Backup_Repos/code-server
1
0
Fork 0
mirror of https://github.com/cdr/code-server.git synced 2025-12-09 09:55:30 +01:00
Code Issues Projects Releases Wiki Activity
code-server/terraform/deployments/eks/terraform.tfvars.example
Claude 369f459203
Add AWS Client VPN support for secure private access to code-server 
This commit adds comprehensive VPN infrastructure to enable secure,
certificate-based access to code-server deployments. VPN provides an
additional security layer by requiring network-level authentication
before accessing internal resources.

Features:
- AWS Client VPN endpoint with certificate-based authentication
- Split tunnel support (route only VPC traffic through VPN)
- CloudWatch logging for all VPN connections
- Multi-platform client support (Windows, macOS, Linux, iOS, Android)
- Automatic certificate generation and ACM upload
- Client configuration export scripts
- Integration with both EC2 and EKS deployments

New Terraform Module:
- modules/vpn: Complete AWS Client VPN infrastructure
  - VPN endpoint with configurable authentication
  - Network associations for HA across multiple AZs
  - Authorization rules for VPC access
  - Security groups for VPN traffic
  - CloudWatch log groups and streams
  - Support for SAML/federated authentication

Scripts:
- scripts/generate-vpn-certificates.sh: Generate and upload VPN certificates
  - Creates CA, server, and client certificates
  - Automatically uploads to AWS Certificate Manager
  - Outputs certificate ARNs for Terraform configuration
- scripts/export-vpn-config.sh: Export client VPN configuration
  - Downloads VPN config from AWS
  - Embeds client certificates
  - Creates platform-ready .ovpn files

Deployment Updates:
- EC2 and EKS deployments now support optional VPN
- New variables for VPN configuration
- Updated outputs to include VPN endpoint information
- Example configurations with VPN settings

Documentation:
- VPN-SETUP-GUIDE.md: Comprehensive VPN setup guide
  - Certificate generation process
  - Terraform configuration
  - Client setup for all major platforms
  - Testing and troubleshooting
  - Advanced configuration options
  - Cost considerations and optimization

Configuration Options:
- Certificate-based or SAML/SSO authentication
- Split tunnel (recommended) or full tunnel
- UDP (faster) or TCP (more reliable) transport
- Configurable session timeout (8-24 hours)
- Custom DNS servers
- Client login banner
- Multiple authorization rules

Security Features:
- X.509 certificate authentication
- Private subnet associations
- Network-level access control
- Session logging and audit trail
- Support for multi-factor (VPN cert + OAuth2/SAML)

Cost: ~$216/month base + ~$0.40/user/day for active connections
2025-11-15 17:40:23 +00:00

51 lines
2.2 KiB
Text
Raw Blame History

# Example Terraform Variables for EKS Deployment
# Copy this file to terraform.tfvars and fill in your values
aws_region = "us-east-1"
project_name = "code-server"
environment = "dev"
# VPC Configuration
vpc_cidr = "10.0.0.0/16"
public_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
private_subnet_cidrs = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
single_nat_gateway = false # Set to true for cost optimization
# Security Configuration
allowed_cidr_blocks = ["10.0.0.0/8"] # Restrict to private network
ssh_allowed_cidr_blocks = [] # No SSH access (use SSM instead)
# EKS Configuration
kubernetes_version = "1.28"
endpoint_public_access = false # Set to true if you need public API access
public_access_cidrs = ["0.0.0.0/0"] # Restrict this if endpoint_public_access is true
# Node Group Configuration
node_instance_types = ["t3.medium"]
capacity_type = "ON_DEMAND" # or "SPOT" for cost optimization
node_disk_size = 50
min_nodes = 1
max_nodes = 3
desired_nodes = 2
# OAuth2 / SAML Configuration
deploy_oauth2_proxy = true
oauth2_client_id = "your-client-id-from-idp"
oauth2_client_secret = "your-client-secret-from-idp"
# Generate cookie secret with:
# python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
oauth2_cookie_secret = "generate-random-secret-here"
# VPN Configuration (Optional - for enhanced security)
# First run: ../../scripts/generate-vpn-certificates.sh
enable_vpn = false # Set to true to enable VPN
vpn_server_certificate_arn = "" # ARN from generate-vpn-certificates.sh
vpn_client_certificate_arn = "" # ARN from generate-vpn-certificates.sh
vpn_client_cidr_block = "172.16.0.0/22" # Must not overlap with VPC
vpn_split_tunnel = true # Only route VPC traffic through VPN
vpn_authentication_type = "certificate-authentication"
vpn_transport_protocol = "udp" # udp (faster) or tcp (more reliable)
vpn_port = 443 # 443 or 1194
vpn_session_timeout_hours = 24 # 8-24 hours
vpn_client_login_banner = "Welcome to Code-Server VPN. Authorized access only."
Reference in a new issue View git blame Copy permalink