
Commit 2f3dee9

Merge pull request #28 from sourcefuse/feature/client-vpn-refactor
Removed Cloudposse dependency for Client VPN
2 parents e0b6cd6 + ba2f546 commit 2f3dee9

21 files changed

+515
-245
lines changed


.terraform.lock.hcl

Lines changed: 51 additions & 35 deletions

README.md

Lines changed: 2 additions & 2 deletions
@@ -75,7 +75,7 @@ No resources.
7575

7676
| Name | Description | Type | Default | Required |
7777
|------|-------------|------|---------|:--------:|
78-
| <a name="input_client_vpn_config"></a> [client\_vpn\_config](#input\_client\_vpn\_config) | VPN configuration options including certs and vpn settings | <pre>object({<br> create = optional(bool, false)<br> # certs<br> self_signed_cert_data = optional(object({<br> create = optional(bool, true)<br> secret_path_format = optional(string, "/%s.%s")<br> server_common_name = optional(string, "")<br> organization_name = optional(string, "")<br> allowed_uses = optional(list(string), [<br> "key_encipherment",<br> "digital_signature",<br> "server_auth"<br> ])<br> ca_pem = optional(string, "")<br> private_ca_key_pem = optional(string, "")<br> }))<br><br><br> # vpn settings<br> iam_saml_provider_enabled = optional(bool, false)<br> iam_saml_provider_name = optional(string, null)<br> saml_metadata_document_content = optional(string, null)<br> client_cidr_block = string<br> split_tunnel = optional(bool, true)<br> self_service_portal = optional(string, "disabled")<br> dns_servers = optional(list(string), ["1.1.1.1", "1.0.0.1"])<br><br> # logging options<br> log_options = optional(object({<br> enabled = bool<br> cloudwatch_log_stream = optional(string, null)<br> cloudwatch_log_group = optional(string, null)<br> }), {<br> enabled = false<br> })<br><br> # authentication options<br> authentication_options = list(object({<br> active_directory_id = optional(string, null)<br> root_certificate_chain_arn = optional(string, null)<br> saml_provider_arn = optional(string, null)<br> self_service_saml_provider_arn = optional(string, null)<br> type = string<br> }))<br><br> # server and transport protocol<br> client_server_certificate_arn = optional(string, null)<br> client_server_transport_protocol = optional(string, "tcp")<br><br> # security and network associations<br> security_group_data = optional(object({<br> client_vpn_additional_security_group_ids = optional(list(string), [])<br> ingress_rules = list(object({<br> description = optional(string, "")<br> from_port = number<br> to_port = 
number<br> protocol = any<br> cidr_blocks = optional(list(string), [])<br> security_group_ids = optional(list(string), [])<br> ipv6_cidr_blocks = optional(list(string), [])<br> }))<br> egress_rules = list(object({<br> description = optional(string, "")<br> from_port = number<br> to_port = number<br> protocol = any<br> cidr_blocks = optional(list(string), [])<br> security_group_ids = optional(list(string), [])<br> ipv6_cidr_blocks = optional(list(string), [])<br> }))<br> }),<br> {<br> ingress_rules = [<br> {<br> description = "VPN ingress to 443"<br> from_port = 443<br> to_port = 443<br> protocol = "tcp"<br> }<br> ]<br> egress_rules = [<br> {<br> description = "VPN egress to internet"<br> from_port = 0<br> to_port = 0<br> protocol = -1<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> ]<br> }<br> )<br><br> subnet_ids = list(string)<br><br> # authorization options<br> authorization_options = map(object({<br> target_network_cidr = string<br> access_group_id = optional(string, null)<br> authorize_all_groups = optional(bool, true)<br> }))<br> })</pre> | <pre>{<br> "authentication_options": null,<br> "authorization_options": null,<br> "client_cidr_block": null,<br> "create": false,<br> "subnet_ids": []<br>}</pre> | no |
78+
| <a name="input_client_vpn_config"></a> [client\_vpn\_config](#input\_client\_vpn\_config) | VPN configuration options including certs and vpn settings | <pre>object({<br> create = optional(bool, false)<br> # certs<br> server_certificate_data = optional(object({<br> create = optional(bool, true)<br> common_name = string<br> organization = string<br> allowed_uses = optional(list(string), [<br> "key_encipherment",<br> "digital_signature",<br> "server_auth"<br> ])<br> ca_cert_pem = string<br> ca_private_key_pem = string<br> certificate_arn = optional(string, null)<br> }))<br><br><br> # vpn settings<br> iam_saml_provider_enabled = optional(bool, false)<br> iam_saml_provider_name = optional(string, null)<br> saml_metadata_document_content = optional(string, null)<br> client_cidr_block = string<br> split_tunnel = optional(bool, true)<br> self_service_portal = optional(string, "disabled")<br> dns_servers = optional(list(string), ["1.1.1.1", "1.0.0.1"])<br><br> # logging options<br> log_options = optional(object({<br> enabled = bool<br> cloudwatch_log_stream = optional(string, null)<br> cloudwatch_log_group = optional(string, null)<br> }), {<br> enabled = false<br> })<br><br> # authentication options<br> authentication_options = list(object({<br> active_directory_id = optional(string, null)<br> root_certificate_chain_arn = optional(string, null)<br> saml_provider_arn = optional(string, null)<br> self_service_saml_provider_arn = optional(string, null)<br> type = string<br> }))<br><br> transport_protocol = optional(string, "tcp")<br><br> # security and network associations<br> security_group_data = optional(object({<br> client_vpn_additional_security_group_ids = optional(list(string), [])<br> ingress_rules = list(object({<br> description = optional(string, "")<br> from_port = number<br> to_port = number<br> protocol = any<br> cidr_blocks = optional(list(string), [])<br> security_group_ids = optional(list(string), [])<br> ipv6_cidr_blocks = optional(list(string), [])<br> 
}))<br> egress_rules = list(object({<br> description = optional(string, "")<br> from_port = number<br> to_port = number<br> protocol = any<br> cidr_blocks = optional(list(string), [])<br> security_group_ids = optional(list(string), [])<br> ipv6_cidr_blocks = optional(list(string), [])<br> }))<br> }),<br> {<br> ingress_rules = [<br> {<br> description = "VPN ingress to 443"<br> from_port = 443<br> to_port = 443<br> protocol = "tcp"<br> }<br> ]<br> egress_rules = [<br> {<br> description = "VPN egress to internet"<br> from_port = 0<br> to_port = 0<br> protocol = -1<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> ]<br> }<br> )<br><br> subnet_ids = list(string)<br><br> # authorization options<br> authorization_options = map(object({<br> target_network_cidr = string<br> access_group_id = optional(string, null)<br> authorize_all_groups = optional(bool, true)<br> }))<br> })</pre> | <pre>{<br> "authentication_options": null,<br> "authorization_options": null,<br> "client_cidr_block": null,<br> "create": false,<br> "subnet_ids": []<br>}</pre> | no |
7979
| <a name="input_environment"></a> [environment](#input\_environment) | Environmenr name | `string` | n/a | yes |
8080
| <a name="input_name"></a> [name](#input\_name) | Name of Client VPN or Site to site VPN | `string` | n/a | yes |
8181
| <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace name | `string` | n/a | yes |
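Review bot: in the new `server_certificate_data` object, `ca_cert_pem` and `ca_private_key_pem` are required `string` attributes while `create` defaults to `true` and `certificate_arn` is `optional(string, null)`, so a caller who sets `create = false` and supplies an existing `certificate_arn` is still forced to pass a CA certificate and CA private key that are never used; consider making the two PEM attributes `optional(string, null)` and validating that they are present only when `create` is `true`. Replacing the top-level `client_server_certificate_arn` with the nested `certificate_arn`, and `client_server_transport_protocol` with `transport_protocol`, are breaking input renames that the unchanged row description ("VPN configuration options including certs and vpn settings") does not flag; a short migration note in the README would help consumers. Because `ca_private_key_pem` carries private key material, the description should also say the value is sensitive and is expected to come from a secret store rather than a plain tfvars file. Minor: the unchanged `environment` row still reads "Environmenr name".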
@@ -87,10 +87,10 @@ No resources.
8787

8888
| Name | Description |
8989
|------|-------------|
90-
| <a name="output_client_self_signed_cert_server_certificate_arn"></a> [client\_self\_signed\_cert\_server\_certificate\_arn](#output\_client\_self\_signed\_cert\_server\_certificate\_arn) | Self signed certificate server certificate ARN |
9190
| <a name="output_client_vpn_arn"></a> [client\_vpn\_arn](#output\_client\_vpn\_arn) | The client vpn ARN |
9291
| <a name="output_client_vpn_id"></a> [client\_vpn\_id](#output\_client\_vpn\_id) | The client vpn ID |
9392
| <a name="output_customer_gateway_id"></a> [customer\_gateway\_id](#output\_customer\_gateway\_id) | Customer Gateway ID |
93+
| <a name="output_server_certificate"></a> [server\_certificate](#output\_server\_certificate) | Server certificate ARN |
9494
| <a name="output_site_to_site_vpn_id"></a> [site\_to\_site\_vpn\_id](#output\_site\_to\_site\_vpn\_id) | The site to site vpn ID |
9595
| <a name="output_vpn_gateway_id"></a> [vpn\_gateway\_id](#output\_vpn\_gateway\_id) | The VPN Gateway ID |
9696
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
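Review bot: the new output is named `server_certificate` but its description says "Server certificate ARN", and the sibling outputs in this table use an `_arn` suffix for ARN values (`client_vpn_arn`); renaming it to `server_certificate_arn` would make the name match the value and the table's convention. Dropping `client_self_signed_cert_server_certificate_arn` also removes an output that existing root modules may reference, so the rename should be called out as a breaking change together with the input renames in the same README.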

docs/module-usage-guide/README.md

Lines changed: 2 additions & 2 deletions
@@ -74,9 +74,9 @@ For basic Client VPN usage, see the [example](https://github.com/sourcefuse/terr
7474

7575
This example will create:
7676

77-
- Self-Signed Certificate Authority (CA) Creation: It creates a self-signed CA certificate using the cloudposse/terraform-aws-ssm-tls-self-signed-cert module. The certificate is stored in AWS SSM (Systems Manager).
77+
- CA Certificate
7878

79-
- Self-Signed Root Certificate Creation: It creates a self-signed root certificate using the cloudposse/terraform-aws-ssm-tls-self-signed-cert module. This certificate is signed by the previously created CA certificate.
79+
- Root Certificate
8080

8181
- VPN Setup: It uses the sourcefuse/arc-vpn/aws module to create a VPN setup. This includes:
8282

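Review bot: replacing the two descriptive bullets with the bare labels "CA Certificate" and "Root Certificate" drops exactly what a reader of a usage guide needs: what now creates these certificates (the removed text named the cloudposse/terraform-aws-ssm-tls-self-signed-cert module) and where the resulting key material is stored (the removed text said AWS SSM). Since the point of this PR is to remove that dependency, each bullet should state which resources now generate the CA and the server certificate, where the CA private key ends up, and how the server certificate is made available by ARN, for example "- CA Certificate: self-signed CA generated by <the module's own resources>; the private key is stored in <location>" with the placeholders filled in from the new code. The old second bullet also described a root certificate signed by the CA, whereas the README in this same commit exposes a "Server certificate ARN" output; the bullet should use whichever name the new code actually produces so the guide and the outputs table agree.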