cfn-vpn 0.4.2 → 1.2.0

data/lib/cfnvpn/globals.rb

@@ -0,0 +1,16 @@
+module CfnVpn
+  class << self
+    
+    # Returns the filepath to the location CfnVpn will use for
+    # storage. Used for certificate generation as well as the 
+    # download and upload location. Can be overridden by specifying 
+    # a value for the ENV variable
+    # 'CFNVPN_PATH'.
+    #
+    # @return [String]
+    def cfnvpn_path
+      @cfnvpn_path ||= File.expand_path(ENV["CFNVPN_PATH"] || "~/.cfnvpn")
+    end
+    
+  end
+end

data/lib/cfnvpn/log.rb

@@ -1,38 +1,38 @@
 require 'logger'
 
 module CfnVpn
-  module Log
-
-    def self.colors
-      @colors ||= {
-        ERROR: 31, # red
-        WARN: 33, # yellow
-        INFO: 0,
-        DEBUG: 32 # grenn
-      }
-    end
+  module Log 
+    class << self
+      def colors
+        @colors ||= {
+          ERROR: 31, # red
+          WARN: 33, # yellow
+          INFO: 0,
+          DEBUG: 32 # grenn
+        }
+      end
 
-    def self.logger
-      if @logger.nil?
-        @logger = Logger.new(STDOUT)
-        @logger.level = Logger::INFO
-        @logger.formatter = proc do |severity, datetime, progname, msg|
-          "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+      def logger
+        if @logger.nil?
+          @logger = Logger.new(STDOUT)
+          @logger.level = Logger::INFO
+          @logger.formatter = proc do |severity, datetime, progname, msg|
+            "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+          end
         end
+        @logger
       end
-      @logger
-    end
 
-    def self.logger=(logger)
-      @logger = logger
-    end
+      def logger=(logger)
+        @logger = logger
+      end
 
-    levels = %w(debug info warn error fatal)
-    levels.each do |level|
-      define_method("#{level.to_sym}") do |msg|
-        self.logger.send(level, msg)
+      levels = %w(debug info warn error fatal)
+      levels.each do |level|
+        define_method("#{level.to_sym}") do |msg|
+          self.logger.send(level, msg)
+        end
       end
     end
-
   end
 end

data/lib/cfnvpn/s3.rb

@@ -14,7 +14,7 @@ module CfnVpn
     def store_object(file)
       body = File.open(file, 'rb').read
       file_name = file.split('/').last
-      Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
+      CfnVpn::Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
       @client.put_object({
         body: body,
         bucket: @bucket,
@@ -26,7 +26,7 @@ module CfnVpn
 
     def get_object(file)
       file_name = file.split('/').last
-      Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
+      CfnVpn::Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
       @client.get_object(
         response_target: file,
         bucket: @bucket,
@@ -34,7 +34,7 @@ module CfnVpn
     end
 
     def store_config(config)
-      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
+      CfnVpn::Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
       @client.put_object({
         body: config,
         bucket: @bucket,
@@ -54,7 +54,7 @@ module CfnVpn
     end
 
     def store_embedded_config(config, cn)
-      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}_#{cn}.config.ovpn")
+      CfnVpn::Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}_#{cn}.config.ovpn")
       @client.put_object({
         body: config,
         bucket: @bucket,

data/lib/cfnvpn/string.rb

@@ -0,0 +1,29 @@
+class String
+  def underscore
+    self.gsub(/::/, '/').
+    gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+    gsub(/([a-z\d])([A-Z])/,'\1_\2').
+    tr("-", "_").
+    downcase
+  end
+
+  def resource_safe
+    self.gsub(/[^a-zA-Z0-9]/, "").capitalize
+  end
+
+  def colorize(color_code)
+    "\e[#{color_code}m#{self}\e[0m"
+  end
+
+  def red
+    colorize(31)
+  end
+
+  def green
+    colorize(32)
+  end
+
+  def yellow
+    colorize(33)
+  end
+end

data/lib/cfnvpn/templates/helper.rb

@@ -0,0 +1,14 @@
+require 'aws-sdk-ec2'
+
+module CfnVpn
+  module Templates
+    class Helper
+      def self.get_auth_cidr(region, subnet_id)
+        client = Aws::EC2::Client.new(region: region)
+        subnets = client.describe_subnets({subnet_ids:[subnet_id]})
+        vpcs = client.describe_vpcs({vpc_ids:[subnets.subnets[0].vpc_id]})
+        return vpcs.vpcs[0].cidr_block
+      end
+    end
+  end
+end

