terraform-aws-arc-vpn

Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing a Client VPN.

Usage

To see a full example, check out the main.tf file in the example folder.

module "this" {
  source  = "sourcefuse/arc-vpn/aws"
  version = "0.0.4"
  vpc_id = data.aws_vpc.this.id

  authentication_options_type                       = "certificate-authentication"
  authentication_options_root_certificate_chain_arn = module.self_signed_cert_root.certificate_arn

  ## access
  client_vpn_authorize_all_groups = true
  client_vpn_subnet_ids           = data.aws_subnets.private.ids
  client_vpn_target_network_cidr  = data.aws_vpc.this.cidr_block

  ## self signed certificate
  create_self_signed_server_cert             = true
  self_signed_server_cert_server_common_name = "${var.namespace}-${var.environment}.arc-vpn-example.client"
  self_signed_server_cert_organization_name  = var.namespace
  self_signed_server_cert_ca_pem             = module.self_signed_cert_ca.certificate_pem
  self_signed_server_cert_private_ca_key_pem = join("", data.aws_ssm_parameter.ca_key[*].value)

  ## client vpn
  ## NOTE: AWS requires client_cidr to be a /22 to /12 block that does not
  ## overlap the VPC CIDR or any route on the endpoint; cidrsubnet() below
  ## carves it out of the VPC range, so use a non-overlapping block in practice
  client_cidr             = cidrsubnet(data.aws_vpc.this.cidr_block, 6, 1)
  client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn-example"
  client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway-example"

  tags = module.tags.tags
}
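
A hardened variant of the same certificate-authentication deployment, added here as an editor's illustration rather than code from the module or its example folder. It turns on connection logging (the module default is enabled = false), narrows the VPN security group egress from the default 0.0.0.0/0 on all protocols to the VPC CIDR, pushes the VPC resolver instead of the default public DNS servers, and takes the client CIDR from an assumed input so it cannot overlap the VPC range. The data sources, var.namespace / var.environment and the module.tags / module.self_signed_cert_* references are assumed to exist as in the usage example; var.client_cidr and the CloudWatch resource names are assumptions.

```hcl
# Added example (editor's illustration, not the module's own documentation):
# a hardened variant of the certificate-authentication deployment above.
# Assumptions: the data sources, var.* values and module.tags /
# module.self_signed_cert_* references exist as in the usage example;
# var.client_cidr is an assumed input such as "10.255.0.0/22".

# Connection-log target. The module only accepts the log group/stream names
# (client_vpn_log_options), so the CloudWatch resources are created here.
resource "aws_cloudwatch_log_group" "client_vpn" {
  name              = "/aws/clientvpn/${var.namespace}-${var.environment}"
  retention_in_days = 365
  tags              = module.tags.tags
}

resource "aws_cloudwatch_log_stream" "client_vpn" {
  name           = "connections"
  log_group_name = aws_cloudwatch_log_group.client_vpn.name
}

module "this" {
  source  = "sourcefuse/arc-vpn/aws"
  version = "0.0.4"
  vpc_id  = data.aws_vpc.this.id

  authentication_options_type                       = "certificate-authentication"
  authentication_options_root_certificate_chain_arn = module.self_signed_cert_root.certificate_arn

  ## access: certificate-authentication carries no group claims, so the
  ## single authorization rule has to grant all authenticated clients
  client_vpn_authorize_all_groups = true
  client_vpn_subnet_ids           = data.aws_subnets.private.ids
  client_vpn_target_network_cidr  = data.aws_vpc.this.cidr_block

  ## logging: the module default is enabled = false; record every session
  client_vpn_log_options = {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.client_vpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.client_vpn.name
  }

  ## egress: the module default is 0.0.0.0/0 on all protocols. With split
  ## tunnel on, clients only send VPC-bound traffic through the endpoint,
  ## so the VPN security group only needs to reach the VPC CIDR.
  client_vpn_split_tunnel = true
  client_vpn_egress_rules = [
    {
      description = "VPN egress to VPC CIDR only"
      from_port   = 0
      to_port     = 0
      protocol    = -1
      cidr_blocks = [data.aws_vpc.this.cidr_block]
    }
  ]

  ## dns: the module default pushes public resolvers (1.1.1.1, 1.0.0.1);
  ## the VPC resolver (base address + 2) lets private hosted zones and
  ## VPC endpoints resolve through the tunnel
  dns_servers = [cidrhost(data.aws_vpc.this.cidr_block, 2)]

  ## self signed certificate: the CA private key is read from SSM, where it
  ## should be stored as a SecureString (the data source decrypts by default).
  ## The PEM still ends up in Terraform state, so the state backend must be
  ## encrypted and access-controlled.
  create_self_signed_server_cert             = true
  self_signed_server_cert_server_common_name = "${var.namespace}-${var.environment}.arc-vpn-example.client"
  self_signed_server_cert_organization_name  = var.namespace
  self_signed_server_cert_ca_pem             = module.self_signed_cert_ca.certificate_pem
  self_signed_server_cert_private_ca_key_pem = join("", data.aws_ssm_parameter.ca_key[*].value)

  ## client vpn: AWS requires a /22 to /12 block that does not overlap the
  ## VPC CIDR or any route added to the endpoint, so it comes from an
  ## assumed input rather than being carved out of the VPC range
  client_cidr             = var.client_cidr
  client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn"
  client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway"

  tags = module.tags.tags
}
```

The egress rule is what bounds what a connected client can reach: Client VPN attaches the module's security group to the endpoint's network interfaces, so an allow-all egress rule hands every authenticated certificate holder a path to anything routable from the subnet, not just the VPC. Keep the client CIDR disjoint from every network the endpoint routes to, or the subnet association fails.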

Requirements

Name Version
terraform >= 1.3, < 2.0.0
aws >= 4.0

Providers

Name Version
aws 5.11.0

Modules

Name Source Version
self_signed_cert git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git 1.3.0

Resources

Name Type
aws_ec2_client_vpn_authorization_rule.this resource
aws_ec2_client_vpn_endpoint.this resource
aws_ec2_client_vpn_network_association.this resource
aws_iam_saml_provider.this resource
aws_security_group.vpn resource
aws_vpn_gateway.this resource

Inputs

Name Description Type Default Required
authentication_options_active_directory_id The ID of the Active Directory to be used for authentication if type is directory-service-authentication. string null no
authentication_options_root_certificate_chain_arn The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to certificate-authentication. string null no
authentication_options_saml_provider_arn The ARN of the IAM SAML identity provider if type is federated-authentication. string null no
authentication_options_self_service_saml_provider_arn The ARN of the IAM SAML identity provider for the self service portal if type is federated-authentication. string null no
authentication_options_type The type of client authentication to be used.
Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication,
or federated-authentication to use Federated Authentication via SAML 2.0.
string n/a yes
client_cidr The IPv4 address range, in CIDR notation, from which to assign client IP addresses. string n/a yes
client_server_certificate_arn The ARN of the ACM server certificate. string null no
client_server_transport_protocol The transport protocol to be used by the VPN session. string "tcp" no
client_vpn_access_group_id The ID of the group to which the authorization rule grants access. One of client_vpn_access_group_id or client_vpn_authorize_all_groups must be set. string null no
client_vpn_additional_security_group_ids Additional IDs of security groups to add to the target network. list(string) [] no
client_vpn_authorize_all_groups Indicates whether the authorization rule grants access to all clients. One of client_vpn_access_group_id or client_vpn_authorize_all_groups must be set. bool true no
client_vpn_egress_rules Egress rules for the security groups.
list(object({
description = optional(string, "")
from_port = number
to_port = number
protocol = any
cidr_blocks = optional(list(string), [])
security_group_ids = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
}))
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "VPN egress to internet",
"from_port": 0,
"protocol": -1,
"to_port": 0
}
]
no
client_vpn_gateway_name The name of the client vpn gateway. string n/a yes
client_vpn_ingress_rules Ingress rules for the security groups.
list(object({
description = optional(string, "")
from_port = number
to_port = number
protocol = any
cidr_blocks = optional(list(string), [])
security_group_ids = optional(list(string), [])
ipv6_cidr_blocks = optional(list(string), [])
}))
[
{
"description": "VPN ingress to 443",
"from_port": 443,
"protocol": "tcp",
"to_port": 443
}
]
no
client_vpn_log_options Whether logging is enabled and where to send the logs output.
object({
enabled = bool // Indicates whether connection logging is enabled
cloudwatch_log_stream = optional(string, null) // The name of the vpn client cloudwatch log stream
cloudwatch_log_group = optional(string, null) // The name of the vpn client cloudwatch log group
})
{
"enabled": false
}
no
client_vpn_name The name of the client vpn string n/a yes
client_vpn_self_service_portal Specify whether to enable the self-service portal for the Client VPN endpoint. Values can be enabled or disabled. string "disabled" no
client_vpn_split_tunnel Indicates whether split-tunnel is enabled on VPN endpoint. bool true no
client_vpn_subnet_ids The ID of the subnets to associate with the Client VPN endpoint. list(string) n/a yes
client_vpn_target_network_cidr The IPv4 address range, in CIDR notation, of the network to which the authorization rule applies. string n/a yes
create_self_signed_server_cert Create a self signed certificate to use for the VPN server. bool true no
dns_servers The list of DNS server IP addresses pushed to clients list(string)
[
"1.1.1.1",
"1.0.0.1"
]
no
iam_saml_provider_enabled Enable the SAML provider for SSO login to Client VPN. If enabled, var.iam_saml_provider_name and var.saml_metadata_document_content must be set. bool false no
iam_saml_provider_name The name of the IAM SAML Provider string null no
saml_metadata_document_content The content of the saml metadata document string null no
self_signed_server_cert_allowed_uses List of keywords, each describing a use that is permitted for the issued certificate.
Must be one of the values outlined in self_signed_cert.allowed_uses.
list(string)
[
"key_encipherment",
"digital_signature",
"server_auth"
]
no
self_signed_server_cert_ca_pem Server certificate CA PEM string "" no
self_signed_server_cert_organization_name Organization name to assign the server certificate string "" no
self_signed_server_cert_private_ca_key_pem Server certificate Private Key PEM string "" no
self_signed_server_cert_secret_path_format The path format to use when writing secrets to the certificate backend. string "/%s.%s" no
self_signed_server_cert_server_common_name Common name to assign the server certificate string "" no
tags Default tags to apply to every applicable resource map(string) n/a yes
vpc_id The ID of the target network VPC string n/a yes

Outputs

Name Description
client_self_signed_cert_server_certificate_arn Self signed certificate server certificate ARN
client_vpn_arn The client vpn ARN
client_vpn_id The client vpn ID
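
The client_vpn_id output is what lets authorization rules be attached outside the module. The following is an added example (an editor's illustration, not code from the module or its example folder) of federated SAML 2.0 authentication with no blanket authorize-all rule: the module's single rule is scoped to one IdP group, and further groups get narrower rules through their own aws_ec2_client_vpn_authorization_rule resources. The IdP metadata file path, the ACM server certificate ARN in var.server_certificate_arn, var.client_cidr, and the group IDs and CIDRs in local.group_access are all assumptions.

```hcl
# Added example (editor's illustration, not the module's own documentation):
# federated (SAML 2.0) authentication with group-scoped authorization rules
# attached through the module's client_vpn_id output. Assumptions: an IdP
# metadata file at idp-metadata.xml, an ACM server certificate ARN in
# var.server_certificate_arn, var.client_cidr, and the group IDs and CIDRs
# in local.group_access.

# The SAML provider is created here and its ARN handed to the module, so the
# module's own iam_saml_provider_enabled stays at its default (false).
resource "aws_iam_saml_provider" "vpn" {
  name                   = "${var.namespace}-${var.environment}-client-vpn"
  saml_metadata_document = file("${path.module}/idp-metadata.xml")
}

module "this" {
  source  = "sourcefuse/arc-vpn/aws"
  version = "0.0.4"
  vpc_id  = data.aws_vpc.this.id

  authentication_options_type              = "federated-authentication"
  authentication_options_saml_provider_arn = aws_iam_saml_provider.vpn.arn

  ## access: no blanket grant. The module's one authorization rule is scoped
  ## to a single IdP group; Client VPN matches access_group_id against the
  ## values the IdP sends in the SAML memberOf attribute, so the string must
  ## match exactly what the IdP emits (assumed value here).
  client_vpn_authorize_all_groups = false
  client_vpn_access_group_id      = "platform-engineers"
  client_vpn_subnet_ids           = data.aws_subnets.private.ids
  client_vpn_target_network_cidr  = data.aws_vpc.this.cidr_block

  ## server certificate: ACM-issued instead of the module's self-signed path
  create_self_signed_server_cert = false
  client_server_certificate_arn  = var.server_certificate_arn

  ## client vpn: /22 to /12 and non-overlapping with the VPC CIDR
  client_cidr             = var.client_cidr
  client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn"
  client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway"

  tags = module.tags.tags
}

# Further groups get their own, narrower rules. Because these CIDRs sit inside
# the VPC CIDR, the route created by the subnet association already covers
# them; only the authorization differs per group.
locals {
  group_access = {
    "database-admins" = "10.0.10.0/24" # assumed data-subnet range
    "sre-oncall"      = "10.0.20.0/24" # assumed monitoring-subnet range
  }
}

resource "aws_ec2_client_vpn_authorization_rule" "group" {
  for_each = local.group_access

  client_vpn_endpoint_id = module.this.client_vpn_id
  target_network_cidr    = each.value
  access_group_id        = each.key
  description            = "Allow ${each.key} to reach ${each.value}"
}
```

Authorization rules are evaluated on the group IDs carried in the assertion, so the IdP must actually emit memberOf for these users; a client whose assertion lacks the attribute authenticates but matches no rule and reaches nothing, which is the intended failure mode here.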

Versioning

This project uses a .version file at the root of the repo, which the pipeline reads to create a git tag.

When you intend to commit to main, you will need to increment this version. Once the project is merged, the pipeline will kick off and tag the latest git commit.

Development

Prerequisites

Configurations

  • Configure pre-commit hooks
    pre-commit install
    

Tests

  • Tests are available in test directory
  • Configure the dependencies
    cd test/
    go mod init github.com/sourcefuse/terraform-aws-refarch-vpn
    go get github.com/gruntwork-io/terratest/modules/terraform
    
  • Now execute the test
    go test -timeout 30m
    

Authors

This project is authored by:

  • SourceFuse