cfn-vpn 1.1.1 → 1.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb42ae1b12eb544e6d2d54276bb387efb5383c2037502a2ec155fd41ad522221
-  data.tar.gz: c3e774c1baf08c3ca0cdca6dc7b11014191f69eb183b63fddd6bbb56be522362
+  metadata.gz: c46ffdf0579ffd7c1fd42efadc969bbd095f9f789dfcb5b9e3e2aef7f85e959c
+  data.tar.gz: 7a6e1a34fa32b2246a8998e8645381635e8c5adf7a6bf978c241ea4d7e4ee217
 SHA512:
-  metadata.gz: b7c73bf1fcd82cb53a571f3bf60223b8eff89183a7afca82beead5b1ceb422370165b3a39c08c90ccf823a64bca8560babbda4210079a4a7a3c2122f0edf2a79
-  data.tar.gz: 5e944fa67a1fee92a5a42bb2f6ae5117a9907443cca284dde9a49e25899fd719adc5e5e96e3a45095090e16e0f615b72348ddac24798a3d4636019c849f15d13
+  metadata.gz: 6aa8e34eab7fe87a36128e299a3603f6e2cad58bf55cc9a2ff4f3847306a0ce92ba20c6a9471f7356c43eee85ccd6a362bed7bf7feb14df2a97cb54cc0af546d
+  data.tar.gz: 5aefb22f6d9ea925877f0811897fdd3e4a47286769cb106e19a46df6ccd7d2ce29d30bdc93ea2c87c4fb686609a33c009186057b248af9b33645b15d72d8f22c

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (1.0.0)
+    cfn-vpn (1.2.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
@@ -9,46 +9,48 @@ PATH
       aws-sdk-ssm (~> 1, < 2)
       cfndsl (~> 1, < 2)
       netaddr (= 2.0.4)
+      rubyzip (~> 2.3)
       terminal-table (~> 1, < 2)
       thor (~> 0.20)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.1.0)
-    aws-partitions (1.390.0)
-    aws-sdk-acm (1.38.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-eventstream (1.1.1)
+    aws-partitions (1.432.0)
+    aws-sdk-acm (1.39.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-cloudformation (1.44.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-cloudformation (1.49.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.109.2)
+    aws-sdk-core (3.113.0)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.208.0)
+    aws-sdk-ec2 (1.220.0)
       aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.39.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-kms (1.43.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.84.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-s3 (1.91.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-ssm (1.97.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-ssm (1.104.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.2)
+    aws-sigv4 (1.2.3)
       aws-eventstream (~> 1, >= 1.0.2)
-    cfndsl (1.2.0)
+    cfndsl (1.3.1)
       hana (~> 1.3)
-    hana (1.3.6)
+    hana (1.3.7)
     jmespath (1.4.0)
     netaddr (2.0.4)
     rake (13.0.1)
+    rubyzip (2.3.0)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
@@ -63,4 +65,4 @@ DEPENDENCIES
   rake (~> 13.0)
 
 BUNDLED WITH
-   2.0.1
+   2.1.4

data/cfn-vpn.gemspec

@@ -37,6 +37,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfndsl', '~> 1', '<2'
   spec.add_dependency 'netaddr', '2.0.4'
+  spec.add_dependency 'rubyzip', '~> 2.3'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
   spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'

data/docs/README.md

@@ -31,7 +31,7 @@ dig @10.0.0.2 google.com
 
 ## Authentication Types
 
-`cfn-vpn` supports certificate and federated type authentication for AWS Client-VPN. It currently doesn't support Active Directory type authentication.
+`cfn-vpn` supports certificate, federated and active directory type authentication for AWS Client-VPN.
 For further information on the authentication types please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
 
 ## CfnVpn Documentation
@@ -41,4 +41,4 @@ For further information on the authentication types please visit https://docs.aw
 3. [Managing Certificate Users](certificate-users.md)
 4. [Managing Routes](routes.md)
 5. [Stop and Start Client-VPN](scheduling.md)
-6. [Managing Sessions](sessions.md)
+6. [Managing Sessions](sessions.md)

data/docs/getting-started.md

@@ -38,62 +38,117 @@ Optionally export the AWS region if not providing `--region` flag
 export AWS_REGION="us-east-1"
 ```
 
-## Initialising CfnVpn
+
+## Initializing CfnVpn
 
 to launch a new CfnVpn stack run the `init` command along with the options.
 
 ### Certificate Authenticated VPN
 
-The following command and required option will launch a new certificate based Client-VPN
+This is the default option when launching a ClientVPN using certificated based authentication. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual
+
+The following command and required options will launch a new certificate based Client-VPN
 
