Creates a Client VPN endpoint in the specified VPC's subnets. It can be used to provide secure access to private resources in the VPC.
Client authentication and authorization are managed by AWS IAM Identity Center. Users must be added to the access group specified by the access_group_id variable in order to connect to the VPN.
The Client VPN endpoint must be associated with the subnet of each resource you are providing access to. Each association carries a fixed $0.10/hour charge, plus a $0.05/hour charge for each active client connection.
This module is based on the design of fivexl/terraform-aws-client-vpn-endpoint.
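The following is an added usage example (not part of this module or of the fivexl module it is based on) showing how a root configuration might call the module with the inputs documented below, and how to grant VPN users access to a resource by referencing the endpoint's security group output instead of opening the whole client CIDR on the target. The module path, the `aws_vpc.main`, `aws_subnet.private_a`, `aws_acm_certificate.vpn_server` and `aws_security_group.app` resources, the SAML metadata file names and the Identity Center group ID are all placeholders.

```hcl
# Added example caller configuration. Every resource referenced here other than
# the module itself is assumed to exist in the calling configuration.
module "client_vpn" {
  source = "./modules/client_vpn" # placeholder path to this module

  endpoint_name     = "dev-client-vpn"
  billing_tag_value = "dev-platform"

  # Network placement. The client address pool (endpoint_cidr_block) must not
  # overlap the VPC CIDR or any subnet the clients need to reach.
  vpc_id              = aws_vpc.main.id
  vpc_cidr_block      = aws_vpc.main.cidr_block
  subnet_ids          = [aws_subnet.private_a.id]         # one association = $0.10/hour
  subnet_cidr_blocks  = [aws_subnet.private_a.cidr_block] # what clients are authorized to reach
  endpoint_cidr_block = "172.16.0.0/22"

  # Authentication through IAM Identity Center (SAML). Only members of the
  # access group can connect. The metadata inputs are base64 encoded, so the
  # XML exported from Identity Center is read with filebase64().
  authentication_option                          = "federated-authentication"
  access_group_id                                = "PLACEHOLDER-IDENTITY-CENTER-GROUP-ID"
  client_vpn_saml_metadata_document              = filebase64("${path.root}/saml-metadata.xml")
  self_service_portal                            = "enabled"
  client_vpn_self_service_saml_metadata_document = filebase64("${path.root}/saml-self-service-metadata.xml")

  # Server certificate used to encrypt client connections (assumed resource).
  acm_certificate_arn = aws_acm_certificate.vpn_server.arn

  # Split tunnel keeps only VPC-bound traffic on the VPN; the session cap
  # bounds how long a forgotten connection can stay open.
  split_tunnel          = true
  session_timeout_hours = 8
  transport_protocol    = "udp"
}

# Allow VPN users to reach an application on port 443 by trusting the
# endpoint's security group (module output) rather than the client CIDR.
resource "aws_security_group_rule" "app_from_vpn" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.app.id # assumed target SG
  source_security_group_id = module.client_vpn.client_vpn_security_group_id
  description              = "HTTPS from Client VPN users"
}
```

Scoping the target's ingress rule to the endpoint's security group keeps the authorization in two layers: the module's authorization rules decide which subnets a connected user may route to, and the target's own security group decides which ports are reachable from the endpoint. Leaving subnet_ids empty, as the inputs table notes, avoids the per-association charge but also means no subnet is reachable until an association is added.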
No requirements.
Name | Version |
---|---|
aws | n/a |
tls | n/a |
No modules.
Name | Type |
---|---|
aws_acm_certificate.client_vpn | resource |
aws_cloudwatch_log_group.this | resource |
aws_ec2_client_vpn_authorization_rule.this_internal_dns | resource |
aws_ec2_client_vpn_authorization_rule.this_subnets | resource |
aws_ec2_client_vpn_authorization_rule.this_subnets_certificate | resource |
aws_ec2_client_vpn_endpoint.this | resource |
aws_ec2_client_vpn_network_association.this_subnets | resource |
aws_iam_saml_provider.client_vpn | resource |
aws_iam_saml_provider.client_vpn_self_service | resource |
aws_security_group.this | resource |
aws_security_group_rule.egress_all | resource |
tls_private_key.client_vpn | resource |
tls_self_signed_cert.client_vpn | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_group_id | (Required) IAM Identity Center access group ID that is authorized to access the private subnets. | string | n/a | yes |
acm_certificate_arn | (Required) The ARN of the ACM server certificate to use for VPN client connection encryption. | string | n/a | yes |
authentication_option | (Optional, default 'federated-authentication') The authentication option to use for the VPN endpoint. Valid values are 'federated-authentication' or 'certificate-authentication'. | string | "federated-authentication" | no |
banner_text | (Optional) The text to display on the banner page when a user connects to the Client VPN endpoint. | string | "This is a private network. Only authorized users may connect and should take care not to cause service disruptions." | no |
billing_tag_key | (Optional, default 'CostCentre') The name of the billing tag. | string | "CostCentre" | no |
billing_tag_value | (Required) The value of the billing tag. | string | n/a | yes |
client_vpn_saml_metadata_document | (Optional, default empty) The base64 encoded SAML metadata document for the Client VPN endpoint. | string | "" | no |
client_vpn_self_service_saml_metadata_document | (Optional, default empty) The base64 encoded SAML metadata document for the Client VPN's self-service endpoint. The self_service_portal variable must be set to 'enabled' for this to take effect. | string | "" | no |
common_name | (Optional, default 'cds-snc.ca') The common name to use for the VPN client certificate. | string | "cds-snc.ca" | no |
endpoint_cidr_block | (Optional, default '172.16.0.0/22') The CIDR block to use for the VPN endpoint. | string | "172.16.0.0/22" | no |
endpoint_name | (Required) The name of the VPN endpoint to create. It must only contain alphanumeric characters, hyphens and underscores. | string | n/a | yes |
organization | (Optional, default 'Canadian Digital Service') The organization to use for the VPN client certificate. | string | "Canadian Digital Service" | no |
public_dns_servers | (Optional, default ['8.8.8.8']) Public DNS servers to add to the VPN. | list(string) | ["8.8.8.8"] | no |
self_service_portal | (Optional, default 'disabled') Should a self-service portal be created for users to download the VPN client software? | string | "disabled" | no |
session_timeout_hours | (Optional, default 8) The maximum number of hours after which to automatically disconnect a session. Allowed values are 8, 10, 12, 24. | number | 8 | no |
split_tunnel | (Optional, default true) Whether to enable split tunneling for the VPN endpoint. | bool | true | no |
subnet_cidr_blocks | (Required) CIDR blocks of the subnets to associate with the VPN endpoint. | list(string) | n/a | yes |
subnet_ids | (Optional, default []) IDs of the subnets to associate with the VPN endpoint. If left blank, no subnets will be associated with the Client VPN endpoint, removing the $0.10/hour/association cost. | list(string) | [] | no |
transport_protocol | (Optional, default 'udp') Transport protocol to use for the VPN endpoint. Valid values are 'tcp' or 'udp'. | string | "udp" | no |
vpc_cidr_block | (Required) The CIDR block of the VPC to associate with the VPN endpoint. | string | n/a | yes |
vpc_id | (Required) ID of the VPC to associate with the VPN endpoint. | string | n/a | yes |
Name | Description |
---|---|
client_vpn_certificate_pem | Client VPN's certificate PEM |
client_vpn_cloudwatch_log_group_name | Client VPN's CloudWatch log group name |
client_vpn_endpoint_id | Client VPN's endpoint ID |
client_vpn_private_key_pem | Client VPN's private key PEM |
client_vpn_security_group_id | Client VPN's security group ID |