

Merge pull request #8 from willthames/authorization-rules
Authorize access by CIDR range
adenot authored Oct 25, 2021
2 parents cc999dd + 4d1fc44 commit 2ddc435
Showing 3 changed files with 28 additions and 0 deletions.
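--- a/README.md
+++ b/README.md
@@ -29,6 +29,8 @@ The following resources will be created:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| `allowed_cidr_ranges` | (Optional) List of CIDR ranges allowed to use the VPN|`list`|[]|no|
+| `allowed_access_groups` | (Optional) List of Access Group IDs allowed to use the VPN (default is all access groups if `allowed_cidr_ranges` is set)|`list`|[]|no|
 | authentication\_saml\_provider\_arn | (Optional) The ARN of the IAM SAML identity provider if type is federated-authentication. | `any` | `null` | no |
 | authentication\_type | The type of client authentication to be used. Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication, or federated-authentication to use Federated Authentication via SAML 2.0. | `string` | `"certificate-authentication"` | no |
 | cidr | Network CIDR to use for clients | `any` | n/a | yes |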
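--- a/_variables.tf
+++ b/_variables.tf
@@ -11,6 +11,18 @@ variable "subnet_ids" {
 description = "Subnet ID to associate clients (each subnet passed will create an VPN association - costs involved)"
 }
 
+variable "allowed_cidr_ranges" {
+type = list(string)
+description = "List of CIDR ranges from which access is allowed"
+default = []
+}
+
+variable "allowed_access_groups" {
+type = list(string)
+description = "List of Access group IDs to allow access. Leave empty to allow all groups"
+default = []
+}
+
 variable "vpc_id" {
 type = string
 description = "VPC Id to create resources"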
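Review bot: The description on `allowed_cidr_ranges` (and the matching README.md row) reads as a source-address allowlist, but the value is consumed as `target_network_cidr` of an `aws_ec2_client_vpn_authorization_rule`, i.e. the destination networks that connected clients are permitted to reach; a maintainer reading "from which access is allowed" could assume the VPN filters who may connect, which authorization rules do not do. Suggest `description = "List of destination network CIDR ranges that connected clients are authorized to reach through the VPN"`, and on `allowed_access_groups` a note that the group restriction only takes effect when `allowed_cidr_ranges` is non-empty. A `validation` block with `condition = alltrue([for c in var.allowed_cidr_ranges : can(cidrhost(c, 0))])` would reject malformed entries at plan time instead of at apply, if the module's required Terraform version permits it (not visible here).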
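--- a/vpn-endpoint.tf
+++ b/vpn-endpoint.tf
@@ -32,3 +32,17 @@ resource "aws_ec2_client_vpn_network_association" "default" {
 subnet_id = element(var.subnet_ids, count.index)
 security_groups = [var.security_group_id == "" ? aws_security_group.default[0].id : var.security_group_id]
 }
+
+resource "aws_ec2_client_vpn_authorization_rule" "all_groups" {
+count = length(var.allowed_access_groups) > 0 ? 0 : length(var.allowed_cidr_ranges)
+client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
+target_network_cidr = var.allowed_cidr_ranges[count.index]
+authorize_all_groups = true
+}
+
+resource "aws_ec2_client_vpn_authorization_rule" "specific_groups" {
+count = length(var.allowed_access_groups) * length(var.allowed_cidr_ranges)
+client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
+target_network_cidr = element(var.allowed_cidr_ranges, count.index)
+access_group_id = var.allowed_access_groups[count.index % length(var.allowed_cidr_ranges)]
+}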
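Review bot: The group index in `specific_groups` is wrong: `count.index % length(var.allowed_cidr_ranges)` selects the same position that `element(var.allowed_cidr_ranges, count.index)` already cycles through, so the resource never forms the intended group × CIDR cross product — with one group and two CIDRs index 1 is out of range of `allowed_access_groups`, and with two groups and one CIDR the second group gets no rule while the first is declared twice (which AWS is likely to reject as a duplicate rule). The group must advance once per full pass over the CIDR list: `access_group_id = var.allowed_access_groups[floor(count.index / length(var.allowed_cidr_ranges))]`. It is also worth a comment on `all_groups` that when `allowed_cidr_ranges` is empty neither resource is created, so the endpoint carries no authorization rule and connected clients are authorized to reach nothing until one is added; `authorize_all_groups = true` there grants every identity group the listed networks, which matches the README but deserves stating in the file.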