This Terraform module creates all necessary AWS services, certificates, keys and *.ovpn configuration files.
With this module you avoid having to generate the CA, server and client keys and certificates by hand; everything is automated. After all required keys and certificates are generated, they are stored in AWS ACM and the AWS SSM Parameter Store.
The *.ovpn configuration files for VPN users are also created and stored in an S3 bucket ({project-name}-{environment}-vpn-config-files). These *.ovpn files are ready to use without any customization (the client certificate and key are already embedded): download one of the generated *.ovpn files, import it into a VPN client and connect to the target VPC network.
This Terraform module supports AWS Client VPN with mutual (certificate-based) authentication only.
Recommended VPN clients:
To add a new user config, add a new value to the input variable aws-vpn-client-list (example: aws-vpn-client-list = ["root", "user-1", "user2", "new-user"]).
To remove an existing user config, remove its value from the input variable aws-vpn-client-list (example: aws-vpn-client-list = ["root", "user-1"]). NOTE: Do not delete the "root" user!
```hcl
module "vpn-client" {
  source  = "babicamir/vpn-client/aws"
  version = "{version}"

  organization_name = "OrganizationName"
  project-name      = "MyProject"
  environment       = "default"

  # Network information
  vpc_id            = "{VPC id}"
  subnet_id         = "{subnet id}"  # a private subnet is recommended
  client_cidr_block = "172.0.0.0/22" # It must be different from the primary VPC CIDR

  # VPN config options (bool and number inputs are given unquoted, matching the declared types)
  split_tunnel           = true # or false
  vpn_inactive_period    = 300  # seconds
  session_timeout_hours  = 8
  logs_retention_in_days = 7

  # List of users to be created; one client certificate and *.ovpn file per entry
  aws-vpn-client-list = ["root", "user-1", "user2"] # Do not delete the "root" user!
}
```
To generate an additional *.ovpn configuration for a new user, add a new value to the aws-vpn-client-list input variable (example: aws-vpn-client-list = ["root", "user-1", "new-user"]).
Make sure to keep the root user, as it is used to create the aws_ec2_client_vpn_endpoint resource.
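As an added example (not part of the module or its README), a shell helper that downloads one of the generated profiles from the module's config bucket and checks that it embeds everything mutual authentication needs before it is imported into a VPN client; it assumes the aws CLI is configured for the target account and that the object key is `<user>.ovpn`, which the README does not document:

```shell
#!/usr/bin/env bash
# Added example, not part of the babicamir/vpn-client/aws module.
# Assumptions: the aws CLI is configured for the target account, and the object key
# inside the "{project-name}-{environment}-vpn-config-files" bucket is "<user>.ovpn".
set -eu

# Download the profile for one user from the module's config bucket and lock its
# permissions down immediately: the file embeds that user's private key.
fetch_ovpn() {
  local project="$1" environment="$2" user="$3" dest="$4"
  aws s3 cp "s3://${project}-${environment}-vpn-config-files/${user}.ovpn" "$dest"
  chmod 600 "$dest"
}

# Check that a profile is a complete mutual-auth profile: an endpoint to connect to
# plus inline CA, client certificate and client key blocks. Returns non-zero and lists
# what is missing on stderr; also refuses profiles readable by other local users.
check_ovpn() {
  local file="$1" ok=0 needle mode
  for needle in '^client$' '^remote ' '<ca>' '<cert>' '<key>'; do
    if ! grep -q -e "$needle" "$file"; then
      echo "missing: $needle" >&2
      ok=1
    fi
  done
  # Without this line the client does not require the server certificate's
  # "TLS Web Server Authentication" EKU; AWS-generated profiles normally include it.
  if ! grep -q '^remote-cert-tls server' "$file"; then
    echo "warning: no 'remote-cert-tls server' line in $file" >&2
  fi
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  if [ "$mode" != "600" ]; then
    echo "permissions are $mode, expected 600 (file contains a private key)" >&2
    ok=1
  fi
  return "$ok"
}

# Usage: fetch_ovpn MyProject default user-1 ./user-1.ovpn && check_ovpn ./user-1.ovpn
```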
Requirements:

Name | Version |
---|---|
terraform | >= 1.8.2 |
aws | >= 5.46.0 |

Providers:

Name | Version |
---|---|
aws | >= 5.46.0 |
tls | >= 4.0.5 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
organization_name | Organization name | string | [] | yes |
project-name | Project name | string | [] | yes |
environment | Environment name | string | [] | yes |
tags | Custom, user-defined tags | map | [] | no |
aws-vpn-client-list | List of VPN client (user) names | set(string) | [] | yes |
vpc_id | VPC ID | string | [] | yes |
subnet_id | Subnet for the Client VPN network association. A private subnet is recommended. | string | [] | yes |
client_cidr_block | AWS VPN client CIDR block. It must be different from the primary VPC CIDR | string | [] | yes |
split_tunnel | Split tunnel traffic (true or false) | bool | [] | yes |
vpn_inactive_period | VPN inactive period in seconds | number | [] | yes |
session_timeout_hours | Session timeout in hours | number | [] | yes |
logs_retention_in_days | Log retention period in days | number | [] | yes |
Outputs:

Name | Description |
---|---|
aws_ec2_client_vpn_endpoint | All attributes of the aws_ec2_client_vpn_endpoint resource |
aws_vpn_security_group | All attributes of the aws_vpn_security_group resource |
More information about AWS Client VPN and Terraform can be found at the following links: