terraform-aws-client-vpn

Terraform module for provisioning an AWS Client VPN

Usage

module "client_vpn" {
  source  = "anishkumarait/client-vpn/aws"
  version = "x.x.x"
}

Examples

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.0 |
| aws | >= 6.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_cloudwatch_log_stream.this | resource |
| aws_ec2_client_vpn_authorization_rule.this | resource |
| aws_ec2_client_vpn_endpoint.this | resource |
| aws_ec2_client_vpn_network_association.this | resource |
| aws_ec2_client_vpn_route.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| authentication_options | List of authentication options for the Client VPN endpoint. | `list(object({ type = string, active_directory_id = optional(string), root_certificate_chain_arn = optional(string), saml_provider_arn = optional(string), self_service_saml_provider_arn = optional(string) }))` | n/a | yes |
| authorization_rules | List of authorization rules to apply to the Client VPN. | `list(object({ cidr = string, description = optional(string), access_group_id = optional(string), authorize_all_groups = optional(bool) }))` | `[]` | no |
| client_cidr_block | The IPv4 address range in CIDR notation to assign client IP addresses. Required unless `traffic_ip_address_type` is `ipv6`. | `string` | `null` | no |
| client_connect_options | Client connect options for managing connection authorization for new client connections. | `object({ enabled = bool, lambda_function_arn = optional(string) })` | `{ "enabled": false, "lambda_function_arn": null }` | no |
| client_login_banner_options | Client login banner options. | `object({ enabled = bool, banner_text = optional(string) })` | `{ "banner_text": null, "enabled": false }` | no |
| client_route_enforcement_options | Options to enforce administrator-defined routes on connected clients. | `object({ enforced = bool })` | `{ "enforced": false }` | no |
| connection_log_options | Configuration block for connection logging. | `object({ enabled = bool, cloudwatch_log_group = optional(string), cloudwatch_log_stream = optional(string) })` | `{ "enabled": true }` | no |
| description | Description for the Client VPN endpoint. | `string` | `null` | no |
| disconnect_on_session_timeout | Whether to disconnect the client VPN session after the maximum `session_timeout_hours` is reached. | `bool` | `false` | no |
| dns_servers | Custom DNS servers to use. Can specify up to two. | `list(string)` | `[]` | no |
| endpoint_ip_address_type | IP address type for the Client VPN endpoint. Valid values: `ipv4`, `ipv6`, `dual-stack`. | `string` | `"ipv4"` | no |
| kms_key_id | KMS key ARN to encrypt the logs. | `string` | `null` | no |
| log_group_class | Log class of the log group. | `string` | `"STANDARD"` | no |
| log_group_name | Name of the CloudWatch log group. | `string` | `null` | no |
| log_stream_name | Name of the CloudWatch log stream. | `string` | `null` | no |
| name | Name tag for the Client VPN endpoint. | `string` | `null` | no |
| name_prefix | Prefix name for the CloudWatch log group. | `string` | `null` | no |
| region | AWS region where this resource will be created. | `string` | `null` | no |
| retention_in_days | Number of days to retain log events in the log group. | `number` | `0` | no |
| route_definitions | List of CIDRs to create VPN routes for. | `list(object({ cidr = string, description = optional(string) }))` | `[]` | no |
| security_group_ids | List of security group IDs to associate with the Client VPN endpoint. | `list(string)` | `[]` | no |
| self_service_portal | Enable or disable the self-service portal. Valid values: `enabled`, `disabled`. | `string` | `"disabled"` | no |
| server_certificate_arn | The ARN of the ACM server certificate for the Client VPN endpoint. | `string` | n/a | yes |
| session_timeout_hours | Maximum session duration in hours. Valid values: `8`, `10`, `12`, `24`. | `number` | `24` | no |
| skip_destroy | Whether to destroy the log group when resource is destroyed. | `bool` | `false` | no |
| split_tunnel | Whether split-tunnel is enabled. | `bool` | `false` | no |
| subnet_ids | List of subnet IDs to associate with the Client VPN endpoint for high availability. | `list(string)` | n/a | yes |
| tags | Map of tags to assign to the Client VPN endpoint. | `map(string)` | `{}` | no |
| traffic_ip_address_type | IP address type for traffic within the Client VPN tunnel. Valid values: `ipv4`, `ipv6`, `dual-stack`. | `string` | `"ipv4"` | no |
| transport_protocol | Transport protocol for the VPN session. Valid values: `udp`, `tcp`. | `string` | `"udp"` | no |
| vpc_id | The ID of the VPC to associate with the Client VPN endpoint. | `string` | `null` | no |
| vpn_port | Port number for the Client VPN endpoint. Valid values: `443`, `1194`. | `number` | `443` | no |
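
The following is an added example, not part of this module's README, showing how the inputs above combine into a locked-down endpoint: mutual TLS client authentication, an authorization rule scoped to the VPC's private range instead of 0.0.0.0/0, split tunnelling with enforced routes, a short session with forced disconnect, and KMS-encrypted connection logs retained for a year. Every ID, ARN, CIDR, name and the module version are placeholders/assumptions; substitute your own values and pin `version` to a real release.

```hcl
# Added example (not from the module's README). All resource IDs, ARNs,
# CIDRs and names below are placeholders, not values from the page.
module "client_vpn" {
  source  = "anishkumarait/client-vpn/aws"
  version = "x.x.x" # pin to a released version of the module

  name                   = "corp-client-vpn"
  description            = "Client VPN for engineering access"
  vpc_id                 = "vpc-PLACEHOLDER"
  subnet_ids             = ["subnet-PLACEHOLDER-AZ1", "subnet-PLACEHOLDER-AZ2"] # two AZs for HA
  security_group_ids     = ["sg-PLACEHOLDER"]                                   # restrict what clients may reach
  server_certificate_arn = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER_SERVER"

  # Client address pool; must not overlap the VPC CIDR or any routed on-prem range.
  client_cidr_block = "10.255.0.0/22"

  # Mutual TLS: a client must present a certificate chained to this root CA.
  authentication_options = [
    {
      type                       = "certificate-authentication"
      root_certificate_chain_arn = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER_ROOT_CA"
    }
  ]

  # Authorize only the VPC's private range. A 0.0.0.0/0 rule with
  # authorize_all_groups = true would turn the endpoint into a full egress proxy.
  authorization_rules = [
    {
      cidr                 = "10.0.0.0/16"
      description          = "VPC private subnets"
      authorize_all_groups = true
    }
  ]

  # Split tunnel: only routes pushed by the endpoint traverse the VPN, and
  # clients may not override them locally.
  split_tunnel                     = true
  client_route_enforcement_options = { enforced = true }

  # Connection logging: KMS-encrypted CloudWatch log group kept for a year
  # so connect/disconnect events are available for investigations.
  connection_log_options = { enabled = true }
  log_group_name         = "/aws/clientvpn/corp-client-vpn"
  retention_in_days      = 365
  kms_key_id             = "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"

  # Shortest allowed session, and drop the tunnel when it expires.
  session_timeout_hours         = 8
  disconnect_on_session_timeout = true

  client_login_banner_options = {
    enabled     = true
    banner_text = "Authorized users only. Sessions are logged."
  }

  transport_protocol = "udp"
  vpn_port           = 443

  tags = {
    Environment = "prod"
    Owner       = "platform-security"
  }
}

# Hand the endpoint DNS name to whoever distributes client configuration profiles.
output "client_vpn_dns_name" {
  value = module.client_vpn.client_vpn_endpoint_dns_name
}
```

When reviewing a plan for this module, the two inputs worth a second look are `authorization_rules` (any `0.0.0.0/0` entry grants every authenticated client unrestricted reach) and `connection_log_options` (disabling it removes the only record of who connected and when).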

Outputs

| Name | Description |
|------|-------------|
| client_vpn_endpoint_arn | The ARN of the Client VPN endpoint. |
| client_vpn_endpoint_dns_name | The DNS name to be used by clients when establishing their VPN session. |
| client_vpn_endpoint_id | The ID of the Client VPN endpoint. |
| client_vpn_network_association_association_ids | A map of `subnet_id` to the association ID of the target network association. |
| client_vpn_network_association_ids | A map of `subnet_id` to the unique ID of the target network association. |
| client_vpn_network_association_vpc_ids | A map of `subnet_id` to the VPC ID in which the target subnet is located. |
| client_vpn_route_ids | A map of route key to the ID of the Client VPN route. |
| client_vpn_route_origins | A map of route key to the origin type of the Client VPN route. Typically `add-route` for manually added routes. |
| client_vpn_route_types | A map of route key to the route type of the Client VPN route. |
| client_vpn_self_service_portal_url | The URL of the self-service portal for the Client VPN endpoint. |

License

See the LICENSE file for full details.

Maintainers

Pre-commit hooks

Install dependencies

macOS

brew install pre-commit terraform-docs tflint

brew tap git-chglog/git-chglog
brew install git-chglog