adding self-service support to Rhythmic ClientVPN module

jjduverge · jjduverge · commit b7be61b60349 · 2026-04-07T11:15:46.000-05:00
diff --git a/README.md b/README.md
@@ -55,6 +55,7 @@ module "vpn" {
 |------|--------|---------|
 | <a name="module_saml_is_defined"></a> [saml\_is\_defined](#module\_saml\_is\_defined) | rhythmictech/errorcheck/terraform | ~> 1.2 |
 | <a name="module_saml_not_defined_twice"></a> [saml\_not\_defined\_twice](#module\_saml\_not\_defined\_twice) | rhythmictech/errorcheck/terraform | ~> 1.2 |
+| <a name="module_self_service_saml_not_defined_twice"></a> [self\_service\_saml\_not\_defined\_twice](#module\_self\_service\_saml\_not\_defined\_twice) | rhythmictech/errorcheck/terraform | ~> 1.2 |
 
 ## Resources
 
@@ -66,6 +67,7 @@ module "vpn" {
 | [aws_ec2_client_vpn_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint) | resource |
 | [aws_ec2_client_vpn_network_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_network_association) | resource |
 | [aws_ec2_client_vpn_route.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_route) | resource |
+| [aws_iam_saml_provider.self_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 | [aws_iam_saml_provider.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 | [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 
@@ -83,6 +85,8 @@ module "vpn" {
 | <a name="input_name"></a> [name](#input\_name) | Name to associate with various resources | `string` | n/a | yes |
 | <a name="input_saml_metadata_document"></a> [saml\_metadata\_document](#input\_saml\_metadata\_document) | Optional SAML metadata document. Must include this or `saml_provider_arn` | `string` | `null` | no |
 | <a name="input_saml_provider_arn"></a> [saml\_provider\_arn](#input\_saml\_provider\_arn) | Optional SAML provider ARN. Must include this or `saml_metadata_document` | `string` | `null` | no |
+| <a name="input_self_service_saml_metadata_document"></a> [self\_service\_saml\_metadata\_document](#input\_self\_service\_saml\_metadata\_document) | Optional SAML metadata document for the self-service portal. Must include this or `self_service_saml_provider_arn` to enable self-service; omit both to disable. | `string` | `null` | no |
+| <a name="input_self_service_saml_provider_arn"></a> [self\_service\_saml\_provider\_arn](#input\_self\_service\_saml\_provider\_arn) | Optional ARN of an existing IAM SAML provider for the self-service portal. Must include this or `self_service_saml_metadata_document` to enable self-service; omit both to disable. | `string` | `null` | no |
 | <a name="input_server_certificate_arn"></a> [server\_certificate\_arn](#input\_server\_certificate\_arn) | ARN of ACM certificate to use with Client VPN | `string` | n/a | yes |
 | <a name="input_split_tunnel_enabled"></a> [split\_tunnel\_enabled](#input\_split\_tunnel\_enabled) | Whether to enable split tunneling | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of strings containing tags for AWS resources | `map(string)` | `{}` | no |
@@ -93,6 +97,7 @@ module "vpn" {
 | Name | Description |
 |------|-------------|
 | <a name="output_vpn_dns_name"></a> [vpn\_dns\_name](#output\_vpn\_dns\_name) | DNS name to be used by clients when establishing VPN session |
+| <a name="output_self_service_saml_provider_arn"></a> [self\_service\_saml\_provider\_arn](#output\_self\_service\_saml\_provider\_arn) | ARN of the IAM SAML provider created for the self-service portal (null if not created by this module) |
 | <a name="output_vpn_endpoint_security_groups"></a> [vpn\_endpoint\_security\_groups](#output\_vpn\_endpoint\_security\_groups) | VPN endpoint security groups |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
diff --git a/main.tf b/main.tf
@@ -26,6 +26,13 @@ resource "aws_iam_saml_provider" "this" {
   saml_metadata_document = var.saml_metadata_document
 }
 
+resource "aws_iam_saml_provider" "self_service" {
+  count = var.self_service_saml_metadata_document != null ? 1 : 0
+
+  name                   = "${var.name}-self-service"
+  saml_metadata_document = var.self_service_saml_metadata_document
+}
+
 resource "aws_ec2_client_vpn_endpoint" "this" {
   description            = "Client VPN"
   client_cidr_block      = var.client_cidr_block
@@ -37,8 +44,9 @@ resource "aws_ec2_client_vpn_endpoint" "this" {
   tags                   = local.tags
 
   authentication_options {
-    type              = "federated-authentication"
-    saml_provider_arn = try(aws_iam_saml_provider.this[0].arn, var.saml_provider_arn)
+    type                           = "federated-authentication"
+    saml_provider_arn              = try(aws_iam_saml_provider.this[0].arn, var.saml_provider_arn)
+    self_service_saml_provider_arn = try(aws_iam_saml_provider.self_service[0].arn, var.self_service_saml_provider_arn, null)
   }
 
   connection_log_options {
diff --git a/outputs.tf b/outputs.tf
@@ -7,3 +7,8 @@ output "vpn_endpoint_security_groups" {
   description = "VPN endpoint security groups"
   value       = aws_ec2_client_vpn_endpoint.this.security_group_ids
 }
+
+output "self_service_saml_provider_arn" {
+  description = "ARN of the IAM SAML provider created for the self-service portal (null if not created by this module)"
+  value       = try(aws_iam_saml_provider.self_service[0].arn, null)
+}
diff --git a/variables.tf b/variables.tf
@@ -123,6 +123,39 @@ module "saml_not_defined_twice" {
   error_message = "Must not define both `saml_metadata_document` and `saml_provider_arn`."
 }
 
+variable "self_service_saml_metadata_document" {
+  default     = null
+  description = "Optional SAML metadata document for the self-service portal. Must include this or `self_service_saml_provider_arn` to enable self-service; omit both to disable."
+  type        = string
+}
+
+variable "self_service_saml_provider_arn" {
+  default     = null
+  description = "Optional ARN of an existing IAM SAML provider for the self-service portal. Must include this or `self_service_saml_metadata_document` to enable self-service; omit both to disable."
+  type        = string
+
+  validation {
+    error_message = "Invalid self-service SAML provider ARN."
+
+    condition = (
+      var.self_service_saml_provider_arn == null ||
+      try(length(regexall(
+        "^arn:aws:iam::(?P<account_id>\\d{12}):saml-provider/(?P<provider_name>[\\w+=,\\.@-]+)$",
+        var.self_service_saml_provider_arn
+        )) > 0,
+        false
+    ))
+  }
+}
+
+module "self_service_saml_not_defined_twice" {
+  source  = "rhythmictech/errorcheck/terraform"
+  version = "~> 1.2"
+
+  assert        = !(var.self_service_saml_metadata_document != null && var.self_service_saml_provider_arn != null)
+  error_message = "Must not define both `self_service_saml_metadata_document` and `self_service_saml_provider_arn`."
+}
+
 variable "server_certificate_arn" {
   description = "ARN of ACM certificate to use with Client VPN"
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -7,3 +7,8 @@ output "vpn_endpoint_security_groups" {`
`7`	`7`	`description = "VPN endpoint security groups"`
`8`	`8`	`value = aws_ec2_client_vpn_endpoint.this.security_group_ids`
`9`	`9`	`}`
	`10`	`+`
	`11`	`+output "self_service_saml_provider_arn" {`
	`12`	`+ description = "ARN of the IAM SAML provider created for the self-service portal (null if not created by this module)"`
	`13`	`+ value = try(aws_iam_saml_provider.self_service[0].arn, null)`
	`14`	`+}`