Github actions update

DNS resolver endpoint security group fix

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,8 @@
+## What
+* Describe what changes your commits have made.
+
+## Why
+* Describe why you have made these changes.
+
+## References
+* Use `closes #123`, if this PR closes a GitHub issue `#123`

.github/auto-release.yml

@@ -0,0 +1,44 @@
+name-template: "v$RESOLVED_VERSION"
+tag-template: "$RESOLVED_VERSION"
+version-template: "$MAJOR.$MINOR.$PATCH"
+version-resolver:
+  major:
+    labels:
+      - "major"
+  minor:
+    labels:
+      - "minor"
+      - "enhancement"
+  patch:
+    labels:
+      - "auto-update"
+      - "patch"
+      - "fix"
+      - "bugfix"
+      - "bug"
+      - "hotfix"
+      - "no-release"
+  default: "minor"
+
+categories:
+  - title: "🚀 Enhancements"
+    labels:
+      - "enhancement"
+      - "patch"
+  - title: "🐛 Bug Fixes"
+    labels:
+      - "fix"
+      - "bugfix"
+      - "bug"
+      - "hotfix"
+  - title: "🤖 Automatic Updates"
+    labels:
+      - "auto-update"
+
+change-template: |
+  <details>
+    <summary>$TITLE @$AUTHOR (#$NUMBER)</summary>
+    $BODY
+  </details>
+template: |
+  $CHANGES

.github/workflows/format.yml

@@ -0,0 +1,31 @@
+name: Format
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    container: blackbird-cloud/terraform-toolkit:latest
+    steps:
+      - uses: actions/checkout@v2
+        if: github.event.pull_request.state == 'open'
+        name: Privileged Checkout
+        with:
+          token: ${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Validate and Format
+        if: github.event.pull_request.state == 'open'
+        shell: sh
+        env:
+          GITHUB_TOKEN: "${{ secrets.PUBLIC_REPO_ACCESS_TOKEN }}"
+        run:
+          - terraform init -backend=false
+          - terraform validate
+          - terraform fmt
+
+      - uses: EndBug/add-and-commit@v9
+        with:
+          default_author: github_actions

README.md

@@ -9,13 +9,14 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.60.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_sg"></a> [sg](#module\_sg) | terraform-aws-modules/security-group/aws | 4.8.0 |
+| <a name="module_resolver_sg"></a> [resolver\_sg](#module\_resolver\_sg) | terraform-aws-modules/security-group/aws | 4.17.1 |
+| <a name="module_sg"></a> [sg](#module\_sg) | terraform-aws-modules/security-group/aws | 4.17.1 |
 
 ## Resources
 
@@ -30,6 +31,7 @@
 | [aws_iam_saml_provider.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 | [aws_iam_saml_provider.vpn_portal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 | [aws_route53_resolver_endpoint.vpn_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
+| [aws_vpc.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
@@ -45,7 +47,6 @@
 | <a name="input_server_certificate_arn"></a> [server\_certificate\_arn](#input\_server\_certificate\_arn) | ARN of the ACM certificate the server will use. | `string` | n/a | yes |
 | <a name="input_split_tunnel"></a> [split\_tunnel](#input\_split\_tunnel) | To split the VPN tunnel, or not, defaults to false | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) Map of resource tags for all AWS resources. If configured with a provider default\_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. | `map(string)` | `{}` | no |
-| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | CIDR Block used to create the VPC that hosts the VPN. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID For the VPN SG | `string` | n/a | yes |
 | <a name="input_vpn_portal_saml_metadata"></a> [vpn\_portal\_saml\_metadata](#input\_vpn\_portal\_saml\_metadata) | VPN SelfService Portal XML document generated by an identity provider that supports SAML 2.0. | `string` | n/a | yes |
 | <a name="input_vpn_saml_metadata"></a> [vpn\_saml\_metadata](#input\_vpn\_saml\_metadata) | VPN XML document generated by an identity provider that supports SAML 2.0. | `string` | n/a | yes |
@@ -54,5 +55,7 @@
 
