
openvpn-server-tf-module

This project implements a Terraform module that creates an OpenVPN server EC2 instance from an OpenVPN AMI. The account that owns the AMI is selected with the ami_owner_account_id input (see Inputs below); the instance is enrolled in FreeIPA and fitted with the CrowdStrike Falcon sensor and Nessus Agent using values read from SSM Parameter Store.

See the Terraform documentation for more details on modules and the standard module structure.

Usage

module "example" {
  source = "github.com/cisagov/openvpn-server-tf-module"

  # Provider references are unquoted in Terraform 1.x.  aws.dns must be able
  # to write the Route53 records; aws.cert_read_role and aws.ssm_read_role
  # are where the certreadrole and ssmreadrole submodules create the
  # delegated read roles.
  providers = {
    aws                = aws
    aws.dns            = aws.dns
    aws.cert_read_role = aws.cert_read_role
    aws.ssm_read_role  = aws.ssm_read_role
  }

  cert_bucket_name                          = "spiffy-cert-bucket"
  cert_read_role_accounts_allowed           = ["123456789012", "123456789013"]
  client_dns_search_domain                  = "shark-jump.foo.org"
  client_dns_server                         = "10.10.1.2"
  client_network                            = "10.10.2.0 255.255.255.0"
  crowdstrike_falcon_sensor_customer_id_key = "/thulsa/doom/customer_id"
  crowdstrike_falcon_sensor_tags_key        = "/thulsa/doom/tags"
  freeipa_domain                            = "shark-jump.foo.org"
  freeipa_realm                             = "SHARK-JUMP.FOO.ORG"
  hostname                                  = "vpn.fonz.shark-jump.foo.org"
  nessus_hostname_key                       = "/thulsa/doom/nessus/hostname"
  nessus_key_key                            = "/thulsa/doom/nessus/key"
  nessus_port_key                           = "/thulsa/doom/nessus/port"
  private_networks                          = ["10.10.1.0 255.255.255.0"]
  private_reverse_zone_id                   = "MYREVZONEID"
  private_zone_id                           = "MYZONEID"
  public_zone_id                            = "MYPUBLICZONEID"
  ssm_read_role_accounts_allowed            = ["123456789014", "123456789015"]
  subnet_id                                 = "subnet-0123456789abcdef0"
  # 0.0.0.0/0 exposes the VPN UDP port to the whole Internet; narrow this to
  # the egress ranges your users actually connect from where you can.
  trusted_cidr_blocks_vpn                   = ["0.0.0.0/0"]
  vpn_group                                 = "vpnusers"
}
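The usage block above assumes that the four provider configurations it references already exist in the calling root module. The following root configuration is an added example, not code from this module or from cisagov's own examples, and shows one way to define them: a default provider for the account that will own the instance, and three aliased providers that assume a role in the DNS account, the certificate-bucket account and the SSM-parameter account respectively. The account IDs, role ARNs, region, zone IDs and address ranges are placeholders, and the variable validation that refuses 0.0.0.0/0 is this example's own guard rail, not something the module enforces.

```hcl
# Added example root configuration.  Account IDs, role ARNs, zone IDs, the
# region and the address ranges below are placeholders.

# Default provider: the account and region that will own the EC2 instance.
provider "aws" {
  region = "us-east-1"
}

# Account that hosts the Route53 zones; the module writes its A, AAAA and
# PTR records through this provider.
provider "aws" {
  alias  = "dns"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/ProvisionDNS" # placeholder
    session_name = "openvpn-dns"
  }
}

# Account that owns the certificate bucket; the certreadrole submodule
# creates the delegated read role here.
provider "aws" {
  alias  = "cert_read_role"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/ProvisionAccount" # placeholder
    session_name = "openvpn-cert-read-role"
  }
}

# Account that owns the SSM parameters; the ssmreadrole submodule creates
# the delegated read role here.
provider "aws" {
  alias  = "ssm_read_role"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::333333333333:role/ProvisionAccount" # placeholder
    session_name = "openvpn-ssm-read-role"
  }
}

# The instance account is the one that will assume the delegated read roles,
# so it is the account to allow on both of them.
data "aws_caller_identity" "instance_account" {}

# Caller-side guard rail (this example's policy, not the module's): every
# entry must parse as a CIDR block, and the VPN port is never opened to the
# whole Internet by accident.
variable "trusted_cidr_blocks_vpn" {
  description = "CIDR blocks allowed to reach the OpenVPN UDP port."
  type        = list(string)
  default     = ["203.0.113.0/24"] # placeholder: your users' egress ranges

  validation {
    condition     = alltrue([for c in var.trusted_cidr_blocks_vpn : can(cidrhost(c, 0))])
    error_message = "Every entry in trusted_cidr_blocks_vpn must be a valid CIDR block."
  }

  validation {
    condition     = !contains(var.trusted_cidr_blocks_vpn, "0.0.0.0/0")
    error_message = "Refusing 0.0.0.0/0; list the egress ranges your VPN users connect from."
  }
}

module "openvpn" {
  source = "github.com/cisagov/openvpn-server-tf-module"
  providers = {
    aws                = aws
    aws.dns            = aws.dns
    aws.cert_read_role = aws.cert_read_role
    aws.ssm_read_role  = aws.ssm_read_role
  }

  cert_bucket_name                          = "spiffy-cert-bucket"
  cert_read_role_accounts_allowed           = [data.aws_caller_identity.instance_account.account_id]
  client_dns_search_domain                  = "shark-jump.foo.org"
  client_dns_server                         = "10.10.1.2"
  client_network                            = "10.10.2.0 255.255.255.0"
  crowdstrike_falcon_sensor_customer_id_key = "/thulsa/doom/customer_id"
  crowdstrike_falcon_sensor_tags_key        = "/thulsa/doom/tags"
  freeipa_domain                            = "shark-jump.foo.org"
  freeipa_realm                             = "SHARK-JUMP.FOO.ORG"
  hostname                                  = "vpn.fonz.shark-jump.foo.org"
  nessus_hostname_key                       = "/thulsa/doom/nessus/hostname"
  nessus_key_key                            = "/thulsa/doom/nessus/key"
  nessus_port_key                           = "/thulsa/doom/nessus/port"
  private_networks                          = ["10.10.1.0 255.255.255.0"]
  private_reverse_zone_id                   = "MYREVZONEID"
  private_zone_id                           = "MYZONEID"
  public_zone_id                            = "MYPUBLICZONEID"
  ssm_read_role_accounts_allowed            = [data.aws_caller_identity.instance_account.account_id]
  subnet_id                                 = "subnet-0123456789abcdef0"
  trusted_cidr_blocks_vpn                   = var.trusted_cidr_blocks_vpn
  vpn_group                                 = "vpnusers"
}
```

With this layout, terraform plan fails fast on a malformed or wide-open trusted_cidr_blocks_vpn before any provider is contacted, and each aliased provider only ever needs the permissions of the single account it points at. If the DNS zones, certificate bucket and SSM parameters all live in the instance account, the three aliased providers can drop their assume_role blocks and simply repeat the default region.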

Examples

Complete, runnable configurations live in the examples/ directory of the repository.

Requirements

Name Version
terraform ~> 1.0
aws ~> 4.9
cloudinit ~> 2.0

Providers

Name Version
aws ~> 4.9
aws.dns ~> 4.9
cloudinit ~> 2.0

Modules

Name Source Version
certreadrole github.com/cisagov/cert-read-role-tf-module n/a
ssmreadrole github.com/cisagov/ssm-read-role-tf-module n/a

Resources

Name Type
aws_eip.openvpn resource
aws_iam_instance_profile.instance_profile resource
aws_iam_role.instance_role resource
aws_iam_role_policy.assume_delegated_role_policy resource
aws_iam_role_policy_attachment.cloudwatch_agent_policy_attachment resource
aws_iam_role_policy_attachment.ssm_agent_policy_attachment resource
aws_instance.openvpn resource
aws_route53_record.private_PTR resource
aws_route53_record.private_server_A resource
aws_route53_record.private_server_AAAA resource
aws_route53_record.server_A resource
aws_route53_record.server_AAAA resource
aws_security_group.openvpn_servers resource
aws_security_group_rule.openvpn_tcp_https_egress resource
aws_security_group_rule.vpn_udp_ingress resource
aws_ami.openvpn data source
aws_arn.subnet data source
aws_availability_zone.the_az data source
aws_iam_policy_document.assume_delegated_role_policy_doc data source
aws_iam_policy_document.assume_role_policy_doc data source
aws_subnet.the_subnet data source
aws_vpc.the_vpc data source
cloudinit_config.cloud_init_tasks data source

Inputs

Each input is listed as name (type; default; required or optional), followed by its description.

ami_owner_account_id (string; default "self"; optional): The ID of the AWS account that owns the OpenVPN AMI, or "self" if the AMI is owned by the same account as the provisioner.
aws_instance_type (string; default "t3.small"; optional): The AWS instance type to deploy (e.g. t3.medium).
cert_bucket_name (string; required): The name of the S3 bucket that stores certificates (e.g. my-certs).
cert_read_role_accounts_allowed (list(string); default []; optional): A list of account IDs allowed to assume the role that can read certificates from the S3 bucket.
client_dns_search_domain (string; required): The DNS search domain to be pushed to VPN clients.
client_dns_server (string; required): The address of the DNS server to be pushed to VPN clients.
client_inactive_timeout (number; default 3600; optional): The number of seconds of tolerable user inactivity before a client is disconnected from the VPN.
client_motd_url (string; default ""; optional): A URL to the message-of-the-day page. This is pushed to VPN clients as an environment variable.
client_network (string; required): A string containing the network and netmask from which client addresses are assigned (e.g. "10.240.0.0 255.255.255.0"). The server takes the first address.
create_AAAA (bool; default false; optional): Whether or not to create AAAA records for the OpenVPN server.
crowdstrike_falcon_sensor_customer_id_key (string; required): The SSM Parameter Store key whose value contains the customer ID for CrowdStrike Falcon (e.g. /cdm/falcon/customer_id).
crowdstrike_falcon_sensor_install_path (string; default "/opt/CrowdStrike"; optional): The install path of the CrowdStrike Falcon sensor (e.g. /opt/CrowdStrike).
crowdstrike_falcon_sensor_tags_key (string; required): The SSM Parameter Store key whose value contains a comma-delimited list of tags to apply to CrowdStrike Falcon (e.g. /cdm/falcon/tags).
freeipa_domain (string; required): The domain for the IPA client (e.g. example.com).
freeipa_realm (string; required): The realm for the IPA client (e.g. EXAMPLE.COM).
hostname (string; required): The hostname of the OpenVPN server (e.g. vpn.example.com).
nessus_agent_install_path (string; default "/opt/nessus_agent"; optional): The install path of the Nessus Agent (e.g. /opt/nessus_agent).
nessus_groups (list(string); default ["COOL_Fed_32"]; optional): A list of strings, each the name of a group in the CDM Tenable Nessus server that the Nessus Agent should join (e.g. ["group1", "group2"]).
nessus_hostname_key (string; required): The SSM Parameter Store key whose value contains the hostname of the CDM Tenable Nessus server to which the Nessus Agent should link (e.g. /cdm/nessus/hostname).
nessus_key_key (string; required): The SSM Parameter Store key whose value contains the secret key the Nessus Agent uses when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/key).
nessus_port_key (string; required): The SSM Parameter Store key whose value contains the port to which the Nessus Agent connects when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/port).
private_networks (list(string); required): A list of "network netmask" strings for the networks that sit behind the VPN server (e.g. ["10.224.0.0 255.240.0.0", "192.168.100.0 255.255.255.0"]). Routes to these networks are pushed to the client.
private_reverse_zone_id (string; required): The Route53 zone ID in which to create private reverse-lookup (PTR) records.
private_zone_id (string; required): The Route53 zone ID in which to create private lookup records.
public_zone_id (string; required): The Route53 zone ID in which to create public lookup records.
root_disk_size (number; default 8; optional): The size of the OpenVPN instance's root disk in GiB.
security_groups (list(string); default []; optional): Additional security group IDs the server will join.
ssm_dh4096_pem (string; default "/openvpn/server/dh4096.pem"; optional): The SSM Parameter Store key that contains the 4096-bit Diffie-Hellman parameters in PEM form.
ssm_read_role_accounts_allowed (list(string); default []; optional): A list of account IDs allowed to assume the role that can read SSM parameters.
ssm_region (string; default "us-east-1"; optional): The AWS region of the SSM Parameter Store to read from.
ssm_tlscrypt_key (string; default "/openvpn/server/tlscrypt.key"; optional): The SSM Parameter Store key that contains the OpenVPN tls-crypt static key (the same static-key format that tls-auth uses).
subnet_id (string; required): The ID of the AWS subnet to deploy into (e.g. subnet-0123456789abcdef0).
trusted_cidr_blocks_vpn (list(string); required): A list of the CIDR blocks allowed to reach the VPN port on OpenVPN servers (e.g. ["10.10.0.0/16", "10.11.0.0/16"]).
ttl (number; default 60; optional): The TTL value to use for Route53 DNS records (e.g. 86400). A smaller value may be useful when the DNS records change often, for example when testing.
vpn_group (string; required): The LDAP group that grants users permission to connect to the VPN server (e.g. vpnusers).

Outputs

Name Description
arn The EC2 instance ARN.
availability_zone The AZ where the EC2 instance is deployed.
id The EC2 instance ID.
private_ip The private IP of the EC2 instance.
public_ip The public IP of the OpenVPN instance.
security_group_arn The ARN of the OpenVPN server security group.
security_group_id The ID of the OpenVPN server security group.
subnet_id The ID of the subnet where the EC2 instance is deployed.

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, these are the main directory and every directory under examples/.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.