This module sets up an OpenVPN installation and requires an existing VPC.
The following resources will be created:
In addition you have the option to:

| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 4.4.0 |

| Name | Version |
|---|---|
| aws | >= 4.4.0 |
| random | n/a |
| template | n/a |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| alb_ssl_policy | The name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. | string | "ELBSecurityPolicy-2016-08" | no |
| architecture | Architecture to select the AMI, x86_64 or arm64 | string | "x86_64" | no |
| asg_protect_from_scale_in | (Optional) Allows setting instance protection. The autoscaling group will not select instances with this setting for termination during scale in events. | bool | false | no |
| asg_target_capacity | Target average capacity percentage for the ECS capacity provider to track for autoscaling. | number | 70 | no |
| autoscaling_default_cooldown | The amount of time, in seconds, after a scaling activity completes before another scaling activity can start. | number | 300 | no |
| autoscaling_health_check_grace_period | The length of time that Auto Scaling waits before checking an instance’s health status. The grace period begins when an instance comes into service. | number | 300 | no |
| backup | Assign a backup tag to the EFS resource. Backup will be performed by AWS Backup. | string | "true" | no |
| cw_retention_period | Retention period (in days) for the CloudWatch log group. Defaults to never expire. | number | 0 | no |
| domain_name | Domain name to point to the OpenVPN container for external access | string | "vpn.address" | no |
| hosted_zone | Hosted Zone to create DNS record for this app | string | "" | no |
| hosted_zone_id | Hosted Zone ID to create DNS record for this app (prefer this instead of hosted_zone) | string | "" | no |
| hostname_create | Optional parameter controlling whether a Route53 record is created | string | "true" | no |
| image | VPN_SERVICE | string | "dnxsolutions/openvpn:2.4.0" | no |
| instance_type_1 | Instance type for ECS workers (first priority). | any | n/a | yes |
| instance_type_2 | Instance type for ECS workers (second priority). | any | n/a | yes |
| instance_type_3 | Instance type for ECS workers (third priority). | any | n/a | yes |
| instance_volume_size | Volume size for docker volume (in GB). | number | 30 | no |
| instance_volume_size_root | Volume size for root volume (in GB). | number | 16 | no |
| kms_key_ebs_arn | ARN of a KMS Key to use on EBS volumes | string | "" | no |
| kms_key_efs_arn | ARN of a KMS Key to use on EFS volumes | string | "" | no |
| kms_key_s3_arn | ARN of a KMS Key to use on S3 buckets | string | "" | no |
| lb_access_logs_bucket | Bucket to store logs from lb access. | string | "" | no |
| lb_access_logs_prefix | Bucket prefix to store lb access logs. | string | "" | no |
| mfa | Enable or disable MFA for VPN users | string | "false" | no |
| name | Name of this ECS cluster. | any | n/a | yes |
| nlb_security_group_ids | Extra security groups for instances. | list(string) | [] | no |
| on_demand_base_capacity | You can designate a base portion of your total capacity as On-Demand. As the group scales, per your settings, the base portion is provisioned first, while additional On-Demand capacity is percentage-based. | number | 0 | no |
| on_demand_percentage | Percentage of on-demand instances vs spot. | number | 0 | no |
| private_subnet_ids | List of private subnet IDs for ECS instances and Internal ALB when enabled. | list(string) | n/a | yes |
| protocol | Protocol that will be used by the VPN | string | "tcp" | no |
| provisioned_throughput_in_mibps | The throughput, measured in MiB/s, that you want to provision for the file system. | number | 0 | no |
| public_subnet_ids | List of public subnet IDs for ECS ALB. | list(string) | n/a | yes |
| requester_cidrs | List of CIDRs to add to openvpn-access SG so clients can connect to resources | list(string) | [] | no |
| route_push | List of routes to push to client, comma-separated (ex: ‘10.100.0.0 255.255.0.0,10.200.0.0 255.255.0.0’) | string | "" | no |
| s3_bucket_policy | OpenVPN S3 bucket policy | string | "" | no |
| secure_subnet_ids | List of secure subnet IDs for EFS. | list(string) | n/a | yes |
| security_group_ids | Extra security groups for instances. | list(string) | [] | no |
| target_group_arns | List of target groups for ASG to register. | list(string) | [] | no |
| throughput_mode | Throughput mode for the file system. Defaults to bursting. Valid values: bursting, provisioned. | string | "bursting" | no |
| userdata | Extra commands to pass to userdata. | string | "" | no |
| vpc_id | VPC ID to deploy the ECS cluster. | any | n/a | yes |

| Name | Description |
|---|---|
| ecs_nodes_secgrp_id | n/a |
| s3_bucket_openvpn | n/a |
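
A module call that sets every required input and overrides the security-relevant defaults from the inputs table (`mfa`, `alb_ssl_policy`, the three KMS key ARNs, log retention and LB access logs). This is an added example, not taken from the module's own documentation; the module source, IDs, ARNs, CIDRs, bucket name and instance types are constructed placeholders.

```hcl
# Added example. Every ID, ARN, CIDR and name below is a constructed placeholder.
module "openvpn" {
  source = "<MODULE_SOURCE>" # placeholder: this page does not give the source address

  # Required inputs
  name               = "vpn"
  vpc_id             = "vpc-EXAMPLE"
  public_subnet_ids  = ["subnet-PUBLIC-A", "subnet-PUBLIC-B"]
  private_subnet_ids = ["subnet-PRIVATE-A", "subnet-PRIVATE-B"]
  secure_subnet_ids  = ["subnet-SECURE-A", "subnet-SECURE-B"]
  instance_type_1    = "t3.small"
  instance_type_2    = "t3a.small"
  instance_type_3    = "t2.small"

  # Default is "false". Note the type is string, not bool.
  mfa = "true"

  # Default is ELBSecurityPolicy-2016-08, which still negotiates TLS 1.0 and 1.1.
  # Per the input description this matters when protocol is HTTPS or TLS.
  alb_ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # Defaults are empty strings; set the keys for EBS, EFS and S3 explicitly.
  kms_key_ebs_arn = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-EBS"
  kms_key_efs_arn = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-EFS"
  kms_key_s3_arn  = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-S3"

  # Default 0 means the CloudWatch log group never expires; pick an explicit period.
  cw_retention_period = 365

  # Defaults are empty strings; name a bucket and prefix for LB access logs.
  lb_access_logs_bucket = "example-lb-access-logs"
  lb_access_logs_prefix = "openvpn"

  # Keep the CIDRs added to the openvpn-access security group and the routes
  # pushed to clients as narrow as the use case allows.
  requester_cidrs = ["10.100.0.0/16"]
  route_push      = "10.100.0.0 255.255.0.0"
}
```
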
Module managed by DNX Solutions.
Apache 2 Licensed. See LICENSE for full details.