Skip to content

Latest commit

 

History

History
267 lines (219 loc) · 15 KB

README.md

File metadata and controls

267 lines (219 loc) · 15 KB
Raw

terraform-aws-client-vpn-endpoint

AWS Client VPN endpoint

Info

How to create Application for VPN in AWS Single Sign-On

  • Open AWS SSO service page. Select Applications from the sidebar
  • Choose Add a new application
  • Select Add a custom SAML 2.0 application
  • Fill Display name and Description
  • Set session duration (VPN session duration) - 12h
  • Select "If you don't have a metadata file, you can manually type your metadata values."
  • Application ACS URL: http://127.0.0.1:35001
  • Application SAML audience: urn:amazon:webservices:clientvpn
  • Save changes
  • Download AWS SSO SAML metadata file (file for vpn secret)
  • Select tab "Attribute mappings":
    • Subject -> ${user:subject} -> emailAddress
    • NameID -> ${user:email} -> basic
    • memberOf -> ${user:groups} -> unspecified
  • Select tab "Assigned users"
  • Assign users or groups created on previous step

Example

# Get metadata.xml file from AWS SSO/Applications
# Encode file with base64 `base64 -w 0` (linux only) or `openssl base64 -A`
# Create secret `saml_metadata` with key `saml_metadata_xml` and value base64

data "aws_secretsmanager_secret" "saml" {
  name = "saml_metadata"
}

data "aws_secretsmanager_secret_version" "saml" {
  secret_id     = data.aws_secretsmanager_secret.saml.id
  version_stage = "AWSCURRENT"
}

resource "aws_iam_saml_provider" "vpn" {
  name                   = var.vpn_saml_provider_name # could be anything that satisfy regular expression pattern: [\w._-]+ 
  saml_metadata_document = base64decode(jsondecode(data.aws_secretsmanager_secret_version.saml.secret_string)["saml_metadata_xml"]) # saml_metadata_xml
  tags                   = var.tags
}

module "vpn" {
  source                     = "fivexl/client-vpn-endpoint/aws"
  endpoint_name              = "myvpn"
  endpoint_client_cidr_block = "10.100.0.0/16"
  endpoint_subnets           = [module.vpc.intra_subnets[0]] # Attach VPN to single subnet. Reduce cost
  endpoint_vpc_id            = module.vpc.vpc_id
  tls_subject_common_name    = "int.example.com"
  saml_provider_arn          = aws_iam_saml_provider.vpn.arn

  authorization_rules = {}

  additional_routes = {
    "${module.vpc.intra_subnets[0]}" = "172.16.0.0/24"
  }

  authorization_rules_all_groups = {
    full_access_private_subnet_0 = module.vpc.private_subnets_cidr_blocks[0]
  }

  tags = var.tags
}

Example without split tunnel (classic VPN)

# Get metadata.xml file from AWS SSO/Applications
# Encode file with base64 `base64 -w 0` (linux only) or `openssl base64 -A`
# Create secret `saml_metadata` with key `saml_metadata_xml` and value base64

data "aws_secretsmanager_secret" "saml" {
  name = "saml_metadata"
}

data "aws_secretsmanager_secret_version" "saml" {
  secret_id     = data.aws_secretsmanager_secret.saml.id
  version_stage = "AWSCURRENT"
}

resource "aws_iam_saml_provider" "vpn" {
  name                   = var.vpn_saml_provider_name # could be anything that satisfy regular expression pattern: [\w._-]+ 
  saml_metadata_document = base64decode(jsondecode(data.aws_secretsmanager_secret_version.saml.secret_string)["saml_metadata_xml"]) # saml_metadata_xml
  tags                   = var.tags
}

module "vpn" {
  source                     = "fivexl/client-vpn-endpoint/aws"
  endpoint_name              = "myvpn"
  endpoint_client_cidr_block = "10.100.0.0/16"
  endpoint_subnets           = [module.vpc.private_subnets[0]] # Attach VPN to single subnet. Reduce cost
  endpoint_vpc_id            = module.vpc.vpc_id
  tls_subject_common_name    = "int.example.com"
  saml_provider_arn          = aws_iam_saml_provider.vpn.arn

  authorization_rules = {}

  additional_routes = {
    "${module.vpc.private_subnets[0]}" = "0.0.0.0/0"
  }

  authorization_rules_all_groups = {
    worldwide = "0.0.0.0/0"
  }
  
  enable_split_tunnel = false

  tags = var.tags
}

Example with VPC module

variable "vpn_access_public" {
  description = "List of SSO Group IDs for accessing public subnets"
  type        = list(string)
  default     = []
}

variable "vpn_access_private" {
  description = "List of SSO Group IDs for accessing private subnets"
  type        = list(string)
  default     = []
}

variable "vpn_access_intra" {
  description = "List of SSO Group IDs for accessing intra subnets"
  type        = list(string)
  default     = []
}

variable "vpn_access_db" {
  description = "List of SSO Group IDs for accessing db subnets"
  type        = list(string)
  default     = []
}

variable "vpn_access_elasticache" {
  description = "List of SSO Group IDs for accessing elasticache subnets"
  type        = list(string)
  default     = []
}

variable "vpn_access_all" {
  description = "List of SSO Group IDs for accessing all subnets"
  type        = list(string)
  default     = []
}

