Add enable_internet_access var and VPN route

joe-niland · joe-niland · commit a53bedf92570 · 2020-09-30T10:54:00.000+10:00
diff --git a/main.tf b/main.tf
@@ -59,6 +59,14 @@ resource aws_ec2_client_vpn_authorization_rule ingress-all {
   description            = "Allow all VPN groups access to ${var.allowed_ingress_network_cidr}"
 }
 
+resource aws_ec2_client_vpn_route internet-access {
+  count                  = var.enable_internet_access ? 1 : 0
+  for_each               = toset(var.subnet_ids)
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
+  destination_cidr_block = "0.0.0.0/0"
+  target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.default[each.key].subnet_id
+}
+
 data "aws_region" "current" {}
 
 # 'Borrowed' from: https://github.com/achuchulev/terraform-aws-client-vpn-endpoint/blob/master/main.tf
diff --git a/variables.tf b/variables.tf
@@ -22,6 +22,12 @@ variable "security_groups" {
   default     = null
 }
 
+variable "enable_internet_access" {
+  type        = bool
+  description = "If true, add a route to 0.0.0.0/0 on VPN endpoint route table. Your VPN subnet must also have a route to an Internet Gateway."
+  default     = false
+}
+
 // Authentication
 
 variable "cert_dir" {
