cfn-vpn 1.3.0 → 1.4.0

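--- a/lib/cfnvpn/templates/vpn.rb
+++ b/lib/cfnvpn/templates/vpn.rb
@@ -33,7 +33,7 @@ module CfnVpn
  {
  FederatedAuthentication: {
  SAMLProviderArn: config[:saml_arn],
- SelfServiceSAMLProviderArn: config[:saml_arn]
+ SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
  },
  Type: 'federated-authentication'
  }
@@ -131,13 +131,22 @@ module CfnVpn
  cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
 
  if dns_routes.any?
- auto_route_populator(name, config[:bucket])
+ auto_route_populator(name, config)
 
  dns_routes.each do |route|
+ # to aide in the migration from single to HA routes if the vpn is HA
+ if route[:subnets]
+ target_subnets = route[:subnets]
+ elsif config[:subnet_ids].include?(route[:subnet])
+ target_subnets = config[:subnet_ids]
+ else
+ target_subnets = [*route[:subnet]]
+ end
+
  input = {
  Record: route[:dns],
  ClientVpnEndpointId: "${ClientVpnEndpoint}",
- TargetSubnet: route[:subnet],
+ TargetSubnets: target_subnets,
  Description: route[:desc]
  }
 
@@ -146,6 +155,8 @@ module CfnVpn
  end
 
  Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
+ Condition(:EnableSubnetAssociation)
+ DependsOn network_assoc_dependson if network_assoc_dependson.any?
  State 'ENABLED'
  Description "cfnvpn auto route populator schedule for #{route[:dns]}"
  ScheduleExpression "rate(5 minutes)"
@@ -162,17 +173,28 @@ module CfnVpn
 
  if cidr_routes.any?
  cidr_routes.each do |route|
- EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
- Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}"
- ClientVpnEndpointId Ref(:ClientVpnEndpoint)
- DestinationCidrBlock route[:cidr]
- TargetVpcSubnetId route[:subnet]
- }
+ # to aide in the migration from single to HA routes if the vpn is HA
+ if route[:subnets]
+ target_subnets = route[:subnets]
+ elsif config[:subnet_ids].include?(route[:subnet])
+ target_subnets = config[:subnet_ids]
+ else
+ target_subnets = [*route[:subnet]]
+ end
+
+ target_subnets.each do |subnet|
+ EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]) {
+ Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
+ ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+ DestinationCidrBlock route[:cidr]
+ TargetVpcSubnetId subnet
+ }
+ end
 
  if route[:groups].any?
  route[:groups].each do |group|
  EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
- Description "cfnvpn static authorization rule for group #{group} to route #{route[:cidr]}. #{route[:desc]}"
+ Description "cfnvpn static authorization rule for group #{group} to route #{route[:cidr]}. #{route[:desc]}".strip
  AccessGroupId group
  ClientVpnEndpointId Ref(:ClientVpnEndpoint)
  TargetNetworkCidr route[:cidr]
@@ -180,7 +202,7 @@ module CfnVpn
  end
  else
  EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
- Description "cfnvpn static allow all authorization rule to route #{route[:cidr]}. #{route[:desc]}"
+ Description "cfnvpn static allow all authorization rule to route #{route[:cidr]}. #{route[:desc]}".strip
  AuthorizeAllGroups true
  ClientVpnEndpointId Ref(:ClientVpnEndpoint)
  TargetNetworkCidr route[:cidr]
@@ -202,7 +224,7 @@ module CfnVpn
  }
 
  if config[:start] || config[:stop]
- scheduler(name, config[:start], config[:stop], config[:bucket])
+ scheduler(name, config)
  output(:Start, config[:start]) if config[:start]
  output(:Stop, config[:stop]) if config[:stop]
  end
@@ -228,7 +250,7 @@ module CfnVpn
  Output(name) { Value value }
  end
 
- def auto_route_populator(name, bucket)
+ def auto_route_populator(name, config)
  IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
  AssumeRolePolicyDocument({
  Version: '2012-10-17',
@@ -283,7 +305,17 @@ module CfnVpn
  ])
  }
 
- s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'auto_route_populator', files: ['app.py'])
+ s3_key = CfnVpn::Templates::Lambdas.package_lambda(
+ name: name,
+ bucket: config[:bucket],
+ func: 'auto_route_populator',
+ files: [
+ 'auto_route_populator/app.py',
+ 'auto_route_populator/quotas.py',
+ 'lib/slack.py',
+ 'auto_route_populator/states.py'
+ ]
+ )
 
  Lambda_Function(:CfnVpnAutoRoutePopulator) {
  Runtime 'python3.8'
@@ -292,9 +324,15 @@ module CfnVpn
  Handler 'app.handler'
  Timeout 60
  Code({
- S3Bucket: bucket,
+ S3Bucket: config[:bucket],
  S3Key: s3_key
  })
+ Environment({
+ Variables: {
+ SLACK_URL: config[:slack_webhook_url] || '',
+ AUTO_LIMIT_INCREASE: config[:auto_limit_increase]
+ }
+ })
  Tags([
  { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
  { Key: 'Environment', Value: 'cfnvpn' }
@@ -313,7 +351,7 @@ module CfnVpn
  }
  end
 
- def scheduler(name, start, stop, bucket)
+ def scheduler(name, config)
  IAM_Role(:ClientVpnSchedulerRole) {
  AssumeRolePolicyDocument({
  Version: '2012-10-17',
@@ -353,12 +391,34 @@ module CfnVpn
  'ec2:DescribeClientVpnAuthorizationRules',
  'ec2:DescribeClientVpnEndpoints',
  'ec2:DescribeClientVpnConnections',
- 'ec2:TerminateClientVpnConnections'
+ 'ec2:TerminateClientVpnConnections',
+ 'ec2:DescribeClientVpnRoutes',
+ 'ec2:CreateClientVpnRoute',
+ 'ec2:DeleteClientVpnRoute'
  ],
  Resource: '*'
  }]
  }
  },
+ {
+ PolicyName: 'route-populator-events',
+ PolicyDocument: {
+ Version: '2012-10-17',
+ Statement: [{
+ Effect: 'Allow',
+ Action: [
+ 'events:PutRule',
+ 'events:PutTargets',
+ 'events:DeleteRule',
+ 'events:DescribeRule',
+ 'events:DisableRule',
+ 'events:EnableRule',
+ 'events:RemoveTargets'
+ ],
+ Resource: FnSub("arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/#{name}-cfnvpn-CfnVpnAutoRoutePopulator*")
+ }]
+ }
+ },
  {
  PolicyName: 'logging',
  PolicyDocument: {
@@ -383,7 +443,7 @@ module CfnVpn
  ])
  }
 
- s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
+ s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: config[:bucket], func: 'scheduler', files: ['scheduler/app.py', 'lib/slack.py', 'scheduler/states.py'])
 
  Lambda_Function(:ClientVpnSchedulerFunction) {
  Runtime 'python3.8'
@@ -391,8 +451,13 @@ module CfnVpn
  MemorySize '128'
  Handler 'app.handler'
  Timeout 60
+ Environment({
+ Variables: {
+ SLACK_URL: config[:slack_webhook_url] || ''
+ }
+ })
  Code({
- S3Bucket: bucket,
+ S3Bucket: config[:bucket],
  S3Key: s3_key
  })
  Tags([
@@ -412,11 +477,11 @@ module CfnVpn
  Principal 'events.amazonaws.com'
  }
 
- if start
+ if config[:start]
  Events_Rule(:ClientVpnSchedulerStart) {
  State 'ENABLED'
  Description "cfnvpn start schedule"
- ScheduleExpression "cron(#{start})"
+ ScheduleExpression "cron(#{config[:start]})"
  Targets([
  {
  Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
@@ -427,11 +492,11 @@ module CfnVpn
  }
  end
 
- if stop
+ if config[:stop]
  Events_Rule(:ClientVpnSchedulerStop) {
  State 'ENABLED'
  Description "cfnvpn stop schedule"
- ScheduleExpression "cron(#{stop})"
+ ScheduleExpression "cron(#{config[:stop]})"
  Targets([
  {
  Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),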
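Review bot: In the `@@ -353,12 +391,34 @@` hunk the new `ec2:CreateClientVpnRoute` and `ec2:DeleteClientVpnRoute` are appended to the scheduler role's statement that keeps `Resource: '*'`, so this role may add or remove routes on every Client VPN endpoint in the account rather than only the one this stack owns. Unlike the `ec2:Describe*` actions, the two route actions accept resource-level ARNs (the client-vpn-endpoint and, as far as I recall, the subnet), so they can move into a second statement pinned to `${ClientVpnEndpoint}`, mirroring how the new `route-populator-events` policy is already pinned to the populator rule-name prefix. The pre-existing `ec2:TerminateClientVpnConnections` in the same `*` statement could join the scoped statement too. The enclosing `IAM_Role(:ClientVpnSchedulerRole)` starts outside this hunk.
```ruby
'ec2:TerminateClientVpnConnections'
],
Resource: '*'
}, {
  # mutating route actions take a client-vpn-endpoint (and subnet) resource, so pin them to this stack's endpoint
  Effect: 'Allow',
  Action: [
    'ec2:CreateClientVpnRoute',
    'ec2:DeleteClientVpnRoute'
  ],
  Resource: [
    FnSub("arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:client-vpn-endpoint/${ClientVpnEndpoint}"),
    FnSub("arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:subnet/*")
  ]
}]
# … unchanged: PolicyDocument close and the new route-populator-events policy …
```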
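--- a/lib/cfnvpn/version.rb
+++ b/lib/cfnvpn/version.rb
@@ -1,4 +1,4 @@
  module CfnVpn
- VERSION = "1.3.0".freeze
+ VERSION = "1.4.0".freeze
  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
  end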
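--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cfn-vpn
  version: !ruby/object:Gem::Version
- version: 1.3.0
+ version: 1.4.0
  platform: ruby
  authors:
  - Guslington
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2021-04-01 00:00:00.000000000 Z
+ date: 2021-12-15 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: thor
@@ -247,6 +247,7 @@ files:
  - docs/routes.md
  - docs/scheduling.md
  - docs/sessions.md
+ - docs/slack-notifications.md
  - exe/cfn-vpn
  - lib/cfnvpn.rb
  - lib/cfnvpn/acm.rb
@@ -273,7 +274,11 @@ files:
  - lib/cfnvpn/templates/helper.rb
  - lib/cfnvpn/templates/lambdas.rb
  - lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
+ - lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py
+ - lib/cfnvpn/templates/lambdas/auto_route_populator/states.py
+ - lib/cfnvpn/templates/lambdas/lib/slack.py
  - lib/cfnvpn/templates/lambdas/scheduler/app.py
+ - lib/cfnvpn/templates/lambdas/scheduler/states.py
  - lib/cfnvpn/templates/vpn.rb
  - lib/cfnvpn/version.rb
  homepage: https://github.com/base2services/aws-client-vpn
@@ -297,7 +302,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.1.4
+ rubygems_version: 3.1.6
  signing_key:
  specification_version: 4
  summary: creates and manages resources for the aws client vpn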