--- /dev/null
+resource "aws_eip" "vpn" {
+ count = 1
+ vpc = true
+}
+
+resource "aws_security_group" "vpn" {
+ vpc_id = "${var.vpc_id}"
+ name = "${var.name}-vpn"
+ description = "Allow VPN traffic."
+}
+
+resource "aws_security_group_rule" "vpn-out-all" {
+ security_group_id = "${aws_security_group.vpn.id}"
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "all"
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-user" {
+ security_group_id = "${aws_security_group.vpn.id}"
+ type = "ingress"
+ from_port = 1195
+ to_port = 1195
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-bridge" {
+ security_group_id = "${aws_security_group.vpn.id}"
+ type = "ingress"
+ from_port = 1194
+ to_port = 1194
+ protocol = "udp"
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "vpn-in-bastion" {
+ security_group_id = "${aws_security_group.vpn.id}"
+ type = "ingress"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+resource "aws_elb" "default" {
+ count = "${var.vpcaccess_elb}"
+ name = "${var.name}-int-elb"
+ subnets = ["${var.subnet_ids}"]
+ internal = true
+ listener {
+ lb_port = 22
+ lb_protocol = "tcp"
+ instance_port = 22
+ instance_protocol = "tcp"
+ }
+ health_check {
+ healthy_threshold = 3
+ unhealthy_threshold = 2
+ interval = 30
+ timeout = 5
+ target = "TCP:1195"
+ }
+ idle_timeout = 600
+ tags {
+ module = "${var.name}"
+ phase = "${var.environment}"
+ }
+}
+
+module "asg-stack" {
+ source = "../modules/tf_aws_asg_stack"
+ vpc_id = "${var.vpc_id}"
+ acct_name = "${var.acct_name}"
+ notification_arns = ["${var.notification_arns}"]
+ module = "${var.name}"
+ phase = "${var.environment}"
+ instance_type = "${var.instance_type}"
+ key_name = "${var.key_name}"
+ public_ips = true
+ subnet_ids = ["${var.subnet_ids}"]
+ iam_policy_arns = ["${var.role_policy_arns}"]
+ security_group_ids = ["${concat(var.security_group_ids, list(aws_security_group.vpn.id))}"]
+ max_size = 1
+ min_size = 0
+ iam_allow_actions = [
+ "ec2:AssociateAddress",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyNetworkInterfaceAttribute"
+ ]
+ elbs = ["${var.vpcaccess_elb ? aws_elb.default.id : ""}"]
+}
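Review bot: The `vpn-in-bastion` security group rule opens TCP/22 to `0.0.0.0/0`, and since the `asg-stack` module is called with `public_ips = true`, every instance in this group will accept SSH connections from the whole internet, not just VPN traffic. Only the OpenVPN listeners (`vpn-in-bridge` on 1194/udp and `vpn-in-user` on 1195/tcp) need to be world-reachable; the SSH rule should be scoped to an operator range via a new input, e.g. `cidr_blocks = ["${var.ssh_allowed_cidrs}"]` (placeholder name — declare the variable alongside the others), or removed outright given that the internal `aws_elb.default` already forwards port 22 inside the VPC. The `vpn-out-all` egress rule allowing every protocol to `0.0.0.0/0` is also broader than a VPN endpoint needs, though it is the lesser issue. A short comment on the SSH rule explaining who is expected to connect through it would also help the next maintainer judge whether the CIDR is still appropriate.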