only by default"
+    from_port   = 0
+    protocol    = -1
+    self        = true
+    to_port     = 0
+  }
+}
+
+resource "aws_ec2_client_vpn_network_association" "this" {
+  for_each = toset(var.associated_subnets) #avoid ordering errors by using a for_each instead of count
+
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
+  subnet_id              = each.key
+
+  security_groups = concat(
+    [aws_security_group.this.id],
+    var.additional_security_groups
+  )
+}
+
+resource "aws_ec2_client_vpn_authorization_rule" "rules" {
+  count = length(var.authorization_rules)
+
+  access_group_id        = var.authorization_rules[count.index].access_group_id
+  authorize_all_groups   = var.authorization_rules[count.index].authorize_all_groups
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
+  description            = var.authorization_rules[count.index].description
+  target_network_cidr    = var.authorization_rules[count.index].target_network_cidr
+
+}
+
+resource "aws_ec2_client_vpn_route" "additional" {
+  count = length(var.additional_routes)
+
+  description            = try(var.additional_routes[count.index].description, null)
+  destination_cidr_block = var.additional_routes[count.index].destination_cidr_block
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.this.id
+  target_vpc_subnet_id   = var.additional_routes[count.index].target_vpc_subnet_id
 }

outputs.tf

@@ -1,5 +1,14 @@
+output "vpn_dns_name" {
+  description = "DNS name to be used by clients when establishing VPN session"
+  value       = aws_ec2_client_vpn_endpoint.this.dns_name
+}
+
+output "vpn_endpoint_security_groups" {
+  description = "VPN endpoint security groups"
 
-output "tags_module" {
-  description = "Tags Module in it's entirety"
-  value       = module.tags
+  value = distinct(
+    flatten(
+      [for association in aws_ec2_client_vpn_network_association.this : association.security_groups]
+    )
+  )
 }