Include var.stage in cert/config naming

Author: joe-niland

main.tf

@@ -1,12 +1,12 @@
 locals {
-  vpn_config_path = "${path.root}/${var.config_dir}/client-config.ovpn"
+  vpn_config_path = "${path.root}/${var.config_dir}/${var.stage}-client-config.ovpn"
 }
 
 // Certs
 // Assume scripts/gen-certs.sh has been run
 resource aws_acm_certificate client {
-  private_key       = file("${path.root}/${var.cert_dir}/client1.${var.cert_domain}.key")
-  certificate_body  = file("${path.root}/${var.cert_dir}/client1.${var.cert_domain}.crt")
+  private_key       = file("${path.root}/${var.cert_dir}/${var.stage}.${var.cert_domain}.key")
+  certificate_body  = file("${path.root}/${var.cert_dir}/${var.stage}.${var.cert_domain}.crt")
   certificate_chain = file("${path.root}/${var.cert_dir}/ca.crt")
 }
 
@@ -60,8 +60,7 @@ resource aws_ec2_client_vpn_authorization_rule ingress-all {
 }
 
 resource aws_ec2_client_vpn_route internet-access {
-  count                  = var.enable_internet_access ? 1 : 0
-  for_each               = toset(var.subnet_ids)
+  for_each               = var.enable_internet_access ? toset(var.subnet_ids) : []
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.default.id
   destination_cidr_block = "0.0.0.0/0"
   target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.default[each.key].subnet_id
@@ -82,7 +81,7 @@ resource null_resource export-client-config {
 
 resource null_resource append-client-config-certs {
   provisioner local-exec {
-    command = "${path.module}/scripts/client-append-cert.sh ${path.root} ${var.cert_dir} ${var.config_dir} ${var.cert_domain}"
+    command = "${path.module}/scripts/client-append-cert.sh ${path.root} ${var.cert_dir} ${var.config_dir} ${var.cert_domain} ${var.stage}"
   }
 
   depends_on = [null_resource.export-client-config]

scripts/client-append-cert.sh

@@ -4,9 +4,10 @@ MODULE_ROOT=$1
 CERT_DIR=$2
 CONFIG_DIR=$3
 DOMAIN=$4
+STAGE=$5
 
 CONFIG_PATH=$MODULE_ROOT/$CONFIG_DIR
-CONFIG_FILE_PATH=$MODULE_ROOT/$CONFIG_DIR/client-config.ovpn
+CONFIG_FILE_PATH=$MODULE_ROOT/$CONFIG_DIR/$STAGE-client-config.ovpn
 CERT_PATH=$MODULE_ROOT/$CERT_DIR
 
 echo $CONFIG_FILE_PATH
@@ -17,14 +18,14 @@ echo $CONFIG_FILE_PATH
 
 RANDOM_STRING=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
 
-cp $CERT_DIR/client1.$DOMAIN.crt $CONFIG_PATH && \
-cp $CERT_DIR/client1.$DOMAIN.key $CONFIG_PATH && \
+cp $CERT_DIR/$STAGE.$DOMAIN.crt $CONFIG_PATH && \
+cp $CERT_DIR/$STAGE.$DOMAIN.key $CONFIG_PATH && \
 [ -f $CONFIG_FILE_PATH ] && { 
     sed -i "s/cvpn-endpoint/$RANDOM_STRING.cvpn-endpoint/g" "$CONFIG_FILE_PATH"
 } && {
     cat<<EOF >> $CONFIG_FILE_PATH
 
-cert client1.$DOMAIN.crt
-key client1.$DOMAIN.key
+cert $STAGE.$DOMAIN.crt
+key $STAGE.$DOMAIN.key
 EOF
 }

scripts/gen-certs.sh

@@ -4,20 +4,21 @@
 
 STORAGE_DIR=$1
 DOMAIN=$2
+STAGE=$3
 
 git clone https://github.com/OpenVPN/easy-rsa.git
 pushd easy-rsa/easyrsa3
 ./easyrsa init-pki
 export EASYRSA_BATCH=1
 ./easyrsa build-ca nopass
 ./easyrsa build-server-full server nopass
-./easyrsa build-client-full client1.$DOMAIN nopass
+./easyrsa build-client-full $STAGE.$DOMAIN nopass
 mkdir -p ../../$STORAGE_DIR
 mv pki/ca.crt ../../$STORAGE_DIR/
 mv pki/issued/server.crt ../../$STORAGE_DIR/
 mv pki/private/server.key ../../$STORAGE_DIR/
-mv pki/issued/client1.$DOMAIN.crt ../../$STORAGE_DIR/
-mv pki/private/client1.$DOMAIN.key ../../$STORAGE_DIR/
+mv pki/issued/$STAGE.$DOMAIN.crt ../../$STORAGE_DIR/
+mv pki/private/$STAGE.$DOMAIN.key ../../$STORAGE_DIR/
 popd
 rm -rf ./easy-rsa
 unset EASYRSA_BATCH