
Resource: awsEc2ClientVpnEndpoint

Provides an AWS Client VPN endpoint for OpenVPN clients. For more information on usage, please see the AWS Client VPN Administrator's Guide.

NOTE on Client VPN endpoint target network security groups: Terraform provides both a standalone Client VPN endpoint network association resource with a (deprecated) securityGroups argument and a Client VPN endpoint resource with a securityGroupIds argument. Do not specify security groups in both resources. Doing so will cause a conflict and will overwrite the target network security group association.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.ec2ClientVpnEndpoint.Ec2ClientVpnEndpoint(this, "example", {
  authenticationOptions: [
    {
      rootCertificateChainArn: "${aws_acm_certificate.root_cert.arn}",
      type: "certificate-authentication",
    },
  ],
  clientCidrBlock: "10.0.0.0/16",
  connectionLogOptions: {
    cloudwatchLogGroup: "${aws_cloudwatch_log_group.lg.name}",
    cloudwatchLogStream: "${aws_cloudwatch_log_stream.ls.name}",
    enabled: true,
  },
  description: "terraform-clientvpn-example",
  serverCertificateArn: "${aws_acm_certificate.cert.arn}",
});

Argument Reference

The following arguments are supported:

  • authenticationOptions - (Required) Information about the authentication method to be used to authenticate clients.
  • clientCidrBlock - (Required) The IPv4 address range, in CIDR notation, from which to assign client IP addresses. The address range cannot overlap with the local CIDR of the VPC in which the associated subnet is located, or the routes that you add manually. The address range cannot be changed after the Client VPN endpoint has been created. The CIDR block should be /22 or greater.
  • clientConnectOptions - (Optional) The options for managing connection authorization for new client connections.
  • clientLoginBannerOptions - (Optional) Options for enabling a customizable text banner that will be displayed on AWS provided clients when a VPN session is established.
  • connectionLogOptions - (Required) Information about the client connection logging options.
  • description - (Optional) A brief description of the Client VPN endpoint.
  • dnsServers - (Optional) Information about the DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the connecting device is used.
  • securityGroupIds - (Optional) The IDs of one or more security groups to apply to the target network. You must also specify the ID of the VPC that contains the security groups.
  • selfServicePortal - (Optional) Specify whether to enable the self-service portal for the Client VPN endpoint. Values can be enabled or disabled. Default value is disabled.
  • serverCertificateArn - (Required) The ARN of the ACM server certificate.
  • sessionTimeoutHours - (Optional) The maximum session duration is a trigger by which end-users are required to re-authenticate prior to establishing a VPN session. Default value is 24. Valid values: 8 | 10 | 12 | 24.
  • splitTunnel - (Optional) Indicates whether split-tunnel is enabled on VPN endpoint. Default value is false.
  • tags - (Optional) A mapping of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • transportProtocol - (Optional) The transport protocol to be used by the VPN session. Default value is udp.
  • vpcId - (Optional) The ID of the VPC to associate with the Client VPN endpoint. If no security group IDs are specified in the request, the default security group for the VPC is applied.
  • vpnPort - (Optional) The port number for the Client VPN endpoint. Valid values are 443 and 1194. Default value is 443.
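
The constraints in the argument list above can be checked before deployment with a small validator. This is an added example, not part of the provider documentation or the generated bindings: ClientVpnConfig, validateClientVpn, cidrRange and the vpcCidrBlock input are hypothetical names, and the connection-logging requirement is a policy choice of the example rather than a provider rule.

```typescript
// Added example: pre-deployment checks for constraints stated in the argument list.
// All names here are hypothetical; nothing is imported from the provider bindings.
interface ClientVpnConfig {
  clientCidrBlock: string;
  vpcCidrBlock?: string; // CIDR of the associated VPC (assumed input for the overlap check)
  dnsServers?: string[];
  securityGroupIds?: string[];
  vpcId?: string;
  sessionTimeoutHours?: number;
  vpnPort?: number;
  connectionLogOptions: { enabled: boolean };
}

// Parse "a.b.c.d/n" into its first and last address as unsigned integers.
function cidrRange(cidr: string): { first: number; last: number; prefix: number } {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`invalid IPv4 CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255) || prefix > 32) throw new Error(`invalid IPv4 CIDR: ${cidr}`);
  const addr = octets.reduce((acc, o) => acc * 256 + o, 0);
  const size = 2 ** (32 - prefix);
  const first = Math.floor(addr / size) * size; // align to the network boundary
  return { first, last: first + size - 1, prefix };
}

function validateClientVpn(cfg: ClientVpnConfig): string[] {
  const findings: string[] = [];
  const client = cidrRange(cfg.clientCidrBlock);
  // "/22 or greater" is read as block size: prefix length 22 or shorter.
  if (client.prefix > 22) findings.push("clientCidrBlock is smaller than /22");
  if (cfg.vpcCidrBlock) {
    const vpc = cidrRange(cfg.vpcCidrBlock);
    if (client.first <= vpc.last && vpc.first <= client.last) {
      findings.push("clientCidrBlock overlaps the VPC CIDR");
    }
  }
  if ((cfg.dnsServers ?? []).length > 2) findings.push("more than two dnsServers");
  if ((cfg.securityGroupIds ?? []).length > 0 && !cfg.vpcId) {
    findings.push("securityGroupIds set without vpcId");
  }
  // Defaults below (24 hours, port 443) are the ones the argument list documents.
  if ([8, 10, 12, 24].indexOf(cfg.sessionTimeoutHours ?? 24) === -1) {
    findings.push("sessionTimeoutHours must be 8, 10, 12 or 24");
  }
  if ([443, 1194].indexOf(cfg.vpnPort ?? 443) === -1) findings.push("vpnPort must be 443 or 1194");
  // Policy choice of this example, not a provider rule: require connection logging.
  if (!cfg.connectionLogOptions.enabled) findings.push("connection logging is disabled");
  return findings;
}
```

validateClientVpn returns an empty array when every check passes, so it can gate a CI step that runs before synthesis.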

authenticationOptions Argument Reference

One of the following arguments must be supplied:

  • activeDirectoryId - (Optional) The ID of the Active Directory to be used for authentication if type is directory-service-authentication.
  • rootCertificateChainArn - (Optional) The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to certificate-authentication.
  • samlProviderArn - (Optional) The ARN of the IAM SAML identity provider if type is federated-authentication.
  • selfServiceSamlProviderArn - (Optional) The ARN of the IAM SAML identity provider for the self service portal if type is federated-authentication.
  • type - (Required) The type of client authentication to be used. Specify certificate-authentication to use certificate-based authentication, directory-service-authentication to use Active Directory authentication, or federated-authentication to use Federated Authentication via SAML 2.0.

clientConnectOptions Argument Reference

  • enabled - (Optional) Indicates whether client connect options are enabled. The default is false (not enabled).
  • lambdaFunctionArn - (Optional) The Amazon Resource Name (ARN) of the Lambda function used for connection authorization.

clientLoginBannerOptions Argument Reference

  • bannerText - (Optional) Customizable text that will be displayed in a banner on AWS provided clients when a VPN session is established. UTF-8 encoded characters only. Maximum of 1400 characters.
  • enabled - (Optional) Enable or disable a customizable text banner that will be displayed on AWS provided clients when a VPN session is established. The default is false (not enabled).

connectionLogOptions Argument Reference

One of the following arguments must be supplied:

  • cloudwatchLogGroup - (Optional) The name of the CloudWatch Logs log group.
  • cloudwatchLogStream - (Optional) The name of the CloudWatch Logs log stream to which the connection data is published.
  • enabled - (Required) Indicates whether connection logging is enabled.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • arn - The ARN of the Client VPN endpoint.
  • dnsName - The DNS name to be used by clients when establishing their VPN session.
  • id - The ID of the Client VPN endpoint.
  • status - (Deprecated) The current state of the Client VPN endpoint.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

AWS Client VPN endpoints can be imported using the id value found via aws ec2 describe-client-vpn-endpoints, e.g.,

$ terraform import aws_ec2_client_vpn_endpoint.example cvpn-endpoint-0ac3a1abbccddd666