Module: `ec2-client-vpn`

The terraform-aws-ec2-client-vpn project provides for ec2 client vpn infrastructure. AWS Client VPN is a managed client-based VPN service based on OpenVPN that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using any OpenVPN-based VPN client.

Usage

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which tests and deploys the example on AWS), see test.

module "vpc_target" {
  source  = "cloudposse/vpc/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  cidr_block = "172.16.0.0/16"

  context = module.this.context
}

module "vpc_client" {
  source  = "cloudposse/vpc/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  cidr_block = "172.31.0.0/16"

  context = module.this.context
}

module "subnets" {
  source  = "cloudposse/dynamic-subnets/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  availability_zones   = var.availability_zones
  vpc_id               = module.vpc_target.vpc_id
  igw_id               = module.vpc_target.igw_id
  cidr_block           = module.vpc_target.vpc_cidr_block
  nat_gateway_enabled  = true
  nat_instance_enabled = false

  context = module.this.context
}

module "ec2_client_vpn" {
  source  = "cloudposse/ec2-client-vpn/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  client_cidr             = module.vpc_client.vpc_cidr_block
  organization_name       = var.organization_name
  logging_enabled         = var.logging_enabled
  retention_in_days       = var.retention_in_days
  associated_subnets      = module.subnets.private_subnet_ids
  authorization_rules     = var.authorization_rules

  additional_routes = [
    {
      destination_cidr_block = "0.0.0.0/0"
      description            = "Internet Route"
      target_vpc_subnet_id   = element(module.subnets.private_subnet_ids, 0)
    }
  ]
}

Examples

Here is an example of using this module:

examples/complete - complete example of using this module

Requirements

Name	Version
terraform	>= 1.0
aws	>= 4.0
awsutils	>= 0.16.0

Providers

Name	Version
aws	>= 4.0
awsutils	>= 0.16.0

Modules

Name	Source	Version
cloudwatch_log	cloudposse/cloudwatch-logs/aws	0.6.8
self_signed_cert_ca	cloudposse/ssm-tls-self-signed-cert/aws	1.3.0
self_signed_cert_root	cloudposse/ssm-tls-self-signed-cert/aws	1.3.0
self_signed_cert_server	cloudposse/ssm-tls-self-signed-cert/aws	1.3.0
this	cloudposse/label/null	0.25.0
vpn_security_group	cloudposse/security-group/aws	2.2.0

Resources

Name	Type
aws_ec2_client_vpn_authorization_rule.default	resource
aws_ec2_client_vpn_endpoint.default	resource
aws_ec2_client_vpn_network_association.default	resource
aws_ec2_client_vpn_route.default	resource
aws_iam_saml_provider.default	resource
aws_ssm_parameter.ca_key	data source
aws_ssm_parameter.root_key	data source
awsutils_ec2_client_vpn_export_client_config.default	data source

Inputs

Name	Description	Type	Default	Required
additional_routes	A list of additional routes that should be attached to the Client VPN endpoint	`list(object({ destination_cidr_block = string description = string target_vpc_subnet_id = string }))`	`[]`	no
additional_security_group_rules	A list of Security Group rule objects to add to the created security group, in addition to the ones this module normally creates. (To suppress the module's rules, set `create_security_group` to false and supply your own security group via `associated_security_group_ids`.) The keys and values of the objects are fully compatible with the `aws_security_group_rule` resource, except for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique and known at "plan" time. To get more info see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule .	`list(any)`	`[]`	no
additional_security_groups	DEPRECATED: Use `associated_security_group_ids` instead. List of security groups to attach to the client vpn network associations	`list(string)`	`[]`	no
additional_tag_map	Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration.	`map(string)`	`{}`	no
allow_self_security_group	Whether the security group itself will be added as a source to this ingress rule.	`bool`	`true`	no
allowed_cidr_blocks	A list of IPv4 CIDRs to allow access to the security group created by this module. The length of this list must be known at "plan" time.	`list(string)`	`[]`	no
allowed_ipv6_cidr_blocks	A list of IPv6 CIDRs to allow access to the security group created by this module. The length of this list must be known at "plan" time.	`list(string)`	`[]`	no
allowed_ipv6_prefix_list_ids	A list of IPv6 Prefix Lists IDs to allow access to the security group created by this module. The length of this list must be known at "plan" time.	`list(string)`	`[]`	no
allowed_security_group_ids	A list of IDs of Security Groups to allow access to the security group created by this module. The length of this list must be known at "plan" time.	`list(string)`	`[]`	no
associated_security_group_ids	A list of IDs of Security Groups to associate the VPN endpoints with, in addition to the created security group. These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access.	`list(string)`	`[]`	no
associated_subnets	List of subnets to associate with the VPN endpoint	`list(string)`	n/a	yes
attributes	ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the `delimiter` and treated as a single ID element.	`list(string)`	`[]`	no
authentication_type	One of `certificate-authentication` or `federated-authentication`	`string`	`"certificate-authentication"`	no
authorization_rules	List of objects describing the authorization rules for the client vpn	`list(map(any))`	`[]`	no
ca_common_name	Unique Common Name for CA self-signed certificate	`string`	`null`	no
client_cidr	Network CIDR to use for clients	`string`	n/a	yes
client_conf_tmpl_path	Path to template file of vpn client exported configuration. Path is relative to ${path.module}	`string`	`null`	no
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as `null` to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	`any`	`{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "descriptor_formats": {}, "enabled": true, "environment": null, "id_length_limit": null, "label_key_case": null, "label_order": [], "label_value_case": null, "labels_as_tags": [ "unset" ], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {}, "tenant": null }`	no
create_security_group	Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided.	`bool`	`true`	no
delimiter	Delimiter to be used between ID elements. Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.	`string`	`null`	no
descriptor_formats	Describe additional descriptors to be output in the `descriptors` output map. Map of maps. Keys are names of descriptors. Values are maps of the form `{<br/> format = string<br/> labels = list(string)<br/>}` (Type is `any` so the map values can later be enhanced to provide additional options.) `format` is a Terraform format string to be passed to the `format()` function. `labels` is a list of labels, in order, to pass to `format()` function. Label values will be normalized before being passed to `format()` so they will be identical to how they appear in `id`. Default is `{}` (`descriptors` output will be empty).	`any`	`{}`	no
dns_servers	Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the connecting device is used.	`list(string)`	`[]`	no
enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
environment	ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'	`string`	`null`	no
export_client_certificate	Flag to determine whether to export the client certificate with the VPN configuration	`bool`	`false`	no
id_length_limit	Limit `id` to this many characters (minimum 6). Set to `0` for unlimited length. Set to `null` for keep the existing setting, which defaults to `0`. Does not affect `id_full`.	`number`	`null`	no
label_key_case	Controls the letter case of the `tags` keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the `tags` input. Possible values: `lower`, `title`, `upper`. Default value: `title`.	`string`	`null`	no
label_order	The order in which the labels (ID elements) appear in the `id`. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.	`list(string)`	`null`	no
label_value_case	Controls the letter case of ID elements (labels) as included in `id`, set as tag values, and output by this module individually. Does not affect values of tags passed in via the `tags` input. Possible values: `lower`, `title`, `upper` and `none` (no transformation). Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. Default value: `lower`.	`string`	`null`	no
labels_as_tags	Set of labels (ID elements) to include as tags in the `tags` output. Default is to include all labels. Tags with empty values will not be included in the `tags` output. Set to `[]` to suppress all generated tags. Notes: The value of the `name` tag, if included, will be the `id`, not the `name`. Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be changed in later chained modules. Attempts to change it will be silently ignored.	`set(string)`	`[ "default" ]`	no
logging_enabled	Enables or disables Client VPN Cloudwatch logging.	`bool`	`false`	no
logging_stream_name	Names of stream used for logging	`string`	n/a	yes
name	ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a `tag`. The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.	`string`	`null`	no
namespace	ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique	`string`	`null`	no
organization_name	Name of organization to use in private certificate	`string`	n/a	yes
regex_replace_chars	Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
retention_in_days	Number of days you want to retain log events in the log group	`number`	`"30"`	no
root_common_name	Unique Common Name for Root self-signed certificate	`string`	`null`	no
saml_metadata_document	Optional SAML metadata document. Must include this or `saml_provider_arn`	`string`	`null`	no
saml_provider_arn	Optional SAML provider ARN. Must include this or `saml_metadata_document`	`string`	`null`	no
secret_path_format	The path format to use when writing secrets to the certificate backend. The certificate secret path will be computed as `format(var.secret_path_format, var.name, var.secret_extensions.certificate)` and the private key path as `format(var.secret_path_format, var.name, var.secret_extensions.private_key)`. Thus by default, if `var.name`=`example-self-signed-cert`, then the resulting secret paths for the self-signed certificate's PEM file and private key will be `/example-self-signed-cert.pem` and `/example-self-signed-cert.key`, respectively. This variable can be overridden in order to create more specific certificate backend paths.	`string`	`"/%s.%s"`	no
security_group_create_before_destroy	Set `true` to enable Terraform `create_before_destroy` behavior on the created security group. Note that changing this value will always cause the security group to be replaced.	`bool`	`true`	no
security_group_create_timeout	How long to wait for the security group to be created.	`string`	`"10m"`	no
security_group_delete_timeout	How long to retry on `DependencyViolation` errors during security group deletion from lingering ENIs left by certain AWS services such as Elastic Load Balancing.	`string`	`"15m"`	no
security_group_description	The description to assign to the created Security Group. Warning: Changing the description causes the security group to be replaced.	`string`	`null`	no
security_group_name	The name to assign to the created security group. Must be unique within the VPC. If not provided, will be derived from the `null-label.context` passed in. If `create_before_destroy` is true, will be used as a name prefix.	`list(string)`	`[]`	no
self_service_portal_enabled	Specify whether to enable the self-service portal for the Client VPN endpoint	`bool`	`false`	no
self_service_saml_provider_arn	The ARN of the IAM SAML identity provider for the self service portal if type is federated-authentication.	`string`	`null`	no
server_common_name	Unique Common Name for Server self-signed certificate	`string`	`null`	no
session_timeout_hours	The maximum session duration is a trigger by which end-users are required to re-authenticate prior to establishing a VPN session. Default value is 24. Valid values: 8 \| 10 \| 12 \| 24	`string`	`"24"`	no
split_tunnel	Indicates whether split-tunnel is enabled on VPN endpoint. Default value is false.	`bool`	`false`	no
stage	ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'	`string`	`null`	no
tags	Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). Neither the tag keys nor the tag values will be modified by this module.	`map(string)`	`{}`	no
tenant	ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for	`string`	`null`	no
transport_protocol	Transport protocol used by the TLS sessions.	`string`	`"udp"`	no
vpc_id	ID of VPC to attach VPN to	`string`	n/a	yes

Outputs

Name	Description
client_configuration	VPN Client Configuration data.
full_client_configuration	Client configuration including client certificate and private key
vpn_endpoint_arn	The ARN of the Client VPN Endpoint Connection.
vpn_endpoint_dns_name	The DNS Name of the Client VPN Endpoint Connection.
vpn_endpoint_id	The ID of the Client VPN Endpoint Connection.

Module: ec2-client-vpn

Usage​

Examples​

Requirements​

Providers​

Modules​

Resources​

Inputs​

Outputs​