Merge pull request #16 from rackspace-infrastructure-automation/MPCSU…

…PENG-894

Terraform 0.12 upgrade

.terraform-version

@@ -0,0 +1 @@
+0.12.17

modules/client/README.md

@@ -1,42 +1,52 @@
-# aws-terraform-vpn/modules/client
-AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network.
+# aws-terraform-vpn/modules/client  
+AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network.  
 With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
 
 ## Basic Usage
 
 ### Client VPN
 ```HCL
 module "vpn1" {
- source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpn//modules/client/?ref=v0.0.4"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpn//modules/client/?ref=v0.12.0"
 
- client_vpn_cidr_block      = "192.168.10.0/24"
- private_subnet_count       = 2
- private_subnets            = [subnet_1, subnet_2]
- root_certificate_chain_arn = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- server_certificate_arn     = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- vpc_id                     = "vpc_id"
+  client_vpn_cidr_block      = "192.168.10.0/24"
+  private_subnet_count       = 2
+  private_subnets            = [subnet_1, subnet_2]
+  root_certificate_chain_arn = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+  server_certificate_arn     = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+  vpc_id                     = "vpc_id"
 
 }
 ```
 
+## Terraform 0.12 upgrade
+
+There should be no changes required to move from previous versions of this module to version 0.12.0 or higher.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 2.1.0 |
+
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|:----:|:-----:|:-----:|
-| alarm\_evaluations | The number of periods over which data is evaluated to monitor VPN connection status. | string | `"10"` | no |
-| alarm\_period | Time the specified statistic is applied. Must be in seconds that is also a multiple of 60. | string | `"60"` | no |
-| client\_vpn\_cidr\_block | Add the IPv4 address range, in CIDR notation, from which to assign client IP Address must be either /16 or /22 address space | string | n/a | yes |
-| environment | The name of the environment, e.g. Production, Development, etc. | string | `"development"` | no |
-| name | The name prefix for the VPN client resources | string | `"vpn-client"` | no |
-| notification\_topic | List of SNS Topic ARNs to use for customer notifications from CloudWatch alarms. (OPTIONAL) | list | `<list>` | no |
-| private\_subnet\_count | Number of private subnets in the VPC | string | `"2"` | no |
-| private\_subnets | List of private subnets | list | n/a | yes |
-| public\_subnet\_count | Number of public subnets in the VPC | string | `"0"` | no |
-| public\_subnets | List of public subnets | list | `<list>` | no |
-| root\_certificate\_chain\_arn | The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). | string | n/a | yes |
-| server\_certificate\_arn | The server certificate ARN. | string | n/a | yes |
-| tags | Custom tags to apply to all resources. | map | `<map>` | no |
-| vpc\_id | VPC ID | string | n/a | yes |
+|------|-------------|------|---------|:-----:|
+| alarm\_evaluations | The number of periods over which data is evaluated to monitor VPN connection status. | `number` | `10` | no |
+| alarm\_period | Time the specified statistic is applied. Must be in seconds that is also a multiple of 60. | `number` | `60` | no |
+| client\_vpn\_cidr\_block | Add the IPv4 address range, in CIDR notation, from which to assign client IP Address must be either /16 or /22 address space | `string` | n/a | yes |
+| environment | The name of the environment, e.g. Production, Development, etc. | `string` | `"development"` | no |
+| name | The name prefix for the VPN client resources | `string` | `"vpn-client"` | no |
+| notification\_topic | List of SNS Topic ARNs to use for customer notifications from CloudWatch alarms. (OPTIONAL) | `list(string)` | `[]` | no |
+| private\_subnet\_count | Number of private subnets in the VPC | `number` | `2` | no |
+| private\_subnets | List of private subnets | `list(string)` | n/a | yes |
+| public\_subnet\_count | Number of public subnets in the VPC | `number` | `0` | no |
+| public\_subnets | List of public subnets | `list(string)` | `[]` | no |
+| root\_certificate\_chain\_arn | The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). | `string` | n/a | yes |
+| server\_certificate\_arn | The server certificate ARN. | `string` | n/a | yes |
+| tags | Custom tags to apply to all resources. | `map(string)` | `{}` | no |
+| vpc\_id | VPC ID | `string` | n/a | yes |
 
 ## Outputs
 

modules/client/examples/examples.tf

@@ -1,5 +1,9 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
 provider "aws" {
-  version = "~> 1.2"
+  version = "~> 2.2"
   region  = "us-west-2"
 }
 
