This component is responsible for provisioning VPN Client Endpoints.
Stack Level: Regional
Here's an example snippet for how to use this component. This component should only be applied once as the resources it creates are regional. This is typically done via the corp stack (e.g.
uw2-corp.yaml). This is because a vpc endpoint requires a vpc and the network stack does not have a vpc.
- destination_cidr_block: 0.0.0.0/0
description: Internet Route
- name: Internet Rule
description: Allows routing to the internet"
NOTE: This module uses the
aws_ec2_client_vpn_route resource which throws an error if too many API calls come from a single host. Ignore this error and repeat the terraform command. It usually takes 3 deploys (or destroys) to complete.
Error on create (See issue https://github.com/hashicorp/terraform-provider-aws/issues/19750)
ConcurrentMutationLimitExceeded: Cannot initiate another change for this endpoint at this time. Please try again later.
Error on destroy (See issue https://github.com/hashicorp/terraform-provider-aws/issues/16645)
timeout while waiting for resource to be gone (last state: 'deleting', timeout: 1m0s)
GoogleIDPMetadata-cloudposse.com.xml in this repo is equivalent to the one in the
sso component and is used for testing. This component can only specify a single SAML document. The customer SAML xml should be placed in this directory side-by-side the CloudPosse SAML xml.
Prior to testing, the component needs to be deployed and the AWS client app needs to be setup by the IdP admin otherwise the following steps will result in an error similar to
- Deploy the component in a regional account with a VPC like
- Copy the contents of
client_configurationinto a file called
- Download AWS client VPN
brew install --cask aws-vpn-client
- Launch the VPN
- File > Manage Profiles to open the Manage Profiles window
- Click Add Profile to open the Add Profile window
- Set the display name e.g.
- Click the folder icon and find the file that was saved in a previous step
- Click Add Profile to save the profile
- Click Done to close to Manage Profiles window
- Under "Ready to connect.", choose the profile, and click Connect
A browser will launch and allow you to connect to the VPN.
Make a note of where this component is deployed
Ensure that the resource to connect to is in a VPC that is connected by the transit gateway
Ensure that the resource to connect to contains a security group with a rule that allows ingress from where the client vpn is deployed (e.g.
nmapto test if the port is
open. If the port is
filteredthen it's not open.
nmap -p <PORT> <HOST>
Successful tests have been seen with MSK and RDS.
|additional_tag_map||Additional key-value pairs to add to each map in |
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
|associated_security_group_ids||List of security groups to attach to the client vpn network associations||no|
|attributes||ID element. Additional attributes (e.g. |
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the
and treated as a single ID element.
|authentication_type||One of ||no|
|authorization_rules||List of objects describing the authorization rules for the Client VPN. Each Target Network CIDR range given will be used to create an additional route attached to the Client VPN endpoint with the same Description.||n/a||yes|
|ca_common_name||Unique Common Name for CA self-signed certificate||no|
|client_cidr||Network CIDR to use for clients||n/a||yes|
|context||Single object for setting entire context at once.|
See description of individual variables for details.
Leave string and numeric variables as
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
|delimiter||Delimiter to be used between ID elements.|
|descriptor_formats||Describe additional descriptors to be output in the |
Map of maps. Keys are names of descriptors. Values are maps of the form
Label values will be normalized before being passed to
identical to how they appear in
|dns_servers||Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the VPC that is to be associated with Client VPN endpoint is used as the DNS server.||no|
|enabled||Set to false to prevent the module from creating any resources||no|
|environment||ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'||no|
|export_client_certificate||Flag to determine whether to export the client certificate with the VPN configuration||no|
Does not affect
|import_profile_name||AWS Profile name to use when importing a resource||no|
|import_role_arn||IAM Role ARN to use when importing a resource||no|
|label_key_case||Controls the letter case of the |
Does not affect keys of tags passed in via the
|label_order||The order in which the labels (ID elements) appear in the |
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
|label_value_case||Controls the letter case of ID elements (labels) as included in |
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the
Set this to
|labels_as_tags||Set of labels (ID elements) to include as tags in the |
Default is to include all labels.
Tags with empty values will not be included in the
The value of the
changed in later chained modules. Attempts to change it will be silently ignored.
|logging_enabled||Enables or disables Client VPN Cloudwatch logging.||no|
|logging_stream_name||Names of stream used for logging||n/a||yes|
|name||ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.|
This is the only ID element not also included as a
The "name" tag is set to the full
|namespace||ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique||no|
|organization_name||Name of organization to use in private certificate||n/a||yes|
|regex_replace_chars||Terraform regular expression (regex) string.|
Characters matching the regex will be removed from the ID elements.
If not set,
|region||VPN Endpoints are region-specific. This identifies the region. AWS Region||n/a||yes|
|retention_in_days||Number of days you want to retain log events in the log group||no|
|root_common_name||Unique Common Name for Root self-signed certificate||no|
|saml_metadata_document||Optional SAML metadata document. Must include this or ||no|
|saml_provider_arn||Optional SAML provider ARN. Must include this or ||no|
|server_common_name||Unique Common Name for Server self-signed certificate||no|
|split_tunnel||Indicates whether split-tunnel is enabled on VPN endpoint. Default value is false.||no|
|stage||ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'||no|
|tags||Additional tags (e.g. |
Neither the tag keys nor the tag values will be modified by this module.
|tenant||ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for||no|
|client_configuration||VPN Client Configuration file (.ovpn) contents that can be imported into AWS client vpn|
|full_client_configuration||Client configuration including client certificate and private key for mutual authentication|
|vpn_endpoint_arn||The ARN of the Client VPN Endpoint Connection.|
|vpn_endpoint_dns_name||The DNS Name of the Client VPN Endpoint Connection.|
|vpn_endpoint_id||The ID of the Client VPN Endpoint Connection.|
- cloudposse/terraform-aws-ec2-client-vpn - Cloud Posse's upstream component
- cloudposse/awsutils - Cloud Posse's awsutils provider