adrianlzt · February 12, 2024 16:17
diff --git a/vpn.tf b/vpn.tf
 # Creamos una CA self-signed para generar los certificados de los clientes VPN
 resource "tls_private_key" "foo-vpn-ca-key" {
  algorithm = "RSA"
  rsa_bits  = 4096
 }

 resource "tls_self_signed_cert" "foo-vpn-ca" {
  private_key_pem = tls_private_key.foo-vpn-ca-key.private_key_pem

  subject {
    common_name  = "${var.product}-${var.environment}"
    organization = "bar"
  }

  # 114 años
  validity_period_hours = 999999

  allowed_uses = [
    "cert_signing",
  ]
 }

 # Convertimos el formato de la clave pública de la CA para que sea compatible con Azure (quitando la cabecera y el pie)
 locals {
  lines                  = split("\n", tls_self_signed_cert.foo-vpn-ca.cert_pem)
  without_first_and_last = slice(local.lines, 1, length(local.lines) - 2)
  ca_no_header_no_footer = join("\n", local.without_first_and_last)
 }

 resource "azurerm_public_ip" "vpn" {
  name                = "${var.product}-${var.environment}-vpn"
  resource_group_name = azurerm_resource_group.foo.name
  location            = var.location
  sku                 = "Standard"
  allocation_method   = "Static"
 }

 resource "azurerm_subnet" "vpn" {
  # El nombre no puede cambiarse, lo require azurerm_virtual_network_gateway
  name                 = "GatewaySubnet"
  virtual_network_name = azurerm_virtual_network.foo.name
  resource_group_name  = azurerm_resource_group.foo.name
  address_prefixes     = ["${var.net-prefix}.100.0/24"]
 }

 resource "azurerm_virtual_network_gateway" "foo" {
  name                = "${var.product}-${var.environment}"
  location            = var.location
  resource_group_name = azurerm_resource_group.foo.name

  type     = "Vpn"
  vpn_type = "RouteBased"

  # https://learn.microsoft.com/es-es/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku
  sku = "VpnGw1"

  ip_configuration {
    name                          = "${var.product}-${var.environment}-vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.vpn.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.vpn.id
  }

  vpn_client_configuration {
    address_space = ["${var.vpn-net}"]

    root_certificate {
      name             = tls_self_signed_cert.foo-vpn-ca.subject[0].common_name
      public_cert_data = local.ca_no_header_no_footer
    }
  }
 }
	# Creamos una CA self-signed para generar los certificados de los clientes VPN
	resource "tls_private_key" "foo-vpn-ca-key" {
	algorithm = "RSA"
	rsa_bits = 4096
	}

	resource "tls_self_signed_cert" "foo-vpn-ca" {
	private_key_pem = tls_private_key.foo-vpn-ca-key.private_key_pem

	subject {
	common_name = "${var.product}-${var.environment}"
	organization = "bar"
	}

	# 114 años
	validity_period_hours = 999999

	allowed_uses = [
	"cert_signing",
	]
	}

	# Convertimos el formato de la clave pública de la CA para que sea compatible con Azure (quitando la cabecera y el pie)
	locals {
	lines = split("\n", tls_self_signed_cert.foo-vpn-ca.cert_pem)
	without_first_and_last = slice(local.lines, 1, length(local.lines) - 2)
	ca_no_header_no_footer = join("\n", local.without_first_and_last)
	}

	resource "azurerm_public_ip" "vpn" {
	name = "${var.product}-${var.environment}-vpn"
	resource_group_name = azurerm_resource_group.foo.name
	location = var.location
	sku = "Standard"
	allocation_method = "Static"
	}

	resource "azurerm_subnet" "vpn" {
	# El nombre no puede cambiarse, lo require azurerm_virtual_network_gateway
	name = "GatewaySubnet"
	virtual_network_name = azurerm_virtual_network.foo.name
	resource_group_name = azurerm_resource_group.foo.name
	address_prefixes = ["${var.net-prefix}.100.0/24"]
	}

	resource "azurerm_virtual_network_gateway" "foo" {
	name = "${var.product}-${var.environment}"
	location = var.location
	resource_group_name = azurerm_resource_group.foo.name

	type = "Vpn"
	vpn_type = "RouteBased"

	# https://learn.microsoft.com/es-es/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku
	sku = "VpnGw1"

	ip_configuration {
	name = "${var.product}-${var.environment}-vnetGatewayConfig"
	public_ip_address_id = azurerm_public_ip.vpn.id
	private_ip_address_allocation = "Dynamic"
	subnet_id = azurerm_subnet.vpn.id
	}

	vpn_client_configuration {
	address_space = ["${var.vpn-net}"]

	root_certificate {
	name = tls_self_signed_cert.foo-vpn-ca.subject[0].common_name
	public_cert_data = local.ca_no_header_no_footer
	}
	}
	}