cfn-vpn 1.1.1 → 1.3.3

data/lib/cfnvpn/s3.rb

@@ -63,5 +63,35 @@ module CfnVpn
       })
     end
 
+    def create_bucket
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
   end
 end

data/lib/cfnvpn/s3_bucket.rb

@@ -0,0 +1,48 @@
+require 'aws-sdk-s3'
+require 'fileutils'
+require 'securerandom'
+
+module CfnVpn
+  class S3Bucket
+
+    def initialize(region, name)
+      @client = Aws::S3::Client.new(region: region)
+      @name = name
+    end
+
+    def generate_bucket_name
+      return "cfnvpn-#{@name}-#{SecureRandom.hex}"
+    end
+
+    def create_bucket(bucket)
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
+  end
+end

data/lib/cfnvpn/string.rb

@@ -11,6 +11,10 @@ class String
     self.gsub(/[^a-zA-Z0-9]/, "").capitalize
   end
 
+  def event_id_safe
+    self.gsub('*', 'wildcard').gsub(/[^\.\-_A-Za-z0-9]+/, "").downcase
+  end
+
   def colorize(color_code)
     "\e[#{color_code}m#{self}\e[0m"
   end

data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py

@@ -0,0 +1,175 @@
+import socket
+import boto3
+from botocore.exceptions import ClientError
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+
+def delete_route(client, vpn_endpoint, subnet, cidr):
+    client.delete_client_vpn_route(
+      ClientVpnEndpointId=vpn_endpoint,
+      TargetVpcSubnetId=subnet,
+      DestinationCidrBlock=cidr,
+    )
+
+  
+def create_route(client, event, cidr):
+  client.create_client_vpn_route(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    DestinationCidrBlock=cidr,
+    TargetVpcSubnetId=event['TargetSubnet'],
+    Description=f"cfnvpn auto generated route for endpoint {event['Record']}. {event['Description']}"
+  )
+
+
+def revoke_route_auth(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr
+  }
+  
+  if group is None:
+    args['RevokeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.revoke_client_vpn_ingress(**args)
+
+
+def authorize_route(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr,
+    'Description': f"cfnvpn auto generated authorization for endpoint {event['Record']}. {event['Description']}"
+  }
+  
+  if group is None:
+    args['AuthorizeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.authorize_client_vpn_ingress(**args)
+
+
+def get_routes(client, event):
+  response = client.describe_client_vpn_routes(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    Filters=[
+      {
+        'Name': 'origin',
+        'Values': ['add-route']
+      }
+    ]
+  )
+  
+  routes = [route for route in response['Routes'] if event['Record'] in route['Description']]
+  logger.info(f"found {len(routes)} exisiting routes for {event['Record']}")
+  return routes
+
+
+def get_rules(client, vpn_endpoint, cidr):
+  response = client.describe_client_vpn_authorization_rules(
+    ClientVpnEndpointId=vpn_endpoint,
+    Filters=[
+        {
+            'Name': 'destination-cidr',
+            'Values': [cidr]
+        }
+    ]
+  )
+  return response['AuthorizationRules']
+
+
+def handler(event,context):
+  
+  # DNS lookup on the dns record and return all IPS for the endpoint
+  try:
+    cidrs = [ ip + "/32" for ip in socket.gethostbyname_ex(event['Record'])[-1]]
+    logger.info(f"resolved endpoint {event['Record']} to {cidrs}")
+  except socket.gaierror as e:
+    logger.exception(f"failed to resolve record {event['Record']}")
+    return 'KO'
+  
+  client = boto3.client('ec2')
+  routes = get_routes(client, event)
+
+  for cidr in cidrs:
+    route = next((route for route in routes if route['DestinationCidr'] == cidr), None)
+    
+    # if there are no existing routes for the endpoint cidr create a new route
+    if route is None:
+      try:
+        create_route(client, event, cidr)
+        if 'Groups' in event:
+          for group in event['Groups']:
+            authorize_route(client, event, cidr, group)
+        else:
+          authorize_route(client, event, cidr)
+      except ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientVpnDuplicateRoute':
+          logger.error(f"route for CIDR {cidr} already exists with a different endpoint")
+          continue
+        raise e
+        
+    # if the route already exists
+    else:
+      
+      logger.info(f"route for cidr {cidr} is already in place")
+      
+      # if the target subnet has changed in the payload, recreate the routes to use the new subnet
+      if route['TargetSubnet'] != event['TargetSubnet']:
+        logger.info(f"target subnet for route for {cidr} has changed, recreating the route")
+        delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], cidr)
+        create_route(client, event, cidr)
+      
+      logger.info(f"checking authorization rules for the route")
+      
+      # check the rules match the payload
+      rules = get_rules(client, event['ClientVpnEndpointId'], cidr)
+      existing_groups = [rule['GroupId'] for rule in rules]
+      if 'Groups' in event:
+        # remove expired rules not defined in the payload anymore
+        expired_rules = [rule for rule in rules if rule['GroupId'] not in event['Groups']]
+        for rule in expired_rules:
+          logger.info(f"removing expired authorization rule for group {rule['GroupId']} for route {cidr}")
+          revoke_route_auth(client, event, cidr, rule['GroupId'])
+        # add new rules defined in the payload
+        new_rules =  [group for group in event['Groups'] if group not in existing_groups]
+        for group in new_rules:
+          logger.info(f"creating new authorization rule for group {rule['GroupId']} for route {cidr}")
+          authorize_route(client, event, cidr, group)
+      else:
+        # if amount of rules for the cidr is greater than 1 when no groups are specified in the payload 
+        # we'll assume that all groups have been removed from the payload so we'll remove all existing rules and add a rule for allow all 
+        if len(rules) > 1:
+          logger.info(f"creating an allow all rule for route {cidr}")
+          revoke_route_auth(client, event, cidr)
+          authorize_route(client, event, cidr)
+          
+      
+
+  
+  # clean up any expired routes when the ips for an endpoint change
+  expired_routes = [route for route in routes if route['DestinationCidr'] not in cidrs]
+  for route in expired_routes:
+    logger.info(f"removing expired route {route['DestinationCidr']} for endpoint {event['Record']}")
+    
+    try:
+      revoke_route_auth(client, event, route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnEndpointAuthorizationRuleNotFound':
+        pass
+      else:
+        raise e
+                          
+    try:
+      delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnRouteNotFound':
+        pass
+      else:
+        raise e
+  
+  return 'OK'

