main.tf
locals {
  # Exposed as a local rather than used directly because the tooling that generates
  # "module-metadata.json" mis-handles variables that are referenced directly.
  # https://github.com/IBM-Cloud/terraform-config-inspect/issues/19
  subnet_ids = var.subnet_ids

  # Input validation: the S2S authorization policy targets a Secrets Manager instance,
  # so 'secrets_manager_id' is mandatory whenever 'create_s2s_auth_policy' is enabled.
  secrets_manager_validate_msg       = "Value for 'secrets_manager_id' must not be null if 'create_s2s_auth_policy' is true"
  secrets_manager_validate_condition = (var.create_s2s_auth_policy == true && var.secrets_manager_id == null)

  # Fails the plan with the message above when the condition is violated: regex() raises an
  # error because the empty string can never match the anchored message pattern.
  # tflint-ignore: terraform_unused_declarations
  secrets_manager_validate_check = regex(
    "^${local.secrets_manager_validate_msg}$",
    local.secrets_manager_validate_condition ? "" : local.secrets_manager_validate_msg
  )
}
# IAM Service to Service Authorization
# More info: https://cloud.ibm.com/docs/vpc?topic=vpc-client-to-site-authentication#creating-iam-service-to-service
# NOTE: The auth policy cannot be scoped to the exact VPN server instance ID because the VPN can't be provisioned
# without the cert from Secrets Manager, but it can't grab the cert from Secrets Manager until the policy is created.
resource "ibm_iam_authorization_policy" "policy" {
  # Only created when the caller opts in; otherwise the caller is expected to manage the
  # Secrets Manager authorization themselves.
  count = var.create_s2s_auth_policy ? 1 : 0

  # Source: every "vpn-server" resource of the VPC ("is") service in the given resource group.
  # Target: the single Secrets Manager instance holding the server certificate.
  source_service_name         = "is"
  source_resource_type        = "vpn-server"
  source_resource_group_id    = var.resource_group_id
  target_service_name         = "secrets-manager"
  target_resource_instance_id = var.secrets_manager_id

  # Read-only role: the VPN server only needs to fetch the certificate secret.
  roles = ["SecretsReader"]

  description = "Allow all VPN server instances in the resource group ${var.resource_group_id} to read from the Secrets Manager instance with ID ${var.secrets_manager_id}"
}
# workaround for https://github.com/IBM-Cloud/terraform-provider-ibm/issues/4478
resource "time_sleep" "wait_for_authorization_policy" {
  # Give the newly created authorization policy time to propagate before anything that
  # relies on it is provisioned. Runs (and waits) even when the policy has count = 0.
  create_duration = "30s"

  depends_on = [ibm_iam_authorization_policy.policy]
}
# Access groups
# More info: https://cloud.ibm.com/docs/vpc?topic=vpc-create-iam-access-group
resource "ibm_iam_access_group" "cts_vpn_access_group" {
  # Access group that VPN client users are added to; created only when var.create_policy is set.
  count = var.create_policy ? 1 : 0

  description = "Access group for the Client to Site VPN"
  name        = var.access_group_name
}
resource "ibm_iam_access_group_policy" "cts_vpn_access_group_policy" {
  # Same creation condition as the access group, so index [0] below is always valid.
  count = var.create_policy ? 1 : 0

  access_group_id = ibm_iam_access_group.cts_vpn_access_group[0].id

  # "VPN Client" is the role needed to connect to a client-to-site VPN server.
  roles = ["VPN Client"]

  # NOTE(review): scoped to the whole VPC ("is") service, i.e. every VPN server in the
  # account, not just the one created by this module. If the provider supports it for
  # this role, narrowing the scope (e.g. to the resource group) would be least-privilege
  # — confirm against the provider docs before changing.
  resources {
    service = "is"
  }
}
resource "ibm_iam_access_group_members" "cts_vpn_access_group_users" {
  # Membership is only managed when the policy is created AND at least one user was given;
  # an empty user list leaves the access group without a members resource.
  count = (var.create_policy && length(var.vpn_client_access_group_users) > 0) ? 1 : 0

  ibm_ids         = var.vpn_client_access_group_users
  access_group_id = ibm_iam_access_group.cts_vpn_access_group[0].id
}
# Client to Site VPN
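resource "ibm_is_vpn_server" "vpn" {
  # The server certificate is fetched from Secrets Manager at provisioning time, which only
  # works once the S2S authorization policy exists and has propagated. Nothing else in this
  # file references time_sleep.wait_for_authorization_policy, so without this explicit
  # dependency the VPN server could be created before the policy is effective.
  depends_on = [time_sleep.wait_for_authorization_policy]

  name            = var.vpn_gateway_name
  resource_group  = var.resource_group_id
  certificate_crn = var.server_cert_crn
  subnets         = local.subnet_ids

  # Authentication method chosen by the caller; IAM is the identity provider only for
  # username-based auth. NOTE(review): no client CA is passed here — confirm against the
  # provider that certificate-based auth is fully configured when that method is selected.
  client_authentication {
    method            = var.client_auth_methods
    identity_provider = var.client_auth_methods == "username" ? "iam" : null
  }

  # Client-side networking settings.
  client_idle_timeout    = var.client_idle_timeout
  client_ip_pool         = var.client_ip_pool
  client_dns_server_ips  = var.client_dns_server_ips
  enable_split_tunneling = var.enable_split_tunneling
}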
resource "ibm_is_vpn_server_route" "server_route" {
  # One route per entry in var.vpn_server_routes, keyed by the map key (used as the route name).
  for_each = var.vpn_server_routes

  name        = each.key
  vpn_server  = ibm_is_vpn_server.vpn.vpn_server
  destination = each.value.destination
  action      = each.value.action

  depends_on = [ibm_iam_authorization_policy.policy]
}