 ```sh
 cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn]
 ```
 
+
 ### Federated SAML Authenticated VPN
 
+This option is for when you want to manage users through an external directory provider like AWS SSO, OKTA or AzureAD. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication
+
 **Prerequisites:** Client-VPN requires a IAM SAML identity provider ARN, see the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) to create one.
 
 The following command and required option will launch a new federated based Client-VPN
 
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --saml-arn [identity providor arn]
+```
+
+The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. 
+
+```diff
+! Group id's must be used if creating authorisation rules. 
+! Each SAML providor will have different group id's and means of retrieving them.
+```
+
+```sh
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --default-groups [list of group ids]
+```
+
+**AWS SSO**
+
+If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
+
+If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
+
+```sh
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --saml-self-service-arn [self service identity provider arn] \
+  --default-groups [list of group ids]
+```
+
+### AWS Directory Services Authenticated VPN
+
+This option integrates Microsoft Active Directory or Simple AD through AWS Directory Service with AWS Client VPN.
+
+The following command and required option will launch a new directory service based Client-VPN
+
+```sh
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id]
 ```
 
-The default authorization rule for the associated subets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. 
+The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
 
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id] \
+  --default-groups [list of group ids]
 ```
 
-## Subnet Associations and Authorisation
+See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
+
+## Subnet Associations and Authorization
 
 AWS ClientVPN requires one or more subnets to be associated with the vpn. These subnets setup the default routes and by default cfn-vpn creates a allow all auth for the default routes.
 When using a federated ClientVPN you can modify the default auth to only allow specific groups by setting the groups in the `--default-groups` flag. This can also be modified later using the `modify` command.
 
-## Additional Initialising Options
+## Additional Initializing Options
 
 ```
 Options:
-  r, [--region=REGION]                         # AWS Region
-                                               # Default: ap-southeast-2
-      [--verbose], [--no-verbose]              # set log level to debug
-      --server-cn=SERVER_CN                    # server certificate common name
-      [--client-cn=CLIENT_CN]                  # client certificate common name
-      [--easyrsa-local], [--no-easyrsa-local]  # run the easyrsa executable from your local rather than from docker
-      [--bucket=BUCKET]                        # s3 bucket
-      --subnet-ids=one two three               # subnet id to associate your vpn with
-      [--default-groups=one two three]         # groups to allow through the subnet associations when using federated auth
-      [--cidr=CIDR]                            # cidr from which to assign client IP addresses
-                                               # Default: 10.250.0.0/16
-      [--dns-servers=one two three]            # DNS Servers to push to clients.
-      [--split-tunnel], [--no-split-tunnel]    # only push routes to the client on the vpn endpoint
-                                               # Default: true
-      [--internet-route=INTERNET_ROUTE]        # [subnet-id] create a default route to the internet through a subnet
-      [--protocol=PROTOCOL]                    # set the protocol for the vpn connections
-                                               # Default: udp
-                                               # Possible values: udp, tcp
-      [--start=START]                          # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
-      [--stop=STOP]                            # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
-      [--saml-arn=SAML_ARN]                    # IAM SAML idenditiy providor arn if using SAML federated authentication
-```
+  r, [--region=REGION]                                 # AWS Region
+                                                       # Default: ap-southeast-2
+      [--verbose], [--no-verbose]                      # set log level to debug
+      --server-cn=SERVER_CN                            # server certificate common name
+      [--client-cn=CLIENT_CN]                          # client certificate common name
+      [--easyrsa-local], [--no-easyrsa-local]          # run the easyrsa executable from your local rather than from docker
+      [--bucket=BUCKET]                                # s3 bucket, if not set one will be generated for you
+      --subnet-ids=one two three                       # subnet id to associate your vpn with
+      [--default-groups=one two three]                 # groups to allow through the subnet associations when using federated auth
+      [--cidr=CIDR]                                    # cidr from which to assign client IP addresses
+                                                       # Default: 10.250.0.0/16
+      [--dns-servers=one two three]                    # DNS Servers to push to clients.
+      [--split-tunnel], [--no-split-tunnel]            # only push routes to the client on the vpn endpoint
+                                                       # Default: true
+      [--internet-route=INTERNET_ROUTE]                # [subnet-id] create a default route to the internet through a subnet
+      [--protocol=PROTOCOL]                            # set the protocol for the vpn connections
+                                                       # Default: udp
+                                                       # Possible values: udp, tcp
+      [--start=START]                                  # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
+      [--stop=STOP]                                    # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
+      [--saml-arn=SAML_ARN]                            # IAM SAML idenditiy providor arn if using SAML federated authentication
+      [--saml-self-service-arn=SAML_SELF_SERVICE_ARN]  # IAM SAML idenditiy providor arn for the self service portal
+      [--directory-id=DIRECTORY_ID]                    # AWS Directory Service directory id if using Active Directory authentication
+```

data/docs/routes.md

@@ -4,24 +4,34 @@ Management of the VPN routes can be altered using the `routes` command or by usi
 
 **Note:** The default route via subnet association cannot be modified through this command. Use the `modify` command to alter the subnet associations.
 
