cfn-vpn 0.5.1 → 1.1.0

data/lib/cfnvpn/s3.rb

@@ -14,7 +14,7 @@ module CfnVpn
     def store_object(file)
       body = File.open(file, 'rb').read
       file_name = file.split('/').last
-      Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
+      CfnVpn::Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
       @client.put_object({
         body: body,
         bucket: @bucket,
@@ -26,7 +26,7 @@ module CfnVpn
 
     def get_object(file)
       file_name = file.split('/').last
-      Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
+      CfnVpn::Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
       @client.get_object(
         response_target: file,
         bucket: @bucket,
@@ -34,7 +34,7 @@ module CfnVpn
     end
 
     def store_config(config)
-      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
+      CfnVpn::Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
       @client.put_object({
         body: config,
         bucket: @bucket,
@@ -54,7 +54,7 @@ module CfnVpn
     end
 
     def store_embedded_config(config, cn)
-      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}_#{cn}.config.ovpn")
+      CfnVpn::Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}_#{cn}.config.ovpn")
       @client.put_object({
         body: config,
         bucket: @bucket,

data/lib/cfnvpn/string.rb

@@ -0,0 +1,29 @@
+class String
+  def underscore
+    self.gsub(/::/, '/').
+    gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+    gsub(/([a-z\d])([A-Z])/,'\1_\2').
+    tr("-", "_").
+    downcase
+  end
+
+  def resource_safe
+    self.gsub(/[^a-zA-Z0-9]/, "").capitalize
+  end
+
+  def colorize(color_code)
+    "\e[#{color_code}m#{self}\e[0m"
+  end
+
+  def red
+    colorize(31)
+  end
+
+  def green
+    colorize(32)
+  end
+
+  def yellow
+    colorize(33)
+  end
+end

data/lib/cfnvpn/templates/helper.rb

@@ -0,0 +1,14 @@
+require 'aws-sdk-ec2'
+
+module CfnVpn
+  module Templates
+    class Helper
+      def self.get_auth_cidr(region, subnet_id)
+        client = Aws::EC2::Client.new(region: region)
+        subnets = client.describe_subnets({subnet_ids:[subnet_id]})
+        vpcs = client.describe_vpcs({vpc_ids:[subnets.subnets[0].vpc_id]})
+        return vpcs.vpcs[0].cidr_block
+      end
+    end
+  end
+end