data/lib/cfnvpn/templates/lambdas/scheduler/app.py

@@ -0,0 +1,36 @@
+import boto3
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+def handler(event, context):
+
+  logger.info(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
+
+  if event['AssociateSubnets'] == 'false':
+    logger.info(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
+    ec2 = boto3.client('ec2')
+    resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
+    for conn in resp['Connections']:
+      if conn['Status']['Code'] == 'active':
+        ec2.terminate_client_vpn_connections(
+          ClientVpnEndpointId=event['ClientVpnEndpointId'],
+          ConnectionId=conn['ConnectionId']
+        )
+        logger.info(f"terminated session {conn['ConnectionId']}")
+
+  client = boto3.client('cloudformation')
+  logger.info(client.update_stack(
+    StackName=event['StackName'],
+    UsePreviousTemplate=True,
+    Capabilities=['CAPABILITY_IAM'],
+    Parameters=[
+      {
+        'ParameterKey': 'AssociateSubnets',
+        'ParameterValue': event['AssociateSubnets']
+      }
+    ]
+  ))
+
+  return 'OK'

data/lib/cfnvpn/templates/lambdas.rb

@@ -0,0 +1,35 @@
+require 'zip'
+require 'securerandom'
+require 'aws-sdk-s3'
+require 'cfnvpn/log'
+
+module CfnVpn
+  module Templates
+    class Lambdas
+
+      def self.package_lambda(name:, bucket:, func:, files:)
+        lambdas_dir = File.join(File.dirname(File.expand_path(__FILE__)), 'lambdas')
+        FileUtils.mkdir_p(lambdas_dir)
+
+        CfnVpn::Log.logger.debug "zipping lambda function #{func}"
+        zipfile_name = "#{func}-#{SecureRandom.hex}.zip"
+        zipfile_path = "#{CfnVpn.cfnvpn_path}/#{name}/lambdas"
+        FileUtils.mkdir_p(zipfile_path)
+        Zip::File.open("#{zipfile_path}/#{zipfile_name}", Zip::File::CREATE) do |zipfile|
+          files.each do |file|
+            zipfile.add(file, File.join("#{lambdas_dir}/#{func}", file))
+          end
+        end
+
+        bucket = Aws::S3::Bucket.new(bucket)
+        object = bucket.object("cfnvpn/lambdas/#{name}/#{zipfile_name}")
+        CfnVpn::Log.logger.debug "uploading #{zipfile_name} to s3://#{bucket}/#{object.key}"
+        object.upload_file("#{zipfile_path}/#{zipfile_name}")
+
+        return object.key
+      end
+      
+    end
+  end
+end
+