Problem description
We have been trying to get access to the clients that connect to our VPN on AWS.
With SSH, we can connect to the VPN and to the client, but not to the EC2 instances in our public subnet group. We want to connect from an EC2 instance over port 3306 to a database running on the connected client. We are starting to think this is not possible unless we switch to a site-to-site VPN.
Is it possible to set up a Client VPN endpoint in AWS (mutual certificate authentication) so that the clients connected to it can be reached from EC2 instances inside AWS?
Apart from adding route tables, adding authorization and allowing security group access to the subnet, this is the tf-config:
# Private keys: one for the CA, one for the client, one for the server
resource "tls_private_key" "ca_key" {
  algorithm = "RSA"
}
resource "tls_private_key" "client_key" {
  algorithm = "RSA"
}
resource "tls_private_key" "server_key" {
  algorithm = "RSA"
}

# Self-signed CA that signs both the client and the server certificate
resource "tls_self_signed_cert" "ca_cert" {
  is_ca_certificate = true
  key_algorithm     = "RSA"
  private_key_pem   = tls_private_key.ca_key.private_key_pem
  subject {
    common_name  = "My Cert Authority"
    organization = "My,Inc"
  }
  validity_period_hours = 3 * 365 * 24
  allowed_uses = [
    "cert_signing", "crl_signing"
  ]
}

resource "tls_cert_request" "client_request" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.client_key.private_key_pem
  subject {
    common_name  = "my.vpn.client"
    organization = "My,Inc"
  }
}
resource "tls_cert_request" "server_request" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.server_key.private_key_pem
  subject {
    common_name  = "my.vpn.server"
    organization = "My,Inc"
  }
}

# Client certificate (client_auth) signed by the CA above
resource "tls_locally_signed_cert" "client_cert" {
  cert_request_pem   = tls_cert_request.client_request.cert_request_pem
  ca_key_algorithm   = "RSA"
  ca_private_key_pem = tls_private_key.ca_key.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca_cert.cert_pem
  validity_period_hours = 3 * 365 * 24
  allowed_uses = [
    "key_encipherment", "digital_signature", "client_auth"
  ]
}
# Server certificate (server_auth) signed by the same CA
resource "tls_locally_signed_cert" "server_cert" {
  cert_request_pem   = tls_cert_request.server_request.cert_request_pem
  ca_key_algorithm   = "RSA"
  ca_private_key_pem = tls_private_key.ca_key.private_key_pem
  ca_cert_pem        = tls_self_signed_cert.ca_cert.cert_pem
  validity_period_hours = 3 * 365 * 24
  allowed_uses = [
    "key_encipherment", "server_auth"
  ]
}

# Both certificates are imported into ACM so the Client VPN endpoint can reference them
resource "aws_acm_certificate" "server_acm" {
  private_key       = tls_private_key.server_key.private_key_pem
  certificate_body  = tls_locally_signed_cert.server_cert.cert_pem
  certificate_chain = tls_self_signed_cert.ca_cert.cert_pem
  tags              = local.tags
}
resource "aws_acm_certificate" "client_acm" {
  private_key       = tls_private_key.client_key.private_key_pem
  certificate_body  = tls_locally_signed_cert.client_cert.cert_pem
  certificate_chain = tls_self_signed_cert.ca_cert.cert_pem
  tags              = local.tags
}

# Connection logging for the endpoint
resource "aws_cloudwatch_log_group" "vpn_lg" {
  name = "vpn"
  tags = local.tags
}
resource "aws_cloudwatch_log_stream" "vpn_ls" {
  name           = "vpn-usage"
  log_group_name = aws_cloudwatch_log_group.vpn_lg.name
}

# Client VPN endpoint with mutual certificate authentication
resource "aws_ec2_client_vpn_endpoint" "at_vpn" {
  description            = "Terraform created."
  server_certificate_arn = aws_acm_certificate.server_acm.arn
  client_cidr_block      = "172.16.0.0/22"
  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = aws_acm_certificate.client_acm.arn
  }
  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.vpn_lg.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.vpn_ls.name
  }
  tags = local.tags
}

# Associate the endpoint with every public subnet
resource "aws_ec2_client_vpn_network_association" "at_vpn" {
  for_each               = toset(var.public_vpc_subnet_ids)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.at_vpn.id
  subnet_id              = each.key
  lifecycle {
    ignore_changes = [subnet_id] # This is a hack to fix a bug: https://github.com/terraform-providers/terraform-provider-aws/issues/7597
  }
}
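The authorization rule and security group that the question says were added but does not show, as an added Terraform example (not the poster's own config): it scopes the client authorization to the VPC CIDR instead of 0.0.0.0/0 and limits the EC2 side's egress to TCP 3306 toward the endpoint's client address pool. var.vpc_id and var.vpc_cidr are assumed variables; the endpoint, its 172.16.0.0/22 client CIDR and local.tags are the ones from the config above.

```hcl
# Added example, not from the original post. Assumes var.vpc_id and var.vpc_cidr
# exist alongside the resources in the question; the endpoint and its
# 172.16.0.0/22 client CIDR are the ones defined above.

# Authorization rules are CIDR-scoped: authorize only the VPC, not the whole
# internet, so a connected client cannot use the endpoint as a generic exit.
resource "aws_ec2_client_vpn_authorization_rule" "vpc_access" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.at_vpn.id
  target_network_cidr    = var.vpc_cidr
  authorize_all_groups   = true
  description            = "Clients may reach the VPC only"
}

# Ports are enforced by security groups, not by authorization rules.
# This group is attached to the EC2 instance that must reach the database on
# a connected client: egress is limited to TCP 3306 toward the client pool.
resource "aws_security_group" "db_client_egress" {
  name        = "vpn-db-client-egress"
  description = "Allow TCP 3306 egress to Client VPN address pool only"
  vpc_id      = var.vpc_id

  egress {
    description = "MySQL to Client VPN address pool"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = [aws_ec2_client_vpn_endpoint.at_vpn.client_cidr_block]
  }

  tags = local.tags
}
```

The host firewall on the connected client must still accept TCP 3306 from its VPN-assigned address for the connection to complete.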
Solution
No effective solution to this problem has been found yet.