* Open port 80 for Let's encrypt validation to pass. (opsgang#12)

* Move away from the hardcoded 10.0.0.0/8 network range to proper list
* Ammended the documentation with the new option
* Minor variable typo fixed

README.md

@@ -18,13 +18,14 @@ After provisioning, don't forget to run commands below:
 * **ami_id:** Amazon Linux AMI ID
 * **instance_type:** Instance type of the VPN box (t2.small is mostly enough)
 * **whitelist:** List of office IP addresses that you can SSH and non-VPN connected users can reach temporary profile download pages
+* **internal_cidrs:** List of CIDRs that will be whitelisted to access the VPN server internally. _This option replaced the hard-coded 10.0.0.0/8 network range_
 * **tags:** Map of AWS Tag key and values
 * **resource_name_prefix:** All the resources will be prefixed with the value of this variable
 * **healthchecks_io_key:** Health check key for healthchecks.io
 
 # Outputs
 * **vpn_instance_private_ip_address:** Private IP address of the instance
-* **vpn_public_ip_addres:** EIP of the VPN box
+* **vpn_public_ip_address:** EIP of the VPN box
 * **vpn_management_ui:** URL for the management UI
 
 

main.tf

@@ -162,15 +162,23 @@ resource "aws_security_group" "pritunl" {
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
-    cidr_blocks = ["10.0.0.0/8"]
+    cidr_blocks = ["${var.internal_cidrs}"]
   }
 
-  # HTTP access
+  # HTTP access for Let's Encrypt validation
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTPS access
   ingress {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = ["10.0.0.0/8"]
+    cidr_blocks = ["${var.internal_cidrs}"]
   }
 
   # VPN WAN access
@@ -186,7 +194,7 @@ resource "aws_security_group" "pritunl" {
     from_port   = -1
     to_port     = -1
     protocol    = "icmp"
-    cidr_blocks = ["10.0.0.0/8"]
+    cidr_blocks = ["${var.internal_cidrs}"]
   }
 
   # outbound internet access
@@ -212,14 +220,16 @@ resource "aws_security_group" "allow_from_office" {
 
   # SSH access
   ingress {
+    description = "Allow SSH access from select CIDRs"
     from_port   = 22
     to_port     = 22
     protocol    = "tcp"
     cidr_blocks = ["${var.whitelist}"]
   }
 
-  # HTTP access
+  # HTTPS access
   ingress {
+    description = "Allow HTTPS access from select CIDRs"
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
@@ -228,8 +238,9 @@ resource "aws_security_group" "allow_from_office" {
 
   # ICMP
   ingress {
+    description = "Allow ICMPv4 from select CIDRs"
     from_port   = -1
-    to_port     = -1
+    to_port   = -1
     protocol    = "icmp"
     cidr_blocks = ["${var.whitelist}"]
   }

outputs.tf

@@ -2,7 +2,7 @@ output "vpn_instance_private_ip_address" {
   value = "${aws_instance.pritunl.private_ip}"
 }
 
-output "vpn_public_ip_addres" {
+output "vpn_public_ip_address" {
   value = "${aws_eip.pritunl.public_ip}"
 }
 

variables.tf

@@ -16,6 +16,8 @@ variable "ami_id" {
 
 variable "instance_type" {
   description = "Instance type for VPN Box"
+  type        = "string"
+  default     = "t2.micro"
 }
 
 variable "whitelist" {
@@ -37,3 +39,9 @@ variable "healthchecks_io_key" {
   description = "Health check key for healthchecks.io"
   default     = "invalid"
 }
+
+variable "internal_cidrs" {
+  description = "[List] IP CIDRs to whitelist in the pritunl's security group"
+  type        = "list"
+  default     = ["10.0.0.0/8"]
+}