Automated creation of a simple OpenVPN infrastructure on AWS

michalkacprzyk/openvpn-aws-terraform

openvpn-aws-terraform

What is?

Automated creation of a simple OpenVPN infrastructure on AWS.

What for?

More secure Internet connections from a diverse range of devices and access points.

How to?

Prepare

Configure AWS

  • Set up a user with access keys (in my case auto_admin)
  • Prepare a normal user who will have access to the generated OpenVPN configs
    • The user name should match the value of the iam_users variable set in Terraform (below)
    • The user should have the following IAM policy attached:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
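
The policy above, taken by itself, lets the user discover buckets and their regions but not list or read objects. The following check shows this; it is an added example, not code from this repository, and it assumes the generated configs are stored as S3 objects whose read permission is granted elsewhere. The bucket and object names are constructed placeholders.

```python
import json
import re

# IAM policy copied from the README above.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::*"]
  }]
}
""")

# Constructed bucket and object names, not taken from the repository.
BUCKET = "arn:aws:s3:::example-openvpn-configs"
OBJECT = BUCKET + "/client1.ovpn"
REQUESTS = [
    ("s3:GetBucketLocation", BUCKET),
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", OBJECT),
    ("s3:PutObject", OBJECT),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """Identity-policy check: an explicit Deny wins, otherwise any matching Allow.
    Condition, NotAction and NotResource are not modelled."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_wild(a, action, True) for a in _as_list(st.get("Action", [])))
               and any(_wild(r, resource) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def report(policy=POLICY):
    """Map each sample (action, resource) request to the policy's decision."""
    return {(a, r): allows(policy, a, r) for a, r in REQUESTS}

if __name__ == "__main__":
    for (action, resource), ok in report().items():
        print("ALLOW" if ok else "deny ", action, resource)
```

Only the s3:GetBucketLocation request is allowed; the list, read and write requests are denied by this policy alone.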

Execute the build

  • Clone this repository
  • Create a file with custom settings, for example example.auto.tfvars, with values overriding the defaults from variables.tf
# example.auto.tfvars
profile = "auto_admin"
aws_id  = 210987654321
# ...
  • Finally, execute:
terraform init
aws-vault exec auto_admin -- terraform plan
aws-vault exec auto_admin -- terraform apply

What if?

  • The code was created and tested on Linux Mint
    • aws-vault v4.5.1
    • Terraform v0.11.11
  • The code assumes that it can access and use a preexisting domain configured in Route53
  • Here is a diagram depicting the flow: diagram