data/lib/cfnvpn/templates/vpn.rb

@@ -0,0 +1,353 @@
+require 'cfndsl'
+require 'cfnvpn/templates/helper'
+
+module CfnVpn
+  module Templates
+    class Vpn < CfnDsl::CloudFormationTemplate
+
+      def initialize
+        super
+      end
+
+      def render(name, config)
+        Description "cfnvpn #{name} AWS Client-VPN"
+        Parameter(:AssociateSubnets) {
+          Type 'String'
+          Default 'true'
+          AllowedValues ['true', 'false']
+          Description 'Toggle to false to disassociate all Client VPN subnet associations'
+        }
+
+        Condition(:EnableSubnetAssociation, FnEquals(Ref(:AssociateSubnets), 'true'))
+
+        Logs_LogGroup(:ClientVpnLogGroup) {
+          LogGroupName FnSub("#{name}-ClientVpn")
+          RetentionInDays 30
+        }
+
+        EC2_ClientVpnEndpoint(:ClientVpnEndpoint) {
+          Description FnSub("cfnvpn #{name} AWS Client-VPN")
+          AuthenticationOptions([
+          if config[:type] == 'federated'
+            {
+              FederatedAuthentication: {
+                SAMLProviderArn: config[:saml_arn],
+                SelfServiceSAMLProviderArn: config[:saml_arn]
+              },
+              Type: 'federated-authentication'
+            }
+          elsif config[:type] == 'active-directory'
+            {
+              ActiveDirectory: {
+                DirectoryId: config[:directory_id]
+              },
+              Type: 'directory-service-authentication'
+            }
+          else
+            {
+              MutualAuthentication: {
+                ClientRootCertificateChainArn: config[:client_cert_arn]
+              },
+              Type: 'certificate-authentication'
+            }
+          end
+          ])
+          ServerCertificateArn config[:server_cert_arn]
+          ClientCidrBlock config[:cidr]
+          ConnectionLogOptions({
+            CloudwatchLogGroup: Ref(:ClientVpnLogGroup),
+            Enabled: true
+          })
+          DnsServers config[:dns_servers].any? ? config[:dns_servers] : Ref('AWS::NoValue')
+          TagSpecifications([{
+            ResourceType: "client-vpn-endpoint",
+            Tags: [
+              { Key: 'Name', Value: name }
+            ]
+          }])
+          TransportProtocol config[:protocol]
+          SplitTunnel config[:split_tunnel]
+        }
+
+        config[:subnet_ids].each_with_index do |subnet, index|
+          suffix = index == 0 ? "" : "For#{subnet.resource_safe}"
+
+          EC2_ClientVpnTargetNetworkAssociation(:"ClientVpnTargetNetworkAssociation#{suffix}") {
+            Condition(:EnableSubnetAssociation)
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            SubnetId subnet
+          }
+
+          if config[:default_groups].any?
+            config[:default_groups].each do |group|
+              EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}#{group.resource_safe}"[0..255]) {
+                Condition(:EnableSubnetAssociation)
+                DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+                Description FnSub("#{name} client-vpn auth rule for subnet association")
+                AccessGroupId group
+                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
+              }
+            end
+          else
+            EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}") {
+              Condition(:EnableSubnetAssociation)
+              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              Description FnSub("#{name} client-vpn auth rule for subnet association")
+              AuthorizeAllGroups true
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
+            }
+          end
+
+          if subnet == config[:internet_route]
+            EC2_ClientVpnRoute(:RouteToInternet) {
+              Condition(:EnableSubnetAssociation)
+              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              Description 'Route to the internet'
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              DestinationCidrBlock '0.0.0.0/0'
+              TargetVpcSubnetId config[:internet_route]
+            }
+          
+            EC2_ClientVpnAuthorizationRule(:RouteToInternetAuthorizationRule) {
+              Condition(:EnableSubnetAssociation)
+              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              Description 'Route to the internet'
+              AuthorizeAllGroups true
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              TargetNetworkCidr '0.0.0.0/0'
+            }
+  
+            output(:InternetRoute, config[:internet_route])
+          end
+        end
+
+        config[:routes].each do |route|
+          EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
+            Description route[:desc]
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            DestinationCidrBlock route[:cidr]
+            TargetVpcSubnetId route[:subnet]
+          }
+          if route[:groups].any?
+            route[:groups].each do |group|
+              EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
+                Description route[:desc]
+                AccessGroupId group
+                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                TargetNetworkCidr route[:cidr]
+              }
+            end
+          else
+            EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
+              Description route[:desc]
+              AuthorizeAllGroups true
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              TargetNetworkCidr route[:cidr]
+            }
+          end
+        end
+        
+        SSM_Parameter(:CfnVpnConfig) {
+          Description "#{name} cfnvpn config"
+          Name "/cfnvpn/config/#{name}"
+          Tier 'Standard'
+          Type 'String'
+          Value config.to_json
+          Tags({
+            Name:  "#{name}-cfnvpn-config",
+            Environment: 'cfnvpn'
+          })
+        }
+
+        if config[:start] || config[:stop]
