Terraform code to create the OpenVPN shared service in the COOL environment.

cool-sharedservices-openvpn

This is a Terraform module for creating an OpenVPN server in the COOL Shared Services account. This deployment should be laid down on top of cisagov/cool-sharedservices-networking, after cisagov/cool-sharedservices-freeipa has been applied.

Prerequisites

  • Terraform installed on your system.
  • An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
  • An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
  • Access to all of the Terraform remote states specified in remote_states.tf.

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.0 |
| aws | ~> 4.9 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 4.9 |
| aws.organizationsreadonly | ~> 4.9 |
| aws.provision_sharedservices | ~> 4.9 |
| terraform | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| cw_alarms_openvpn | github.com/cisagov/instance-cw-alarms-tf-module | n/a |
| openvpn | github.com/cisagov/openvpn-server-tf-module | n/a |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.provisionopenvpn_policy | resource |
| aws_iam_role_policy_attachment.provisionopenvpn_policy_attachment | resource |
| aws_security_group.assessment_environment_services_access | resource |
| aws_security_group_rule.egress_to_assessment_env_services | resource |
| aws_caller_identity.current | data source |
| aws_caller_identity.sharedservices | data source |
| aws_iam_policy_document.provisionopenvpn_policy_doc | data source |
| aws_organizations_organization.cool | data source |
| terraform_remote_state.cdm | data source |
| terraform_remote_state.dns_certboto | data source |
| terraform_remote_state.freeipa | data source |
| terraform_remote_state.images_parameterstore | data source |
| terraform_remote_state.master | data source |
| terraform_remote_state.networking | data source |
| terraform_remote_state.public_dns | data source |
| terraform_remote_state.sharedservices | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_region | The AWS region where the shared services account is to be created (e.g. "us-east-1"). | string | "us-east-1" | no |
| cert_bucket_name | The name of the AWS S3 bucket where certificates are stored. | string | "cisa-cool-certificates" | no |
| client_dns_search_domain | The DNS search domain to be pushed to VPN clients. | string | n/a | yes |
| client_dns_server | The address of the DNS server to be pushed to the VPN clients. | string | n/a | yes |
| client_motd_url | A URL to the motd page. This will be pushed to VPN clients as an environment variable. | string | "https://github.com/cisagov/cool-system/blob/develop/motd.md#welcome-to-cisas-cloud-oriented-operations-lab-cool" | no |
| client_network | A string containing the network and netmask to assign client addresses. The server will take the first address (e.g. "10.240.0.0 255.255.255.0"). | string | n/a | yes |
| cool_domain | The domain where the COOL resources reside (e.g. "cool.cyber.dhs.gov"). | string | "cool.cyber.dhs.gov" | no |
| crowdstrike_falcon_sensor_customer_id_key | The SSM Parameter Store key whose corresponding value contains the customer ID for CrowdStrike Falcon (e.g. /cdm/falcon/customer_id). | string | "/cdm/falcon/customer_id" | no |
| crowdstrike_falcon_sensor_tags_key | The SSM Parameter Store key whose corresponding value contains a comma-delimited list of tags that are to be applied to CrowdStrike Falcon (e.g. /cdm/falcon/tags). | string | "/cdm/falcon/tags" | no |
| nessus_hostname_key | The SSM Parameter Store key whose corresponding value contains the hostname of the CDM Tenable Nessus server to which the Nessus Agent should link (e.g. /cdm/nessus/hostname). | string | "/cdm/nessus_hostname" | no |
| nessus_key_key | The SSM Parameter Store key whose corresponding value contains the secret key that the Nessus Agent should use when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/key). | string | "/cdm/nessus_key" | no |
| nessus_port_key | The SSM Parameter Store key whose corresponding value contains the port to which the Nessus Agent should connect when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/port). | string | "/cdm/nessus_port" | no |
| private_networks | A list of strings, each of which contains a network and netmask defining a subnet that exists behind the VPN server (e.g. ["10.224.0.0 255.240.0.0", "192.168.100.0 255.255.255.0"]). This will be concatenated with the list of S3 gateway endpoint routes and the result will be pushed to the clients. | list(string) | n/a | yes |
| provisionaccount_role_name | The name of the IAM role that allows sufficient permissions to provision all AWS resources in the Shared Services account. | string | "ProvisionAccount" | no |
| provisionopenvpn_policy_description | The description to associate with the IAM policy that allows provisioning of OpenVPN in the Shared Services account. | string | "Allows provisioning of OpenVPN in the Shared Services account." | no |
| provisionopenvpn_policy_name | The name to assign the IAM policy that allows provisioning of OpenVPN in the Shared Services account. | string | "ProvisionOpenVPN" | no |
| root_disk_size | The size of the OpenVPN instance's root disk in GiB. | number | 8 | no |
| tags | Tags to apply to all AWS resources created. | map(string) | {} | no |
| trusted_cidr_blocks_vpn | A list of the CIDR blocks that are allowed to access the VPN port on the VPN servers (e.g. ["10.10.0.0/16", "10.11.0.0/16"]). | list(string) | [] | no |
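As an added pre-apply check (example code written here, not part of this module), the script below validates the "network netmask" form that client_network and private_networks require, derives the address the server takes from client_network, and flags a trusted_cidr_blocks_vpn value that is empty (the default, which lets no source reach the VPN port) or that admits every source address. The sample values are constructed, and the "first address" is taken to mean the first usable host (network + 1), as OpenVPN's server directive assigns it.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values in the shape the module's inputs expect; they are
# illustrative, not the project's real configuration.
SAMPLE_TFVARS = {
    "client_network": "10.240.0.0 255.255.255.0",
    "private_networks": ["10.224.0.0 255.240.0.0", "192.168.100.0 255.255.255.0"],
    "trusted_cidr_blocks_vpn": ["10.10.0.0/16", "10.11.0.0/16"],
}


def parse_network_netmask(value: str) -> ipaddress.IPv4Network:
    """Parse the "network netmask" form used by client_network and
    private_networks. strict=True rejects host bits set in the network part."""
    parts = value.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'network netmask', got {value!r}")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)


def server_address(client_network: str) -> str:
    """Address the VPN server itself occupies: the first usable host of the
    client pool (network + 1), assumed here to match OpenVPN's server directive."""
    return str(parse_network_netmask(client_network).network_address + 1)


def check_vpn_inputs(tfvars: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means the values look sane.
    Checks that every network string parses, that no private network overlaps
    the client pool, and that the VPN port is neither unreachable (empty list,
    the module default) nor open to every source address."""
    findings: List[str] = []
    client = parse_network_netmask(tfvars["client_network"])
    for private in tfvars.get("private_networks", []):
        if parse_network_netmask(private).overlaps(client):
            findings.append(f"private network {private!r} overlaps client_network")
    trusted = tfvars.get("trusted_cidr_blocks_vpn", [])
    if not trusted:
        findings.append("trusted_cidr_blocks_vpn is empty: no source can reach the VPN port")
    for cidr in trusted:
        if ipaddress.IPv4Network(cidr, strict=True).prefixlen == 0:
            findings.append(f"{cidr} opens the VPN port to every source address")
    return findings


if __name__ == "__main__":
    print("server address:", server_address(SAMPLE_TFVARS["client_network"]))
    print("findings:", check_vpn_inputs(SAMPLE_TFVARS) or "none")
```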

Outputs

| Name | Description |
|------|-------------|
| assessment_environment_services_access_security_group | The security group allowing VPN users access to services running in the assessment environments. |
| instance_id | The ID corresponding to the OpenVPN server EC2 instance. |
| security_group_id | The ID corresponding to the OpenVPN server security group. |

Notes

Running pre-commit requires running terraform init in every directory that contains Terraform code. In this repository, that is only the main directory.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.
