cfn-vpn 1.3.0 → 1.4.0

@@ -33,7 +33,7 @@ module CfnVpn
33
33
  {
34
34
  FederatedAuthentication: {
35
35
  SAMLProviderArn: config[:saml_arn],
36
- SelfServiceSAMLProviderArn: config[:saml_arn]
36
+ SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
37
37
  },
38
38
  Type: 'federated-authentication'
39
39
  }
@@ -131,13 +131,22 @@ module CfnVpn
131
131
  cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
132
132
 
133
133
  if dns_routes.any?
134
- auto_route_populator(name, config[:bucket])
134
+ auto_route_populator(name, config)
135
135
 
136
136
  dns_routes.each do |route|
137
+ # to aide in the migration from single to HA routes if the vpn is HA
138
+ if route[:subnets]
139
+ target_subnets = route[:subnets]
140
+ elsif config[:subnet_ids].include?(route[:subnet])
141
+ target_subnets = config[:subnet_ids]
142
+ else
143
+ target_subnets = [*route[:subnet]]
144
+ end
145
+
137
146
  input = {
138
147
  Record: route[:dns],
139
148
  ClientVpnEndpointId: "${ClientVpnEndpoint}",
140
- TargetSubnet: route[:subnet],
149
+ TargetSubnets: target_subnets,
141
150
  Description: route[:desc]
142
151
  }
143
152
 
@@ -146,6 +155,8 @@ module CfnVpn
146
155
  end
147
156
 
148
157
  Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
158
+ Condition(:EnableSubnetAssociation)
159
+ DependsOn network_assoc_dependson if network_assoc_dependson.any?
149
160
  State 'ENABLED'
150
161
  Description "cfnvpn auto route populator schedule for #{route[:dns]}"
151
162
  ScheduleExpression "rate(5 minutes)"
@@ -162,17 +173,28 @@ module CfnVpn
162
173
 
163
174
  if cidr_routes.any?
164
175
  cidr_routes.each do |route|
165
- EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
166
- Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}"
167
- ClientVpnEndpointId Ref(:ClientVpnEndpoint)
168
- DestinationCidrBlock route[:cidr]
169
- TargetVpcSubnetId route[:subnet]
170
- }
176
+ # to aide in the migration from single to HA routes if the vpn is HA
177
+ if route[:subnets]
178
+ target_subnets = route[:subnets]
179
+ elsif config[:subnet_ids].include?(route[:subnet])
180
+ target_subnets = config[:subnet_ids]
181
+ else
182
+ target_subnets = [*route[:subnet]]
183
+ end
184
+
185
+ target_subnets.each do |subnet|
186
+ EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]) {
187
+ Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
188
+ ClientVpnEndpointId Ref(:ClientVpnEndpoint)
189
+ DestinationCidrBlock route[:cidr]
190
+ TargetVpcSubnetId subnet
191
+ }
192
+ end
171
193
 
172
194
  if route[:groups].any?
173
195
  route[:groups].each do |group|
174
196
  EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
175
- Description "cfnvpn static authorization rule for group #{group} to route #{route[:cidr]}. #{route[:desc]}"
197
+ Description "cfnvpn static authorization rule for group #{group} to route #{route[:cidr]}. #{route[:desc]}".strip
176
198
  AccessGroupId group
177
199
  ClientVpnEndpointId Ref(:ClientVpnEndpoint)
178
200
  TargetNetworkCidr route[:cidr]
@@ -180,7 +202,7 @@ module CfnVpn
180
202
  end
181
203
  else
182
204
  EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
183
- Description "cfnvpn static allow all authorization rule to route #{route[:cidr]}. #{route[:desc]}"
205
+ Description "cfnvpn static allow all authorization rule to route #{route[:cidr]}. #{route[:desc]}".strip
184
206
  AuthorizeAllGroups true
185
207
  ClientVpnEndpointId Ref(:ClientVpnEndpoint)
186
208
  TargetNetworkCidr route[:cidr]
@@ -202,7 +224,7 @@ module CfnVpn
202
224
  }
203
225
 
204
226
  if config[:start] || config[:stop]
205
- scheduler(name, config[:start], config[:stop], config[:bucket])
227
+ scheduler(name, config)
206
228
  output(:Start, config[:start]) if config[:start]
207
229
  output(:Stop, config[:stop]) if config[:stop]
208
230
  end
@@ -228,7 +250,7 @@ module CfnVpn
228
250
  Output(name) { Value value }
229
251
  end
230
252
 
231
- def auto_route_populator(name, bucket)
253
+ def auto_route_populator(name, config)
232
254
  IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
233
255
  AssumeRolePolicyDocument({
234
256
  Version: '2012-10-17',
@@ -283,7 +305,17 @@ module CfnVpn
283
305
  ])
284
306
  }
285
307
 
286
- s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'auto_route_populator', files: ['app.py'])
308
+ s3_key = CfnVpn::Templates::Lambdas.package_lambda(
309
+ name: name,
310
+ bucket: config[:bucket],
311
+ func: 'auto_route_populator',
312
+ files: [
313
+ 'auto_route_populator/app.py',
314
+ 'auto_route_populator/quotas.py',
315
+ 'lib/slack.py',
316
+ 'auto_route_populator/states.py'
317
+ ]
318
+ )
287
319
 
288
320
  Lambda_Function(:CfnVpnAutoRoutePopulator) {
289
321
  Runtime 'python3.8'
@@ -292,9 +324,15 @@ module CfnVpn
292
324
  Handler 'app.handler'
293
325
  Timeout 60
294
326
  Code({
295
- S3Bucket: bucket,
327
+ S3Bucket: config[:bucket],
296
328
  S3Key: s3_key
297
329
  })
330
+ Environment({
331
+ Variables: {
332
+ SLACK_URL: config[:slack_webhook_url] || '',
333
+ AUTO_LIMIT_INCREASE: config[:auto_limit_increase]
334
+ }
335
+ })
298
336
  Tags([
299
337
  { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
300
338
  { Key: 'Environment', Value: 'cfnvpn' }
@@ -313,7 +351,7 @@ module CfnVpn
313
351
  }
314
352
  end
315
353
 
316
- def scheduler(name, start, stop, bucket)
354
+ def scheduler(name, config)
317
355
  IAM_Role(:ClientVpnSchedulerRole) {
318
356
  AssumeRolePolicyDocument({
319
357
  Version: '2012-10-17',
@@ -353,12 +391,34 @@ module CfnVpn
353
391
  'ec2:DescribeClientVpnAuthorizationRules',
354
392
  'ec2:DescribeClientVpnEndpoints',
355
393
  'ec2:DescribeClientVpnConnections',
356
- 'ec2:TerminateClientVpnConnections'
394
+ 'ec2:TerminateClientVpnConnections',
395
+ 'ec2:DescribeClientVpnRoutes',
396
+ 'ec2:CreateClientVpnRoute',
397
+ 'ec2:DeleteClientVpnRoute'
357
398
  ],
358
399
  Resource: '*'
359
400
  }]
360
401
  }
361
402
  },
403
+ {
404
+ PolicyName: 'route-populator-events',
405
+ PolicyDocument: {
406
+ Version: '2012-10-17',
407
+ Statement: [{
408
+ Effect: 'Allow',
409
+ Action: [
410
+ 'events:PutRule',
411
+ 'events:PutTargets',
412
+ 'events:DeleteRule',
413
+ 'events:DescribeRule',
414
+ 'events:DisableRule',
415
+ 'events:EnableRule',
416
+ 'events:RemoveTargets'
417
+ ],
418
+ Resource: FnSub("arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/#{name}-cfnvpn-CfnVpnAutoRoutePopulator*")
419
+ }]
420
+ }
421
+ },
362
422
  {
363
423
  PolicyName: 'logging',
364
424
  PolicyDocument: {
@@ -383,7 +443,7 @@ module CfnVpn
383
443
  ])
384
444
  }
385
445
 
386
- s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
446
+ s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: config[:bucket], func: 'scheduler', files: ['scheduler/app.py', 'lib/slack.py', 'scheduler/states.py'])
387
447
 
388
448
  Lambda_Function(:ClientVpnSchedulerFunction) {
389
449
  Runtime 'python3.8'
@@ -391,8 +451,13 @@ module CfnVpn
391
451
  MemorySize '128'
392
452
  Handler 'app.handler'
393
453
  Timeout 60
454
+ Environment({
455
+ Variables: {
456
+ SLACK_URL: config[:slack_webhook_url] || ''
457
+ }
458
+ })
394
459
  Code({
395
- S3Bucket: bucket,
460
+ S3Bucket: config[:bucket],
396
461
  S3Key: s3_key
397
462
  })
398
463
  Tags([
@@ -412,11 +477,11 @@ module CfnVpn
412
477
  Principal 'events.amazonaws.com'
413
478
  }
414
479
 
415
- if start
480
+ if config[:start]
416
481
  Events_Rule(:ClientVpnSchedulerStart) {
417
482
  State 'ENABLED'
418
483
  Description "cfnvpn start schedule"
419
- ScheduleExpression "cron(#{start})"
484
+ ScheduleExpression "cron(#{config[:start]})"
420
485
  Targets([
421
486
  {
422
487
  Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
@@ -427,11 +492,11 @@ module CfnVpn
427
492
  }
428
493
  end
429
494
 
430
- if stop
495
+ if config[:stop]
431
496
  Events_Rule(:ClientVpnSchedulerStop) {
432
497
  State 'ENABLED'
433
498
  Description "cfnvpn stop schedule"
434
- ScheduleExpression "cron(#{stop})"
499
+ ScheduleExpression "cron(#{config[:stop]})"
435
500
  Targets([
436
501
  {
437
502
  Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
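Review bot: The new `ec2:DescribeClientVpnRoutes`, `ec2:CreateClientVpnRoute` and `ec2:DeleteClientVpnRoute` actions in the `@@ -353,12 +391,34 @@` hunk (which sits inside `scheduler`, so this appears to be the scheduler role's policy) are added to the statement whose `Resource: '*'`, so that Lambda may add or remove routes on every Client VPN endpoint in the account rather than only the endpoint this stack creates. The events policy added directly below is already scoped to this stack's rule ARN, and the route and terminate actions deserve the same treatment: move them into a separate statement whose `Resource` is the endpoint ARN built with `FnSub` from `${ClientVpnEndpoint}` (CreateClientVpnRoute is also authorized against the target subnet ARNs, so those would need listing too — verify against the IAM action reference), leaving only the `ec2:Describe*` actions on `'*'`. In the auto_route_populator environment block (`@@ -292,9 +324,15 @@`), `AUTO_LIMIT_INCREASE: config[:auto_limit_increase]` has no fallback while `SLACK_URL` does, so an absent key would render as a null variable value that CloudFormation is likely to reject; `AUTO_LIMIT_INCREASE: config[:auto_limit_increase].to_s` keeps it a string in every case. Both environment blocks also place the Slack webhook URL in plaintext Lambda configuration and in the rendered template, readable by anyone holding `lambda:GetFunctionConfiguration` or `cloudformation:GetTemplate`, so if that URL is treated as a secret an SSM SecureString or Secrets Manager reference resolved at runtime is the safer home. The enclosing methods (`auto_route_populator`, `scheduler`) begin and end outside the hunks shown.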
@@ -1,4 +1,4 @@
1
1
  module CfnVpn
2
- VERSION = "1.3.0".freeze
2
+ VERSION = "1.4.0".freeze
3
3
  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
4
4
  end
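--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-version: 1.3.0
+version: 1.4.0
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-04-01 00:00:00.000000000 Z
+date: 2021-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thor
@@ -247,6 +247,7 @@ files:
 - docs/routes.md
 - docs/scheduling.md
 - docs/sessions.md
+- docs/slack-notifications.md
 - exe/cfn-vpn
 - lib/cfnvpn.rb
 - lib/cfnvpn/acm.rb
@@ -273,7 +274,11 @@ files:
 - lib/cfnvpn/templates/helper.rb
 - lib/cfnvpn/templates/lambdas.rb
 - lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
+- lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py
+- lib/cfnvpn/templates/lambdas/auto_route_populator/states.py
+- lib/cfnvpn/templates/lambdas/lib/slack.py
 - lib/cfnvpn/templates/lambdas/scheduler/app.py
+- lib/cfnvpn/templates/lambdas/scheduler/states.py
 - lib/cfnvpn/templates/vpn.rb
 - lib/cfnvpn/version.rb
 homepage: https://github.com/base2services/aws-client-vpn
@@ -297,7 +302,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: creates and manages resources for the aws client vpn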