Added a flaf to create virtual private gateway

Author: vijay-stephen

README.md

@@ -2,20 +2,22 @@
 
 [![Quality gate](https://sonarcloud.io/api/project_badges/quality_gate?project=sourcefuse_terraform-aws-arc-vpn)](https://sonarcloud.io/summary/new_code?id=sourcefuse_terraform-aws-arc-vpn)
 
-[![Snyk](https://github.com/sourcefuse/terraform-aws-refarch-vpn/actions/workflows/test.yml/badge.svg)](https://github.com/sourcefuse/terraform-aws-refarch-vpn/actions/workflows/test.yml)
+[![Snyk](https://github.com/sourcefuse/terraform-aws-refarch-vpn/actions/workflows/test.yml/badge.svg)](https://github.com/sourcefuse/c/actions/workflows/test.yml)
 
 ## Overview
 
 SourceFuse AWS Reference Architecture (ARC) Terraform module for managing a Client VPN.
 
+For more information about this repository and its usage, please see [Terraform AWS ARC CloudFront Usage Guide](https://github.com/sourcefuse/terraform-aws-arc-vpn/blob/main/docs/module-usage-guide/README.md).
+
 ## Usage
 
 To see a full example, check out the [main.tf](https://github.com/sourcefuse/terraform-aws-arc-vpn/blob/main/example/main.tf) file in the example folder.
 
-```hcl
+```tcl
 module "this" {
   source  = "sourcefuse/arc-vpn/aws"
-  version = "0.0.4"
+  version = "1.0.0"
   vpc_id = data.aws_vpc.this.id
 
   authentication_options_type                       = "certificate-authentication"

docs/module-usage-guide/README.md

@@ -4,7 +4,10 @@
 
 ### Purpose of the Document
 
-This document provides guidelines and instructions for users looking to implement Terraform ARC module for managing a Client VPN.
+This document provides guidelines and instructions for users looking to implement Terraform ARC module for managing a AWS Client VPN.
+
+#### What is AWS Client VPN ? 
+AWS Client VPN is a managed remote access VPN solution used by your remote workforce to securely access resources within both AWS and your on-premises network. Fully elastic, it automatically scales up, or down, based on demand.
 
 ### Module Overview
 
@@ -24,7 +27,7 @@ Before using this module, ensure you have the following:
 
 To use the module in your Terraform configuration, include the following source block:
 
-```hcl
+```tcl
 module "client_vpn" {
   source  = "sourcefuse/arc-vpn/aws"
   version = "0.0.8"
@@ -48,7 +51,9 @@ Integrate the module with your existing Terraform mono repo configuration, follo
 
 ### Required AWS Permissions
 
-Ensure that the AWS credentials used to execute Terraform have the necessary permissions to create Client VPN.
+Ensure that the AWS credentials used to execute Terraform have the necessary permissions to create 
+ - Client VPN Endpoint
+ - Virtual Private Gateway
 
 ## Module Configuration
 
@@ -68,28 +73,49 @@ For basic usage, see the [example](https://github.com/sourcefuse/terraform-aws-a
 
 This example will create:
 
-Self-Signed Certificate Authority (CA) Creation: It creates a self-signed CA certificate using the cloudposse/terraform-aws-ssm-tls-self-signed-cert module. The certificate is stored in AWS SSM (Systems Manager).
+- Self-Signed Certificate Authority (CA) Creation: It creates a self-signed CA certificate using the cloudposse/terraform-aws-ssm-tls-self-signed-cert module. The certificate is stored in AWS SSM (Systems Manager).
 
-Self-Signed Root Certificate Creation: It creates a self-signed root certificate using the cloudposse/terraform-aws-ssm-tls-self-signed-cert module. This certificate is signed by the previously created CA certificate.
+- Self-Signed Root Certificate Creation: It creates a self-signed root certificate using the cloudposse/terraform-aws-ssm-tls-self-signed-cert module. This certificate is signed by the previously created CA certificate.
 
-VPN Setup: It uses the sourcefuse/arc-vpn/aws module to create a VPN setup. This includes:
+- VPN Setup: It uses the sourcefuse/arc-vpn/aws module to create a VPN setup. This includes:
 
-Setting up certificate-based authentication using the self-signed root certificate.
+	- Certificate-based authentication using the self-signed root certificate.
 
-Authorizing all groups to access the VPN.
+	- Authorize all groups to access the VPN.
 
-Specifying the private subnets where the VPN endpoints will be created.
+	- Specifying the private subnets where the VPN endpoints will be created.
 
