Merge pull request #7 from DNXLabs/feature/split-tunnel-custom-sg

Custom security group
DNXLabs · Oct 19, 2021 · dcb4cc5 · dcb4cc5
2 parents 36d43aa + 0dee4fc
commit dcb4cc5
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 6 deletions.
diff --git a/_outputs.tf b/_outputs.tf
@@ -0,0 +1,6 @@
+output "security_group_id" {
+  value = try(aws_security_group.default[0].id, var.security_group_id)
+}
+output "vpn_endpoint_id" {
+  value = aws_ec2_client_vpn_endpoint.default.id
+}
diff --git a/_variables.tf b/_variables.tf
@@ -5,14 +5,15 @@ variable "name" {
 variable "cidr" {
   description = "Network CIDR to use for clients"
 }
-variable "split_tunnel" {
-  description = "Allow split tunnel"
-  default     = false
-}
 
 variable "subnet_ids" {
   type        = list(string)
-  description = "Subnet ID to associate clients"
+  description = "Subnet ID to associate clients (each subnet passed will create an VPN association - costs involved)"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "VPC Id to create resources"
 }
 variable "dns_servers" {
   type        = list(string)
@@ -43,5 +44,15 @@ variable "authentication_type" {
 
 variable "authentication_saml_provider_arn" {
   default     = null
-  description = " (Optional) The ARN of the IAM SAML identity provider if type is federated-authentication."
+  description = "(Optional) The ARN of the IAM SAML identity provider if type is federated-authentication."
 }
+
+variable "split_tunnel" {
+  default     = true
+  description = "With split_tunnel false, all client traffic will go through the VPN."
+}
+
+variable "security_group_id" {
+  default     = ""
+  description = "Optional security group id to use instead of the default created"
+}
diff --git a/sg.tf b/sg.tf
@@ -0,0 +1,16 @@
+resource "aws_security_group" "default" {
+  count       = var.security_group_id == "" ? 1 : 0
+  name_prefix = "${var.name}-Client-VPN"
+  description = "security group allowing egress for client-vpn users"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group_rule" "default_egress_world" {
+  count             = var.security_group_id == "" ? 1 : 0
+  type              = "egress"
+  from_port         = -1
+  to_port           = -1
+  protocol          = "all"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.default[0].id
+}
diff --git a/vpn-endpoint.tf b/vpn-endpoint.tf
@@ -30,4 +30,5 @@ resource "aws_ec2_client_vpn_network_association" "default" {
   count                  = length(var.subnet_ids)
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
   subnet_id              = element(var.subnet_ids, count.index)
+  security_groups        = [var.security_group_id == "" ? aws_security_group.default[0].id : var.security_group_id]
 }