+          scheduler(name, config[:start], config[:stop])
+          output(:Start, config[:start]) if config[:start]
+          output(:Stop, config[:stop]) if config[:stop]
+        end
+
+        output(:ServerCertArn, config[:server_cert_arn])
+        output(:Cidr, config[:cidr])
+        output(:DnsServers, config.fetch(:dns_servers, []).join(','))
+        output(:SubnetIds, config[:subnet_ids].join(','))
+        output(:SplitTunnel, config[:split_tunnel])
+        output(:Protocol, config[:protocol])
+        output(:Type, config[:type])
+
+        if config[:type] == 'federated'
+          output(:SamlArn, config[:saml_arn])
+        elsif config[:type] == 'active-directory'
+          output(:DirectoryId, config[:directory_id])
+        else
+          output(:ClientCertArn, config[:client_cert_arn])
+        end
+      end
+
+      def output(name, value)
+        Output(name) { Value value }
+      end
+
+      def scheduler(name, start, stop)
+        IAM_Role(:ClientVpnSchedulerRole) {
+          AssumeRolePolicyDocument({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: { Service: [ 'lambda.amazonaws.com' ] },
+              Action: [ 'sts:AssumeRole' ]
+            }]
+          })
+          Path '/cfnvpn/'
+          Policies([
+            {
+              PolicyName: 'cloudformation',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'cloudformation:UpdateStack'
+                  ],
+                  Resource: FnSub("arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/#{name}-cfnvpn/*")
+                }]
+              }
+            },
+            {
+              PolicyName: 'client-vpn',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [ 
+                    'ec2:AssociateClientVpnTargetNetwork',
+                    'ec2:DisassociateClientVpnTargetNetwork',
+                    'ec2:DescribeClientVpnTargetNetworks',
+                    'ec2:AuthorizeClientVpnIngress',
+                    'ec2:RevokeClientVpnIngress',
+                    'ec2:DescribeClientVpnAuthorizationRules',
+                    'ec2:DescribeClientVpnEndpoints',
+                    'ec2:DescribeClientVpnConnections',
+                    'ec2:TerminateClientVpnConnections'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            },
+            {
+              PolicyName: 'logging',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'logs:DescribeLogGroups',
+                    'logs:CreateLogGroup',
+                    'logs:CreateLogStream',
+                    'logs:DescribeLogStreams',
+                    'logs:PutLogEvents'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            }
+          ])
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-scheduler-role" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        Lambda_Function(:ClientVpnSchedulerFunction) {
+          Runtime 'python3.7'
+          Role FnGetAtt(:ClientVpnSchedulerRole, :Arn)
+          MemorySize '128'
+          Handler 'index.handler'
+          Code({
+            ZipFile: <<~EOS
+            import boto3
+
+            def handler(event, context):
+
+              print(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
+
+              if event['AssociateSubnets'] == 'false':
+                print(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
+                ec2 = boto3.client('ec2')
+                resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
+                for conn in resp['Connections']:
+                  if conn['Status']['Code'] == 'active':
+                    ec2.terminate_client_vpn_connections(
+                      ClientVpnEndpointId=event['ClientVpnEndpointId'],
+                      ConnectionId=conn['ConnectionId']
+                    )
+                    print(f"terminated session {conn['ConnectionId']}")
+
+              client = boto3.client('cloudformation')
+              print(client.update_stack(
+                StackName=event['StackName'],
+                UsePreviousTemplate=True,
+                Capabilities=['CAPABILITY_IAM'],
+                Parameters=[
+                  {
+                    'ParameterKey': 'AssociateSubnets',
+                    'ParameterValue': event['AssociateSubnets']
+                  }
+                ]
+              ))
+
+              return 'OK'
+            EOS
+          })
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-scheduler-function" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        Logs_LogGroup(:ClientVpnSchedulerLogGroup) {
+          LogGroupName FnSub("/aws/lambda/${ClientVpnSchedulerFunction}")
+          RetentionInDays 30
+        }
+
+        Lambda_Permission(:ClientVpnSchedulerFunctionPermissions) {
+          FunctionName Ref(:ClientVpnSchedulerFunction)
+          Action 'lambda:InvokeFunction'
+          Principal 'events.amazonaws.com'
+        }
+
+        if start
+          Events_Rule(:ClientVpnSchedulerStart) {
+            State 'ENABLED'
+            Description "cfnvpn start schedule"
+            ScheduleExpression "cron(#{start})"
+            Targets([
+              { 
+                Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
+                Id: 'cfnvpnschedulerstart',
+                Input: FnSub({ StackName: "#{name}-cfnvpn", AssociateSubnets: 'true', ClientVpnEndpointId: "${ClientVpnEndpoint}" }.to_json)
+              }
+            ])
+          }
+        end
+
+        if stop
+          Events_Rule(:ClientVpnSchedulerStop) {
+            State 'ENABLED'
+            Description "cfnvpn stop schedule"
+            ScheduleExpression "cron(#{stop})"
+            Targets([
+              { 
+                Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
+                Id: 'cfnvpnschedulerstop',
+                Input: FnSub({ StackName: "#{name}-cfnvpn", AssociateSubnets: 'false', ClientVpnEndpointId: "${ClientVpnEndpoint}" }.to_json)
+              }
+            ])
+          }
+        end
+
+      end
+
+    end
+  end
+end