aws_ec2_client_vpn_endpoint: add federated auth

aws/resource_aws_ec2_client_vpn_endpoint.go

@@ -73,8 +73,15 @@ func resourceAwsEc2ClientVpnEndpoint() *schema.Resource {
 							ValidateFunc: validation.StringInSlice([]string{
 								ec2.ClientVpnAuthenticationTypeCertificateAuthentication,
 								ec2.ClientVpnAuthenticationTypeDirectoryServiceAuthentication,
+								ec2.ClientVpnAuthenticationTypeFederatedAuthentication,
 							}, false),
 						},
+						"saml_provider_arn": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							ForceNew:     true,
+							ValidateFunc: validateArn,
+						},
 						"active_directory_id": {
 							Type:     schema.TypeString,
 							Optional: true,
@@ -361,6 +368,9 @@ func flattenAuthOptsConfig(aopts []*ec2.ClientVpnAuthentication) []map[string]in
 		if aopt.MutualAuthentication != nil {
 			r["root_certificate_chain_arn"] = aws.StringValue(aopt.MutualAuthentication.ClientRootCertificateChain)
 		}
+		if aopt.FederatedAuthentication != nil {
+			r["saml_provider_arn"] = aws.StringValue(aopt.FederatedAuthentication.SamlProviderArn)
+		}
 		if aopt.ActiveDirectory != nil {
 			r["active_directory_id"] = aws.StringValue(aopt.ActiveDirectory.DirectoryId)
 		}
@@ -386,6 +396,12 @@ func expandEc2ClientVpnAuthenticationRequest(data map[string]interface{}) *ec2.C
 		}
 	}
 
+	if data["type"].(string) == ec2.ClientVpnAuthenticationTypeFederatedAuthentication {
+		req.FederatedAuthentication = &ec2.FederatedAuthenticationRequest{
+			SAMLProviderArn: aws.String(data["saml_provider_arn"].(string)),
+		}
+	}
+
 	return req
 }
 

aws/resource_aws_ec2_client_vpn_endpoint_test.go

@@ -84,6 +84,7 @@ func TestAccAwsEc2ClientVpn(t *testing.T) {
 			"disappears":        testAccAwsEc2ClientVpnEndpoint_disappears,
 			"msAD":              testAccAwsEc2ClientVpnEndpoint_msAD,
 			"mutualAuthAndMsAD": testAccAwsEc2ClientVpnEndpoint_mutualAuthAndMsAD,
+			"federated":         testAccAwsEc2ClientVpnEndpoint_federated,
 			"withLogGroup":      testAccAwsEc2ClientVpnEndpoint_withLogGroup,
 			"withDNSServers":    testAccAwsEc2ClientVpnEndpoint_withDNSServers,
 			"tags":              testAccAwsEc2ClientVpnEndpoint_tags,
@@ -223,6 +224,33 @@ func testAccAwsEc2ClientVpnEndpoint_mutualAuthAndMsAD(t *testing.T) {
 	})
 }
 
+func testAccAwsEc2ClientVpnEndpoint_federated(t *testing.T) {
+	var v ec2.ClientVpnEndpoint
+	rStr := acctest.RandString(5)
+	resourceName := "aws_ec2_client_vpn_endpoint.test"
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t); testAccPreCheckClientVPNSyncronize(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAwsEc2ClientVpnEndpointDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccEc2ClientVpnEndpointConfigWithFederatedAuth(rStr),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAwsEc2ClientVpnEndpointExists(resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, "authentication_options.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "authentication_options.0.type", "federated-authentication"),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func testAccAwsEc2ClientVpnEndpoint_withLogGroup(t *testing.T) {
 	var v1, v2 ec2.ClientVpnEndpoint
 	rStr := acctest.RandString(5)
@@ -580,6 +608,30 @@ resource "aws_ec2_client_vpn_endpoint" "test" {
 `, rName)
 }
 
+func testAccEc2ClientVpnEndpointConfigWithFederatedAuth(rName string) string {
+	return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
+resource "aws_iam_saml_provider" "default" {
+  name                   = "myprovider-%s"
+  saml_metadata_document = "${file("./test-fixtures/saml-metadata.xml")}"
+}
+
+resource "aws_ec2_client_vpn_endpoint" "test" {
+  description            = "terraform-testacc-clientvpn-%s"
+  server_certificate_arn = "${aws_acm_certificate.test.arn}"
+  client_cidr_block      = "10.0.0.0/16"
+
+  authentication_options {
+    type              = "federated-authentication"
+    saml_provider_arn = "${aws_iam_saml_provider.default.arn}"
+  }
+
+  connection_log_options {
+    enabled = false
+  }
+}
+`, rName, rName)
+}
+
 func testAccEc2ClientVpnEndpointConfig_tags(rName string) string {
 	return testAccEc2ClientVpnEndpointConfigAcmCertificateBase() + fmt.Sprintf(`
 resource "aws_ec2_client_vpn_endpoint" "test" {

website/docs/r/ec2_client_vpn_endpoint.html.markdown

@@ -51,9 +51,10 @@ The following arguments are supported:
 
 One of the following arguments must be supplied:
 
-* `type` - (Required) The type of client authentication to be used. Specify `certificate-authentication` to use certificate-based authentication, or `directory-service-authentication` to use Active Directory authentication.
+* `type` - (Required) The type of client authentication to be used. Specify `certificate-authentication` to use certificate-based authentication, `directory-service-authentication` to use Active Directory authentication, or `federated-authentication` to use Federated Authentication via SAML 2.0.
 * `active_directory_id` - (Optional) The ID of the Active Directory to be used for authentication if type is `directory-service-authentication`.
 * `root_certificate_chain_arn` - (Optional) The ARN of the client certificate. The certificate must be signed by a certificate authority (CA) and it must be provisioned in AWS Certificate Manager (ACM). Only necessary when type is set to `certificate-authentication`.
+* `saml_provider_arn` - (Optional) The ARN of the IAM SAML identity provider if type is `federated-authentication`.
 
 ### `connection_log_options` Argument Reference