 | Name | Description |
 |------|-------------|
-| <a name="output_security_group"></a> [security\_group](#output\_security\_group) | n/a |
-| <a name="output_vpn"></a> [vpn](#output\_vpn) | n/a |
+| <a name="output_aws_route53_resolver_endpoint"></a> [aws\_route53\_resolver\_endpoint](#output\_aws\_route53\_resolver\_endpoint) | The Route53 DNS resolver endpoint. |
+| <a name="output_resolver_security_group"></a> [resolver\_security\_group](#output\_resolver\_security\_group) | The AWS security group used to controll ingress traffic to the Route 53 DNS resolver endpoint. |
+| <a name="output_security_group"></a> [security\_group](#output\_security\_group) | The AWS security group used to controll ingress traffic to the Client VPN self-service-portal. |
+| <a name="output_vpn"></a> [vpn](#output\_vpn) | The Client VPN endpoint. |

main.tf

@@ -1,6 +1,11 @@
+data "aws_vpc" "selected" {
+  id = var.vpc_id
+}
+
 locals {
+  vpc_cidr_block = data.aws_vpc.selected.cidr_block
   routes = distinct(compact([
-    for auth_rule in var.auth_rules : auth_rule.cidr != var.vpc_cidr_block ? auth_rule.cidr : null
+    for auth_rule in var.auth_rules : auth_rule.cidr != local.vpc_cidr_block ? auth_rule.cidr : null
   ]))
   routes_per_subnet = toset(
     flatten(
@@ -31,7 +36,7 @@ locals {
 
 module "sg" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "4.8.0"
+  version = "4.17.1"
 
   vpc_id      = var.vpc_id
   name        = "${var.name}-sg"
@@ -151,12 +156,38 @@ resource "aws_ec2_client_vpn_authorization_rule" "internet" {
   description            = "internet"
 }
 
+module "resolver_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "4.17.1"
+
+  vpc_id      = var.vpc_id
+  name        = "${var.name}-dns-resolver"
+  description = "Security group for ${var.name} VPN"
+  ingress_with_cidr_blocks = [
+    {
+      from_port   = 53
+      to_port     = 53
+      protocol    = "tcp"
+      description = "DNS TCP"
+      cidr_blocks = "${var.client_cidr_block},${local.vpc_cidr_block}"
+    },
+    {
+      from_port   = 53
+      to_port     = 53
+      protocol    = "udp"
+      description = "DNS UDP"
+      cidr_blocks = "${var.client_cidr_block},${local.vpc_cidr_block}"
+    }
+  ]
+  tags = var.tags
+}
+
 # https://aws.amazon.com/premiumsupport/knowledge-center/client-vpn-how-dns-works-with-endpoint/
 # https://docs.aws.amazon.com/vpn/latest/clientvpn-user/linux-troubleshooting.html
 resource "aws_route53_resolver_endpoint" "vpn_dns" {
-  name               = "${var.name}-dns-access"
+  name               = "${var.name}-dns-resolver"
   direction          = "INBOUND"
-  security_group_ids = [module.sg.security_group_id]
+  security_group_ids = [module.resolver_sg.security_group_id]
 
   dynamic "ip_address" {
     for_each = { for subnet in var.private_subnets : subnet => subnet }

outputs.tf

@@ -1,7 +1,19 @@
 output "security_group" {
-  value = module.sg
+  description = "The AWS security group used to controll ingress traffic to the Client VPN self-service-portal."
+  value       = module.sg
 }
 
 output "vpn" {
-  value = aws_ec2_client_vpn_endpoint.vpn
+  description = "The Client VPN endpoint."
+  value       = aws_ec2_client_vpn_endpoint.vpn
+}
+
+output "resolver_security_group" {
+  description = "The AWS security group used to controll ingress traffic to the Route 53 DNS resolver endpoint."
+  value       = module.resolver_sg
+}
+
+output "aws_route53_resolver_endpoint" {
+  description = "The Route53 DNS resolver endpoint."
+  value       = aws_route53_resolver_endpoint.vpn_dns
 }

variables.tf

@@ -41,11 +41,6 @@ variable "cloudwatch_log_stream_name" {
   default     = ""
 }
 
-variable "vpc_cidr_block" {
-  type        = string
-  description = "CIDR Block used to create the VPC that hosts the VPN."
-}
-
 variable "auth_rules" {
   type = list(object({
     cidr        = string