Client VPN Endpoint - Add Federated Authentication

[connor-tyndall]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This request asks for the ability to add federated authentication (authN) as an authentication option for a Client VPN (CVPN) endpoint.

Based on the release by AWS today (5/19/20), federated authN is now supported by AWS CVPN. Until now, CVPN only supported AD and Mutual authN.

New or Affected Resource(s)

• aws_ec2_client_vpn_endpoint:

    - authentication_options
  

Potential Terraform Configuration

resource "aws_ec2_client_vpn_endpoint" "example" {
  description            = "terraform-clientvpn-example"
  server_certificate_arn = "${aws_acm_certificate.cert.arn}"
  client_cidr_block      = "10.0.0.0/16"

  authentication_options {
    type                       = "federated-authentication"
    saml_provider_arn          = "${aws_iam_saml_provider.okta.arn}"
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = "${aws_cloudwatch_log_group.lg.name}"
    cloudwatch_log_stream = "${aws_cloudwatch_log_stream.ls.name}"
  }
}

References

• https://aws.amazon.com/about-aws/whats-new/2020/05/aws-client-vpn-supports-federated-authentication-via-saml-2/

• https://aws.amazon.com/blogs/networking-and-content-delivery/authenticate-aws-client-vpn-users-with-saml/

[ewbankkit]

Requires AWS SDK v1.31.1:

• Update module aws/aws-sdk-go to v1.31.2 #13399

[muhammaddadu]

I'm getting the issue

An argument named "saml_provider_arn" is not expected here.

[lanejlanej]

Hi,
Do you have any idea of when this enhancement is likely to make it to a release? Adding clientvpn with federated auth is a requirement for a project I am working on.

[steverukuts]

@lanejlanej It seems to be in CloudFormation, specifically the AWS::EC2::ClientVpnEndpoint ClientAuthenticationRequest
structure, so you could possibly use an aws_cloudformation_stack to create the resource.

If that works then when this is implemented you can import the resources into your state without affecting anything.

Note I've never done the above but I hope that's helpful to get you started on a workaround.

[lanejlanej]

Hi Steve,
Thanks for the quick response. That sounds like a good workaround, and I'll give it a go.

[divyaraghavann]

Hi any idea on the ETA for this? Need it for a project I'm working on right now.

[jgeurts]

Terraform has unfortunately been MIA regarding the pull requests... I addressed comments for the original PR over 3 weeks ago and not a peep from terraform.

[divyaraghavann]

Terraform has unfortunately been MIA regarding the pull requests... I addressed comments for the original PR over 3 weeks ago and not a peep from terraform.

That's a bummer. I assumed Terraform was super responsive wrt adding support for new functionality. :(

[jgeurts]

@maryelizbeth @bflad @gdavison @anGie44 @breathingdust @ksatirli can someone please tell me what needs to be done to get #14171 merged? That PR appears to address the concerns of related to this issue. That PR has been open for over a month without seemingly even a glance from any maintainers of this project... I would love to hear something, anything from Hashicorp for how to get attention to community provided PRs.

[bflad]

Hi @jgeurts 👋 Information about our review process can be found in the FAQ. While the pull request is lacking the 👍 reactions to bubble to the top of that priority list, this issue does, so I have added this to our community priorities and it will likely get attention in the next two weeks or so.

[jgeurts]

That's great, thank you!

[connor-tyndall]

In the meantime, I've been able to use local values to define the aws_cloudformation_stack template_body. If need be, you can pass in multiple resource definitions into local.stack and use the merge function to create a single CloudFormation stack.

################
# Locals
################
locals {
 stack = {
    Resources = merge(local.endpoint)
    Outputs = {
      "clientVpnId" = {
        Description = "Client VPN ID",
        Value = {
          Ref = "endpoint${replace(var.vpc_id, "-", "")}"
        }
      }
    }
  }

  endpoint = {
    "endpoint${replace(var.vpc_id, "-", "")}" = {
      Type = "AWS::EC2::ClientVpnEndpoint"
      Properties = {
        AuthenticationOptions = [
          {
            Type = "federated-authentication"
            FederatedAuthentication = {
              SAMLProviderArn = var.saml_provider_arn
            }
          }
        ]
        ClientCidrBlock = var.clientCidr
        ConnectionLogOptions = {
          Enabled            = var.endpoint_logging
          CloudwatchLogGroup = aws_cloudwatch_log_group.client_vpn.name
        }
        Description          = "Client VPN Endpoint via Federated AuthN"
        ServerCertificateArn = aws_acm_certificate.server.arn
        TransportProtocol    = var.transport_protocol
        SplitTunnel          = var.split_tunnel
        SecurityGroupIds = [
          aws_security_group.cvpn_sg.id
        ]
        VpcId = var.vpc_id
      }
    }
  }

################
# CloudFormation
################
resource "aws_cloudformation_stack" "client_vpn" {
  name          = "client-vpn"
  template_body = jsonencode(local.stack)
}
     

[nikolay]

It's kind of funny that we need to use CloudFormation for this - it used to be when Terraform implemented features first, now it's CloudFormation and Terraforms lags behind and features are sorted out by 👍s.

[musha68k]

As per @bflad's comment above could everyone in here please upvote @jgeurts's MR #14171 so we really make sure it bubbles up in the priority merge list? Thank you.

[bflad]

Support for this functionality has been merged and will release with version 3.5.0 of the Terraform AWS Provider, likely on Thursday. Thanks to @jrayhawk and @jgeurts for the implementation. 👍

[ghost]

This has been released in version 3.5.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!