Client VPN Endpoint - Allow Custom Security Groups #7495

Closed
Bwanabanana opened this issue Feb 10, 2019 · 6 comments · Fixed by #14146
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@Bwanabanana

Bwanabanana commented Feb 10, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

This request asks for custom (non-VPC default) security groups to be associated with the Client VPN endpoint.

The Target Network configuration of the recently added Client VPN support allows the configuration of the 'landing subnets' for connected clients but does not allow custom security groups to be specified and retains the default settings for a Client VPN endpoint:

The VPC's default security group is automatically applied for the subnet association. You can modify the security group after associating the subnet.

See the Client VPN Target Network documentation for more information.

New or Affected Resource(s)

This relates to the aws_ec2_client_vpn_endpoint and aws_ec2_client_vpn_network_association resources, recently added to 1.58.0 by @slapula under #7009.

References

@Bwanabanana Bwanabanana added the enhancement Requests to existing resources that expand the functionality or scope. label Feb 10, 2019
@Bwanabanana Bwanabanana changed the title Client VPN - Allow Custom Security Groups Client VPN Endpoint - Allow Custom Security Groups Feb 10, 2019
@slapula
Contributor

slapula commented Feb 10, 2019

Oops, I also failed to account for this: https://docs.aws.amazon.com/sdk-for-go/api/service/ec2/#EC2.ApplySecurityGroupsToClientVpnTargetNetwork

I think I can get away with adding this functionality to aws_ec2_client_vpn_network_association.

@Bwanabanana
Author

Yes, sounds reasonable to be able to provide a list of security groups for each aws_ec2_client_vpn_network_association. It's funny, because the AWS console doesn't provide the ability to associate a distinct list of security groups to a given Target Network (i.e. subnet) - it simply applies the given list selected to every Target Network associated with the Client VPN endpoint! Until you linked the go API above, I hadn't realised that was possible. 😄

@AlexanderMarkov

Any progress here?

@gdavison gdavison added this to the v3.0.0 milestone Jul 10, 2020
@bflad bflad modified the milestones: v3.0.0, v3.1.0 Jul 30, 2020
@bflad bflad modified the milestones: v3.1.0, v3.2.0 Aug 7, 2020
@gdavison gdavison modified the milestones: v3.2.0, v3.3.0 Aug 14, 2020
@bflad
Contributor

bflad commented Aug 20, 2020

Support for this functionality has been merged and will release with version 3.3.0 of the Terraform AWS Provider, later today. Thanks to @slapula for starting the implementation! 👍

@ghost

ghost commented Aug 20, 2020

This has been released in version 3.3.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost

ghost commented Sep 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 19, 2020
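
The configuration this issue asked for, as an added example that is not code from the thread or from the provider project: a Client VPN target network association that carries a dedicated security group instead of inheriting the VPC default one. It assumes Terraform AWS provider 3.3.0 (the release named above); the `security_groups` argument name does not appear in the thread and is taken from that release line's provider documentation, and every resource name, variable and CIDR is a placeholder.

```hcl
# Added example. Variables, names and CIDRs are placeholders.
variable "vpc_id" { type = string }
variable "subnet_id" { type = string }
variable "server_cert_arn" { type = string }
variable "client_root_cert_arn" { type = string }

resource "aws_ec2_client_vpn_endpoint" "example" {
  description            = "example-client-vpn"
  server_certificate_arn = var.server_cert_arn
  client_cidr_block      = "10.100.0.0/22"

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = var.client_root_cert_arn
  }

  connection_log_options {
    enabled = false
  }
}

# Dedicated group for VPN client traffic. Declaring an egress block
# replaces the allow-all egress rule Terraform would otherwise leave out,
# so clients can only reach what is listed here.
resource "aws_security_group" "vpn_clients" {
  name_prefix = "client-vpn-"
  vpc_id      = var.vpc_id

  egress {
    description = "HTTPS to internal services only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}

# Before (provider < 3.3.0): the association takes only the endpoint and
# subnet, so the VPC's default security group is applied automatically.
#
# After: the association names its own security group(s).
resource "aws_ec2_client_vpn_network_association" "example" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.example.id
  subnet_id              = var.subnet_id
  security_groups        = [aws_security_group.vpn_clients.id]
}
```

Target resources can then allow ingress from `aws_security_group.vpn_clients` by reference rather than by client CIDR. Check the argument against the documentation for the provider version you pin.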