-## Routes Command
+CfnVpn can create static routes for CIDRs as well as dynamically lookup IPs for dns endpoints and continue to monitor and update the routes if the IPs change.
 
+```sh
+cfn-vpn help routes
+```
+
+## Dynamic DNS Routes
+
+Dynamic DNS routes takes a dns endpoint and will query the record every 5 minutes to see if the IPs have changed and update the routes.
+
+### Add New
+
+to add a new route run the routes command along with the `--dns` option
+
+```sh
+cfn-vpn routes [name] --dns example.com
 ```
-Options:
-  r, [--region=REGION]              # AWS Region
-                                    # Default: ap-southeast-2
-      [--verbose], [--no-verbose]   # set log level to debug
-      [--cidr=CIDR]                 # cidr range
-      [--subnet=SUBNET]             # the target vpc subnet to route through, if none is supplied the default subnet is used
-      [--desc=DESC]                 # description of the route
-      [--groups=one two three]      # override all authorised groups on thr route
-      [--add-groups=one two three]  # add authorised groups to an existing route
-      [--del-groups=one two three]  # remove authorised groups from an existing route
-      [--delete], [--no-delete]     # delete the route from the client vpn
-
-List, add or delete client vpn routes
+
+### Delete
+
+to delete a route run the routes command along with the `--dns` option of the route to delete and the delete option
+
+```sh
+cfn-vpn routes [name] --dns example.com --delete
 ```
 
+## Static CIDR Routes
+
 ### Add New
 
 to add a new route run the routes command along with the `--cidr` option
@@ -32,32 +42,32 @@ cfn-vpn routes [name] --cidr 10.151.0.0/16
 
 ### Delete
 
-to delete a  route run the routes command along with the `--cidr` option of the route to delete and the delete option
+to delete a route run the routes command along with the `--cidr` option of the route to delete and the delete option
 
 ```sh
 cfn-vpn routes [name] --cidr 10.151.0.0/16 --delete
 ```
 
-### Manage Authorization Groups
+## Manage Authorization Groups
 
-When using federated authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command.
+When using federated or active directory authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command. This is available for both DNS and CIDR routes
 
 To add groups to a new route or to override all groups on an exiting route use the `--groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --groups devs ops
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --groups devs ops
 ```
 
 To add groups to an existing route use the `--add-groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --add-groups admin
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --add-groups admin
 ```
 
 To delete groups from an existing route use the `--del-groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --del-groups dev
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --del-groups dev
 ```
 
 ## Modify Command
@@ -75,6 +85,10 @@ routes:
   desc: route to prod peered vpc
   groups:
   - ops
+- dns: example.com
+  desc: my dev alb
+  groups:
+  - dev
 ```
 
 run the `modify` command and supply the yaml file to apply the changes

data/lib/cfnvpn/actions/init.rb

@@ -6,6 +6,7 @@ require 'cfnvpn/compiler'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
+require 'cfnvpn/s3_bucket'
 
 module CfnVpn::Actions
   class Init < Thor::Group
@@ -20,7 +21,7 @@ module CfnVpn::Actions
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
     class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
-    class_option :bucket, desc: 's3 bucket'
+    class_option :bucket, desc: 's3 bucket, if not set one will be generated for you'
 
     class_option :subnet_ids, required: true, type: :array, desc: 'subnet id to associate your vpn with'
     class_option :default_groups, default: [], type: :array, desc: 'groups to allow through the subnet associations when using federated auth'
@@ -35,6 +36,8 @@ module CfnVpn::Actions
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
 
     class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+    class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
+    class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
 
     def self.source_root
       File.dirname(__FILE__)
@@ -62,23 +65,36 @@ module CfnVpn::Actions
         start: @options['start'],
         stop: @options['stop'],
         saml_arn: @options['saml_arn'],
+        saml_self_service_arn: @options['saml_self_service_arn'],
+        directory_id: @options['directory_id'],
         routes: []
       }
     end
 