data/lib/cfnvpn/templates/vpn.rb

@@ -0,0 +1,344 @@
+require 'cfndsl'
+require 'cfnvpn/templates/helper'
+
+module CfnVpn
+  module Templates
+    class Vpn < CfnDsl::CloudFormationTemplate
+
+      def initialize
+        super
+      end
+
+      def render(name, config)
+        Description "cfnvpn #{name} AWS Client-VPN"
+        Parameter(:AssociateSubnets) {
+          Type 'String'
+          Default 'true'
+          AllowedValues ['true', 'false']
+          Description 'Toggle to false to disassociate all Client VPN subnet associations'
+        }
+
+        Condition(:EnableSubnetAssociation, FnEquals(Ref(:AssociateSubnets), 'true'))
+
+        Logs_LogGroup(:ClientVpnLogGroup) {
+          LogGroupName FnSub("#{name}-ClientVpn")
+          RetentionInDays 30
+        }
+
+        EC2_ClientVpnEndpoint(:ClientVpnEndpoint) {
+          Description FnSub("cfnvpn #{name} AWS Client-VPN")
+          AuthenticationOptions([
+          if config[:type] == 'federated'
+            {
+              FederatedAuthentication: {
+                SAMLProviderArn: config[:saml_arn],
+                SelfServiceSAMLProviderArn: config[:saml_arn]
+              },
+              Type: 'federated-authentication'
+            }
+          else
+            {
+              MutualAuthentication: {
+                ClientRootCertificateChainArn: config[:client_cert_arn]
+              },
+              Type: 'certificate-authentication'
+            }
+          end
+          ])
+          ServerCertificateArn config[:server_cert_arn]
+          ClientCidrBlock config[:cidr]
+          ConnectionLogOptions({
+            CloudwatchLogGroup: Ref(:ClientVpnLogGroup),
+            Enabled: true
+          })
+          DnsServers config[:dns_servers].any? ? config[:dns_servers] : Ref('AWS::NoValue')
+          TagSpecifications([{
+            ResourceType: "client-vpn-endpoint",
+            Tags: [
+              { Key: 'Name', Value: name }
+            ]
+          }])
+          TransportProtocol config[:protocol]
+          SplitTunnel config[:split_tunnel]
+        }
+
+        config[:subnet_ids].each_with_index do |subnet, index|
+          suffix = index == 0 ? "" : "For#{subnet.resource_safe}"
+
+          EC2_ClientVpnTargetNetworkAssociation(:"ClientVpnTargetNetworkAssociation#{suffix}") {
+            Condition(:EnableSubnetAssociation)
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            SubnetId subnet
+          }
+
+          if config[:default_groups].any?
+            config[:default_groups].each do |group|
+              EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}#{group.resource_safe}"[0..255]) {
+                Condition(:EnableSubnetAssociation)
+                DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+                Description FnSub("#{name} client-vpn auth rule for subnet association")
+                AccessGroupId group
+                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
+              }
+            end
+          else
+            EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}") {
+              Condition(:EnableSubnetAssociation)
+              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              Description FnSub("#{name} client-vpn auth rule for subnet association")
+              AuthorizeAllGroups true
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
+            }
+          end
+
+          if subnet == config[:internet_route]
+            EC2_ClientVpnRoute(:RouteToInternet) {
+              Condition(:EnableSubnetAssociation)
+              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              Description 'Route to the internet'
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              DestinationCidrBlock '0.0.0.0/0'
+              TargetVpcSubnetId config[:internet_route]
+            }
+          
+            EC2_ClientVpnAuthorizationRule(:RouteToInternetAuthorizationRule) {
+              Condition(:EnableSubnetAssociation)
+              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              Description 'Route to the internet'
+              AuthorizeAllGroups true
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              TargetNetworkCidr '0.0.0.0/0'
+            }
+  
+            output(:InternetRoute, config[:internet_route])
+          end
+        end
+
+        config[:routes].each do |route|
+          EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
+            Description route[:desc]
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            DestinationCidrBlock route[:cidr]
+            TargetVpcSubnetId route[:subnet]
+          }
+          if route[:groups].any?
+            route[:groups].each do |group|
+              EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
+                Description route[:desc]
+                AccessGroupId group
+                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                TargetNetworkCidr route[:cidr]
+              }
+            end
+          else
+            EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
+              Description route[:desc]
+              AuthorizeAllGroups true
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              TargetNetworkCidr route[:cidr]
+            }
+          end
+        end
+        
+        SSM_Parameter(:CfnVpnConfig) {
+          Description "#{name} cfnvpn config"
+          Name "/cfnvpn/config/#{name}"
+          Tier 'Standard'
+          Type 'String'
+          Value config.to_json
+          Tags({
+            Name:  "#{name}-cfnvpn-config",
+            Environment: 'cfnvpn'
+          })
+        }
+
+        if config[:start] || config[:stop]
+          scheduler(name, config[:start], config[:stop])
+          output(:Start, config[:start]) if config[:start]
+          output(:Stop, config[:stop]) if config[:stop]
+        end
+
+        output(:ServerCertArn, config[:server_cert_arn])
+        output(:Cidr, config[:cidr])
+        output(:DnsServers, config.fetch(:dns_servers, []).join(','))
+        output(:SubnetIds, config[:subnet_ids].join(','))
+        output(:SplitTunnel, config[:split_tunnel])
+        output(:Protocol, config[:protocol])
+        output(:Type, config[:type])
+
+        if config[:type] == 'federated'
+          output(:SamlArn, config[:saml_arn])
+        else
+          output(:ClientCertArn, config[:client_cert_arn])
+        end
+      end
+
+      def output(name, value)
+        Output(name) { Value value }
+      end
+
+      def scheduler(name, start, stop)
+        IAM_Role(:ClientVpnSchedulerRole) {
+          AssumeRolePolicyDocument({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: { Service: [ 'lambda.amazonaws.com' ] },
+              Action: [ 'sts:AssumeRole' ]
+            }]
+          })
+          Path '/cfnvpn/'
+          Policies([
+            {
+              PolicyName: 'cloudformation',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'cloudformation:UpdateStack'
+                  ],
+                  Resource: FnSub("arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/#{name}-cfnvpn/*")
+                }]
+              }
+            },
+            {
+              PolicyName: 'client-vpn',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [ 
+                    'ec2:AssociateClientVpnTargetNetwork',
+                    'ec2:DisassociateClientVpnTargetNetwork',
+                    'ec2:DescribeClientVpnTargetNetworks',
+                    'ec2:AuthorizeClientVpnIngress',
+                    'ec2:RevokeClientVpnIngress',
+                    'ec2:DescribeClientVpnAuthorizationRules',
+                    'ec2:DescribeClientVpnEndpoints',
+                    'ec2:DescribeClientVpnConnections',
+                    'ec2:TerminateClientVpnConnections'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            },
+            {
+              PolicyName: 'logging',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'logs:DescribeLogGroups',
+                    'logs:CreateLogGroup',
+                    'logs:CreateLogStream',
+                    'logs:DescribeLogStreams',
+                    'logs:PutLogEvents'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            }
+          ])
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-scheduler-role" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        Lambda_Function(:ClientVpnSchedulerFunction) {
+          Runtime 'python3.7'
+          Role FnGetAtt(:ClientVpnSchedulerRole, :Arn)
+          MemorySize '128'
+          Handler 'index.handler'
+          Code({
+            ZipFile: <<~EOS
+            import boto3
+
+            def handler(event, context):
+
+              print(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
+
+              if event['AssociateSubnets'] == 'false':
+                print(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
+                ec2 = boto3.client('ec2')
+                resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
+                for conn in resp['Connections']:
+                  if conn['Status']['Code'] == 'active':
+                    ec2.terminate_client_vpn_connections(
+                      ClientVpnEndpointId=event['ClientVpnEndpointId'],
+                      ConnectionId=conn['ConnectionId']
+                    )
+                    print(f"terminated session {conn['ConnectionId']}")
+
+              client = boto3.client('cloudformation')
+              print(client.update_stack(
+                StackName=event['StackName'],
+                UsePreviousTemplate=True,
+                Capabilities=['CAPABILITY_IAM'],
+                Parameters=[
+                  {
+                    'ParameterKey': 'AssociateSubnets',
+                    'ParameterValue': event['AssociateSubnets']
+                  }
+                ]
+              ))
+
+              return 'OK'
+            EOS
+          })
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-scheduler-function" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        Logs_LogGroup(:ClientVpnSchedulerLogGroup) {
+          LogGroupName FnSub("/aws/lambda/${ClientVpnSchedulerFunction}")
+          RetentionInDays 30
+        }
+
+        Lambda_Permission(:ClientVpnSchedulerFunctionPermissions) {
+          FunctionName Ref(:ClientVpnSchedulerFunction)
+          Action 'lambda:InvokeFunction'
+          Principal 'events.amazonaws.com'
+        }
+
+        if start
+          Events_Rule(:ClientVpnSchedulerStart) {
+            State 'ENABLED'
+            Description "cfnvpn start schedule"
+            ScheduleExpression "cron(#{start})"
+            Targets([
+              { 
+                Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
+                Id: 'cfnvpnschedulerstart',
+                Input: FnSub({ StackName: "#{name}-cfnvpn", AssociateSubnets: 'true', ClientVpnEndpointId: "${ClientVpnEndpoint}" }.to_json)
+              }
+            ])
+          }
+        end
+
+        if stop
+          Events_Rule(:ClientVpnSchedulerStop) {
+            State 'ENABLED'
+            Description "cfnvpn stop schedule"
+            ScheduleExpression "cron(#{stop})"
+            Targets([
+              { 
+                Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
+                Id: 'cfnvpnschedulerstop',
+                Input: FnSub({ StackName: "#{name}-cfnvpn", AssociateSubnets: 'false', ClientVpnEndpointId: "${ClientVpnEndpoint}" }.to_json)
+              }
+            ])
+          }
+        end
+
+      end
+
+    end
+  end
+end

