hashicorp · nbsdan · Mar 2, 2021
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_ec2_client_vpn_endpoint: Add `self_service_portal` and `self_service_saml_provider_arn` arguments for using self service portal
+```
@@ -50,6 +50,15 @@ func resourceAwsEc2ClientVpnEndpoint() *schema.Resource {
 				Optional: true,
 				Default:  false,
 			},
+			"self_service_portal": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Default:  ec2.SelfServicePortalDisabled,
+				ValidateFunc: validation.StringInSlice([]string{
+					ec2.SelfServicePortalEnabled,
+					ec2.SelfServicePortalDisabled,
+				}, false),
+			},
 			"transport_protocol": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -82,6 +91,12 @@ func resourceAwsEc2ClientVpnEndpoint() *schema.Resource {
 							ForceNew:     true,
 							ValidateFunc: validateArn,
 						},
+						"self_service_saml_provider_arn": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ForceNew:     true,
+							ValidateFunc: validateArn,
+						},
 						"active_directory_id": {
 							Type:     schema.TypeString,
 							Optional: true,
@@ -149,6 +164,10 @@ func resourceAwsEc2ClientVpnEndpointCreate(d *schema.ResourceData, meta interfac
 		req.Description = aws.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("self_service_portal"); ok {
+		req.SelfServicePortal = aws.String(v.(string))
+	}
+
 	if v, ok := d.GetOk("dns_servers"); ok {
 		req.DnsServers = expandStringSet(v.(*schema.Set))
 	}
@@ -238,6 +257,13 @@ func resourceAwsEc2ClientVpnEndpointRead(d *schema.ResourceData, meta interface{
 	}
 	d.Set("split_tunnel", result.ClientVpnEndpoints[0].SplitTunnel)
 
+	self_service_portal := ec2.SelfServicePortalDisabled
+	if result.ClientVpnEndpoints[0].SelfServicePortalUrl != nil && *(result.ClientVpnEndpoints[0].SelfServicePortalUrl) != "" {
+		self_service_portal = ec2.SelfServicePortalEnabled
+	}
+
+	d.Set("self_service_portal", self_service_portal)
+
 	err = d.Set("authentication_options", flattenAuthOptsConfig(result.ClientVpnEndpoints[0].AuthenticationOptions))
 	if err != nil {
 		return fmt.Errorf("error setting authentication_options: %w", err)
@@ -312,6 +338,10 @@ func resourceAwsEc2ClientVpnEndpointUpdate(d *schema.ResourceData, meta interfac
 		req.SplitTunnel = aws.Bool(d.Get("split_tunnel").(bool))
 	}
 
+	if d.HasChange("self_service_portal") {
+		req.SelfServicePortal = aws.String(d.Get("self_service_portal").(string))
+	}
+
 	if d.HasChange("connection_log_options") {
 		if v, ok := d.GetOk("connection_log_options"); ok {
 			connSet := v.([]interface{})
@@ -370,6 +400,7 @@ func flattenAuthOptsConfig(aopts []*ec2.ClientVpnAuthentication) []map[string]in
 		}
 		if aopt.FederatedAuthentication != nil {
 			r["saml_provider_arn"] = aws.StringValue(aopt.FederatedAuthentication.SamlProviderArn)
+			r["self_service_saml_provider_arn"] = aws.StringValue(aopt.FederatedAuthentication.SelfServiceSamlProviderArn)
 		}
 		if aopt.ActiveDirectory != nil {
 			r["active_directory_id"] = aws.StringValue(aopt.ActiveDirectory.DirectoryId)
@@ -398,7 +429,8 @@ func expandEc2ClientVpnAuthenticationRequest(data map[string]interface{}) *ec2.C
 
 	if data["type"].(string) == ec2.ClientVpnAuthenticationTypeFederatedAuthentication {
 		req.FederatedAuthentication = &ec2.FederatedAuthenticationRequest{
-			SAMLProviderArn: aws.String(data["saml_provider_arn"].(string)),
+			SAMLProviderArn:            aws.String(data["saml_provider_arn"].(string)),
+			SelfServiceSAMLProviderArn: aws.String(data["self_service_saml_provider_arn"].(string)),
 		}
 	}
 

@@ -93,6 +93,7 @@ func TestAccAwsEc2ClientVpn_serial(t *testing.T) {
 			"withDNSServers":    testAccAwsEc2ClientVpnEndpoint_withDNSServers,
 			"tags":              testAccAwsEc2ClientVpnEndpoint_tags,
 			"splitTunnel":       testAccAwsEc2ClientVpnEndpoint_splitTunnel,
+			"selfServicePortal": testAccAwsEc2ClientVpnEndpoint_selfServicePortal,
 		},
 		"AuthorizationRule": {
 			"basic":      testAccAwsEc2ClientVpnAuthorizationRule_basic,
@@ -251,13 +252,24 @@ func testAccAwsEc2ClientVpnEndpoint_federated(t *testing.T) {
 					testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v),
 					resource.TestCheckResourceAttr(resourceName, "authentication_options.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "authentication_options.0.type", "federated-authentication"),
+					resource.TestCheckResourceAttrSet(resourceName, "authentication_options.0.saml_provider_arn"),
 				),
 			},
 			{
 				ResourceName:      resourceName,
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: testAccEc2ClientVpnEndpointConfigWithFederatedAuthSelfServiceSamlProviderArn(rStr),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, "authentication_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "authentication_options.0.type", "federated-authentication"),
+					resource.TestCheckResourceAttrSet(resourceName, "authentication_options.0.saml_provider_arn"),
+					resource.TestCheckResourceAttrSet(resourceName, "authentication_options.0.self_service_saml_provider_arn"),
+				),
+			},
 		},
 	})
 }
@@ -400,6 +412,39 @@ func testAccAwsEc2ClientVpnEndpoint_splitTunnel(t *testing.T) {
 	})
 }
 
