docs: updating the readme
gambol99 committed Oct 9, 2024
1 parent 1ae4384 commit d89db61
Showing 1 changed file with 0 additions and 106 deletions.
106 changes: 0 additions & 106 deletions README.md
@@ -1,109 +1,3 @@
<!-- BEGIN_TF_DOCS -->
<!-- markdownlint-disable -->

<a href="https://www.appvia.io/"><img src="./appvia_banner.jpg" alt="Appvia Banner"/></a><br/><p align="right"> <a href="https://registry.terraform.io/modules/appvia/vpn/aws/latest"><img src="https://img.shields.io/static/v1?label=APPVIA&message=Terraform%20Registry&color=191970&style=for-the-badge" alt="Terraform Registry"/></a></a> <a href="https://github.com/appvia/terraform-aws-vpn/releases/latest"><img src="https://img.shields.io/github/release/appvia/terraform-aws-vpn.svg?style=for-the-badge&color=006400" alt="Latest Release"/></a> <a href="https://appvia-community.slack.com/join/shared_invite/zt-1s7i7xy85-T155drryqU56emm09ojMVA#/shared-invite/email"><img src="https://img.shields.io/badge/Slack-Join%20Community-purple?style=for-the-badge&logo=slack" alt="Slack Community"/></a> <a href="https://github.com/appvia/terraform-aws-vpn/graphs/contributors"><img src="https://img.shields.io/github/contributors/appvia/terraform-aws-vpn.svg?style=for-the-badge&color=FF8C00" alt="Contributors"/></a>

<!-- markdownlint-restore -->
<!--
***** CAUTION: DO NOT EDIT ABOVE THIS LINE ******
-->


# Description

This repository creates an AWS Client VPN Endpoint for the AWS Organization, which is connected to the AWS Transit Gateway.

<img src=docs/architecture.png width=800></img>

## Prerequisites

AWS SSO must be configured appropriately for the AWS Organization, for the Client VPN to be able to authenticate users.

**Steps:**

1. Login to the AWS Account where <CUSTOMER_NAME> AWS SSO is configured (`https://<CUSTOMER_SSO_DOMAIN>.awsapps.com/start#/` => `<CUSTOMER_MANAGEMENT_ACCOUNT>`)
2. Navigate to IAM Identity Center
3. On the left-hand column, navigate to `Applications` and then `Add application`
4. Tick `Add a custom SAML 2.0 application` and press `Next`
5. Provide a friendly display name for the application, e.g. `AWS Client VPN`
6. `Application start URL` can later be changed to the VPN self-service portal URL, once provisioned
7. At the bottom under `Application metadata`, specify:
1. `Application ACS URL: http://127.0.0.1:35001`
2. `Application SAML audience: urn:amazon:webservices:clientvpn`
8. Press `Submit`
9. Press `Assign Users` and then assign any Users or Groups who should have access to the VPN (or select all Groups for now)
10. At the top right, press `Actions` and then `Edit attribute mappings`
1. For `Subject`, set the string value to `${user:email}` and format as `emailAddress`
2. Add `memberOf`, set the string value to `${user:groups}` and format as `unspecified`
11. Press `Save changes`
12. Go back to `Actions` and then `Edit configuration`
13. Press `Download` to retrieve the `IAM Identity Center SAML metadata file` and store it in this repository in the `metadata` directory
14. Repeat all the steps for the `AWS Client VPN Self Service Portal`, with one change:
1. For the `Application ACS URL`, provide the value `https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml`

Once the above steps are complete, the Terraform can be applied via the GitHub CI Pipeline.

## Updating Docs

The `terraform-docs` utility is used to generate this README. Follow the below steps to update:

1. Make changes to the `.terraform-docs.yml` file
2. Fetch the `terraform-docs` binary (https://terraform-docs.io/user-guide/installation/)
3. Run `terraform-docs markdown table --output-file ${PWD}/README.md --output-mode inject .`

## Adding new authorization rule

By default, all VPN access is denied, regardless of provided routing. You are required to explicitly allow access to given CIDR ranges to different SSO groups through a set of authorization rules. In order to add a new rule when the SSO Group exists already, you need to do the following:

1. Check if the data resource was created to extract the group ID in your terraform values

```hcl
variable "sso_groups" {
description = "SSO groups to create VPN rules for"
type = list(string)
default = []
}
```

2. Add a new authorization rule explicitly in `main.tf` specifying what CIDR range is allowed for each group. Only one CIDR is allowed per rule:

```hcl
authorization_rules = [
{
access_group_id = data.aws_identitystore_group.groups["NAME OF THE GROUP"].group_id
description = "Allow VPN access to all internal services for Cloud Admin users"
name = "allow-all-cloud-admin"
target_network_cidr = "10.0.0.0/8" # All internal access
},
]
```

## Troubleshooting

### Can't access required CIDRs over VPN?

If you have added an authorization rule, but can't access the network over VPN, make sure that:

- you have disconnected/reconnected to your VPN client (you may need to wait a couple of minutes or disconnect/reconnect a couple of times)
- you are part of the correct group
- the group ID is correct (You can find it in the Identity Center in AWS Audit Account and comapre to added rules for Client VPN in Remote Access AWS Account)
- the group has been added to both VPN applications in Identity Center in AWS Audit Account
- the resource you are trying to access has correct security group rules.

### Want to add a new SSO group and permissions to access VPN?

When adding a new group to SSO, there are following steps to complete:

- Add a new group to the AWS SSO Application within [Google Admin](https://admin.google.com/u/1/ac/apps/saml/45189681917)
- Add the new group to [terraform-aws-identity](https://github.com/CUSTOMER_ORG/terraform-aws-vpn/tree/main) repository.
- Add a new group to VPN applications in Identity Center in AWS Audit Account
- Specify the allowed CIDR ranges via new authorization rule for the new group in this repository.

## References

- AWS Blog: [AWS SSO and AWS Client VPN setup](https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-sso-with-aws-client-vpn-for-authentication-and-authorization/)
- AWS Docs: [SAML-based IDP configuration](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/federated-authentication.html)

<!-- BEGIN_TF_DOCS -->
## Requirements

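Review bot: the commit message "docs: updating the readme" understates what this hunk does: it deletes 106 lines with no replacement, and those lines are the only place the README states the security-relevant default ("By default, all VPN access is denied, regardless of provided routing") and how access is granted per SSO group through `authorization_rules`, as well as the only record of the SAML attribute mapping (`memberOf` set to `${user:groups}`) that group-based rules depend on. If the goal is to strip customer-specific values (the `<CUSTOMER_NAME>` / `<CUSTOMER_SSO_DOMAIN>` placeholders, the Google Admin SAML application URL, the `CUSTOMER_ORG` repository link, the "AWS Audit Account" / "Remote Access AWS Account" references), say so in the message and keep a genericised version of the Prerequisites, "Adding new authorization rule" and Troubleshooting sections, or point to where that guidance now lives; the generated terraform-docs block alone does not tell an operator how to onboard a group without accidentally over-granting a CIDR.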

0 comments on commit d89db61