https://github.com/govtechsg/terraform-openvpn

terraform
Last synced: about 1 year ago
JSON representation
Host: GitHub
URL: https://github.com/govtechsg/terraform-openvpn
Owner: GovTechSG
License: mit
Created: 2021-10-23T08:07:26.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2023-04-04T08:43:12.000Z (about 3 years ago)
Last Synced: 2024-04-14T23:19:54.588Z (about 2 years ago)
Topics: terraform
Language: HCL
Homepage:
Size: 235 KB
Stars: 3
Watchers: 58
Forks: 1
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security_group.tf
Awesome Lists containing this project

README

          # OpenVPN

This module setups an openvpn server with 2 load balancers, 1 for user logins for retrieval or profile, and 1 for vpn client connection and admin access

## Design

![Architecture](architecture.png)

## Usage

```

module "ovpn"{

  name = "my-openvpn"

  openvpn_hostname          = "example-connection.com"

  openvpn_pool_ip           = "172.40.200.0/22"

  openvpn_ami_id            = "ami-xxx" # From your openvpn marketplace subscription

  domain_name               = "example.com"

  route53_zone_id           = "xx" # For ACM creation

  vpc_id                    = "vpc-xx"

  s3_bucket_access_logs     = "my-bucket"

  public_subnet_ids         = ["subnet-xxx"]

  private_subnet_ids        = ["subnet-yyy"]

  key_name                  = "my-ssh-key-pair"

  # Your VPC cidr for clients to access private network

  vpn_private_network_cidrs = [

    "172.111.111.0/22"

  ]

}

```

## Notes

### Use RDS

#### Requirements

1. RDS MySQL setup separately

2. RDS username and password in secrets manager with the following key/values

   1. username

   2. password

If you wish to use RDS with this module for backing up your openvpn settings remotely, please note the following

1. certain variables will cause a change in user-data script, this will cause a recreation of your EC2 primary server instance. If you have yet to be connected to the RDS succesfully, this will result in a loss of your current settings (Please see [here](https://openvpn.net/vpn-server-resources/configuration-database-management-and-backups/#change-database-backend-to-mysql-or-amazon-rds) if you are migrating from a local sqlite to rds mysql)

2. When using RDS, a custom user data script will be ran, do take a look at the [template](./vm_openvpn.tpl) before using it to see if it fits your needs

3. This module does not set your linux admin user password as that is not a safe practice. Therefore on initial setup, you have to ssh in to set the admin password before you can manage via the admin web server. Run `passwd openvpn` to set your password in the server

### Autoscaling cluster

> WIP## Requirements

No requirements.

## Providers

| Name | Version |

|------|---------|

|  [aws](#provider\_aws) | n/a |

|  [template](#provider\_template) | n/a |

## Modules

No modules.

## Resources

| Name | Type |

|------|------|

| [aws_acm_certificate.cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate) | resource |

| [aws_acm_certificate_validation.cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation) | resource |

| [aws_autoscaling_group.ovpn-ext-asg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group) | resource |

| [aws_iam_instance_profile.openvpn-ec2-profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |

| [aws_iam_role.openvpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |

| [aws_instance.primary](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |

| [aws_launch_configuration.ovpn-launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration) | resource |

| [aws_lb.connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |

| [aws_lb.web](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |

| [aws_lb_listener.connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |

| [aws_lb_listener.connection-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |

| [aws_lb_listener.connection-udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |

| [aws_lb_listener.web-front-end](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |

| [aws_lb_target_group.conn-admin-to-ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |

| [aws_lb_target_group.conn-to-ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |

| [aws_lb_target_group.conn-to-ec2-udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |

| [aws_lb_target_group.web-to-ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |

| [aws_lb_target_group_attachment.primary-conn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |

| [aws_lb_target_group_attachment.primary-conn-admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |

| [aws_lb_target_group_attachment.primary-conn-udp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |

| [aws_lb_target_group_attachment.primary-web](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |

| [aws_network_acl_rule.allow-udp-connection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |

| [aws_network_acl_rule.allow-udp-connection-egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |

| [aws_route53_record.conn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |

| [aws_route53_record.openvpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |

| [aws_route53_record.web](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |

| [aws_security_group.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |

| [aws_security_group.openvpn-conn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |

| [aws_security_group.openvpn-web](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |

| [aws_security_group_rule.allow-1194-to-ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-943-from-cidr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-conn-to-ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-from-elb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-individual-1194-to-ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.allow-web-internal](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.conn-egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.conn-ingress-individual](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.conn-ingress-public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.web-egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.web-ingress-individual-443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.web-ingress-individual-80](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.web-ingress-public-443](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [aws_security_group_rule.web-ingress-public-80](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |

| [template_file.ovpn_ext_tpl_primary](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |

| [template_file.ovpn_ext_tpl_secondary](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |

## Inputs

| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [admin\_allowed\_ips](#input\_admin\_allowed\_ips) | Map of User and IP for tcp admin\_port admin web | 
map(object({
    name    = string,
    ip_addr = set(string)
  })) | `{}` | no |

|  [admin\_port](#input\_admin\_port) | Port number which openvpn admin website wil be hosted on | `number` | `943` | no |

|  [aws\_region](#input\_aws\_region) | AWS region. | `string` | `"ap-southeast-1"` | no |

|  [conn\_allow\_public](#input\_conn\_allow\_public) | Allow public vpn clients to connect to the vpn server? | `bool` | `true` | no |

|  [conn\_allowed\_ips](#input\_conn\_allowed\_ips) | Map of User and IP for openvpn connection | map(object({
    name    = string,
    ip_addr = set(string)
  })) | `{}` | no |

|  [conn\_port](#input\_conn\_port) | Port number which openvpn clients will use to establish a vpn connection to the server with, 1-65535 | `number` | `1194` | no |

|  [domain\_name](#input\_domain\_name) | domain name to serve site on | `string` | n/a | yes |

|  [extra\_iam\_policy\_arns](#input\_extra\_iam\_policy\_arns) | Extra IAM policies to include (e.g cloudwatch, session manager) | `list(string)` | `[]` | no |

|  [key\_name](#input\_key\_name) | SSH Key pair name | `string` | `""` | no |

|  [nacl\_udp\_port\_allow\_list](#input\_nacl\_udp\_port\_allow\_list) | Creating NACL rules for openvpn UDP connection | map(object({
    nacl_id     = string,
    rule_number = number
  })) | `{}` | no |

|  [name](#input\_name) | Name prefix for various resources created | `string` | n/a | yes |

|  [openvpn\_ami\_id](#input\_openvpn\_ami\_id) | Openvpn AMI id from marketplace subscription | `string` | n/a | yes |

|  [openvpn\_hostname](#input\_openvpn\_hostname) | openvpn connection url, different from the web url | `string` | n/a | yes |

|  [openvpn\_pool\_ip](#input\_openvpn\_pool\_ip) | IP Pool range for clients | `string` | `"172.27.200.0/22"` | no |

|  [openvpn\_secret\_manager\_credentials\_arn](#input\_openvpn\_secret\_manager\_credentials\_arn) | ARN of AWS Secret Manager secret that contains ths password to use for openvpn admin user | `string` | `""` | no |

|  [permissions\_boundary](#input\_permissions\_boundary) | Permissions boundary that will be added to the created roles. | `string` | `null` | no |

|  [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet ids for launch configuration to create ec2 instances in | `list(string)` | n/a | yes |

|  [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet ids for elastic load balancer | `list(string)` | n/a | yes |

|  [rds\_fqdn](#input\_rds\_fqdn) | Hostname of RDS | `string` | `""` | no |

|  [rds\_secret\_manager\_credentials\_arn](#input\_rds\_secret\_manager\_credentials\_arn) | ARN of AWS Secret Manager secret that contains ths password to use to connect to RDS with | `string` | `""` | no |

|  [rds\_secret\_manager\_id](#input\_rds\_secret\_manager\_id) | Path of AWS Secret Manager secret that contains ths password to use to connect to RDS with | `string` | `""` | no |

|  [route53\_zone\_id](#input\_route53\_zone\_id) | Route53 Zone ID | `string` | `""` | no |

|  [s3\_bucket\_access\_logs](#input\_s3\_bucket\_access\_logs) | S3 bucket for storing access logs | `string` | n/a | yes |

|  [s3\_prefix](#input\_s3\_prefix) | Prefix for access logs if you want to change the object folder. remember to add a prevailing '/' e.g 'nlb/ | `string` | `""` | no |

|  [ssh\_allowed\_ips](#input\_ssh\_allowed\_ips) | Map of User and IP for ssh | map(object({
    name    = string,
    ip_addr = set(string)
  })) | n/a | yes |

|  [tags](#input\_tags) | Tags to include | `map` | `{}` | no |

|  [use\_rds](#input\_use\_rds) | Toggle to use RDS or local sqlite db | `bool` | `false` | no |

|  [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |

|  [vpn\_private\_network\_cidrs](#input\_vpn\_private\_network\_cidrs) | Private network cidr which clients will be able to access, typically your VPC cidr | `list(string)` | `[]` | no |

|  [web\_allow\_public](#input\_web\_allow\_public) | Allow public to access the web UI? | `bool` | `true` | no |

|  [web\_allowed\_ips](#input\_web\_allowed\_ips) | Map of User and IP for tcp 443 web | map(object({
    name    = string,
    ip_addr = set(string)
  })) | `{}` | no |

|  [web\_port](#input\_web\_port) | Port number which openvpn website wil be hosted on | `number` | `443` | no |

## Outputs

| Name | Description |

|------|-------------|

|  [acm\_arn](#output\_acm\_arn) | n/a |

|  [acm\_domain\_name](#output\_acm\_domain\_name) | n/a |

|  [asg\_arn](#output\_asg\_arn) | n/a |

|  [aws\_lb\_connection\_arn](#output\_aws\_lb\_connection\_arn) | n/a |

|  [aws\_lb\_connection\_dns](#output\_aws\_lb\_connection\_dns) | n/a |

|  [aws\_lb\_web\_arn](#output\_aws\_lb\_web\_arn) | n/a |

|  [aws\_lb\_web\_dns](#output\_aws\_lb\_web\_dns) | n/a |

|  [instance\_primary\_arn](#output\_instance\_primary\_arn) | n/a |

|  [instance\_profile\_arn](#output\_instance\_profile\_arn) | n/a |

|  [instance\_root\_block\_id](#output\_instance\_root\_block\_id) | n/a |

|  [launch\_configuration\_arn](#output\_launch\_configuration\_arn) | n/a |

|  [security\_group\_id\_connection](#output\_security\_group\_id\_connection) | n/a |

|  [security\_group\_id\_ec2](#output\_security\_group\_id\_ec2) | n/a |

|  [security\_group\_id\_web](#output\_security\_group\_id\_web) | n/a |
ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/govtechsg/terraform-openvpn

Awesome Lists containing this project

README