+func testAccAwsEc2ClientVpnEndpoint_selfServicePortal(t *testing.T) {
+	var v1, v2 ec2.ClientVpnEndpoint
+	rName := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "aws_ec2_client_vpn_endpoint.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheckClientVPNSyncronize(t); testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAwsEc2ClientVpnEndpointDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEc2ClientVpnEndpointConfigSelfServicePortal(rName, "enabled"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v1),
+					resource.TestCheckResourceAttr(resourceName, "self_service_portal", "enabled"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccEc2ClientVpnEndpointConfigSelfServicePortal(rName, "disabled"),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v2),
+					resource.TestCheckResourceAttr(resourceName, "self_service_portal", "disabled"),
+				),
+			},
+		},
+	})
+}
+
 func testAccPreCheckClientVPNSyncronize(t *testing.T) {
 	sync.TestAccPreCheckSyncronize(t, testAccEc2ClientVpnEndpointSemaphore, "Client VPN")
 }
@@ -638,6 +683,36 @@ resource "aws_ec2_client_vpn_endpoint" "test" {
 `, rName, rName)
 }
 
+func testAccEc2ClientVpnEndpointConfigWithFederatedAuthSelfServiceSamlProviderArn(rName string) string {
+	return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
+resource "aws_iam_saml_provider" "default" {
+  name                   = "myprovider-%s"
+  saml_metadata_document = file("./test-fixtures/saml-metadata.xml")
+}
+
+resource "aws_iam_saml_provider" "self_service" {
+  name                   = "myprovider-selfservice--%s"
+  saml_metadata_document = file("./test-fixtures/saml-metadata.xml")
+}
+
+resource "aws_ec2_client_vpn_endpoint" "test" {
+  description            = "terraform-testacc-clientvpn-%s"
+  server_certificate_arn = aws_acm_certificate.test.arn
+  client_cidr_block      = "10.0.0.0/16"
+
+  authentication_options {
+    type                           = "federated-authentication"
+    saml_provider_arn              = aws_iam_saml_provider.default.arn
+    self_service_saml_provider_arn = aws_iam_saml_provider.self_service.arn
+  }
+
+  connection_log_options {
+    enabled = false
+  }
+}
+`, rName, rName, rName)
+}
+
 func testAccEc2ClientVpnEndpointConfig_tags(rName string) string {
 	return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
 resource "aws_ec2_client_vpn_endpoint" "test" {
@@ -704,3 +779,28 @@ resource "aws_ec2_client_vpn_endpoint" "test" {
 }
 `, rName, splitTunnel)
 }
+
+func testAccEc2ClientVpnEndpointConfigSelfServicePortal(rName string, selfServicePortal string) string {
+	return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
+resource "aws_iam_saml_provider" "default" {
+  name                   = "myprovider-%s"
+  saml_metadata_document = file("./test-fixtures/saml-metadata.xml")
+}
+
+resource "aws_ec2_client_vpn_endpoint" "test" {
+  description            = "terraform-testacc-clientvpn-%s"
+  server_certificate_arn = aws_acm_certificate.test.arn
+  client_cidr_block      = "10.0.0.0/16"
+  self_service_portal    = %[3]q
+
+  authentication_options {
+    type              = "federated-authentication"
+    saml_provider_arn = aws_iam_saml_provider.default.arn
+  }
+
+  connection_log_options {
+    enabled = false
+  }
+}
+`, rName, rName, selfServicePortal)
+}
@@ -43,6 +43,7 @@ The following arguments are supported:
 * `dns_servers` - (Optional) Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the VPC that is to be associated with Client VPN endpoint is used as the DNS server.
 * `server_certificate_arn` - (Required) The ARN of the ACM server certificate.
 * `split_tunnel` - (Optional) Indicates whether split-tunnel is enabled on VPN endpoint. Default value is `false`.
+* `self_service_portal` - (Optional) Specify whether to enable the self-service portal for the Client VPN endpoint. Values can be `enabled` or `disabled`. Default value is `disabled`.
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 * `transport_protocol` - (Optional) The transport protocol to be used by the VPN session. Default value is `udp`.
 
@@ -55,6 +56,7 @@ One of the following arguments must be supplied:
 * `active_directory_id` - (Optional) The ID of the Active Directory to be used for authentication if type is `directory-service-authentication`.
 * `root_certificate_chain_arn` - (Optional) The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to `certificate-authentication`.
 * `saml_provider_arn` - (Optional) The ARN of the IAM SAML identity provider if type is `federated-authentication`.
+* `self_service_saml_provider_arn` - (Optional) The ARN of the IAM SAML identity provider for the self service portal if type is `federated-authentication`.
 
 ### `connection_log_options` Argument Reference