Skip to content

Latest commit

 

History

History
103 lines (84 loc) · 7.84 KB

File metadata and controls

103 lines (84 loc) · 7.84 KB

terraform-aws-client-vpn-federated

Creates an AWS Client VPN with federated client authentication

tflint tfsec yamllint misspell pre-commit-check follow on Twitter

Example

Here's what using the module will look like

module "vpn" {
  source = "rhythmictech/client-vpn-federated/aws"

  name                   = "vpn"
  additional_routes      = var.additional_routes
  associated_subnets     = var.associated_subnets
  client_cidr_block      = var.vpn_client_cidr_block
  saml_metadata_document = file("${path.module}/saml-metadata.xml")
  server_certificate_arn = data.aws_acm_certificate.com_cert.arn
  tags                   = local.tags
  vpc_id                 = var.vpc_id

  authorization_rules = [{
    name                 = "allow-all"
    access_group_id      = null
    authorize_all_groups = true
    description          = "Allow All Groups"
    target_network_cidr  = var.cidr_block
  }]

}

Requirements

Name Version
terraform >= 1.1
aws ~> 5.27

Providers

Name Version
aws ~> 5.27

Modules

Name Source Version
saml_is_defined rhythmictech/errorcheck/terraform ~> 1.2
saml_not_defined_twice rhythmictech/errorcheck/terraform ~> 1.2

Resources

Name Type
aws_cloudwatch_log_group.vpn resource
aws_cloudwatch_log_stream.vpn resource
aws_ec2_client_vpn_authorization_rule.rules resource
aws_ec2_client_vpn_endpoint.this resource
aws_ec2_client_vpn_network_association.this resource
aws_ec2_client_vpn_route.additional resource
aws_iam_saml_provider.this resource
aws_security_group.this resource

Inputs

Name Description Type Default Required
additional_routes A list of additional routes that should be attached to the Client VPN endpoint
list(object({
destination_cidr_block = string
description = string
target_vpc_subnet_id = string
}))
[] no
additional_security_groups List of security groups to attach to the client vpn network associations list(string) [] no
associated_subnets List of subnets to associate with the VPN endpoint list(string) n/a yes
authorization_rules List of objects describing the authorization rules for the client vpn
list(object({
access_group_id = string
authorize_all_groups = bool
description = string
target_network_cidr = string
}))
n/a yes
client_cidr_block IPv4 CIDR block for client addresses. /22 or greater string n/a yes
cloudwatch_log_retention_days How long to keep VPN logs. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. number 30 no
dns_servers Up to two DNS servers list(string) [] no
name Name to associate with various resources string n/a yes
saml_metadata_document Optional SAML metadata document. Must include this or saml_provider_arn string null no
saml_provider_arn Optional SAML provider ARN. Must include this or saml_metadata_document string null no
server_certificate_arn ARN of ACM certificate to use with Client VPN string n/a yes
split_tunnel_enabled Whether to enable split tunneling bool true no
tags Map of strings containing tags for AWS resources map(string) {} no
vpc_id ID of VPC to attach VPN to string n/a yes

Outputs

Name Description
vpn_dns_name DNS name to be used by clients when establishing VPN session
vpn_endpoint_security_groups VPN endpoint security groups

The Giants Underneath this Module