cfn-vpn 1.2.0 → 1.3.4

data/lib/cfnvpn/s3_bucket.rb

@@ -0,0 +1,48 @@
+require 'aws-sdk-s3'
+require 'fileutils'
+require 'securerandom'
+
+module CfnVpn
+  class S3Bucket
+
+    def initialize(region, name)
+      @client = Aws::S3::Client.new(region: region)
+      @name = name
+    end
+
+    def generate_bucket_name
+      return "cfnvpn-#{@name}-#{SecureRandom.hex}"
+    end
+
+    def create_bucket(bucket)
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
+  end
+end

data/lib/cfnvpn/string.rb

@@ -11,6 +11,10 @@ class String
     self.gsub(/[^a-zA-Z0-9]/, "").capitalize
   end
 
+  def event_id_safe
+    self.gsub('*', 'wildcard').gsub(/[^\.\-_A-Za-z0-9]+/, "").downcase
+  end
+
   def colorize(color_code)
     "\e[#{color_code}m#{self}\e[0m"
   end

data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py

@@ -0,0 +1,175 @@
+import socket
+import boto3
+from botocore.exceptions import ClientError
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+
+def delete_route(client, vpn_endpoint, subnet, cidr):
+    client.delete_client_vpn_route(
+      ClientVpnEndpointId=vpn_endpoint,
+      TargetVpcSubnetId=subnet,
+      DestinationCidrBlock=cidr,
+    )
+
+  
+def create_route(client, event, cidr):
+  client.create_client_vpn_route(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    DestinationCidrBlock=cidr,
+    TargetVpcSubnetId=event['TargetSubnet'],
+    Description=f"cfnvpn auto generated route for endpoint {event['Record']}. {event['Description']}"
+  )
+
+
+def revoke_route_auth(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr
+  }
+  
+  if group is None:
+    args['RevokeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.revoke_client_vpn_ingress(**args)
+
+
+def authorize_route(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr,
+    'Description': f"cfnvpn auto generated authorization for endpoint {event['Record']}. {event['Description']}"
+  }
+  
+  if group is None:
+    args['AuthorizeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.authorize_client_vpn_ingress(**args)
+
+
+def get_routes(client, event):
+  response = client.describe_client_vpn_routes(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    Filters=[
+      {
+        'Name': 'origin',
+        'Values': ['add-route']
+      }
+    ]
+  )
+  
+  routes = [route for route in response['Routes'] if event['Record'] in route['Description']]
+  logger.info(f"found {len(routes)} exisiting routes for {event['Record']}")
+  return routes
+
+
+def get_rules(client, vpn_endpoint, cidr):
+  response = client.describe_client_vpn_authorization_rules(
+    ClientVpnEndpointId=vpn_endpoint,
+    Filters=[
+        {
+            'Name': 'destination-cidr',
+            'Values': [cidr]
+        }
+    ]
+  )
+  return response['AuthorizationRules']
+
+
+def handler(event,context):
+  
+  # DNS lookup on the dns record and return all IPS for the endpoint
+  try:
+    cidrs = [ ip + "/32" for ip in socket.gethostbyname_ex(event['Record'])[-1]]
+    logger.info(f"resolved endpoint {event['Record']} to {cidrs}")
+  except socket.gaierror as e:
+    logger.exception(f"failed to resolve record {event['Record']}")
+    return 'KO'
+  
+  client = boto3.client('ec2')
+  routes = get_routes(client, event)
+
+  for cidr in cidrs:
+    route = next((route for route in routes if route['DestinationCidr'] == cidr), None)
+    
+    # if there are no existing routes for the endpoint cidr create a new route
+    if route is None:
+      try:
+        create_route(client, event, cidr)
+        if 'Groups' in event:
+          for group in event['Groups']:
+            authorize_route(client, event, cidr, group)
+        else:
+          authorize_route(client, event, cidr)
+      except ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientVpnDuplicateRoute':
+          logger.error(f"route for CIDR {cidr} already exists with a different endpoint")
+          continue
+        raise e
+        
+    # if the route already exists
+    else:
+      
+      logger.info(f"route for cidr {cidr} is already in place")
+      
+      # if the target subnet has changed in the payload, recreate the routes to use the new subnet
+      if route['TargetSubnet'] != event['TargetSubnet']:
+        logger.info(f"target subnet for route for {cidr} has changed, recreating the route")
+        delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], cidr)
+        create_route(client, event, cidr)
+      
+      logger.info(f"checking authorization rules for the route")
+      
+      # check the rules match the payload
+      rules = get_rules(client, event['ClientVpnEndpointId'], cidr)
+      existing_groups = [rule['GroupId'] for rule in rules]
+      if 'Groups' in event:
+        # remove expired rules not defined in the payload anymore
+        expired_rules = [rule for rule in rules if rule['GroupId'] not in event['Groups']]
+        for rule in expired_rules:
+          logger.info(f"removing expired authorization rule for group {rule['GroupId']} for route {cidr}")
+          revoke_route_auth(client, event, cidr, rule['GroupId'])
+        # add new rules defined in the payload
+        new_rules =  [group for group in event['Groups'] if group not in existing_groups]
+        for group in new_rules:
+          logger.info(f"creating new authorization rule for group {rule['GroupId']} for route {cidr}")
+          authorize_route(client, event, cidr, group)
+      else:
+        # if amount of rules for the cidr is greater than 1 when no groups are specified in the payload 
+        # we'll assume that all groups have been removed from the payload so we'll remove all existing rules and add a rule for allow all 
+        if len(rules) > 1:
+          logger.info(f"creating an allow all rule for route {cidr}")
+          revoke_route_auth(client, event, cidr)
+          authorize_route(client, event, cidr)
+          
+      
+
+  
+  # clean up any expired routes when the ips for an endpoint change
+  expired_routes = [route for route in routes if route['DestinationCidr'] not in cidrs]
+  for route in expired_routes:
+    logger.info(f"removing expired route {route['DestinationCidr']} for endpoint {event['Record']}")
+    
+    try:
+      revoke_route_auth(client, event, route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnEndpointAuthorizationRuleNotFound':
+        pass
+      else:
+        raise e
+                          
+    try:
+      delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnRouteNotFound':
+        pass
+      else:
+        raise e
+  
+  return 'OK'

data/lib/cfnvpn/templates/lambdas/scheduler/app.py

@@ -0,0 +1,36 @@
+import boto3
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+def handler(event, context):
+
+  logger.info(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
+
+  if event['AssociateSubnets'] == 'false':
+    logger.info(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
+    ec2 = boto3.client('ec2')
+    resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
+    for conn in resp['Connections']:
+      if conn['Status']['Code'] == 'active':
+        ec2.terminate_client_vpn_connections(
+          ClientVpnEndpointId=event['ClientVpnEndpointId'],
+          ConnectionId=conn['ConnectionId']
+        )
+        logger.info(f"terminated session {conn['ConnectionId']}")
+
+  client = boto3.client('cloudformation')
+  logger.info(client.update_stack(
+    StackName=event['StackName'],
+    UsePreviousTemplate=True,
+    Capabilities=['CAPABILITY_IAM'],
+    Parameters=[
+      {
+        'ParameterKey': 'AssociateSubnets',
+        'ParameterValue': event['AssociateSubnets']
+      }
+    ]
+  ))
+
+  return 'OK'

data/lib/cfnvpn/templates/lambdas.rb

@@ -0,0 +1,35 @@
+require 'zip'
+require 'securerandom'
+require 'aws-sdk-s3'
+require 'cfnvpn/log'
+
+module CfnVpn
+  module Templates
+    class Lambdas
+
+      def self.package_lambda(name:, bucket:, func:, files:)
+        lambdas_dir = File.join(File.dirname(File.expand_path(__FILE__)), 'lambdas')
+        FileUtils.mkdir_p(lambdas_dir)
+
+        CfnVpn::Log.logger.debug "zipping lambda function #{func}"
+        zipfile_name = "#{func}-#{SecureRandom.hex}.zip"
+        zipfile_path = "#{CfnVpn.cfnvpn_path}/#{name}/lambdas"
+        FileUtils.mkdir_p(zipfile_path)
+        Zip::File.open("#{zipfile_path}/#{zipfile_name}", Zip::File::CREATE) do |zipfile|
+          files.each do |file|
+            zipfile.add(file, File.join("#{lambdas_dir}/#{func}", file))
+          end
+        end
+
+        bucket = Aws::S3::Bucket.new(bucket)
+        object = bucket.object("cfnvpn/lambdas/#{name}/#{zipfile_name}")
+        CfnVpn::Log.logger.debug "uploading #{zipfile_name} to s3://#{bucket}/#{object.key}"
+        object.upload_file("#{zipfile_path}/#{zipfile_name}")
+
+        return object.key
+      end
+      
+    end
+  end
+end
+

data/lib/cfnvpn/templates/vpn.rb

@@ -1,5 +1,6 @@
 require 'cfndsl'
 require 'cfnvpn/templates/helper'
+require 'cfnvpn/templates/lambdas'
 
 module CfnVpn
   module Templates
@@ -32,7 +33,7 @@ module CfnVpn
             {
               FederatedAuthentication: {
                 SAMLProviderArn: config[:saml_arn],
-                SelfServiceSAMLProviderArn: config[:saml_arn]
+                SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
               },
               Type: 'federated-authentication'
             }
@@ -69,6 +70,7 @@ module CfnVpn
           SplitTunnel config[:split_tunnel]
         }
 
+        network_assoc_dependson = []
         config[:subnet_ids].each_with_index do |subnet, index|
           suffix = index == 0 ? "" : "For#{subnet.resource_safe}"
 
@@ -78,74 +80,112 @@ module CfnVpn
             SubnetId subnet
           }
 
-          if config[:default_groups].any?
-            config[:default_groups].each do |group|
-              EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}#{group.resource_safe}"[0..255]) {
-                Condition(:EnableSubnetAssociation)
-                DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
-                Description FnSub("#{name} client-vpn auth rule for subnet association")
-                AccessGroupId group
-                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-                TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
-              }
-            end
-          else
-            EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}") {
+          network_assoc_dependson << "ClientVpnTargetNetworkAssociation#{suffix}"
+        end
+
+        if config[:default_groups].any?
+          config[:default_groups].each do |group|
+            EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{group.resource_safe}"[0..255]) {
               Condition(:EnableSubnetAssociation)
-              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              DependsOn network_assoc_dependson if network_assoc_dependson.any?
               Description FnSub("#{name} client-vpn auth rule for subnet association")
-              AuthorizeAllGroups true
+              AccessGroupId group
               ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
+              TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], config[:subnet_ids].first)
             }
           end
+        else
+          EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule") {
+            Condition(:EnableSubnetAssociation)
+            DependsOn network_assoc_dependson if network_assoc_dependson.any?
+            Description FnSub("#{name} client-vpn auth rule for subnet association")
+            AuthorizeAllGroups true
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], config[:subnet_ids].first)
+          }
+        end
 