-    def set_type
-      @config[:type] = @options['saml_arn'] ? 'federated' : 'certificate'
-      @config[:default_groups] = @options['saml_arn'] ? @options['default_groups'] : []
-      CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
+    def create_bucket_if_bucket_not_set
+      if !@options['bucket']
+        CfnVpn::Log.logger.info "creating s3 bucket"
+        bucket = CfnVpn::S3Bucket.new(@options['region'], @name)
+        bucket_name = bucket.generate_bucket_name
+        bucket.create_bucket(bucket_name)
+        @config[:bucket] = bucket_name
+      else
+        @config[:bucket] = @options['bucket']
+      end
     end
 
-    def conditional_options_check
-      if @config[:type] == 'certificate'
-        if !@options['bucket']
-          CfnVpn::Log.logger.error "--bucket option must be specified if creating a client vpn with certificate based authentication"
-          exit 1
-        end
+    def set_type
+      if @options['saml_arn']
+        @config[:type] = 'federated'
+        @config[:default_groups] = @options['default_groups']
+      elsif @options['directory_id']
+        @config[:type] = 'active-directory'
+        @config[:default_groups] = @options['default_groups']
+      else
+        @config[:type] = 'certificate'
+        @config[:default_groups] = []
       end
+      CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
     end
 
     def stack_exist
@@ -104,7 +120,7 @@ module CfnVpn::Actions
          # we only need the server certificate to ACM if it is a SAML federated client vpn
         @config[:client_cert_arn] = cert.upload_certificates(@options['region'],@client_cn,'client')
         # and only need to upload the certs to s3 if using certificate authenitcation
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3 = CfnVpn::S3.new(@options['region'],@config[:bucket],@name)
         s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
       end
     end

data/lib/cfnvpn/actions/modify.rb

@@ -8,6 +8,7 @@ require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
 require 'cfnvpn/config'
+require 'cfnvpn/s3_bucket'
 
 module CfnVpn::Actions
   class Modify < Thor::Group
@@ -38,6 +39,8 @@ module CfnVpn::Actions
 
     class_option :param_yaml, type: :string, desc: 'pass in cfnvpn params through YAML file'
 
+    class_option :bucket, desc: 's3 bucket'
+
     def self.source_root
       File.dirname(__FILE__)
     end
@@ -88,13 +91,30 @@ module CfnVpn::Actions
         end
       end
 
-      if @config[:saml_arn] && @options[:default_groups]
+      if (@config[:saml_arn] || @config[:directory_id]) && @options[:default_groups]
         @config[:default_groups] = @options[:default_groups]
       end
 
       CfnVpn::Log.logger.debug "Modified config:\n#{@config}"
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@options['bucket'] && !@config.has_key?(:bucket)
+        if yes? "no s3 bucket supplied in the command or found in the config, select (Y) to generate a new one ot select (N) and re run teh command with the --bucket flag to import the existing bucket." 
+          CfnVpn::Log.logger.info "creating s3 bucket"
+          bucket = CfnVpn::S3Bucket.new(@options['region'], @name)
+          bucket_name = bucket.generate_bucket_name
+          bucket.create_bucket(bucket_name)
+          @config[:bucket] = bucket_name
+        else
+          CfnVpn::Log.logger.info "rerun cfn-vpn modify #{name} command with the --bucket [BUCKET] flag"
+          exit 1
+        end
+      elsif @options['bucket']
+        @config[:bucket] = @options['bucket']
+      end
+    end
+
     def deploy_vpn
       compiler = CfnVpn::Compiler.new(@name, @config)
       template_body = compiler.compile

data/lib/cfnvpn/actions/routes.rb

@@ -13,6 +13,7 @@ module CfnVpn::Actions
     class_option :verbose, desc: 'set log level to debug', type: :boolean
 
     class_option :cidr, desc: 'cidr range'
+    class_option :dns, desc: 'dns record to auto lookup ip'
     class_option :subnet, desc: 'the target vpc subnet to route through, if none is supplied the default subnet is used'
     class_option :desc, desc: 'description of the route'
 
