cloudposse / terraform-aws-ec2-client-vpn

https://cloudposse.com/accelerate
Apache License 2.0
45 stars, 28 forks

Cannot enable logging #54

Closed ZeroDeth closed 1 year ago

ZeroDeth commented 1 year ago


Describe the Bug


Terraform complains when enabling logging:

Error: "name" isn't a valid log group name (alphanumeric characters, underscores, hyphens, slashes, hash signs and dots are allowed): ""

 with module.client_vpn_endpoint.module.cloudwatch_log.aws_cloudwatch_log_group.default[0],
 on .terraform/modules/client_vpn_endpoint.cloudwatch_log/main.tf line 17, in resource "aws_cloudwatch_log_group" "default":
 17:   name              = module.log_group_label.id


Screenshots


module "client_vpn_endpoint" {
  source  = "registry.terraform.io/cloudposse/ec2-client-vpn/aws"
  version = "0.13.0"

  #  source  = "registry.terraform.io/MonoidDev/ec2-client-vpn/aws"
  #  version = "0.12.7"

  enabled = local.create_ec2_client_vpn

  ca_common_name = "vpn.shr.xxx.io"
  #  root_common_name   = "vpn-client.shr.xxx.io"
  server_common_name = "vpn-server.shr.xxx.io"

  client_cidr         = "10.11.0.0/22"
  organization_name   = "Sherif"
  logging_enabled     = true
  logging_stream_name = "VPN"
  retention_in_days   = "90"
  vpc_id              = module.vpc_0.vpc_id
  associated_subnets  = module.vpc_0.private_subnets
  # allowed_cidr_blocks           = []
  authorization_rules = [
    {
      name                 = "PlatformTeam-DEV"
      authorize_all_groups = true
      description         = "Platform Team to DEV"
      target_network_cidr = "10.30.0.0/16"
    }
  ]

  additional_routes = [
    {
      destination_cidr_block = "10.30.0.0/16"
      description            = "dev-aft-01"
      target_vpc_subnet_id   = module.vpc_0.private_subnets[0]
    },
    {
      destination_cidr_block = "10.30.0.0/16"
      description            = "dev-aft-01"
      target_vpc_subnet_id   = module.vpc_0.private_subnets[1] #Working Subnet
    },
    {
      destination_cidr_block = "10.30.0.0/16"
      description            = "dev-aft-01"
      target_vpc_subnet_id   = module.vpc_0.private_subnets[2]
    }
  ]

  # associated_security_group_ids  = []
  create_security_group          = true
  export_client_certificate      = true
  split_tunnel                   = true
  dns_servers                    = ["1.1.1.1", "8.8.8.8"] # Public DNS
  authentication_type            = "federated-authentication"
  saml_provider_arn              = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:saml-provider/aws-client-vpn"
  self_service_saml_provider_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:saml-provider/aws-client-vpn-self-service"
  self_service_portal_enabled    = true
  session_timeout_hours          = "8"

  tags = local.tags_vpn
}


ZeroDeth commented 1 year ago

Tried creating a new resource:

resource "aws_cloudwatch_log_group" "client_vpn_cw" {
  name = "endpoint"

  tags = local.tags_vpn
}
resource "aws_cloudwatch_log_stream" "client_vpn_stream" {
  name           = "vpn"
  log_group_name = aws_cloudwatch_log_group.client_vpn_cw.name
}

Still cannot enable logging, even after creating a new stream: logging_stream_name = aws_cloudwatch_log_stream.client_vpn_stream.name

joe-niland commented 1 year ago

The Cloud Posse modules assume use of context.tf (which means the namespace, stage, name, etc. variables will normally be defined), so in this case module "log_group_label" has nothing set.

You can set the variables namespace, stage, name, etc., or you can use context.tf or the null-label module in your own project and set them there, then pass the module reference into module "ec2_client_vpn" via the context variable.

The example shows how to use context.tf.
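The fix joe-niland describes, written out as an added example (not code from the issue or from the module's own examples): a null-label module supplies namespace/stage/name, and its context is passed into the VPN module so module.log_group_label produces a non-empty log group name. The registry path `cloudposse/label/null`, the pinned label version, and the label values are assumptions; the VPN module arguments are the ones from the reporter's configuration.

```hcl
# Assumed: the Cloud Posse null-label module from the Terraform registry.
# Setting namespace/stage/name here gives every nested label in the VPN
# module (including log_group_label) the inputs it needs to build an id.
module "vpn_label" {
  source  = "cloudposse/label/null"
  version = "0.25.0" # assumed version; pin whatever release you validate

  namespace = "xxx"        # assumed value
  stage     = "shr"        # assumed value
  name      = "client-vpn" # assumed value
}

module "client_vpn_endpoint" {
  source  = "registry.terraform.io/cloudposse/ec2-client-vpn/aws"
  version = "0.13.0"

  # Passing the label context is what populates module.log_group_label.id.
  # Without it (or without setting namespace/stage/name directly on this
  # module) the CloudWatch log group name is "" and the apply fails.
  context = module.vpn_label.context

  enabled = local.create_ec2_client_vpn

  ca_common_name     = "vpn.shr.xxx.io"
  server_common_name = "vpn-server.shr.xxx.io"
  organization_name  = "Sherif"

  client_cidr        = "10.11.0.0/22"
  vpc_id             = module.vpc_0.vpc_id
  associated_subnets = module.vpc_0.private_subnets

  # Connection logging: keep it enabled so VPN session events land in
  # CloudWatch Logs where they can be retained, searched and alerted on.
  logging_enabled     = true
  logging_stream_name = "VPN"
  retention_in_days   = 90

  authentication_type            = "federated-authentication"
  saml_provider_arn              = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:saml-provider/aws-client-vpn"
  self_service_saml_provider_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:saml-provider/aws-client-vpn-self-service"
  self_service_portal_enabled    = true
  session_timeout_hours          = 8
  split_tunnel                   = true
  create_security_group          = true
  export_client_certificate      = true

  tags = local.tags_vpn
}
```

Setting namespace, stage and name directly on module "client_vpn_endpoint" instead of passing context has the same effect, as the comment above notes.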