This component is responsible for provisioning VPN Client Endpoints.
Stack Level: Regional
Here's an example snippet for how to use this component. This component should only be applied once as the resources it
creates are regional. This is typically done via the corp stack (e.g. uw2-corp.yaml). This is because a vpc endpoint
requires a vpc and the network stack does not have a vpc.
components:
terraform:
ec2-client-vpn:
settings:
spacelift:
workspace_enabled: true
vars:
enabled: true
client_cidr: 10.100.0.0/10
logging_stream_name: client_vpn
logging_enabled: true
retention_in_days: 7
organization_name: acme
split_tunnel: true
availability_zones:
- us-west-2a
- us-west-2b
- us-west-2c
associated_security_group_ids: []
additional_routes:
- destination_cidr_block: 0.0.0.0/0
description: Internet Route
authorization_rules:
- name: Internet Rule
authorize_all_groups: true
description: Allows routing to the internet"
target_network_cidr: 0.0.0.0/0NOTE: This module uses the aws_ec2_client_vpn_route resource which throws an error if too many API calls come from a
single host. Ignore this error and repeat the terraform command. It usually takes 3 deploys (or destroys) to complete.
Error on create (See issue hashicorp/terraform-provider-aws#19750)
ConcurrentMutationLimitExceeded: Cannot initiate another change for this endpoint at this time. Please try again later.
Error on destroy (See issue hashicorp/terraform-provider-aws#16645)
timeout while waiting for resource to be gone (last state: 'deleting', timeout: 1m0s)
NOTE: The GoogleIDPMetadata-cloudposse.com.xml in this repo is equivalent to the one in the sso component and is
used for testing. This component can only specify a single SAML document. The customer SAML xml should be placed in this
directory side-by-side the CloudPosse SAML xml.
Prior to testing, the component needs to be deployed and the AWS client app needs to be setup by the IdP admin otherwise
the following steps will result in an error similar to app_not_configured_for_user.
- Deploy the component in a regional account with a VPC like
ue2-corp. - Copy the contents of
client_configurationinto a file calledclient_configuration.ovpn - Download AWS client VPN
brew install --cask aws-vpn-client - Launch the VPN
- File > Manage Profiles to open the Manage Profiles window
- Click Add Profile to open the Add Profile window
- Set the display name e.g.
<tenant>-<environment>-<stage> - Click the folder icon and find the file that was saved in a previous step
- Click Add Profile to save the profile
- Click Done to close to Manage Profiles window
- Under "Ready to connect.", choose the profile, and click Connect
A browser will launch and allow you to connect to the VPN.
- Make a note of where this component is deployed
- Ensure that the resource to connect to is in a VPC that is connected by the transit gateway
- Ensure that the resource to connect to contains a security group with a rule that allows ingress from where the
client vpn is deployed (e.g.
ue2-corp) - Use
nmapto test if the port isopen. If the port isfilteredthen it's not open.
nmap -p <PORT> <HOST>Successful tests have been seen with MSK and RDS.
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 4.0 |
| awsutils | >= 0.11.0 |
No providers.
| Name | Source | Version |
|---|---|---|
| ec2_client_vpn | cloudposse/ec2-client-vpn/aws | 0.14.0 |
| iam_roles | ../account-map/modules/iam-roles | n/a |
| this | cloudposse/label/null | 0.25.0 |
| vpc | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_tag_map | Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration. |
map(string) |
{} |
no |
| associated_security_group_ids | List of security groups to attach to the client vpn network associations | list(string) |
[] |
no |
| attributes | ID element. Additional attributes (e.g. workers or cluster) to add to id,in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the delimiterand treated as a single ID element. |
list(string) |
[] |
no |
| authentication_type | One of certificate-authentication or federated-authentication |
string |
"certificate-authentication" |
no |
| authorization_rules | List of objects describing the authorization rules for the Client VPN. Each Target Network CIDR range given will be used to create an additional route attached to the Client VPN endpoint with the same Description. | list(object({ |
n/a | yes |
| ca_common_name | Unique Common Name for CA self-signed certificate | string |
null |
no |
| client_cidr | Network CIDR to use for clients | string |
n/a | yes |
| context | Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as null to use default value.Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged. |
any |
{ |
no |
| delimiter | Delimiter to be used between ID elements. Defaults to - (hyphen). Set to "" to use no delimiter at all. |
string |
null |
no |
| descriptor_formats | Describe additional descriptors to be output in the descriptors output map.Map of maps. Keys are names of descriptors. Values are maps of the form {<br/> format = string<br/> labels = list(string)<br/>}(Type is any so the map values can later be enhanced to provide additional options.)format is a Terraform format string to be passed to the format() function.labels is a list of labels, in order, to pass to format() function.Label values will be normalized before being passed to format() so they will beidentical to how they appear in id.Default is {} (descriptors output will be empty). |
any |
{} |
no |
| dns_servers | Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the VPC that is to be associated with Client VPN endpoint is used as the DNS server. | list(string) |
[] |
no |
| enabled | Set to false to prevent the module from creating any resources | bool |
null |
no |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string |
null |
no |
| export_client_certificate | Flag to determine whether to export the client certificate with the VPN configuration | bool |
true |
no |
| id_length_limit | Limit id to this many characters (minimum 6).Set to 0 for unlimited length.Set to null for keep the existing setting, which defaults to 0.Does not affect id_full. |
number |
null |
no |