@@ -13,29 +17,30 @@ resource "random_string" "cloudwatch_loggroup_rstring" {
 }
 
 module "vpc" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=master"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_basenetwork//?ref=v0.12.0"
 
-  vpc_name = "Test1VPC"
+  name = "Test1VPC"
 }
 
 ######################
 # Use Client VPN     #
 ######################
 
 data "aws_acm_certificate" "cert" {
-  domain      = "${var.fqdn}"
-  statuses    = ["ISSUED"]
+  domain      = var.fqdn
   most_recent = true
+  statuses    = ["ISSUED"]
 }
 
 module "vpn1" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpn//modules/client/?ref=v0.0.4"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpn//modules/client/?ref=v0.12.0"
 
   client_vpn_cidr_block      = "192.168.8.0/22"
+  name                       = random_string.cloudwatch_loggroup_rstring.result
   private_subnet_count       = 2
-  private_subnets            = "${module.vpc.private_subnets}"
-  root_certificate_chain_arn = "${data.aws_acm_certificate.cert.arn}"
-  server_certificate_arn     = "${data.aws_acm_certificate.cert.arn}"
-  vpc_id                     = "${module.vpc.vpc_id}"
-  name                       = "${random_string.cloudwatch_loggroup_rstring.result}"
+  private_subnets            = module.vpc.private_subnets
+  root_certificate_chain_arn = data.aws_acm_certificate.cert.arn
+  server_certificate_arn     = data.aws_acm_certificate.cert.arn
+  vpc_id                     = module.vpc.vpc_id
 }
+

modules/client/main.tf

@@ -3,116 +3,142 @@
  * AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network.
  * With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
  *
- *## Basic Usage
+ * ## Basic Usage
+ * 
+ * ### Client VPN
+ * ```HCL
+ * module "vpn1" {
+ *   source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpn//modules/client/?ref=v0.12.0"
+ * 
+ *   client_vpn_cidr_block      = "192.168.10.0/24"
+ *   private_subnet_count       = 2
+ *   private_subnets            = [subnet_1, subnet_2]
+ *   root_certificate_chain_arn = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ *   server_certificate_arn     = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ *   vpc_id                     = "vpc_id"
+ * 
+ * }
+ * ```
  *
- *### Client VPN
- *```HCL
- *module "vpn1" {
- *  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpn//modules/client/?ref=v0.0.4"
- *
- *  client_vpn_cidr_block      = "192.168.10.0/24"
- *  private_subnet_count       = 2
- *  private_subnets            = [subnet_1, subnet_2]
- *  root_certificate_chain_arn = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- *  server_certificate_arn     = "arn:aws:acm:REGION:AWS_ACCOUNT:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
- *  vpc_id                     = "vpc_id"
- *
- *}
- *```
+ * ## Terraform 0.12 upgrade
  *
+ * There should be no changes required to move from previous versions of this module to version 0.12.0 or higher.
  */
 
+terraform {
+  required_version = ">= 0.12"
+
+  required_providers {
+    aws = ">= 2.1.0"
+  }
+}
+
 locals {
   tags = {
-    Environment     = "${var.environment}"
+    Environment     = var.environment
     ServiceProvider = "Rackspace"
   }
 }
 
 resource "aws_cloudwatch_log_group" "client_vpn" {
   name = "${var.name}-Client-VPN-lg"
-  tags = "${merge(map("Name", "${var.name}-ClientVpnConnection"), var.tags, local.tags)}"
+
+  tags = merge(
+    var.tags,
+    local.tags,
+    {
+      "Name" = "${var.name}-ClientVpnConnection"
+    },
+  )
 }
 
 resource "aws_cloudwatch_log_stream" "client_vpn" {
+  log_group_name = aws_cloudwatch_log_group.client_vpn.name
   name           = "${var.name}-Client-VPN-ls"
-  log_group_name = "${aws_cloudwatch_log_group.client_vpn.name}"
 }
 
 resource "aws_ec2_client_vpn_endpoint" "client_vpn" {
+  client_cidr_block      = var.client_vpn_cidr_block
   description            = "Client Vpn CIDR block must not overlap users network"
-  server_certificate_arn = "${var.server_certificate_arn}"
-  client_cidr_block      = "${var.client_vpn_cidr_block}"
+  server_certificate_arn = var.server_certificate_arn
 
