Merge pull request #25 from sourcefuse/feature/site-to-site-vpn

Feature - Site to Site VPN

Author: vijay-stephen

.github/workflows/snyk.yaml

@@ -0,0 +1,38 @@
+---
+name: snyk
+
+on:                 # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - "**"        # matches every branch
+      - "!main"     # excludes main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    name: snyk
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: Vulnerability scan
+        uses: snyk/actions/iac@master
+        with:
+          command: monitor
+          args: --severity-threshold=low
+
+      - name: Set up Node 18
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: install Snyk CLI
+        run: npm install -g snyk
+
+      - name: snyk monitor
+        run: snyk iac test --report --severity-threshold=medium
+        env:
+          SNYK_TOKEN: ${{ secrets.ARC_SNYK_TOKEN }}

.github/workflows/tflint.yml

@@ -33,25 +33,3 @@ jobs:
 
       - name: Run tflint
         run: tflint -f compact
-
-  security:
-    runs-on: ubuntu-latest
-    name: snyk
-    steps:
-      - name: checkout
-        uses: actions/checkout@v2
-      - name: Vulnerability scan
-        uses: snyk/actions/iac@master
-        with:
-          command: monitor
-          args: --severity-threshold=low
-      - name: Set up Node 18
-        uses: actions/setup-node@v3
-        with:
-          node-version: 18
-      - name: install Snyk CLI
-        run: npm install -g snyk
-      - name: snyk monitor
-        run: snyk iac test --report
-        env:
-          SNYK_TOKEN: ${{ secrets.ARC_SNYK_TOKEN }}

README.md

@@ -69,7 +69,8 @@ For a list of outputs, see the README [Outputs](https://github.com/sourcefuse/te
 
 ### Basic Usage
 
-For basic usage, see the [example](https://github.com/sourcefuse/terraform-aws-arc-vpn/tree/main/example) folder.
+#### Client VPN
+For basic Client VPN usage, see the [example](https://github.com/sourcefuse/terraform-aws-arc-vpn/tree/main/examples/client-vpn) folder.
 
 This example will create:
 
@@ -93,7 +94,7 @@ This example will create:
 
 The VPN setup allows users to securely connect to the AWS VPC from anywhere, using the created client VPN. The self-signed certificates are used to authenticate the users.
 
