# Terraform module to create an AWS Client VPN

## Usage

```hcl
module "client_vpn" {
  source  = "blackbird-cloud/client-vpn/aws"
  version = "~> 3.0"

  name                       = "example-client-vpn"
  cloudwatch_log_group_name  = var.cloudwatch_log_group_name
  cloudwatch_log_stream_name = var.cloudwatch_log_stream_name
  auth_rules                 = var.auth_rules
  client_cidr_block          = var.client_cidr_block
  vpc_id                     = var.vpc_id
  private_subnets            = var.private_subnets
  security_group_ids         = var.security_group_ids
  dns_servers                = var.dns_servers
  split_tunnel               = true
  server_certificate_arn     = var.server_certificate_arn
  vpn_saml_metadata          = file(var.vpn_saml_metadata_file)
  vpn_portal_saml_metadata   = file(var.vpn_portal_saml_metadata_file)
}
```

## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.5 |
| aws | >= 5 |

## Providers

| Name | Version |
|---|---|
| aws | >= 5 |
## Resources

| Name | Type |
|---|---|
| aws_ec2_client_vpn_authorization_rule.auth | resource |
| aws_ec2_client_vpn_authorization_rule.internet | resource |
| aws_ec2_client_vpn_endpoint.vpn | resource |
| aws_ec2_client_vpn_network_association.associations | resource |
| aws_ec2_client_vpn_route.internet | resource |
| aws_ec2_client_vpn_route.routes | resource |
| aws_iam_saml_provider.vpn | resource |
| aws_iam_saml_provider.vpn_portal | resource |
| aws_identitystore_group.sso_groups | data source |
| aws_ssoadmin_instances.current | data source |
| aws_vpc.selected | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auth_rules | List of CIDR blocks, and IDP groups (SSO group IDs), or group names (AWS IAM Identity Center group names) to authorize access for. | `list(object({` | n/a | yes |
| client_cidr_block | CIDR block used for assigning IPs to clients; must not overlap any of the connected networks. | `string` | n/a | yes |
| client_login_banner_text | (Optional) The text to display on the client login banner. If not specified, no banner is displayed. | `string` | `""` | no |
| cloudwatch_log_group_name | (Optional) CloudWatch log group name for VPN connection logging. | `string` | `""` | no |
| cloudwatch_log_stream_name | (Optional) CloudWatch log stream name for VPN connection logging. | `string` | `""` | no |
| dns_servers | (Optional) DNS servers to be used for DNS resolution. A Client VPN endpoint can have up to two DNS servers. If no DNS server is specified, the DNS address of the connecting device is used. | `list(string)` | `[]` | no |
| name | Name of the VPN. | `string` | n/a | yes |
| private_subnets | List of private subnets. | `list(string)` | n/a | yes |
| security_group_ids | (Optional) List of security group IDs to associate with the Client VPN endpoint. If not specified, a new security group will be created. | `list(string)` | `[]` | no |
| server_certificate_arn | ARN of the ACM certificate the server will use. | `string` | n/a | yes |
| split_tunnel | Whether to enable split tunnel. Defaults to false. | `bool` | `false` | no |
| tags | (Optional) Map of resource tags for all AWS resources. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider level. | `map(string)` | `{}` | no |
| transport_protocol | (Optional) The transport protocol to use for the VPN connection. Defaults to tcp. | `string` | `"tcp"` | no |
| vpc_id | ID of the VPC in which the VPN security group is created. | `string` | n/a | yes |
| vpn_port | (Optional) The port to use for the VPN connection. Defaults to 443. | `number` | `443` | no |
| vpn_portal_saml_metadata | VPN self-service portal XML document generated by an identity provider that supports SAML 2.0. | `string` | n/a | yes |
| vpn_saml_metadata | VPN XML document generated by an identity provider that supports SAML 2.0. | `string` | n/a | yes |
## Outputs

| Name | Description |
|---|---|
| vpn | The Client VPN endpoint. |
We are Blackbird Cloud, an Amsterdam-based cloud consultancy and cloud management service provider. We help companies build secure, cost-efficient, and scalable solutions.

Check out our other 👉 terraform modules
Copyright © 2017-2025 Blackbird Cloud