   authentication_options {
+    root_certificate_chain_arn = var.root_certificate_chain_arn
     type                       = "certificate-authentication"
-    root_certificate_chain_arn = "${var.root_certificate_chain_arn}"
   }
 
   connection_log_options {
+    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name
+    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
     enabled               = true
-    cloudwatch_log_group  = "${aws_cloudwatch_log_group.client_vpn.name}"
-    cloudwatch_log_stream = "${aws_cloudwatch_log_stream.client_vpn.name}"
   }
 }
 
 module "client_vpn_status" {
-  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-cloudwatch_alarm//?ref=v0.0.1"
+  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-cloudwatch_alarm//?ref=v0.12.0"
 
   alarm_description        = "${var.name}-VPN Connection State"
   alarm_name               = "${var.name}-VPN-Status"
   comparison_operator      = "LessThanOrEqualToThreshold"
   customer_alarms_enabled  = true
-  evaluation_periods       = "${var.alarm_evaluations}"
+  evaluation_periods       = var.alarm_evaluations
   metric_name              = "TunnelState"
   namespace                = "AWS/VPN"
-  notification_topic       = "${var.notification_topic}"
-  period                   = "${var.alarm_period}"
+  notification_topic       = var.notification_topic
+  period                   = var.alarm_period
   rackspace_alarms_enabled = false
   statistic                = "Maximum"
-  threshold                = "0"
+  threshold                = 0
 
-  dimensions = [{
-    VpnId = "${aws_ec2_client_vpn_endpoint.client_vpn.id}"
-  }]
+  dimensions = [
+    {
+      VpnId = aws_ec2_client_vpn_endpoint.client_vpn.id
+    },
+  ]
 }
 
 resource "aws_ec2_client_vpn_network_association" "private" {
-  count = "${var.private_subnet_count}"
+  count = var.private_subnet_count
 
-  client_vpn_endpoint_id = "${aws_ec2_client_vpn_endpoint.client_vpn.id}"
-  subnet_id              = "${element(var.private_subnets, count.index)}"
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client_vpn.id
+  subnet_id              = element(var.private_subnets, count.index)
 }
 
 resource "aws_ec2_client_vpn_network_association" "public" {
-  count = "${var.public_subnet_count}"
+  count = var.public_subnet_count
 
-  client_vpn_endpoint_id = "${aws_ec2_client_vpn_endpoint.client_vpn.id}"
-  subnet_id              = "${element(var.public_subnets, count.index)}"
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client_vpn.id
+  subnet_id              = element(var.public_subnets, count.index)
 }
 
 resource "aws_security_group" "client_vpn_security_group" {
-  name_prefix = "${var.name}-ClientVpnSecurityGroup"
   description = "Client VPN Security Group"
-  vpc_id      = "${var.vpc_id}"
+  name_prefix = "${var.name}-ClientVpnSecurityGroup"
+  vpc_id      = var.vpc_id
 
-  ingress {
+  egress {
+    cidr_blocks = ["0.0.0.0/0"]
     from_port   = 0
+    protocol    = "-1"
     to_port     = 0
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
   }
 
-  egress {
+  ingress {
+    cidr_blocks = ["0.0.0.0/0"]
     from_port   = 0
+    protocol    = "tcp"
     to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
   }
 
+  tags = merge(
+    local.tags,
+    {
+      "Name" = "${var.name}-ClientVpnSecurityGroup"
+    },
+  )
+
   lifecycle {
     create_before_destroy = true
   }
-
-  tags = "${merge(local.tags, map("Name", "${var.name}-ClientVpnSecurityGroup"))}"
 }
+

modules/client/outputs.tf

@@ -1,9 +1,10 @@
+output "aws_ec2_client_vpn_endpoint_dns" {
+  description = "client vpn end point DNS"
+  value       = aws_ec2_client_vpn_endpoint.client_vpn.dns_name
+}
+
 output "aws_ec2_client_vpn_endpoint_id" {
   description = "client vpn end point id"
-  value       = "${aws_ec2_client_vpn_endpoint.client_vpn.id}"
+  value       = aws_ec2_client_vpn_endpoint.client_vpn.id
 }
 
-output "aws_ec2_client_vpn_endpoint_dns" {
-  description = "client vpn end point DNS"
-  value       = "${aws_ec2_client_vpn_endpoint.client_vpn.dns_name}"
-}