-### How to create AWS Client VPN file
+##### How to create AWS Client VPN file
 - Download and install AWS Client VPN Application [download](https://aws.amazon.com/vpn/client-vpn-download/)
 - Download the AWS Client VPN Configuration File
 	- Navigate to `VPC` > `Client VPN endpoints`
@@ -110,12 +111,29 @@ The VPN setup allows users to securely connect to the AWS VPC from anywhere, usi
 		Copy from SSM PARAM self-signed-cert-ca.key
 	</key>
 	```
+#### Site to Site VPN
+For basic Site to Site VPN usage, see the [example](https://github.com/sourcefuse/terraform-aws-arc-vpn/tree/main/examples/site-to-site-vpn) folder.
 
+This example will create:
 
+- Customer Gateway (AWS Customer Gateway Resource)
+	- Represents the on-premises customer gateway device.
+	- Configured with BGP ASN, IP address, and optional certificate.
+- VPN Gateway (AWS Virtual Private Gateway Resource)
+	- An AWS-side gateway for the VPN connection, attached to a specified VPC.
+	- Optionally configured with Amazon-side ASN and availability zone.
+VPN Connection (AWS VPN Connection Resource)
+	- Establishes the encrypted IPsec VPN tunnel between the customer gateway and VPN gateway (or Transit Gateway).
+	- Supports configurations for static or BGP routing, encryption algorithms, and logging.
+	- Tunnel configurations (e.g., inside CIDR, pre-shared keys, encryption and integrity algorithms) are managed for two tunnels (primary and secondary).
+    - The module can create a connection to an existing Transit Gateway instead of a VPN Gateway.
+Logs and Monitoring
+	- Enables detailed logging for the tunnels (e.g., CloudWatch logs) with configurable retention periods and output formats.
 
 ### Tips and Recommendations
 
-To authenticate the AWS Client VPN, integration with Active Directory (AD) is possible.
+
+To authenticate AWS Client VPN, integration with Active Directory (AD) is supported. This allows user authentication via AD credentials, enhancing security and centralizing access control within your organization's existing infrastructure.
 
 ## Troubleshooting
 

docs/module-usage-guide/README.md

@@ -21,7 +21,7 @@
 | <a name="module_self_signed_cert_ca"></a> [self\_signed\_cert\_ca](#module\_self\_signed\_cert\_ca) | git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git | 1.3.0 |
 | <a name="module_self_signed_cert_root"></a> [self\_signed\_cert\_root](#module\_self\_signed\_cert\_root) | git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git | 1.3.0 |
 | <a name="module_tags"></a> [tags](#module\_tags) | sourcefuse/arc-tags/aws | 1.2.3 |
-| <a name="module_vpn"></a> [vpn](#module\_vpn) | sourcefuse/arc-vpn/aws | 1.0.0 |
+| <a name="module_vpn"></a> [vpn](#module\_vpn) | ../../ | n/a |
 
 ## Resources
 

example/.terraform-version renamed to examples/client-vpn/.terraform-version

@@ -140,30 +140,42 @@ module "self_signed_cert_root" {
 ## vpn
 ################################################################################
 module "vpn" {
-  source  = "sourcefuse/arc-vpn/aws"
-  version = "1.0.0" # pin the correct version
-
-  vpc_id = data.aws_vpc.this.id
-
-  authentication_options_type                       = "certificate-authentication"
-  authentication_options_root_certificate_chain_arn = module.self_signed_cert_root.certificate_arn
-
-  ## access
-  client_vpn_authorize_all_groups = true
-  client_vpn_subnet_ids           = data.aws_subnets.private.ids
-  client_vpn_target_network_cidr  = data.aws_vpc.this.cidr_block
-
-  ## self signed certificate
-  create_self_signed_server_cert             = true
-  self_signed_server_cert_server_common_name = "${var.namespace}-${var.environment}.arc-vpn-example.client"
-  self_signed_server_cert_organization_name  = var.namespace
-  self_signed_server_cert_ca_pem             = module.self_signed_cert_ca.certificate_pem
-  self_signed_server_cert_private_ca_key_pem = join("", data.aws_ssm_parameter.ca_key[*].value)
-
-  ## client vpn
-  client_cidr             = cidrsubnet(data.aws_vpc.this.cidr_block, 6, 1)
-  client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn-example"
-  client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway-example"
+  source = "../../"
+  #version = "1.0.0" # pin the correct version
+
+  name        = "poc-dev-client-vpn-example"
+  namespace   = "poc"
+  environment = "dev"
+  vpc_id      = data.aws_vpc.this.id
+
+  client_vpn_config = {
+
+    client_cidr_block = cidrsubnet(data.aws_vpc.this.cidr_block, 6, 1)
+    self_signed_cert_data = {
+      create             = true
+      secret_path_format = "/%s.%s"
+      server_common_name = "${var.namespace}-${var.environment}.arc-vpn-example.client"
+      organization_name  = var.namespace
+      ca_pem             = module.self_signed_cert_ca.certificate_pem
+      private_ca_key_pem = data.aws_ssm_parameter.ca_key.value
+    }
+    authentication_options = [
+      {
+        root_certificate_chain_arn = module.self_signed_cert_root.certificate_arn
+        type                       = "certificate-authentication"
+      }
+    ]
+    authorization_options = {
+      "auth-1" = {
+        target_network_cidr  = data.aws_vpc.this.cidr_block
+        access_group_id      = null
+        authorize_all_groups = true
+      }
+    }
+
+    split_tunnel = true
+    subnet_ids   = data.aws_subnets.private.ids
+  }
 
   tags = module.tags.tags
 }