-Specifying the target network CIDR block, which is the VPC's CIDR block.
+	- Specifying the target network CIDR block, which is the VPC's CIDR block.
 
-Creating a self-signed server certificate.
+	- Created a self-signed server certificate.
 
-Setting up the client VPN with a specified client CIDR block, VPN name, and VPN gateway name.
+	- Setting up the client VPN with a specified client CIDR block, VPN name, and VPN gateway name.
 
 The VPN setup allows users to securely connect to the AWS VPC from anywhere, using the created client VPN. The self-signed certificates are used to authenticate the users.
+
+### How to create AWS Client VPN file
+- Download and install AWS Client VPN Application [download](https://aws.amazon.com/vpn/client-vpn-download/)
+- Download the AWS Client VPN Configuration File
+	- Navigate to `VPC` > `Client VPN endpoints`
+	- Select the endpoint and click `Download Client Configuration`
+- Incase authentication is using certificate
+	- Open the Client Configuration file in an editor.
+	- Append the certificate data as show below to the configuration file
+	```
+	<cert>
+		Copy from SSM PARAM self-signed-cert-ca.pem
+	</cert>
+
+	<key>
+		Copy from SSM PARAM self-signed-cert-ca.key
+	</key>
+	```
+
+
+
 ### Tips and Recommendations
 
-The module focuses on setting up AWS Client VPN. Adjust the configuration parameters as needed for your specific use case.
+To authenticate the AWS Client VPN, integration with Active Directory (AD) is possible.
 
 ## Troubleshooting
 

example/.terraform.lock.hcl

@@ -60,10 +60,16 @@ data "aws_subnets" "private" {
 ## certs
 ################################################################################
 module "self_signed_cert_ca" {
-  source = "git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git?ref=1.3.0"
+  source = "git::https://github.com/cloudposse/terraform-aws-ssm-tls- self-signed-cert.git?ref=1.3.0"
 
   attributes = ["self", "signed", "cert", "ca"]
 
+  enabled = true
+
+  namespace = var.namespace
+  stage     = var.environment
+  name      = "demo"
+
   secret_path_format = var.secret_path_format
 
   subject = {
@@ -94,8 +100,14 @@ data "aws_ssm_parameter" "ca_key" {
 module "self_signed_cert_root" {
   source = "git::https://github.com/cloudposse/terraform-aws-ssm-tls-self-signed-cert.git?ref=1.3.0"
 
+  enabled = true
+
   attributes = ["self", "signed", "cert", "root"]
 
+  namespace = var.namespace
+  stage     = var.environment   
+  name      = "demo"
+
   secret_path_format = var.secret_path_format
 
   subject = {
@@ -123,12 +135,13 @@ module "self_signed_cert_root" {
   }
 }
 
+
 ################################################################################
 ## vpn
 ################################################################################
 module "vpn" {
   source  = "sourcefuse/arc-vpn/aws"
-  version = "0.0.4"
+  //version = "1.0.0" # pin the correct version
 
   vpc_id = data.aws_vpc.this.id
 
@@ -152,5 +165,7 @@ module "vpn" {
   client_vpn_name         = "${var.namespace}-${var.environment}-client-vpn-example"
   client_vpn_gateway_name = "${var.namespace}-${var.environment}-vpn-gateway-example"
 
+  create_vpn_gateway = true
+
   tags = module.tags.tags
 }

example/main.tf

@@ -67,6 +67,9 @@ module "self_signed_cert" {
   attributes         = ["self", "signed", "cert", "server"]
   secret_path_format = var.self_signed_server_cert_secret_path_format
 
+   name = var.client_vpn_name
+
+
   subject = {
     common_name  = var.self_signed_server_cert_server_common_name
     organization = var.self_signed_server_cert_organization_name
@@ -93,6 +96,7 @@ module "self_signed_cert" {
 ## vpn
 ################################################################################
 resource "aws_vpn_gateway" "this" {
+  count = var.create_vpn_gateway ? 1 : 0
   vpc_id = var.vpc_id
 
   tags = merge(var.tags, tomap({

main.tf

@@ -261,3 +261,9 @@ variable "client_vpn_authorize_all_groups" {
   description = "Indicates whether the authorization rule grants access to all clients. One of access_group_id or authorize_all_groups must be set."
   default     = true
 }
+
+variable "create_vpn_gateway" {
+  type        = bool
+  description = "Whether to create VPN Gateway, as for a VPC only one Gateway is allowed"
+  default     = true  
+}