Terraform module which creates Client VPN Endpoint resources on AWS.
These type of resources are supported:
Terraform 0.12 and newer.
Name | Version |
---|---|
terraform | >= 0.12 |
aws | >= 2.49 |
bash |
This project is using terraform to deploy infrastructure, you can download it here: https://learn.hashicorp.com/tutorials/terraform/install-cli
$ cd ./tf
$ terraform init
$ terraform plan
$ terraform apply
You may need to add execution permission :
chmod u+x .terraform/modules/client_vpn/scripts/*
$ terraform destroy
module "client_vpn" {
source = "github.com/trackit/terraform-aws-client-vpn?ref=v0.2.0"
region = "us-east-1"
env = "production"
cert_issuer = "mycompany.internal"
cert_server_name = "mycompany"
aws_tenant_name = "aws"
clients = ["client"]
subnet_id = "subnet-12345678"
client_cidr_block = "10.250.0.0/16"
target_cidr_block = "10.0.0.0/16"
vpn_name = "My VPN Endpoint"
client_auth = "federated-authentication"
saml_provider_arn = "arn:12345678"
}
module "client_vpn" {
source = "github.com/trackit/terraform-aws-client-vpn?ref=v0.2.0"
region = "us-east-1"
env = "production"
cert_issuer = "mycompany.internal"
cert_server_name = "mycompany"
aws_tenant_name = "aws"
clients = ["client"]
subnet_id = "subnet-12345678"
client_cidr_block = "10.250.0.0/16"
target_cidr_block = "10.0.0.0/16"
vpn_name = "My VPN Endpoint"
client_auth = "certificate-authentication"
}
Name | Description | Type | Default |
---|---|---|---|
region | Region to work on. | string | |
env | The environment (e.g. prod, dev, stage) | string | "prod" |
clients | A list of client certificate name | list(string) | ["client"] |
cert_issuer | Common Name for CA Certificate | list(string) | "CA" |
cert_server_name | Name for the Server Certificate | string | "Server" |
aws_tenant_name | Name for the AWS Tenant | string | "AWS" |
key_save_folder | Where to store keys (relative to pki folder) | string | "clientvpn_keys" |
subnet_id | The subnet ID to which we need to associate the VPN Client Connection. | string | |
target_cidr_block | The CIDR block to wich the client will have access to. Might be VPC CIDR's block for example. | string | |
dns_servers | Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. | list(string) | null |
vpn_name | The name of the VPN Client Connection. | string | "VPN" |
cloudwatch_enabled | Indicates whether connection logging is enabled. | bool | true |
cloudwatch_log_group | The name of the cloudwatch log group. | string | vpn_endpoint_cloudwatch_log_group |
cloudwatch_log_stream | The name of the cloudwatch log stream. | string | vpn_endpoint_cloudwatch_log_stream |
aws_cli_profile_name | The name of the aws cli profile used in scripts | string | default |
client_auth | the type of client authentication to be used : certificate-authentication / directory-service-authentication / federated-authentication | string | certificate-authentication |
active_directory_id | The ID of the Active Directory to be used for authentication if type is directory-service-authentication | string | null |
root_certificate_chain_arn | The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to certificate-authentication. | string | null |
saml_provider_arn | The ARN of the IAM SAML identity provider if type is federated-authentication | string | null |
Name | Description |
---|---|
kms_sops_arn | |
decrypt_command | Output of the decrypt script |
encrypt_command | Output of the encrypt script |
server_certificate_arn | The ARN of the generated Server Certificate |
env | Environment variable |
pki_folder_name | Generated certificate folder |
client_vpn_endpoint_id | The ID of the Client VPN endpoint. |
client_vpn_endpoint_arn | The ARN of the Client VPN endpoint. |
client_vpn_endpoint_dns_name | The DNS name to be used by clients when establishing their VPN session. |
client_vpn_endpoint_status | The current state of the Client VPN endpoint. |
resource "aws_ec2_client_vpn_endpoint" "client_vpn" {
depends_on = [aws_acm_certificate.server_cert]
description = var.vpn_name
server_certificate_arn = aws_acm_certificate.server_cert.arn
client_cidr_block = var.client_cidr_block
split_tunnel = true
dns_servers = var.dns_servers
lifecycle {
ignore_changes = [server_certificate_arn, authentication_options]
}
authentication_options {
type = var.client_auth
active_directory_id = var.active_directory_id
root_certificate_chain_arn = var.root_certificate_chain_arn
saml_provider_arn = var.saml_provider_arn
}
connection_log_options {
enabled = var.cloudwatch_enabled
cloudwatch_log_group = aws_cloudwatch_log_group.client_vpn.name
cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
}
provisioner "local-exec" {
environment = merge(local.provisioner_base_env, {
"CLIENT_VPN_ID" = self.id
})
command = "${path.module}/scripts/authorize_client.sh"
}
tags = {
Name = var.vpn_name
}
}