This project implements a Terraform module that creates an OpenVPN server EC2 instance from the OpenVPN AMI. See the Terraform documentation for more details on modules and the standard module structure.
Example usage (the three inputs marked required are mandatory per the Inputs table below and were missing from the original snippet; their values are illustrative):

```hcl
module "example" {
  source = "github.com/cisagov/openvpn-server-tf-module"

  # Provider references are bare identifiers (aws, aws.dns), not strings;
  # the quoted form is deprecated since Terraform 0.12 and this module
  # requires Terraform >= 1.1.
  providers = {
    aws                = aws
    aws.dns            = aws.dns
    aws.cert_read_role = aws.cert_read_role
    aws.ssm_read_role  = aws.ssm_read_role
  }

  cert_bucket_name                          = "spiffy-cert-bucket"
  cert_read_role_accounts_allowed           = ["123456789012", "123456789013"]
  client_dns_search_domain                  = "shark-jump.foo.org" # required
  client_dns_server                         = "10.10.1.2"          # required; example address
  client_network                            = "10.10.2.0 255.255.255.0"
  crowdstrike_falcon_sensor_customer_id_key = "/thulsa/doom/customer_id"
  crowdstrike_falcon_sensor_tags_key        = "/thulsa/doom/tags"
  hostname                                  = "vpn.fonz.shark-jump.foo.org"
  freeipa_domain                            = "shark-jump.foo.org"
  freeipa_realm                             = "SHARK-JUMP.FOO.ORG"
  nessus_hostname_key                       = "/thulsa/doom/nessus/hostname"
  nessus_key_key                            = "/thulsa/doom/nessus/key"
  nessus_port_key                           = "/thulsa/doom/nessus/port"
  private_networks                          = ["10.10.1.0 255.255.255.0"]
  private_zone_id                           = "MYZONEID"
  private_reverse_zone_id                   = "MYREVZONEID"
  public_zone_id                            = "MYPUBLICZONEID"
  ssm_read_role_accounts_allowed            = ["123456789014", "123456789015"]
  subnet_id                                 = "subnet-0123456789abcdef0"
  # 0.0.0.0/0 exposes the VPN port to the whole Internet; narrow this list
  # when clients connect from known address ranges.
  trusted_cidr_blocks_vpn                   = ["0.0.0.0/0"]
  vpn_group                                 = "vpnusers"           # required
}
```
Requirements:

Name | Version |
---|---|
terraform | >= 1.1 |
aws | >= 4.9 |
cloudinit | >= 2.0 |

Providers:

Name | Version |
---|---|
aws | >= 4.9 |
aws.dns | >= 4.9 |
cloudinit | >= 2.0 |

Modules:

Name | Source | Version |
---|---|---|
certreadrole | github.com/cisagov/cert-read-role-tf-module | n/a |
ssmreadrole | github.com/cisagov/ssm-read-role-tf-module | n/a |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
ami_owner_account_id | The ID of the AWS account that owns the OpenVPN AMI, or "self" if the AMI is owned by the same account as the provisioner. | string | "self" | no |
aws_instance_type | The AWS instance type to deploy (e.g. t4g.small). | string | "t4g.small" | no |
cert_bucket_name | The name of the S3 bucket that stores certificates (e.g. my-certs). | string | n/a | yes |
cert_read_role_accounts_allowed | A list of account IDs allowed to assume the role that can read certificates from the S3 bucket. | list(string) | [] | no |
client_dns_search_domain | The DNS search domain to be pushed to VPN clients. | string | n/a | yes |
client_dns_server | The address of the DNS server to be pushed to VPN clients. | string | n/a | yes |
client_inactive_timeout | The number of seconds of tolerable user inactivity before a client is disconnected from the VPN. | number | 3600 | no |
client_motd_url | A URL to the message-of-the-day page. This is pushed to VPN clients as an environment variable. | string | "" | no |
client_network | A string containing the network and netmask from which client addresses are assigned (e.g. "10.240.0.0 255.255.255.0"). The server takes the first address. | string | n/a | yes |
create_AAAA | Whether or not to create AAAA records for the OpenVPN server. | bool | false | no |
crowdstrike_falcon_sensor_customer_id_key | The SSM Parameter Store key whose corresponding value contains the customer ID for CrowdStrike Falcon (e.g. /cdm/falcon/customer_id). | string | n/a | yes |
crowdstrike_falcon_sensor_install_path | The install path of the CrowdStrike Falcon sensor (e.g. /opt/CrowdStrike). | string | "/opt/CrowdStrike" | no |
crowdstrike_falcon_sensor_tags_key | The SSM Parameter Store key whose corresponding value contains a comma-delimited list of tags that are to be applied to CrowdStrike Falcon (e.g. /cdm/falcon/tags). | string | n/a | yes |
freeipa_domain | The domain for the IPA client (e.g. example.com). | string | n/a | yes |
freeipa_realm | The realm for the IPA client (e.g. EXAMPLE.COM). | string | n/a | yes |
hostname | The hostname of the OpenVPN server (e.g. vpn.example.com). | string | n/a | yes |
nessus_agent_install_path | The install path of the Nessus Agent (e.g. /opt/nessus_agent). | string | "/opt/nessus_agent" | no |
nessus_groups | A list of strings, each of which is the name of a group in the CDM Tenable Nessus server that the Nessus Agent should join (e.g. ["group1", "group2"]). | list(string) | ["COOL_Fed_32"] | no |
nessus_hostname_key | The SSM Parameter Store key whose corresponding value contains the hostname of the CDM Tenable Nessus server to which the Nessus Agent should link (e.g. /cdm/nessus/hostname). | string | n/a | yes |
nessus_key_key | The SSM Parameter Store key whose corresponding value contains the secret key that the Nessus Agent should use when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/key). | string | n/a | yes |
nessus_port_key | The SSM Parameter Store key whose corresponding value contains the port to which the Nessus Agent should connect when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/port). | string | n/a | yes |
private_networks | A list of the networks behind the VPN server, each given as "network netmask" (e.g. ["10.224.0.0 255.240.0.0", "192.168.100.0 255.255.255.0"]). Routes to these networks are pushed to the client. | list(string) | n/a | yes |
private_reverse_zone_id | The Route53 zone ID in which to create private reverse lookup (PTR) records. | string | n/a | yes |
private_zone_id | The Route53 zone ID in which to create private lookup records. | string | n/a | yes |
public_zone_id | The Route53 zone ID in which to create public lookup records. | string | n/a | yes |
root_disk_size | The size of the OpenVPN instance's root disk in GiB. | number | 8 | no |
security_groups | Additional security group IDs the server will join. | list(string) | [] | no |
ssm_dh4096_pem | The SSM Parameter Store key that contains the Diffie-Hellman parameters PEM. | string | "/openvpn/server/dh4096.pem" | no |
ssm_read_role_accounts_allowed | A list of account IDs allowed to assume the role that can read SSM Parameter Store keys. | list(string) | [] | no |
ssm_region | The region of the SSM Parameter Store to access. | string | "us-east-1" | no |
ssm_tlscrypt_key | The SSM Parameter Store key that contains the OpenVPN tls-crypt static key (the same key format tls-auth uses). | string | "/openvpn/server/tlscrypt.key" | no |
subnet_id | The ID of the AWS subnet to deploy into (e.g. subnet-0123456789abcdef0). | string | n/a | yes |
trusted_cidr_blocks_vpn | A list of the CIDR blocks that are allowed to reach the VPN port on the OpenVPN server (e.g. ["10.10.0.0/16", "10.11.0.0/16"]). | list(string) | n/a | yes |
ttl | The TTL value to use for Route53 DNS records (e.g. 86400). A smaller value may be useful when the DNS records are changing often, for example when testing. | number | 60 | no |
vpn_group | The LDAP group that grants users permission to connect to the VPN server (e.g. vpnusers). | string | n/a | yes |
Outputs:

Name | Description |
---|---|
arn | The EC2 instance ARN. |
availability_zone | The AZ where the EC2 instance is deployed. |
id | The EC2 instance ID. |
private_ip | The private IP of the EC2 instance. |
public_ip | The public IP of the OpenVPN instance. |
security_group_arn | The ARN of the OpenVPN server security group. |
security_group_id | The ID of the OpenVPN server security group. |
subnet_id | The ID of the subnet where the EC2 instance is deployed. |
Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, these are the main directory and every directory under examples/.
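An added helper that performs that initialisation before invoking the hooks; it is not part of this repository and assumes a POSIX sh with find, plus terraform and pre-commit on PATH. It discovers the directories by looking for .tf files rather than hard-coding the list, so a new example directory is picked up automatically, and it initialises without a backend because the hooks need providers and modules, not remote state.

```shell
#!/bin/sh
# Added example, not part of the repository: terraform init every directory
# that holds Terraform code (the repository root and each directory under
# examples/) so pre-commit's terraform hooks can resolve providers and
# modules, then run the hooks. Assumes POSIX sh, find, terraform and
# pre-commit on PATH.
set -eu

# tf_dirs ROOT: print, sorted and deduplicated, each directory under ROOT that
# directly contains a .tf file, skipping .terraform download caches.
tf_dirs() {
  find "$1" -type d -name .terraform -prune -o -type f -name '*.tf' \
    -exec dirname {} \; | sort -u
}

# init_all ROOT: terraform init in each directory from tf_dirs. -backend=false
# skips remote-state configuration; a failure in any directory aborts the run.
init_all() {
  tf_dirs "$1" | while IFS= read -r dir; do
    echo "==> terraform init in $dir"
    (cd "$dir" && terraform init -backend=false -input=false >/dev/null) || {
      echo "terraform init failed in $dir" >&2
      exit 1
    }
  done
}

# Run as: sh tf-init-all.sh run [ROOT]
case ${1:-} in
  run)
    init_all "${2:-.}"
    pre-commit run --all-files
    ;;
esac
```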
We welcome contributions! Please see CONTRIBUTING.md for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.