AWSTemplateFormatVersion: "2010-09-09"

Description: This template provisions Client VPN Resources

Parameters:
  ClientCidrBlock:
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28

  ServerCertificateArn:
    Description: Specify Server Cert Arn for VPN endpoint.
    Type: String

  ClientCertificateArn:
    Description: Specify Client Cert Arn for VPN endpoint.
    Type: String

  SubnetID:
    Description: The ID of the subnet to associate with the Client VPN endpoint.
    Type: String

  TargetNetworkCidr:
    Description: The IPv4 address range, in CIDR notation, of the network for which access is being authorized.
    Type: String
    AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$
    ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-28

  VPC:
    Description: The ID of the VPC to associate with the Client VPN endpoint.
    Type: String

Resources:
  ClientVpnEndpoint:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      AuthenticationOptions:
        - MutualAuthentication:
            ClientRootCertificateChainArn: !Ref ClientCertificateArn
          Type: certificate-authentication
      ClientCidrBlock: !Ref ClientCidrBlock
      ConnectionLogOptions:
        Enabled: false
      Description: Client VPN to connect to instances in Private Subnet 1
      ServerCertificateArn: !Ref ServerCertificateArn
      VpcId: !Ref VPC
      SecurityGroupIds:
        - !Ref VPNSecurityGroup
      TagSpecifications:
        - ResourceType: client-vpn-endpoint
          Tags:
            - Key: Name
              Value: VFX-ClientVPN

  VpnEndpointTargetNetworkAssociation:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      SubnetId: !Ref SubnetID

  VpnEndpointAuthorizationRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      AuthorizeAllGroups: true
      Description: Allow access to VFX Host subnet.
      TargetNetworkCidr: !Ref TargetNetworkCidr

  InternetAuthRule:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      AuthorizeAllGroups: true
      TargetNetworkCidr: 0.0.0.0/0
      Description: Allow access to internet

  InternetRoute:
    Type: AWS::EC2::ClientVpnRoute
    DependsOn: VpnEndpointTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpnEndpoint
      TargetVpcSubnetId: !Ref SubnetID
      DestinationCidrBlock: 0.0.0.0/0
      Description: Route to the internet

  VPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: Security Group for VPN Clients
      GroupDescription: This security group is attached to the Client VPN Endpoint.
      VpcId: !Ref VPC

  VPNHostSecurityGroupIngress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref VPNSecurityGroup
      IpProtocol: "-1"
      SourceSecurityGroupId: !Ref VPNSecurityGroup

Outputs:
  VPNSecurityGroupID:
    Description: VPN Security Group ID
    Value: !GetAtt VPNSecurityGroup.GroupId

  ClientVpnEndpointID:
    Value: !Ref ClientVpnEndpoint