cfn-vpn 1.2.0 → 1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0faff982b39ef508e55845e2861754915ecca87a1db0df635eb75c718850c096
-  data.tar.gz: 6956ade9846ca34dab966f382f2c707921acd982be8d04f8f6fac47951a2ae44
+  metadata.gz: 87da472b980570d8b77eaab6e47aa173d9d0cbdbc04ff35a99aa94000949afa7
+  data.tar.gz: ba179c5ecafe598cb2e706f295fb46a4f929424673cff094e76c701023a2381a
 SHA512:
-  metadata.gz: 0dcb165737f775d3a8bb9c9dd649544c801ee397a5e2cb0c800e40de0a88b221b05e3bfd4e8346a0b4287c8f0076462c02715c16c0703ffdd083005d062294e3
-  data.tar.gz: a83c04ff87f444e440ea7cb1e99b835a380fb7c92d48013d59e653dec8e00b56d35fd1075f88cfe5d94a81d6766cab3089dd47678e6b9b3f6d00490129db7b9b
+  metadata.gz: a2a230d146fe3f6f4226dd4aad4d5f40cc6322e75b84e5ca46b3fddeee5f728424e744357cbae0e1205a188d68d100a9b630cb3b028285d906d0e4be8ad91b77
+  data.tar.gz: c6be3bf8d173086327c4024fe6fdcaa116be743ff15498a56f2a22209608880b8da6458a608235687eb236e356f9b8bf73d704baa137c653c7f81712f803bd6e

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (1.0.0)
+    cfn-vpn (1.2.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
@@ -9,46 +9,48 @@ PATH
       aws-sdk-ssm (~> 1, < 2)
       cfndsl (~> 1, < 2)
       netaddr (= 2.0.4)
+      rubyzip (~> 2.3)
       terminal-table (~> 1, < 2)
       thor (~> 0.20)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.1.0)
-    aws-partitions (1.390.0)
-    aws-sdk-acm (1.38.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-eventstream (1.1.1)
+    aws-partitions (1.432.0)
+    aws-sdk-acm (1.39.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-cloudformation (1.44.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-cloudformation (1.49.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.109.2)
+    aws-sdk-core (3.113.0)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.208.0)
+    aws-sdk-ec2 (1.220.0)
       aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.39.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-kms (1.43.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.84.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-s3 (1.91.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-ssm (1.97.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-ssm (1.104.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.2)
+    aws-sigv4 (1.2.3)
       aws-eventstream (~> 1, >= 1.0.2)
-    cfndsl (1.2.0)
+    cfndsl (1.3.1)
       hana (~> 1.3)
-    hana (1.3.6)
+    hana (1.3.7)
     jmespath (1.4.0)
     netaddr (2.0.4)
     rake (13.0.1)
+    rubyzip (2.3.0)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
@@ -63,4 +65,4 @@ DEPENDENCIES
   rake (~> 13.0)
 
 BUNDLED WITH
-   2.0.1
+   2.1.4

data/cfn-vpn.gemspec

@@ -37,6 +37,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfndsl', '~> 1', '<2'
   spec.add_dependency 'netaddr', '2.0.4'
+  spec.add_dependency 'rubyzip', '~> 2.3'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
   spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'

data/docs/README.md

@@ -31,7 +31,7 @@ dig @10.0.0.2 google.com
 
 ## Authentication Types
 
-`cfn-vpn` supports certificate and federated type authentication for AWS Client-VPN. It currently doesn't support Active Directory type authentication.
+`cfn-vpn` supports certificate, federated and active directory type authentication for AWS Client-VPN.
 For further information on the authentication types please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
 
 ## CfnVpn Documentation
@@ -41,4 +41,4 @@ For further information on the authentication types please visit https://docs.aw
 3. [Managing Certificate Users](certificate-users.md)
 4. [Managing Routes](routes.md)
 5. [Stop and Start Client-VPN](scheduling.md)
-6. [Managing Sessions](sessions.md)
+6. [Managing Sessions](sessions.md)

data/docs/getting-started.md

@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
 The following command and required option will launch a new federated based Client-VPN
 
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --saml-arn [identity providor arn]
 ```
 
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. 
 
+```diff
+! Group id's must be used if creating authorisation rules. 
+! Each SAML providor will have different group id's and means of retrieving them.
+```
+
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --default-groups [list of group ids]
 ```
 
 **AWS SSO**
 
 If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
 
+If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
+
+```sh
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --saml-self-service-arn [self service identity provider arn] \
+  --default-groups [list of group ids]
+```
 
 ### AWS Directory Services Authenticated VPN
 
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
 The following command and required option will launch a new directory service based Client-VPN
 
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id]
 ```
 
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
 
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id] \
+  --default-groups [list of group ids]
 ```
 
 See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
@@ -104,25 +128,27 @@ When using a federated ClientVPN you can modify the default auth to only allow s
 
 ```
 Options:
-  r, [--region=REGION]                         # AWS Region
-                                               # Default: ap-southeast-2
-      [--verbose], [--no-verbose]              # set log level to debug
-      --server-cn=SERVER_CN                    # server certificate common name
-      [--client-cn=CLIENT_CN]                  # client certificate common name
-      [--easyrsa-local], [--no-easyrsa-local]  # run the easyrsa executable from your local rather than from docker
-      [--bucket=BUCKET]                        # s3 bucket
-      --subnet-ids=one two three               # subnet id to associate your vpn with
-      [--default-groups=one two three]         # groups to allow through the subnet associations when using federated auth
-      [--cidr=CIDR]                            # cidr from which to assign client IP addresses
-                                               # Default: 10.250.0.0/16
-      [--dns-servers=one two three]            # DNS Servers to push to clients.
-      [--split-tunnel], [--no-split-tunnel]    # only push routes to the client on the vpn endpoint
-                                               # Default: true
-      [--internet-route=INTERNET_ROUTE]        # [subnet-id] create a default route to the internet through a subnet
-      [--protocol=PROTOCOL]                    # set the protocol for the vpn connections
-                                               # Default: udp
-                                               # Possible values: udp, tcp
-      [--start=START]                          # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
-      [--stop=STOP]                            # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
-      [--saml-arn=SAML_ARN]                    # IAM SAML idenditiy providor arn if using SAML federated authentication
-```
+  r, [--region=REGION]                                 # AWS Region
+                                                       # Default: ap-southeast-2
+      [--verbose], [--no-verbose]                      # set log level to debug
+      --server-cn=SERVER_CN                            # server certificate common name
+      [--client-cn=CLIENT_CN]                          # client certificate common name
+      [--easyrsa-local], [--no-easyrsa-local]          # run the easyrsa executable from your local rather than from docker
+      [--bucket=BUCKET]                                # s3 bucket, if not set one will be generated for you
+      --subnet-ids=one two three                       # subnet id to associate your vpn with
+      [--default-groups=one two three]                 # groups to allow through the subnet associations when using federated auth
+      [--cidr=CIDR]                                    # cidr from which to assign client IP addresses
+                                                       # Default: 10.250.0.0/16
+      [--dns-servers=one two three]                    # DNS Servers to push to clients.
+      [--split-tunnel], [--no-split-tunnel]            # only push routes to the client on the vpn endpoint
+                                                       # Default: true
+      [--internet-route=INTERNET_ROUTE]                # [subnet-id] create a default route to the internet through a subnet
+      [--protocol=PROTOCOL]                            # set the protocol for the vpn connections
+                                                       # Default: udp
+                                                       # Possible values: udp, tcp
+      [--start=START]                                  # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
+      [--stop=STOP]                                    # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
+      [--saml-arn=SAML_ARN]                            # IAM SAML idenditiy providor arn if using SAML federated authentication
+      [--saml-self-service-arn=SAML_SELF_SERVICE_ARN]  # IAM SAML idenditiy providor arn for the self service portal
+      [--directory-id=DIRECTORY_ID]                    # AWS Directory Service directory id if using Active Directory authentication
+```

data/docs/routes.md

@@ -4,24 +4,34 @@ Management of the VPN routes can be altered using the `routes` command or by usi
 
 **Note:** The default route via subnet association cannot be modified through this command. Use the `modify` command to alter the subnet associations.
 
-## Routes Command
+CfnVpn can create static routes for CIDRs as well as dynamically lookup IPs for dns endpoints and continue to monitor and update the routes if the IPs change.
 
+```sh
+cfn-vpn help routes
+```
+
+## Dynamic DNS Routes
+
+Dynamic DNS routes takes a dns endpoint and will query the record every 5 minutes to see if the IPs have changed and update the routes.
+
+### Add New
+
+to add a new route run the routes command along with the `--dns` option
+
+```sh
+cfn-vpn routes [name] --dns example.com
 ```
-Options:
-  r, [--region=REGION]              # AWS Region
-                                    # Default: ap-southeast-2
-      [--verbose], [--no-verbose]   # set log level to debug
-      [--cidr=CIDR]                 # cidr range
-      [--subnet=SUBNET]             # the target vpc subnet to route through, if none is supplied the default subnet is used
-      [--desc=DESC]                 # description of the route
-      [--groups=one two three]      # override all authorised groups on thr route
-      [--add-groups=one two three]  # add authorised groups to an existing route
-      [--del-groups=one two three]  # remove authorised groups from an existing route
-      [--delete], [--no-delete]     # delete the route from the client vpn
-
-List, add or delete client vpn routes
+
+### Delete
+
+to delete a route run the routes command along with the `--dns` option of the route to delete and the delete option
+
+```sh
+cfn-vpn routes [name] --dns example.com --delete
 ```
 
+## Static CIDR Routes
+
 ### Add New
 
 to add a new route run the routes command along with the `--cidr` option
@@ -32,32 +42,32 @@ cfn-vpn routes [name] --cidr 10.151.0.0/16
 
 ### Delete
 
-to delete a  route run the routes command along with the `--cidr` option of the route to delete and the delete option
+to delete a route run the routes command along with the `--cidr` option of the route to delete and the delete option
 
 ```sh
 cfn-vpn routes [name] --cidr 10.151.0.0/16 --delete
 ```
 
-### Manage Authorization Groups
+## Manage Authorization Groups
 
-When using federated authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command.
+When using federated or active directory authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command. This is available for both DNS and CIDR routes
 
 To add groups to a new route or to override all groups on an exiting route use the `--groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --groups devs ops
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --groups devs ops
 ```
 
 To add groups to an existing route use the `--add-groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --add-groups admin
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --add-groups admin
 ```
 
 To delete groups from an existing route use the `--del-groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --del-groups dev
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --del-groups dev
 ```
 
 ## Modify Command
@@ -75,6 +85,10 @@ routes:
   desc: route to prod peered vpc
   groups:
   - ops
+- dns: example.com
+  desc: my dev alb
+  groups:
+  - dev
 ```
 
 run the `modify` command and supply the yaml file to apply the changes

data/lib/cfnvpn/actions/init.rb

@@ -6,6 +6,7 @@ require 'cfnvpn/compiler'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
+require 'cfnvpn/s3_bucket'
 
 module CfnVpn::Actions
   class Init < Thor::Group
@@ -20,7 +21,7 @@ module CfnVpn::Actions
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
     class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
-    class_option :bucket, desc: 's3 bucket'
+    class_option :bucket, desc: 's3 bucket, if not set one will be generated for you'
 
     class_option :subnet_ids, required: true, type: :array, desc: 'subnet id to associate your vpn with'
     class_option :default_groups, default: [], type: :array, desc: 'groups to allow through the subnet associations when using federated auth'
@@ -35,6 +36,7 @@ module CfnVpn::Actions
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
 
     class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+    class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
     class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
 
     def self.source_root
@@ -63,11 +65,24 @@ module CfnVpn::Actions
         start: @options['start'],
         stop: @options['stop'],
         saml_arn: @options['saml_arn'],
+        saml_self_service_arn: @options['saml_self_service_arn'],
         directory_id: @options['directory_id'],
         routes: []
       }
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@options['bucket']
+        CfnVpn::Log.logger.info "creating s3 bucket"
+        bucket = CfnVpn::S3Bucket.new(@options['region'], @name)
+        bucket_name = bucket.generate_bucket_name
+        bucket.create_bucket(bucket_name)
+        @config[:bucket] = bucket_name
+      else
+        @config[:bucket] = @options['bucket']
+      end
+    end
+
     def set_type
       if @options['saml_arn']
         @config[:type] = 'federated'
@@ -82,15 +97,6 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
     end
 
-    def conditional_options_check
-      if @config[:type] == 'certificate'
-        if !@options['bucket']
-          CfnVpn::Log.logger.error "--bucket option must be specified if creating a client vpn with certificate based authentication"
-          exit 1
-        end
-      end
-    end
-
     def stack_exist
       @deployer = CfnVpn::Deployer.new(@options['region'],@name)
       if @deployer.does_cf_stack_exist()
@@ -114,7 +120,7 @@ module CfnVpn::Actions
          # we only need the server certificate to ACM if it is a SAML federated client vpn
         @config[:client_cert_arn] = cert.upload_certificates(@options['region'],@client_cn,'client')
         # and only need to upload the certs to s3 if using certificate authenitcation
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3 = CfnVpn::S3.new(@options['region'],@config[:bucket],@name)
         s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
       end
     end

data/lib/cfnvpn/actions/modify.rb

@@ -8,6 +8,7 @@ require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
 require 'cfnvpn/config'
+require 'cfnvpn/s3_bucket'
 
 module CfnVpn::Actions
   class Modify < Thor::Group
@@ -38,6 +39,8 @@ module CfnVpn::Actions
 
     class_option :param_yaml, type: :string, desc: 'pass in cfnvpn params through YAML file'
 
+    class_option :bucket, desc: 's3 bucket'
+
     def self.source_root
       File.dirname(__FILE__)
     end
@@ -95,6 +98,23 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.debug "Modified config:\n#{@config}"
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@options['bucket'] && !@config.has_key?(:bucket)
+        if yes? "no s3 bucket supplied in the command or found in the config, select (Y) to generate a new one ot select (N) and re run teh command with the --bucket flag to import the existing bucket." 
+          CfnVpn::Log.logger.info "creating s3 bucket"
+          bucket = CfnVpn::S3Bucket.new(@options['region'], @name)
+          bucket_name = bucket.generate_bucket_name
+          bucket.create_bucket(bucket_name)
+          @config[:bucket] = bucket_name
+        else
+          CfnVpn::Log.logger.info "rerun cfn-vpn modify #{name} command with the --bucket [BUCKET] flag"
+          exit 1
+        end
+      elsif @options['bucket']
+        @config[:bucket] = @options['bucket']
+      end
+    end
+
     def deploy_vpn
       compiler = CfnVpn::Compiler.new(@name, @config)
       template_body = compiler.compile

data/lib/cfnvpn/actions/routes.rb

@@ -13,6 +13,7 @@ module CfnVpn::Actions
     class_option :verbose, desc: 'set log level to debug', type: :boolean
 
     class_option :cidr, desc: 'cidr range'
+    class_option :dns, desc: 'dns record to auto lookup ip'
     class_option :subnet, desc: 'the target vpc subnet to route through, if none is supplied the default subnet is used'
     class_option :desc, desc: 'description of the route'
 
@@ -32,26 +33,50 @@ module CfnVpn::Actions
 
     def set_config
       @config = CfnVpn::Config.get_config(@options[:region], @name)
-      @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+
+      if @options[:cidr] && @options[:dns]
+        CfnVpn::Log.logger.error "only one of --dns or --cidr can be set"
+        exit 1
+      end
+
+      if @options[:dns]
+        if @options[:dns].include?("*")
+          CfnVpn::Log.logger.error("wild card DNS resolution is not supported, use a record that will be resolved by the wild card instead")
+          exit 1
+        end
+        @route = @config[:routes].detect {|route| route[:dns] == @options[:dns]}      
+      elsif @options[:cidr]
+        @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+      end
     end
 
     def set_route
       @skip_update = false
+      @dns_route_cleanup = nil
       if @route && @options[:delete]
-        CfnVpn::Log.logger.info "deleting route #{@options[:cidr]} "
-        @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        if @options[:dns]
+          CfnVpn::Log.logger.info "deleting auto lookup route for endpoint #{@options[:dns]}"
+          @config[:routes].reject! {|route| route[:dns] == @options[:dns]}
+          @dns_route_cleanup = @options[:dns]
+        elsif @options[:cidr]
+          CfnVpn::Log.logger.info "deleting route #{@options[:cidr]}"
+          @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        end
       elsif @route
-        CfnVpn::Log.logger.info "modifying groups for existing route #{@options[:cidr]}"
