Merge pull request #30 from DNXLabs/feature/client-connection-options

Added options for managing connection authorization for new client connections
DNXLabs · Mar 6, 2024 · c67482f · c67482f
2 parents ab1ab16 + 7d995f5
commit c67482f
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -34,6 +34,8 @@ The following resources will be created:
 | authentication\_saml\_provider\_arn | (Optional) The ARN of the IAM SAML identity provider if type is federated-authentication. | `any` | `null` | no |
 | authentication\_type | The type of client authentication to be used. Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication, or federated-authentication to use Federated Authentication via SAML 2.0. | `string` | `"certificate-authentication"` | no |
 | cidr | Network CIDR to use for clients | `any` | n/a | yes |
+| client\_connect\_options | Indicates whether client connect options are enabled | `bool` | `false` | no |
+| connection\_authorization\_lambda\_function\_arn | The Amazon Resource Name (ARN) of the Lambda function used for connection authorization. | `any` | `null` | no |
 | dns\_servers | List of DNS Servers | `list(string)` | `[]` | no |
 | enable\_self\_service\_portal | Specify whether to enable the self-service portal for the Client VPN endpoint | `bool` | `false` | no |
 | logs\_retention | Retention in days for CloudWatch Log Group | `number` | `365` | no |

diff --git a/_variables.tf b/_variables.tf
@@ -74,3 +74,14 @@ variable "enable_self_service_portal" {
   default     = false
   description = "Specify whether to enable the self-service portal for the Client VPN endpoint"
 }
+
+variable "client_connect_options" {
+  type = bool
+  default = false
+  description = "Indicates whether client connect options are enabled"  
+}
+
+variable "connection_authorization_lambda_function_arn" {
+  default = null
+  description = "The Amazon Resource Name (ARN) of the Lambda function used for connection authorization."  
+}
diff --git a/vpn-endpoint.tf b/vpn-endpoint.tf
@@ -20,6 +20,11 @@ resource "aws_ec2_client_vpn_endpoint" "default" {
     cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn.name
   }
 
+  client_connect_options {
+    enabled             = var.client_connect_options
+    lambda_function_arn = var.client_connect_options != true ? null : var.connection_authorization_lambda_function_arn
+  }
+
   tags = merge(
     var.tags,
     tomap({