Skip to content

terraform-aws-arc-vpn

Latest Release Last Updated Terraform GitHub Actions

Quality gate

Snyk

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing a Client VPN.

For more information about this repository and its usage, please see Terraform AWS ARC CloudFront Usage Guide.

Usage

To see a full example, check out the main.tf file in the example folder.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
module "this" {
  source  = "sourcefuse/arc-vpn/aws"
  version = "1.0.0"
  vpc_id = data.aws_vpc.this.id

  authentication_options_type                       = "certificate-authentication"
  authentication_options_root_certificate_chain_arn = module.self_signed_cert_root.certificate_arn

  ## access
  client_vpn_authorize_all_groups = true
  client_vpn_subnet_ids           = data.aws_subnets.private.ids
  client_vpn_target_network_cidr  = data.aws_vpc.this.cidr_block

  ## self signed certificate
  create_self_signed_server_cert             = true
  self_signed_server_cert_server_common_name = "${var.namespace}-${var.environment}.arc-vpn-example.client"
  self_signed_server_cert_organization_name  = var.namespace
  self_signed_server_cert_ca_pem             = module.self_signed_cert_ca.certificate_pem
  self_signed_server_cert_private_ca_key_pem = join("", data.aws_ssm_parameter.ca_key[*].value)

  ## client vpn
  client_cidr             = cidrsubnet(data.aws_vpc.this.cidr_block, 6, 1)
  client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn-example"
  client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway-example"

  tags = module.tags.tags
}

Requirements

Name Version
terraform >= 1.3, < 2.0.0
aws >= 4.0

Providers

Name Version
aws 5.11.0

Modules

Name Source Version
self_signed_cert git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git 1.3.0

Resources

Name Type
aws_ec2_client_vpn_authorization_rule.this resource
aws_ec2_client_vpn_endpoint.this resource
aws_ec2_client_vpn_network_association.this resource
aws_iam_saml_provider.this resource
aws_security_group.vpn resource
aws_vpn_gateway.this resource

Inputs

Name Description Type Default Required
authentication_options_active_directory_id The ID of the Active Directory to be used for authentication if type is directory-service-authentication. string null no
authentication_options_root_certificate_chain_arn The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to certificate-authentication. string null no
authentication_options_saml_provider_arn The ARN of the IAM SAML identity provider if type is federated-authentication. string null no
authentication_options_self_service_saml_provider_arn The ARN of the IAM SAML identity provider for the self service portal if type is federated-authentication. string null no
authentication_options_type The type of client authentication to be used.
Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication,
or federated-authentication to use Federated Authentication via SAML 2.0.		 string n/a yes
client_cidr The IPv4 address range, in CIDR notation, from which to assign client IP addresses. string n/a yes
client_server_certificate_arn The ARN of the ACM server certificate. string null no
client_server_transport_protocol The transport protocol to be used by the VPN session. string "tcp" no
client_vpn_access_group_id The ID of the group to which the authorization rule grants access. One of access_group_id or authorize_all_groups must be set. string null no
client_vpn_additional_security_group_ids Additional IDs of security groups to add to the target network. list(string) [] no
client_vpn_authorize_all_groups Indicates whether the authorization rule grants access to all clients. One of access_group_id or authorize_all_groups must be set. bool true no
client_vpn_egress_rules Egress rules for the security groups. 
list(object({
    description        = optional(string, "")
    from_port          = number
    to_port            = number
    protocol           = any
    cidr_blocks        = optional(list(string), [])
    security_group_ids = optional(list(string), [])
    ipv6_cidr_blocks   = optional(list(string), [])
  }))
 
[
  {
    "cidr_blocks": [
      "0.0.0.0/0"
    ],
    "description": "VPN egress to internet",
    "from_port": 0,
    "protocol": -1,
    "to_port": 0
  }
]
 no
client_vpn_gateway_name The name of the client vpn gateway. string n/a yes
client_vpn_ingress_rules Ingress rules for the security groups. 
list(object({
    description        = optional(string, "")
    from_port          = number
    to_port            = number
    protocol           = any
    cidr_blocks        = optional(list(string), [])
    security_group_ids = optional(list(string), [])
    ipv6_cidr_blocks   = optional(list(string), [])
  }))
 
[
  {
    "description": "VPN ingress to 443",
    "from_port": 443,
    "protocol": "tcp",
    "to_port": 443
  }
]
 no
client_vpn_log_options Whether logging is enabled and where to send the logs output. 
object({
    enabled               = bool                   // Indicates whether connection logging is enabled
    cloudwatch_log_stream = optional(string, null) // The name of the vpn client cloudwatch log stream
    cloudwatch_log_group  = optional(string, null) // The name of the vpn client cloudwatch log group
  })
 
{
  "enabled": false
}
 no
client_vpn_name The name of the client vpn string n/a yes
client_vpn_self_service_portal Specify whether to enable the self-service portal for the Client VPN endpoint. Values can be enabled or disabled. string "disabled" no
client_vpn_split_tunnel Indicates whether split-tunnel is enabled on VPN endpoint. bool true no
client_vpn_subnet_ids The ID of the subnets to associate with the Client VPN endpoint. list(string) n/a yes
client_vpn_target_network_cidr The IPv4 address range, in CIDR notation, of the network to which the authorization rule applies. string n/a yes
create_self_signed_server_cert Create a self signed certificate to use for the VPN server. bool true no
create_vpn_gateway Whether to create VPN Gateway, as for a VPC only one Gateway is allowed bool true no
dns_servers The list of dns server ip address list(string) 
[
  "1.1.1.1",
  "1.0.0.1"
]
 no
iam_saml_provider_enabled Enable the SAML provider for SSO login to Client VPN. If enabled, var.iam_saml_provider_name and var.saml_metadata_document_content must be set. bool false no
iam_saml_provider_name The name of the IAM SAML Provider string null no
saml_metadata_document_content The content of the saml metadata document string null no
self_signed_server_cert_allowed_uses List of keywords each describing a use that is permitted for the issued certificate.
Must be one of of the values outlined in self_signed_cert.allowed_uses.		 list(string) 
[
  "key_encipherment",
  "digital_signature",
  "server_auth"
]
 no
self_signed_server_cert_ca_pem Server certificate CA PEM string "" no
self_signed_server_cert_organization_name Organization name to assign the server certificate string "" no
self_signed_server_cert_private_ca_key_pem Server certificate Private Key PEM string "" no
self_signed_server_cert_secret_path_format The path format to use when writing secrets to the certificate backend. string "/%s.%s" no
self_signed_server_cert_server_common_name Common name to assign the server certificate string "" no
tags Default tags to apply to every applicable resource map(string) n/a yes
vpc_id The ID of the target network VPC string n/a yes

Outputs

Name Description
client_self_signed_cert_server_certificate_arn Self signed certificate server certificate ARN
client_vpn_arn The client vpn ARN
client_vpn_id The client vpn ID

Versioning

while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch

For Example

1
git commit -m "your commit message #major"
By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly

Development

Prerequisites

Configurations

  • Configure pre-commit hooks 
    1
    pre-commit install

Tests

  • Tests are available in test directory
  • Configure the dependencies 
    1
2
3
    cd test/
go mod init github.com/sourcefuse/terraform-aws-refarch-vpn
go get github.com/gruntwork-io/terratest/modules/terraform
  • Now execute the test 
    1
    go test -timeout  30m

Authors

This project is authored by:

  • SourceFuse