+        CfnVpn::Log.logger.info "existing route for #{@options[:cidr] ? @options[:cidr] : @options[:dns]} found"
         if @options[:groups]
+          CfnVpn::Log.logger.info "replacing groups #{@route[:groups]} with new #{@options[:groups]} for route authorization rule"
           @route[:groups] = @options[:groups]
         end
 
         if @options[:add_groups]
+          CfnVpn::Log.logger.info "adding new group(s) #{@options[:add_groups]} to route authorization rule" 
           @route[:groups].concat(@options[:add_groups]).uniq!
         end
 
         if @options[:del_groups]
-          @route[:groups].reject! {|group| @options[:add_groups].include? group}
+          CfnVpn::Log.logger.info "removing new group(s) #{@options[:del_groups]} to route authorization rule" 
+          @route[:groups].reject! {|group| @options[:del_groups].include? group}
         end
 
         if @options[:desc]
@@ -65,9 +90,17 @@ module CfnVpn::Actions
         CfnVpn::Log.logger.info "adding new route for #{@options[:cidr]}"
         @config[:routes] << {
           cidr: @options[:cidr],
-          desc: @options.fetch(:desc, "route for cidr #{@options[:cidr]}"),
+          desc: @options.fetch(:desc, ""),
+          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
+        }
+      elsif !@route && @options[:dns]
+        CfnVpn::Log.logger.info "adding new route lookup for dns record #{@options[:dns]}"
+        @config[:routes] << {
+          dns: @options[:dns],
+          desc: @options.fetch(:desc, ""),
           subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
-          groups: @options.fetch(@options[:groups], []) + @options.fetch(@options[:add_groups], [])
+          groups: @options.fetch(:groups, []) + @options.fetch(:add_groups, [])
         }
       else
         @skip_update = true
@@ -76,6 +109,13 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.debug "CONFIG: #{@config}"
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@config.has_key?(:bucket)
+        CfnVpn::Log.logger.error "no bucket found in the config, run the cfn-vpn modify #{name} command to add a bucket"
+        exit 1
+      end
+    end
+
     def deploy_vpn
       unless @skip_update
         compiler = CfnVpn::Compiler.new(@name, @config)
@@ -123,8 +163,20 @@ module CfnVpn::Actions
       end
     end
 
-    def get_routes
+    def cleanup_dns_routes
       @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      unless @dns_route_cleanup.nil?
+        routes = @vpn.get_routes()
+        CfnVpn::Log.logger.info("Cleaning up expired routes for #{@dns_route_cleanup}")
+        expired_routes = routes.select {|route| route.description.include?(@dns_route_cleanup) }
+        expired_routes.each do |route|
+          @vpn.delete_route(route.destination_cidr, route.target_subnet)
+          @vpn.revoke_auth(route.destination_cidr)
+        end
+      end
+    end
+
+    def get_routes
       @endpoint = @vpn.get_endpoint_id()
       @routes = @vpn.get_routes()
     end

data/lib/cfnvpn/clientvpn.rb

@@ -9,6 +9,7 @@ module CfnVpn
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
       @name = name
+      @endpoint_id = self.get_endpoint_id()
     end
 
     def get_endpoint()
@@ -116,5 +117,22 @@ module CfnVpn
       return associations
     end
 
+    def delete_route(cidr, subnet)
+      @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_vpc_subnet_id: subnet,
+        destination_cidr_block: cidr
+      })
+    end
+
+    def revoke_auth(cidr)
+      endpoint_id = get_endpoint_id()
+      @client.revoke_client_vpn_ingress({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_network_cidr: cidr,
+        revoke_all_groups: true
+      })
+    end
+
   end
 end

data/lib/cfnvpn/s3.rb

@@ -63,5 +63,35 @@ module CfnVpn
       })
     end
 
+    def create_bucket
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
   end
 end