@@ -32,26 +33,50 @@ module CfnVpn::Actions
 
     def set_config
       @config = CfnVpn::Config.get_config(@options[:region], @name)
-      @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+
+      if @options[:cidr] && @options[:dns]
+        CfnVpn::Log.logger.error "only one of --dns or --cidr can be set"
+        exit 1
+      end
+
+      if @options[:dns]
+        if @options[:dns].include?("*")
+          CfnVpn::Log.logger.error("wild card DNS resolution is not supported, use a record that will be resolved by the wild card instead")
+          exit 1
+        end
+        @route = @config[:routes].detect {|route| route[:dns] == @options[:dns]}      
+      elsif @options[:cidr]
+        @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+      end
     end
 
     def set_route
       @skip_update = false
+      @dns_route_cleanup = nil
       if @route && @options[:delete]
-        CfnVpn::Log.logger.info "deleting route #{@options[:cidr]} "
-        @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        if @options[:dns]
+          CfnVpn::Log.logger.info "deleting auto lookup route for endpoint #{@options[:dns]}"
+          @config[:routes].reject! {|route| route[:dns] == @options[:dns]}
+          @dns_route_cleanup = @options[:dns]
+        elsif @options[:cidr]
+          CfnVpn::Log.logger.info "deleting route #{@options[:cidr]}"
+          @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        end
       elsif @route
-        CfnVpn::Log.logger.info "modifying groups for existing route #{@options[:cidr]}"
+        CfnVpn::Log.logger.info "existing route for #{@options[:cidr] ? @options[:cidr] : @options[:dns]} found"
         if @options[:groups]
+          CfnVpn::Log.logger.info "replacing groups #{@route[:groups]} with new #{@options[:groups]} for route authorization rule"
           @route[:groups] = @options[:groups]
         end
 
         if @options[:add_groups]
+          CfnVpn::Log.logger.info "adding new group(s) #{@options[:add_groups]} to route authorization rule" 
           @route[:groups].concat(@options[:add_groups]).uniq!
         end
 
         if @options[:del_groups]
-          @route[:groups].reject! {|group| @options[:add_groups].include? group}
+          CfnVpn::Log.logger.info "removing new group(s) #{@options[:del_groups]} to route authorization rule" 
+          @route[:groups].reject! {|group| @options[:del_groups].include? group}
         end
 
         if @options[:desc]
@@ -65,9 +90,17 @@ module CfnVpn::Actions
         CfnVpn::Log.logger.info "adding new route for #{@options[:cidr]}"
         @config[:routes] << {
           cidr: @options[:cidr],
-          desc: @options.fetch(:desc, "route for cidr #{@options[:cidr]}"),
+          desc: @options.fetch(:desc, ""),
+          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
+        }
+      elsif !@route && @options[:dns]
+        CfnVpn::Log.logger.info "adding new route lookup for dns record #{@options[:dns]}"
+        @config[:routes] << {
+          dns: @options[:dns],
+          desc: @options.fetch(:desc, ""),
           subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
-          groups: @options.fetch(@options[:groups], []) + @options.fetch(@options[:add_groups], [])
+          groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
         }
       else
         @skip_update = true
@@ -76,6 +109,13 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.debug "CONFIG: #{@config}"
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@config.has_key?(:bucket)
+        CfnVpn::Log.logger.error "no bucket found in the config, run the cfn-vpn modify #{name} command to add a bucket"
+        exit 1
+      end
+    end
+
     def deploy_vpn
       unless @skip_update
         compiler = CfnVpn::Compiler.new(@name, @config)
@@ -123,8 +163,20 @@ module CfnVpn::Actions
       end
     end
 
-    def get_routes
+    def cleanup_dns_routes
       @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      unless @dns_route_cleanup.nil?
+        routes = @vpn.get_routes()
+        CfnVpn::Log.logger.info("Cleaning up expired routes for #{@dns_route_cleanup}")
+        expired_routes = routes.select {|route| route.description.include?(@dns_route_cleanup) }
+        expired_routes.each do |route|
+          @vpn.delete_route(route.destination_cidr, route.target_subnet)
+          @vpn.revoke_auth(route.destination_cidr)
+        end
+      end
+    end
+
+    def get_routes
       @endpoint = @vpn.get_endpoint_id()
       @routes = @vpn.get_routes()
     end

data/lib/cfnvpn/clientvpn.rb

@@ -9,6 +9,7 @@ module CfnVpn
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
       @name = name
+      @endpoint_id = self.get_endpoint_id()
     end
 
     def get_endpoint()
@@ -116,5 +117,22 @@ module CfnVpn
       return associations
     end
 
+    def delete_route(cidr, subnet)
+      @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_vpc_subnet_id: subnet,
+        destination_cidr_block: cidr
+      })
+    end
+
+    def revoke_auth(cidr)
+      endpoint_id = get_endpoint_id()
+      @client.revoke_client_vpn_ingress({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_network_cidr: cidr,
+        revoke_all_groups: true
+      })
+    end
+
   end
 end