-          if subnet == config[:internet_route]
-            EC2_ClientVpnRoute(:RouteToInternet) {
-              Condition(:EnableSubnetAssociation)
-              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
-              Description 'Route to the internet'
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              DestinationCidrBlock '0.0.0.0/0'
-              TargetVpcSubnetId config[:internet_route]
+        if !config[:internet_route].nil?
+          EC2_ClientVpnRoute(:RouteToInternet) {
+            Condition(:EnableSubnetAssociation)
+            DependsOn network_assoc_dependson if network_assoc_dependson.any?
+            Description "Route to the internet through subnet #{config[:internet_route]}"
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            DestinationCidrBlock '0.0.0.0/0'
+            TargetVpcSubnetId config[:internet_route]
+          }
+        
+          EC2_ClientVpnAuthorizationRule(:RouteToInternetAuthorizationRule) {
+            Condition(:EnableSubnetAssociation)
+            DependsOn network_assoc_dependson if network_assoc_dependson.any?
+            Description "Internet route authorization from subnet #{config[:internet_route]}"
+            AuthorizeAllGroups true
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            TargetNetworkCidr '0.0.0.0/0'
+          }
+
+          output(:InternetRoute, config[:internet_route])
+        end
+
+        dns_routes = config[:routes].select {|route| route.has_key?(:dns)}
+        cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
+
+        if dns_routes.any?
+          auto_route_populator(name, config[:bucket])
+
+          dns_routes.each do |route|
+            input = { 
+              Record: route[:dns],
+              ClientVpnEndpointId: "${ClientVpnEndpoint}",
+              TargetSubnet: route[:subnet],
+              Description: route[:desc]
             }
-          
-            EC2_ClientVpnAuthorizationRule(:RouteToInternetAuthorizationRule) {
-              Condition(:EnableSubnetAssociation)
-              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
-              Description 'Route to the internet'
-              AuthorizeAllGroups true
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              TargetNetworkCidr '0.0.0.0/0'
+            
+            if route[:groups].any?
+              input[:Groups] = route[:groups]
+            end
+
+            Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
+              State 'ENABLED'
+              Description "cfnvpn auto route populator schedule for #{route[:dns]}"
+              ScheduleExpression "rate(5 minutes)"
+              Targets([
+                { 
+                  Arn: FnGetAtt(:CfnVpnAutoRoutePopulator, :Arn),
+                  Id: "cfnvpnautoroutepopulator#{route[:dns].event_id_safe}",
+                  Input: FnSub(input.to_json)
+                }
+              ])
             }
-  
-            output(:InternetRoute, config[:internet_route])
           end
         end
 
-        config[:routes].each do |route|
-          EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
-            Description route[:desc]
-            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-            DestinationCidrBlock route[:cidr]
-            TargetVpcSubnetId route[:subnet]
-          }
-          if route[:groups].any?
-            route[:groups].each do |group|
-              EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
-                Description route[:desc]
-                AccessGroupId group
+        if cidr_routes.any?
+          cidr_routes.each do |route|
+            EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
+              Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              DestinationCidrBlock route[:cidr]
+              TargetVpcSubnetId route[:subnet]
+            }
+
+            if route[:groups].any?
+              route[:groups].each do |group|
+                EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
+                  Description "cfnvpn static authorization rule for group #{group} to route #{route[:cidr]}. #{route[:desc]}".strip
+                  AccessGroupId group
+                  ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                  TargetNetworkCidr route[:cidr]
+                }
+              end
+            else
+              EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
+                Description "cfnvpn static allow all authorization rule to route #{route[:cidr]}. #{route[:desc]}".strip
+                AuthorizeAllGroups true
                 ClientVpnEndpointId Ref(:ClientVpnEndpoint)
                 TargetNetworkCidr route[:cidr]
               }
             end
-          else
-            EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
-              Description route[:desc]
-              AuthorizeAllGroups true
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              TargetNetworkCidr route[:cidr]
-            }
           end
         end
         
@@ -156,13 +196,13 @@ module CfnVpn
           Type 'String'
           Value config.to_json
           Tags({
-            Name:  "#{name}-cfnvpn-config",
+            Name: "#{name}-cfnvpn-config",
             Environment: 'cfnvpn'
           })
         }
 
         if config[:start] || config[:stop]
-          scheduler(name, config[:start], config[:stop])
+          scheduler(name, config[:start], config[:stop], config[:bucket])
           output(:Start, config[:start]) if config[:start]
           output(:Stop, config[:stop]) if config[:stop]
         end
@@ -188,7 +228,92 @@ module CfnVpn
         Output(name) { Value value }
       end
 
