This is a Terraform module for creating an OpenVPN server in the COOL Shared Services account. This deployment should be laid down on top of cisagov/cool-sharedservices-networking, after cisagov/cool-sharedservices-freeipa has been applied.
- Terraform installed on your system.
- An accessible AWS S3 bucket to store Terraform state (specified in backend.tf).
- An accessible AWS DynamoDB database to store the Terraform state lock (specified in backend.tf).
- Access to all of the Terraform remote states specified in remote_states.tf.
Name | Version |
---|---|
terraform | ~> 1.0 |
aws | ~> 4.9 |
Name | Version |
---|---|
aws | ~> 4.9 |
aws.organizationsreadonly | ~> 4.9 |
aws.provision_sharedservices | ~> 4.9 |
terraform | n/a |
Name | Source | Version |
---|---|---|
cw_alarms_openvpn | github.com/cisagov/instance-cw-alarms-tf-module | n/a |
openvpn | github.com/cisagov/openvpn-server-tf-module | n/a |
Name | Type |
---|---|
aws_iam_policy.provisionopenvpn_policy | resource |
aws_iam_role_policy_attachment.provisionopenvpn_policy_attachment | resource |
aws_security_group.assessment_environment_services_access | resource |
aws_security_group_rule.egress_to_assessment_env_services | resource |
aws_caller_identity.current | data source |
aws_caller_identity.sharedservices | data source |
aws_iam_policy_document.provisionopenvpn_policy_doc | data source |
aws_organizations_organization.cool | data source |
terraform_remote_state.cdm | data source |
terraform_remote_state.dns_certboto | data source |
terraform_remote_state.freeipa | data source |
terraform_remote_state.images_parameterstore | data source |
terraform_remote_state.master | data source |
terraform_remote_state.networking | data source |
terraform_remote_state.public_dns | data source |
terraform_remote_state.sharedservices | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_region | The AWS region where the shared services account is to be created (e.g. "us-east-1"). | string | "us-east-1" | no |
cert_bucket_name | The name of the AWS S3 bucket where certificates are stored. | string | "cisa-cool-certificates" | no |
client_dns_search_domain | The DNS search domain to be pushed to VPN clients. | string | n/a | yes |
client_dns_server | The address of the DNS server to be pushed to the VPN clients. | string | n/a | yes |
client_motd_url | A URL to the motd page. This will be pushed to VPN clients as an environment variable. | string | "https://github.com/cisagov/cool-system/blob/develop/motd.md#welcome-to-cisas-cloud-oriented-operations-lab-cool" | no |
client_network | A string containing the network and netmask to assign client addresses. The server will take the first address. (e.g. "10.240.0.0 255.255.255.0"). | string | n/a | yes |
cool_domain | The domain where the COOL resources reside (e.g. "cool.cyber.dhs.gov"). | string | "cool.cyber.dhs.gov" | no |
crowdstrike_falcon_sensor_customer_id_key | The SSM Parameter Store key whose corresponding value contains the customer ID for CrowdStrike Falcon (e.g. /cdm/falcon/customer_id). | string | "/cdm/falcon/customer_id" | no |
crowdstrike_falcon_sensor_tags_key | The SSM Parameter Store key whose corresponding value contains a comma-delimited list of tags that are to be applied to CrowdStrike Falcon (e.g. /cdm/falcon/tags). | string | "/cdm/falcon/tags" | no |
nessus_hostname_key | The SSM Parameter Store key whose corresponding value contains the hostname of the CDM Tenable Nessus server to which the Nessus Agent should link (e.g. /cdm/nessus/hostname). | string | "/cdm/nessus_hostname" | no |
nessus_key_key | The SSM Parameter Store key whose corresponding value contains the secret key that the Nessus Agent should use when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/key). | string | "/cdm/nessus_key" | no |
nessus_port_key | The SSM Parameter Store key whose corresponding value contains the port to which the Nessus Agent should connect when linking with the CDM Tenable Nessus server (e.g. /cdm/nessus/port). | string | "/cdm/nessus_port" | no |
private_networks | A list of strings, each of which contains a network and netmask defining a list of subnets that exist behind the VPN server (e.g. ["10.224.0.0 255.240.0.0", "192.168.100.0 255.255.255.0"]). This will be concatenated with the list of S3 gateway endpoint routes and the result will be pushed to the clients. | list(string) | n/a | yes |
provisionaccount_role_name | The name of the IAM role that allows sufficient permissions to provision all AWS resources in the Shared Services account. | string | "ProvisionAccount" | no |
provisionopenvpn_policy_description | The description to associate with the IAM policy that allows provisioning of OpenVPN in the Shared Services account. | string | "Allows provisioning of OpenVPN in the Shared Services account." | no |
provisionopenvpn_policy_name | The name to assign the IAM policy that allows provisioning of OpenVPN in the Shared Services account. | string | "ProvisionOpenVPN" | no |
root_disk_size | The size of the OpenVPN instance's root disk in GiB. | number | 8 | no |
tags | Tags to apply to all AWS resources created. | map(string) | {} | no |
trusted_cidr_blocks_vpn | A list of the CIDR blocks that are allowed to access the VPN port on the VPN servers (e.g. ["10.10.0.0/16", "10.11.0.0/16"]). | list(string) | [] | no |
Name | Description |
---|---|
assessment_environment_services_access_security_group | The security group allowing VPN users access to services running in the assessment environments. |
instance_id | The ID corresponding to the OpenVPN server EC2 instance. |
security_group_id | The ID corresponding to the OpenVPN server security group. |
Running pre-commit requires running `terraform init` in every directory that contains Terraform code. In this repository, that is only the main directory.
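Because every directory holding Terraform code must be initialized before the pre-commit hooks (for instance a `terraform validate` hook) can run, the following is an added example, not code from the cisagov/cool-sharedservices-openvpn repository, of a POSIX shell script that discovers those directories and initializes each one. It generalizes the single-directory case of this repository to any layout, and it uses `-backend=false` so the lint pass fetches providers and modules without configuring the S3/DynamoDB backend from backend.tf, meaning no credentials for the state bucket or lock table are needed. The script name and the `INIT_ALL_TF` guard variable are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the cisagov/cool-sharedservices-openvpn repository.
# Discover every directory that contains Terraform code and run `terraform init`
# in each, so that pre-commit hooks that need an initialized working directory
# (e.g. terraform validate) can run.
# Assumptions: a POSIX sh with find/sort/wc/tr, and terraform on PATH whenever
# init_all_tf_dirs is actually invoked.
set -eu

# Print each directory under $1 (default ".") that holds at least one *.tf file,
# one per line, sorted and deduplicated. The .terraform provider/module caches
# and .git are pruned: they contain *.tf files that are not repository code.
tf_dirs() {
  root="${1:-.}"
  find "$root" \( -name .terraform -o -name .git \) -prune -o \
       -type f -name '*.tf' -print |
    while IFS= read -r tf_file; do
      dirname "$tf_file"
    done |
    sort -u
}

# Number of Terraform directories under $1; prints "0" when there are none.
tf_dir_count() {
  tf_dirs "${1:-.}" | wc -l | tr -d ' '
}

# Initialize every Terraform directory found under $1.
# -backend=false downloads providers and modules but does not configure the
# backend declared in backend.tf, so this lint-time init needs no access to the
# S3 state bucket and never touches the DynamoDB lock table. A real plan or
# apply still requires a full `terraform init` against the configured backend.
init_all_tf_dirs() {
  tf_dirs "${1:-.}" | while IFS= read -r dir; do
    echo "==> terraform init in $dir"
    (cd "$dir" && terraform init -backend=false -input=false >/dev/null)
  done
}

# Run as:  INIT_ALL_TF=1 sh init-all-tf.sh [root]
# The guard lets the file be sourced for its functions (e.g. from a CI script)
# without running terraform as a side effect.
if [ "${INIT_ALL_TF:-0}" = "1" ]; then
  init_all_tf_dirs "${1:-.}"
fi
```

From the repository root, `INIT_ALL_TF=1 sh init-all-tf.sh .` followed by `pre-commit run --all-files` reproduces the manual procedure above; in this repository `tf_dirs .` reports only the main directory, but the same script covers repositories that keep Terraform code in several subdirectories.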
We welcome contributions! Please see CONTRIBUTING.md for details.
This project is in the worldwide public domain.
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.