| label_key_case | Controls the letter case of the tags keys (label names) for tags generated by this module.Does not affect keys of tags passed in via the tags input.Possible values: lower, title, upper.Default value: title. |
string |
null |
no |
| label_order | The order in which the labels (ID elements) appear in the id.Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. |
list(string) |
null |
no |
| label_value_case | Controls the letter case of ID elements (labels) as included in id,set as tag values, and output by this module individually. Does not affect values of tags passed in via the tags input.Possible values: lower, title, upper and none (no transformation).Set this to title and set delimiter to "" to yield Pascal Case IDs.Default value: lower. |
string |
null |
no |
| labels_as_tags | Set of labels (ID elements) to include as tags in the tags output.Default is to include all labels. Tags with empty values will not be included in the tags output.Set to [] to suppress all generated tags.Notes: The value of the name tag, if included, will be the id, not the name.Unlike other null-label inputs, the initial setting of labels_as_tags cannot bechanged in later chained modules. Attempts to change it will be silently ignored. |
set(string) |
[ |
no |
| logging_enabled | Enables or disables Client VPN Cloudwatch logging. | bool |
false |
no |
| logging_stream_name | Names of stream used for logging | string |
n/a | yes |
| name | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a tag.The "name" tag is set to the full id string. There is no tag with the value of the name input. |
string |
null |
no |
| namespace | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | string |
null |
no |
| organization_name | Name of organization to use in private certificate | string |
n/a | yes |
| regex_replace_chars | Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits. |
string |
null |
no |
| region | VPN Endpoints are region-specific. This identifies the region. AWS Region | string |
n/a | yes |
| retention_in_days | Number of days you want to retain log events in the log group | number |
30 |
no |
| root_common_name | Unique Common Name for Root self-signed certificate | string |
null |
no |
| saml_metadata_document | Optional SAML metadata document. Must include this or saml_provider_arn |
string |
null |
no |
| saml_provider_arn | Optional SAML provider ARN. Must include this or saml_metadata_document |
string |
null |
no |
| server_common_name | Unique Common Name for Server self-signed certificate | string |
null |
no |
| split_tunnel | Indicates whether split-tunnel is enabled on VPN endpoint. Default value is false. | bool |
false |
no |
| stage | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | string |
null |
no |
| tags | Additional tags (e.g. {'BusinessUnit': 'XYZ'}).Neither the tag keys nor the tag values will be modified by this module. |
map(string) |
{} |
no |
| tenant | ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for | string |
null |
no |
| Name | Description |
|---|---|
| client_configuration | VPN Client Configuration file (.ovpn) contents that can be imported into AWS client vpn |
| full_client_configuration | Client configuration including client certificate and private key for mutual authentication |
| vpn_endpoint_arn | The ARN of the Client VPN Endpoint Connection. |
| vpn_endpoint_dns_name | The DNS Name of the Client VPN Endpoint Connection. |
| vpn_endpoint_id | The ID of the Client VPN Endpoint Connection. |
- cloudposse/terraform-aws-ec2-client-vpn - Cloud Posse's upstream component
- cloudposse/awsutils - Cloud Posse's awsutils provider
Tip
Cloud Posse uses atmos to easily orchestrate multiple environments using Terraform.
Works with Github Actions, Atlantis, or Spacelift.
Watch demo of using Atmos with Terraform
Example of running
atmos to manage infrastructure from our Quick Start tutorial.
Check out these related projects.
- Cloud Posse Terraform Modules - Our collection of reusable Terraform modules used by our reference architectures.
- Atmos - Atmos is like docker-compose but for your infrastructure
Tip
Use Cloud Posse's ready-to-go terraform architecture blueprints for AWS to get up and running quickly.
✅ We build it together with your team.
✅ Your team owns everything.
✅ 100% Open Source and backed by fanatical support.
📚 Learn More
Cloud Posse is the leading DevOps Accelerator for funded startups and enterprises.
Your team can operate like a pro today.
Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
- Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
- Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
- Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
- Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
- GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
- Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
- Support. Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
- Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
- Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
- Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
- Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
- Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
This project is under active development, and we encourage contributions from our community.
Many thanks to our outstanding contributors:
For 🐛 bug reports & feature requests, please use the issue tracker.
In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
- Review our Code of Conduct and Contributor Guidelines.
- Fork the repo on GitHub
- Clone the project to your own machine
- Commit changes to your own branch
- Push your work back up to your fork
- Submit a Pull Request so that we can review your changes
NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!
Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.
Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.
Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!
Preamble to the Apache License, Version 2.0
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
All other trademarks referenced herein are the property of their respective owners.
Copyright © 2017-2025 Cloud Posse, LLC