-      def scheduler(name, start, stop)
+      def auto_route_populator(name, bucket)
+        IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
+          AssumeRolePolicyDocument({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: { Service: [ 'lambda.amazonaws.com' ] },
+              Action: [ 'sts:AssumeRole' ]
+            }]
+          })
+          Path '/cfnvpn/'
+          Policies([
+            {
+              PolicyName: 'client-vpn',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [ 
+                    'ec2:AuthorizeClientVpnIngress',
+                    'ec2:RevokeClientVpnIngress',
+                    'ec2:DescribeClientVpnAuthorizationRules',
+                    'ec2:DescribeClientVpnEndpoints',
+                    'ec2:DescribeClientVpnRoutes',
+                    'ec2:CreateClientVpnRoute',
+                    'ec2:DeleteClientVpnRoute'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            },
+            {
+              PolicyName: 'logging',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'logs:DescribeLogGroups',
+                    'logs:CreateLogGroup',
+                    'logs:CreateLogStream',
+                    'logs:DescribeLogStreams',
+                    'logs:PutLogEvents'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            }
+          ])
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator-role" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'auto_route_populator', files: ['app.py'])
+        
+        Lambda_Function(:CfnVpnAutoRoutePopulator) {
+          Runtime 'python3.8'
+          Role FnGetAtt(:CfnVpnAutoRoutePopulatorRole, :Arn)
+          MemorySize '128'
+          Handler 'app.handler'
+          Timeout 60
+          Code({
+            S3Bucket: bucket,
+            S3Key: s3_key
+          })
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        Logs_LogGroup(:CfnVpnAutoRoutePopulatorLogGroup) {
+          LogGroupName FnSub("/aws/lambda/${CfnVpnAutoRoutePopulator}")
+          RetentionInDays 30
+        }
+
+        Lambda_Permission(:CfnVpnAutoRoutePopulatorFunctionPermissions) {
+          FunctionName Ref(:CfnVpnAutoRoutePopulator)
+          Action 'lambda:InvokeFunction'
+          Principal 'events.amazonaws.com'
+        }
+      end
+
+      def scheduler(name, start, stop, bucket)
         IAM_Role(:ClientVpnSchedulerRole) {
           AssumeRolePolicyDocument({
             Version: '2012-10-17',
@@ -228,7 +353,10 @@ module CfnVpn
                     'ec2:DescribeClientVpnAuthorizationRules',
                     'ec2:DescribeClientVpnEndpoints',
                     'ec2:DescribeClientVpnConnections',
-                    'ec2:TerminateClientVpnConnections'
+                    'ec2:TerminateClientVpnConnections',
+                    'ec2:DescribeClientVpnRoutes',
+                    'ec2:CreateClientVpnRoute',
+                    'ec2:DeleteClientVpnRoute'
                   ],
                   Resource: '*'
                 }]
@@ -258,46 +386,17 @@ module CfnVpn
           ])
         }
 
+        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
+
         Lambda_Function(:ClientVpnSchedulerFunction) {
-          Runtime 'python3.7'
+          Runtime 'python3.8'
           Role FnGetAtt(:ClientVpnSchedulerRole, :Arn)
           MemorySize '128'
-          Handler 'index.handler'
+          Handler 'app.handler'
+          Timeout 60
           Code({
-            ZipFile: <<~EOS
-            import boto3
-
-            def handler(event, context):
-
-              print(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
-
-              if event['AssociateSubnets'] == 'false':
-                print(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
-                ec2 = boto3.client('ec2')
-                resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
-                for conn in resp['Connections']:
-                  if conn['Status']['Code'] == 'active':
-                    ec2.terminate_client_vpn_connections(
-                      ClientVpnEndpointId=event['ClientVpnEndpointId'],
-                      ConnectionId=conn['ConnectionId']
-                    )
-                    print(f"terminated session {conn['ConnectionId']}")
-
-              client = boto3.client('cloudformation')
-              print(client.update_stack(
-                StackName=event['StackName'],
-                UsePreviousTemplate=True,
-                Capabilities=['CAPABILITY_IAM'],
-                Parameters=[
-                  {
-                    'ParameterKey': 'AssociateSubnets',
-                    'ParameterValue': event['AssociateSubnets']
-                  }
-                ]
-              ))
-
-              return 'OK'
-            EOS
+            S3Bucket: bucket,
+            S3Key: s3_key
           })
           Tags([
             { Key: 'Name', Value: "#{name}-cfnvpn-scheduler-function" },

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.2.0".freeze
+  VERSION = "1.3.4".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end