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "0.5.1".freeze
+  VERSION = "1.1.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-18 00:00:00.000000000 Z
+date: 2021-02-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -45,25 +45,25 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
-  name: cfhighlander
+  name: cfndsl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '1'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.9'
+        version: '1'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: netaddr
   requirement: !ruby/object:Gem::Requirement
@@ -158,6 +158,26 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '2'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -178,14 +198,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 description: creates and manages resources for the aws client vpn
 email:
 - guslington@gmail.com
@@ -194,6 +214,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/build-gem.yml"
+- ".github/workflows/release-gem.yml"
+- ".github/workflows/release-image.yml"
 - ".gitignore"
 - ".travis.yml"
 - Dockerfile
@@ -203,26 +226,37 @@ files:
 - README.md
 - Rakefile
 - cfn-vpn.gemspec
+- docs/README.md
+- docs/certificate-users.md
+- docs/getting-started.md
+- docs/modifying.md
+- docs/routes.md
+- docs/scheduling.md
+- docs/sessions.md
 - exe/cfn-vpn
 - lib/cfnvpn.rb
 - lib/cfnvpn/acm.rb
+- lib/cfnvpn/actions/client.rb
+- lib/cfnvpn/actions/embedded.rb
+- lib/cfnvpn/actions/init.rb
+- lib/cfnvpn/actions/modify.rb
+- lib/cfnvpn/actions/params.rb
+- lib/cfnvpn/actions/revoke.rb
+- lib/cfnvpn/actions/routes.rb
+- lib/cfnvpn/actions/sessions.rb
+- lib/cfnvpn/actions/share.rb
+- lib/cfnvpn/actions/subnets.rb
 - lib/cfnvpn/certificates.rb
-- lib/cfnvpn/cfhighlander.rb
-- lib/cfnvpn/client.rb
 - lib/cfnvpn/clientvpn.rb
-- lib/cfnvpn/cloudformation.rb
+- lib/cfnvpn/compiler.rb
 - lib/cfnvpn/config.rb
-- lib/cfnvpn/embedded.rb
+- lib/cfnvpn/deployer.rb
 - lib/cfnvpn/globals.rb
-- lib/cfnvpn/init.rb
 - lib/cfnvpn/log.rb
-- lib/cfnvpn/modify.rb
-- lib/cfnvpn/revoke.rb
-- lib/cfnvpn/routes.rb
 - lib/cfnvpn/s3.rb
-- lib/cfnvpn/sessions.rb
-- lib/cfnvpn/share.rb
-- lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt
+- lib/cfnvpn/string.rb
+- lib/cfnvpn/templates/helper.rb
+- lib/cfnvpn/templates/vpn.rb
 - lib/cfnvpn/version.rb
 homepage: https://github.com/base2services/aws-client-vpn
 licenses:
@@ -246,8 +280,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: creates and manages resources for the aws client vpn