# https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/limits.html
# Authorization rules per Client VPN endpoint defaul quota is 50
# https://console.aws.amazon.com/servicequotas/home/services/ec2/quotas/L-9A1BC94B
locals {
  vpn_authorization_rules_public      = { for item in setproduct(module.vpc.public_subnets_cidr_blocks, var.vpn_access_public) : "public_${item[0]}_${item[1]}" => "${item[0]},${item[1]}" }
  vpn_authorization_rules_private     = { for item in setproduct(module.vpc.private_subnets_cidr_blocks, var.vpn_access_private) : "private_${item[0]}_${item[1]}" => "${item[0]},${item[1]}" }
  vpn_authorization_rules_intra       = { for item in setproduct(module.vpc.intra_subnets_cidr_blocks, var.vpn_access_intra) : "intra_${item[0]}_${item[1]}" => "${item[0]},${item[1]}" }
  vpn_authorization_rules_db          = { for item in setproduct(module.vpc.database_subnets_cidr_blocks, var.vpn_access_db) : "db_${item[0]}_${item[1]}" => "${item[0]},${item[1]}" }
  vpn_authorization_rules_elasticache = { for item in setproduct(module.vpc.elasticache_subnets_cidr_blocks, var.vpn_access_elasticache) : "elasticache_${item[0]}_${item[1]}" => "${item[0]},${item[1]}" }
  vpn_authorization_rules_all         = { for item in setproduct([module.vpc.vpc_cidr_block], var.vpn_access_all) : "all_${item[0]}_${item[1]}" => "${item[0]},${item[1]}" }
  vpn_authorization_rules = merge(
    local.vpn_authorization_rules_public,
    local.vpn_authorization_rules_private,
    local.vpn_authorization_rules_intra,
    local.vpn_authorization_rules_db,
    local.vpn_authorization_rules_elasticache,
    local.vpn_authorization_rules_all
  )
}

module "vpn" {
  source                     = "fivexl/client-vpn-endpoint/aws"
  endpoint_name              = "myvpn"
  endpoint_client_cidr_block = "10.100.0.0/16"
  endpoint_subnets           = [module.vpc.intra_subnets[0]] # Attach VPN to single subnet. Reduce cost
  endpoint_vpc_id            = module.vpc.vpc_id
  tls_subject_common_name    = "int.example.com"
  saml_provider_arn          = data.aws_ssm_parameter.iam_vpn_saml_provider_arn.value

  authorization_rules = local.vpn_authorization_rules

  authorization_rules_all_groups = {}

  tags = var.tags
}

Requirements

Name Version
terraform >= 0.15
aws >= 4.0
tls >= 3.2.0

Providers

Name Version
aws >= 4.0
tls >= 3.2.0

Modules

No modules.

Resources

Name Type
aws_acm_certificate.this resource
aws_cloudwatch_log_group.this resource
aws_cloudwatch_log_stream.this resource
aws_ec2_client_vpn_authorization_rule.this resource
aws_ec2_client_vpn_authorization_rule.this_all_groups resource
aws_ec2_client_vpn_authorization_rule.this_sso_to_dns resource
aws_ec2_client_vpn_endpoint.this_sso resource
aws_ec2_client_vpn_network_association.this_sso resource
aws_ec2_client_vpn_route.this_sso resource
aws_security_group.this resource
tls_private_key.this resource
tls_self_signed_cert.this resource
aws_vpc.this data source

Inputs

Name Description Type Default Required
additional_routes A list of maps where each map contains a subnet ID of endpoint subnet for network association and a list of cidrs to where traffic should be routed from that subnet. Useful in cases if you need to route beyond the VPC subnet, for instance peered VPC list(map(string)) {} no
authorization_rules Map containing authorization rule configuration. rule_name = "target_network_cidr, access_group_id" . map(string) {} no
authorization_rules_all_groups Map containing authorization rule configuration with authorize_all_groups=true. rule_name = "target_network_cidr" . map(string) {} no
certificate_arn The ARN of ACM certigicate to use for the VPN server config. string null no
cloudwatch_log_group_name_prefix Specifies the name prefix of CloudWatch Log Group for VPC flow logs. string "/aws/client-vpn-endpoint/" no
cloudwatch_log_group_retention_in_days Specifies the number of days you want to retain log events in the specified log group for VPN connection logs. number 30 no
create_endpoint Create Client VPN Endpoint bool true no
dns_servers DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the connecting device is used. Conflict with use_vpc_internal_dns list(string) [] no
enable_split_tunnel Indicates whether split-tunnel is enabled on VPN endpoint bool true no
endpoint_client_cidr_block The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. The address range cannot be changed after the Client VPN endpoint has been created. The CIDR block should be /22 or greater. string "10.100.100.0/24" no
endpoint_name Name to be used on the Client VPN Endpoint string n/a yes
endpoint_subnets List of IDs of endpoint subnets for network association list(string) n/a yes
endpoint_vpc_id VPC where the VPN will be connected. string n/a yes
saml_provider_arn The ARN of the IAM SAML identity provider. string n/a yes
tags A map of tags to add to all resources map(string) {} no
tls_subject_common_name The common_name for subject for which a certificate is being requested. RFC5280. Not used if certificate_arn provided. string "vpn.example.com" no
tls_validity_period_hours Specifies the number of hours after initial issuing that the certificate will become invalid. Not used if certificate_arn provided. number 47400 no
transport_protocol The transport protocol to be used by the VPN session. string "udp" no
use_vpc_internal_dns Use VPC Internal DNS as is DNS servers bool true no

Outputs

Name Description
ec2_client_vpn_endpoint_arn The ARN of the Client VPN endpoint
ec2_client_vpn_endpoint_id The ID of the Client VPN endpoint
ec2_client_vpn_network_associations Network associations for AWS Client VPN endpoint
security_group_description Security group description
security_group_id A map of tags to add to all resources
security_group_name Name of the security group
security_group_vpc_id VPC ID