This Terraform module manages an AWS Client VPN with mutual authentication.
It creates and manages:
- Client authentication's keypair and certificate
- Server authentication's keypair and certificate
- Client VPN endpoint
- Client VPN target network associations
It requires:
- CA's certificate
- CA's private key
Post-apply required steps:
- Authorization ingress
- OpenVPN client config file download
- OpenVPN client config file update with client private key and certificate *
* They can retrieved from the module outputs.
The Ingress Authorization currenlty is not supported and you have to manage it externally in order to start tunneling. Anyway there's an open issue and some workarounds available.
| Name | Version |
|---|---|
| aws | n/a |
| tls | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auth_ca_cert_pem | n/a | any |
n/a | yes |
| auth_ca_private_key_pem | n/a | any |
n/a | yes |
| auth_client_cert_validity_period_hours | The validity period in hours of the client certificate | number |
17520 |
no |
| auth_client_certificate_common_name | The FQDN of the client certificate for the VPN Client mutual authentication | any |
n/a | yes |
| auth_client_certificate_organization | The organization name of the client certificate for the VPN Clients mutual authentication" | string |
"client" |
no |
| auth_server_cert_validity_period_hours | The validity period in hours of the server certificate | number |
17520 |
no |
| auth_server_certificate_common_name | The FQDN of the server certificate for the VPN Client mutual authentication | any |
n/a | yes |
| auth_server_certificate_organization | The organization name of the server certificate for the VPN Clients mutual authentication" | string |
"server" |
no |
| custom_tags | A map of custom tags to apply to all resources | map(string) |
{} |
no |
| default_tags | A map of default tags to apply to all resources | map(string) |
|
no |
| split_tunnel | n/a | bool |
true |
no |
| target_network_association_subnet_ids | A list of one or more networks (VPC subnets) that you associate with a Client VPN endpoint. Associating a subnet with a Client VPN endpoint enables you to establish VPN sessions. All subnets must be from the same VPC. Each subnet must belong to a different Availability Zone | list(string) |
n/a | yes |
| vpn_cidr | The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. The address range cannot be changed after the Client VPN endpoint has been created. The CIDR block should be /22 or greater. | any |
n/a | yes |
| Name | Description |
|---|---|
| auth_client_certificate | n/a |
| auth_client_private_key | n/a |
| target_network_associations_security_groups | n/a |