terraform-aws-client-vpn-federated

Creates an AWS Client VPN with federated client authentication

Example

Here's what using the module will look like

module "vpn" {
  source = "rhythmictech/client-vpn-federated/aws"

  name                   = "vpn"
  additional_routes      = var.additional_routes
  associated_subnets     = var.associated_subnets
  client_cidr_block      = var.vpn_client_cidr_block
  saml_metadata_document = file("${path.module}/saml-metadata.xml")
  server_certificate_arn = data.aws_acm_certificate.com_cert.arn
  tags                   = local.tags
  vpc_id                 = var.vpc_id

  authorization_rules = [{
    name                 = "allow-all"
    access_group_id      = null
    authorize_all_groups = true
    description          = "Allow All Groups"
    target_network_cidr  = var.cidr_block
  }]

}

Requirements

Name	Version
terraform	>= 1.1
aws	~> 5.27

Providers

Name	Version
aws	~> 5.27

Modules

Name	Source	Version
saml_is_defined	rhythmictech/errorcheck/terraform	~> 1.2
saml_not_defined_twice	rhythmictech/errorcheck/terraform	~> 1.2
self_service_saml_not_defined_twice	rhythmictech/errorcheck/terraform	~> 1.2

Resources

Name	Type
aws_cloudwatch_log_group.vpn	resource
aws_cloudwatch_log_stream.vpn	resource
aws_ec2_client_vpn_authorization_rule.rules	resource
aws_ec2_client_vpn_endpoint.this	resource
aws_ec2_client_vpn_network_association.this	resource
aws_ec2_client_vpn_route.additional	resource
aws_iam_saml_provider.self_service	resource
aws_iam_saml_provider.this	resource
aws_security_group.this	resource

Inputs

Name	Description	Type	Default	Required
additional_routes	A list of additional routes that should be attached to the Client VPN endpoint	list(object({ destination_cidr_block = string description = string target_vpc_subnet_id = string }))	[]	no
additional_security_groups	List of security groups to attach to the client vpn network associations	list(string)	[]	no
associated_subnets	List of subnets to associate with the VPN endpoint	list(string)	n/a	yes
authorization_rules	List of objects describing the authorization rules for the client vpn	list(object({ access_group_id = string authorize_all_groups = bool description = string target_network_cidr = string }))	n/a	yes
client_cidr_block	IPv4 CIDR block for client addresses. /22 or greater	string	n/a	yes
cloudwatch_log_retention_days	How long to keep VPN logs. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire.	number	30	no
dns_servers	Up to two DNS servers	list(string)	[]	no
name	Name to associate with various resources	string	n/a	yes
saml_metadata_document	Optional SAML metadata document. Must include this or saml_provider_arn	string	null	no
saml_provider_arn	Optional SAML provider ARN. Must include this or saml_metadata_document	string	null	no
self_service_saml_metadata_document	Optional SAML metadata document for the self-service portal. Must include this or self_service_saml_provider_arn to enable self-service; omit both to disable.	string	null	no
self_service_saml_provider_arn	Optional ARN of an existing IAM SAML provider for the self-service portal. Must include this or self_service_saml_metadata_document to enable self-service; omit both to disable.	string	null	no
server_certificate_arn	ARN of ACM certificate to use with Client VPN	string	n/a	yes
split_tunnel_enabled	Whether to enable split tunneling	bool	true	no
tags	Map of strings containing tags for AWS resources	map(string)	{}	no
vpc_id	ID of VPC to attach VPN to	string	n/a	yes

Outputs

Name	Description
vpn_dns_name	DNS name to be used by clients when establishing VPN session
self_service_saml_provider_arn	ARN of the IAM SAML provider created for the self-service portal (null if not created by this module)
vpn_endpoint_security_groups	VPN endpoint security groups

The Giants Underneath this Module

• pre-commit.com
• terraform.io
• github.com/tfutils/tfenv
• github.com/segmentio/terraform-docs