From 0770111b4d9c4a03baf515e7eceef710f3ba99c9 Mon Sep 17 00:00:00 2001
From: Alexandre Mont'Alvao
Date: Wed, 6 Mar 2024 11:13:30 +1100
Subject: [PATCH] Added options for managing connection authorization for new client connections
---
 _variables.tf | 11 +++++++++++
 vpn-endpoint.tf | 5 +++++
 2 files changed, 16 insertions(+)

diff --git a/_variables.tf b/_variables.tf
index b567d76..b887373 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -74,3 +74,14 @@ variable "enable_self_service_portal" {
 default = false
 description = "Specify whether to enable the self-service portal for the Client VPN endpoint"
 }
+
+variable "client_connect_options" {
+ type = bool
+ default = false
+ description = "Indicates whether client connect options are enabled"
+}
+
+variable "connection_authorization_lambda_function_arn" {
+ default = null
+ description = "The Amazon Resource Name (ARN) of the Lambda function used for connection authorization."
+}
\ No newline at end of file
diff --git a/vpn-endpoint.tf b/vpn-endpoint.tf
index 67d77f4..4cbaa54 100644
--- a/vpn-endpoint.tf
+++ b/vpn-endpoint.tf
@@ -20,6 +20,11 @@ resource "aws_ec2_client_vpn_endpoint" "default" {
 cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
 }

+ client_connect_options {
+ enabled = var.client_connect_options
+ lambda_function_arn = var.client_connect_options != true ? null : var.connection_authorization_lambda_function_arn
+ }
+
 tags = merge(
 var.tags,
 tomap({
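Review bot: `connection_authorization_lambda_function_arn` is declared without a `type`, so Terraform infers it from whatever the caller passes and a list or map would only fail inside the `client_connect_options` block of vpn-endpoint.tf rather than at the variable; add `type = string` beside `default = null`. The description of `client_connect_options` (`Indicates whether client connect options are enabled`) reads as a status rather than a switch; `Specify whether to enable client connect options (connection authorization handler) for the Client VPN endpoint` would match the wording of `enable_self_service_portal` directly above, and a name like `enable_client_connect_options` would follow that file's convention, though renaming also touches the vpn-endpoint.tf hunk that references it. The new block also leaves `_variables.tf` without a trailing newline.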
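Review bot: When `enabled = var.client_connect_options` is true but `connection_authorization_lambda_function_arn` is left at its `null` default, the expression on the next line sends `lambda_function_arn = null` to AWS, and the misconfiguration surfaces only as an apply-time API error even though this handler is the authorization gate for every new client connection. A `lifecycle` precondition on the resource would reject that combination at plan time with a clear message (if the resource already has a `lifecycle` block outside the hunk, the precondition belongs inside it, and preconditions need a Terraform version that supports them). As far as AWS documents it, the handler's function name must begin with `AWSClientVPN-`, so a `validation` block on the ARN variable checking that prefix would catch a mistaken ARN before it is wired in. The conditional `var.client_connect_options != true ? null : ...` is written in inverted form; `var.client_connect_options ? var.connection_authorization_lambda_function_arn : null` reads more directly. The enclosing `resource "aws_ec2_client_vpn_endpoint" "default"` block begins and ends outside the hunk.
```hcl
  client_connect_options {
    enabled             = var.client_connect_options
    lambda_function_arn = var.client_connect_options ? var.connection_authorization_lambda_function_arn : null
  }

  lifecycle {
    precondition {
      condition     = !var.client_connect_options || var.connection_authorization_lambda_function_arn != null
      error_message = "connection_authorization_lambda_function_arn must be set when client_connect_options is true."
    }
  }
  # … unchanged: tags = merge(...) …
```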