terraform-aws-client-vpn-federated

Creates an AWS Client VPN with federated client authentication

Example

Here's what using the module looks like:

module "vpn" {
  source = "rhythmictech/client-vpn-federated/aws"

  name                   = "vpn"
  additional_routes      = var.additional_routes
  associated_subnets     = var.associated_subnets
  client_cidr_block      = var.vpn_client_cidr_block                 # /22 or larger, must not overlap the VPC
  saml_metadata_document = file("${path.module}/saml-metadata.xml") # or pass saml_provider_arn instead
  server_certificate_arn = data.aws_acm_certificate.com_cert.arn
  tags                   = local.tags
  vpc_id                 = var.vpc_id

  # One rule that lets every authenticated user reach the whole VPC CIDR.
  # To scope access per IdP group, set access_group_id and authorize_all_groups = false.
  authorization_rules = [{
    name                 = "allow-all"
    access_group_id      = null
    authorize_all_groups = true
    description          = "Allow All Groups"
    target_network_cidr  = var.cidr_block
  }]
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| aws | ~> 5.27 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.27 |

Modules

| Name | Source | Version |
|------|--------|---------|
| saml_is_defined | rhythmictech/errorcheck/terraform | ~> 1.2 |
| saml_not_defined_twice | rhythmictech/errorcheck/terraform | ~> 1.2 |

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.vpn | resource |
| aws_cloudwatch_log_stream.vpn | resource |
| aws_ec2_client_vpn_authorization_rule.rules | resource |
| aws_ec2_client_vpn_endpoint.this | resource |
| aws_ec2_client_vpn_network_association.this | resource |
| aws_ec2_client_vpn_route.additional | resource |
| aws_iam_saml_provider.this | resource |
| aws_security_group.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_routes | A list of additional routes that should be attached to the Client VPN endpoint | list(object({ destination_cidr_block = string, description = string, target_vpc_subnet_id = string })) | [] | no |
| additional_security_groups | List of security groups to attach to the Client VPN network associations | list(string) | [] | no |
| associated_subnets | List of subnets to associate with the VPN endpoint | list(string) | n/a | yes |
| authorization_rules | List of objects describing the authorization rules for the Client VPN | list(object({ access_group_id = string, authorize_all_groups = bool, description = string, target_network_cidr = string })) | n/a | yes |
| client_cidr_block | IPv4 CIDR block for client addresses; must be /22 or larger | string | n/a | yes |
| cloudwatch_log_retention_days | How long to keep VPN logs. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire. | number | 30 | no |
| dns_servers | Up to two DNS servers | list(string) | [] | no |
| name | Name to associate with various resources | string | n/a | yes |
| saml_metadata_document | Optional SAML metadata document. Exactly one of this or saml_provider_arn must be set | string | null | no |
| saml_provider_arn | Optional SAML provider ARN. Exactly one of this or saml_metadata_document must be set | string | null | no |
| server_certificate_arn | ARN of the ACM certificate to use with Client VPN | string | n/a | yes |
| split_tunnel_enabled | Whether to enable split tunneling | bool | true | no |
| tags | Map of strings containing tags for AWS resources | map(string) | {} | no |
| vpc_id | ID of the VPC to attach the VPN to | string | n/a | yes |
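The configuration below is an added example that is not part of this README or the module's own code. It builds on the Example section and the Inputs table above: it uses an existing SAML provider via saml_provider_arn instead of embedding metadata, replaces the single authorize_all_groups rule with rules scoped to IdP groups and narrower CIDRs, sets a longer log retention, and exposes both module outputs. Every ID, CIDR, domain name and group identifier is a placeholder; the input and output names are the module's own.

```hcl
# Added example (not the module's own README code). All IDs, CIDRs, domains and
# group identifiers below are placeholders; input/output names match the module.

# Certificate for the endpoint, looked up in ACM by domain (placeholder domain).
data "aws_acm_certificate" "vpn" {
  domain      = "vpn.example.com"
  statuses    = ["ISSUED"]
  most_recent = true
}

# Reuse a SAML provider created elsewhere. Exactly one of saml_provider_arn or
# saml_metadata_document may be set; the errorcheck submodules fail the plan
# when neither or both are given.
variable "saml_provider_arn" {
  type = string
}

module "vpn" {
  source = "rhythmictech/client-vpn-federated/aws"

  name                   = "corp-vpn"
  vpc_id                 = "vpc-0123456789abcdef0"                                   # placeholder
  associated_subnets     = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"] # placeholders
  client_cidr_block      = "10.200.0.0/22"                                            # /22 or larger, disjoint from the VPC
  server_certificate_arn = data.aws_acm_certificate.vpn.arn
  saml_provider_arn      = var.saml_provider_arn

  # With split tunnel on, only the routes the endpoint advertises traverse the
  # VPN; set it to false when all client traffic must egress through the VPC.
  split_tunnel_enabled = true
  dns_servers          = ["10.0.0.2"] # placeholder: the VPC resolver

  # Keep connection logs long enough to support an investigation (value must be
  # one of the retention periods listed in the Inputs table; 0 keeps them forever).
  cloudwatch_log_retention_days = 90

  # Rules scoped to IdP groups instead of authorize_all_groups = true.
  # access_group_id is the group identifier the IdP asserts in the SAML response.
  authorization_rules = [
    {
      name                 = "engineering-app-subnets"
      access_group_id      = "engineering" # placeholder group identifier
      authorize_all_groups = false
      description          = "Engineering may reach the application subnets"
      target_network_cidr  = "10.0.16.0/20"
    },
    {
      name                 = "dba-database-subnet"
      access_group_id      = "dba" # placeholder group identifier
      authorize_all_groups = false
      description          = "DBAs may reach the database subnet only"
      target_network_cidr  = "10.0.48.0/24"
    },
  ]

  # Prefixes outside the VPC (e.g. a peered VPC) need an explicit route, one per
  # associated subnet that should carry it.
  additional_routes = [
    {
      destination_cidr_block = "10.10.0.0/16"
      description            = "Peered shared-services VPC"
      target_vpc_subnet_id   = "subnet-0a1b2c3d4e5f60001" # placeholder
    },
  ]

  tags = {
    Environment = "prod"
    Owner       = "security"
  }
}

# The DNS name clients connect to, and the endpoint's security groups so other
# resources can reference them in their own ingress rules.
output "vpn_dns_name" {
  value = module.vpn.vpn_dns_name
}

output "vpn_endpoint_security_groups" {
  value = module.vpn.vpn_endpoint_security_groups
}
```

Each authorization rule also needs a matching route (the associated subnets' VPC CIDR is routed automatically; anything else goes through additional_routes), so a rule for a CIDR with no route silently grants nothing. Review the rules and retention setting together when onboarding a new group: the log group created by the module is where connection attempts for each group land.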

Outputs

| Name | Description |
|------|-------------|
| vpn_dns_name | DNS name to be used by clients when establishing a VPN session |
| vpn_endpoint_security_groups | VPN endpoint security groups |

The Giants Underneath this Module