Client VPN Endpoint - Add Optional Self-Service Portal Arguments

[connor-tyndall]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This request asks for the ability to add the optional Self-service SAML provider ARN within the authentication option for a Client VPN (CVPN) endpoint using Federated authentication as well as the option to enable the self-service portal.

Based on the release by AWS today (11/4/20), Client VPN now supports a self-service portal to download VPN profiles and desktop applications.

New or Affected Resource(s)

• aws_ec2_client_vpn_endpoint

self_service_portal

authentication_options {
    self_service_saml_provider_arn
  }

Potential Terraform Configuration

resource "aws_ec2_client_vpn_endpoint" "example" {
  description            = "terraform-clientvpn-example"
  server_certificate_arn = aws_acm_certificate.cert.arn
  client_cidr_block      = "10.0.0.0/16"
  split_tunnel = true
  self_service_portal = true

  authentication_options {
    type                       = "federated-authentication"
    saml_provider_arn          = aws_iam_saml_provider.okta.arn
    self_service_saml_provider_arn = aws_iam_saml_provider.okta_self_service.arn
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.lg.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.ls.name
  }
}

References

• https://aws.amazon.com/about-aws/whats-new/2020/11/aws-client-vpn-announces-self-service-portal/
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateClientVpnEndpoint.html
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_FederatedAuthenticationRequest.html

[ewbankkit]

Requires AWS SDK v1.35.18:

• build(deps): bump github.com/aws/aws-sdk-go from 1.35.9 to 1.35.19 #15964

[nbsdan]

I've started a PR which allows specifying the self service portal and saml provider options like so:

resource "aws_ec2_client_vpn_endpoint" "example" {
  description            = "terraform-clientvpn-example"
  server_certificate_arn = aws_acm_certificate.cert.arn
  client_cidr_block      = "10.0.0.0/16"
  split_tunnel = true
  self_service_portal = "enabled"

  authentication_options {
    type                       = "federated-authentication"
    saml_provider_arn          = aws_iam_saml_provider.okta.arn
    self_service_saml_provider_arn = aws_iam_saml_provider.okta_self_service.arn
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.lg.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.ls.name
  }
}

This differs from the original request, which asked for true or false for the self_service_portal attribute. The AWS API use the strings "enabled" and "disabled" and so I thought it would be best to stick with that.

I have not run acceptance tests, however I have tried to write them.

I would love some feedback on what else would need to be done to achieve this and if someone could confirm the acceptance tests work then that would be awesome.

[coffeewithayman]

This is really necessary for IDP providers that do not support multiple ACS URLs: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-self-service-support

[ariellev]

We also need a way to set not just the description but also the endpoint "Name", so it would be awesome to have a name attribute

[nbsdan]

Hi @ariellev, I believe you can already set the name by using a tag with the key "Name", though I have not verified this myself.

[clee-newclassrooms]

As a meager workaround, I was able to have this in my Terraform graph/state and still set the self-service portal provider by manually creating the CVPN endpoint and then importing the CVPN resource into Terraform state. The provider appears to ignore the self-service portal provider ARN argument/attribute. This means that as long as Terraform doesn't compute some change to the CVPN resource (which might remove the self-service provider ARN when the change is applied), I can still depend on the CVPN by reference in other resources without breaking self-service.

[github-actions]

This functionality has been released in v3.59.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.