cfn-vpn 1.3.1 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 672ae92015c16fcc2ce33e05a22ca651b4974d4669d91115c2f5d49b36aa4062
4
- data.tar.gz: 3e595961778b5d67112b6219d690cd589e8523813f22e7a3a196dfab6d77d59d
3
+ metadata.gz: c46ffdf0579ffd7c1fd42efadc969bbd095f9f789dfcb5b9e3e2aef7f85e959c
4
+ data.tar.gz: 7a6e1a34fa32b2246a8998e8645381635e8c5adf7a6bf978c241ea4d7e4ee217
5
5
  SHA512:
6
- metadata.gz: fee3ea79a3c51a77aaa5b6be535fc950ecfd32de121e6aadd363ef4def0af7fe201b414624036d9553f8a7158cb9e6fe16189972b599bcfd8df688c0dec09051
7
- data.tar.gz: 4bcc5243d2365706f57d07bf2c0cbad79debde39952d8535407cd58fb26d5d1e77857cedbf0170d726c8a56c7f70a2a90a26349991a0c3a7bf51fd824eae2bb4
6
+ metadata.gz: 6aa8e34eab7fe87a36128e299a3603f6e2cad58bf55cc9a2ff4f3847306a0ce92ba20c6a9471f7356c43eee85ccd6a362bed7bf7feb14df2a97cb54cc0af546d
7
+ data.tar.gz: 5aefb22f6d9ea925877f0811897fdd3e4a47286769cb106e19a46df6ccd7d2ce29d30bdc93ea2c87c4fb686609a33c009186057b248af9b33645b15d72d8f22c
@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
63
63
  The following command and required option will launch a new federated based Client-VPN
64
64
 
65
65
  ```sh
66
- cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
66
+ cfn-vpn init [name] --server-cn [server certificate name] \
67
+ --subnet-ids [list of subets to associate with the vpn] \
68
+ --saml-arn [identity providor arn]
67
69
  ```
68
70
 
69
71
  The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
70
72
 
73
+ ```diff
74
+ ! Group id's must be used if creating authorisation rules.
75
+ ! Each SAML providor will have different group id's and means of retrieving them.
76
+ ```
77
+
71
78
  ```sh
72
- cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
79
+ cfn-vpn init [name] --server-cn [server certificate name] \
80
+ --subnet-ids [list of subnet to associate with the vpn] \
81
+ --saml-arn [identity provider arn] \
82
+ --default-groups [list of group ids]
73
83
  ```
74
84
 
75
85
  **AWS SSO**
76
86
 
77
87
  If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
78
88
 
89
+ If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
90
+
91
+ ```sh
92
+ cfn-vpn init [name] --server-cn [server certificate name] \
93
+ --subnet-ids [list of subnet to associate with the vpn] \
94
+ --saml-arn [identity provider arn] \
95
+ --saml-self-service-arn [self service identity provider arn] \
96
+ --default-groups [list of group ids]
97
+ ```
79
98
 
80
99
  ### AWS Directory Services Authenticated VPN
81
100
 
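Review bot: the first federated `cfn-vpn init` example (the three `+` lines that replace the old one-liner) keeps the typos `subets` and `identity providor arn`, while the second example in the same hunk corrects them to `subnet` and `identity provider arn`; since both commands are being rewritten, make them read identically apart from `--default-groups`. The new self-service paragraph also reads `you need to add the specify the` and runs straight into the URL; suggest `you need to specify `--saml-self-service-arn [self service identity provider arn]`. Follow the example at https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ to set up the self-service SSO application.` The `diff` admonition spells `providor` and `id's` as well; `provider` and `ids` keep it consistent with the rest of the file.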
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
84
103
  The following command and required option will launch a new directory service based Client-VPN
85
104
 
86
105
  ```sh
87
- cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
106
+ cfn-vpn init simple-ad --server-cn [server certificate name] \
107
+ --subnet-ids [list of subets to associate with the vpn] \
108
+ --directory-id [aws directirory serivce id]
88
109
  ```
89
110
 
90
111
  The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
91
112
 
92
113
  ```sh
93
- cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
114
+ cfn-vpn init simple-ad --server-cn [server certificate name] \
115
+ --subnet-ids [list of subets to associate with the vpn] \
116
+ --directory-id [aws directirory serivce id] \
117
+ --default-groups [list of group ids]
94
118
  ```
95
119
 
96
120
  See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
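Review bot: the reflowed directory-service commands carry `subets` and `aws directirory serivce id` over unchanged into all of the new `+` lines; as these lines are being rewritten anyway, correct them to `subnets` and `aws directory service id` so the placeholders match the correctly spelled `--directory-id` help text in the options block below.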
@@ -104,25 +128,27 @@ When using a federated ClientVPN you can modify the default auth to only allow s
104
128
 
105
129
  ```
106
130
  Options:
107
- r, [--region=REGION] # AWS Region
108
- # Default: ap-southeast-2
109
- [--verbose], [--no-verbose] # set log level to debug
110
- --server-cn=SERVER_CN # server certificate common name
111
- [--client-cn=CLIENT_CN] # client certificate common name
112
- [--easyrsa-local], [--no-easyrsa-local] # run the easyrsa executable from your local rather than from docker
113
- [--bucket=BUCKET] # s3 bucket
114
- --subnet-ids=one two three # subnet id to associate your vpn with
115
- [--default-groups=one two three] # groups to allow through the subnet associations when using federated auth
116
- [--cidr=CIDR] # cidr from which to assign client IP addresses
117
- # Default: 10.250.0.0/16
118
- [--dns-servers=one two three] # DNS Servers to push to clients.
119
- [--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
120
- # Default: true
121
- [--internet-route=INTERNET_ROUTE] # [subnet-id] create a default route to the internet through a subnet
122
- [--protocol=PROTOCOL] # set the protocol for the vpn connections
123
- # Default: udp
124
- # Possible values: udp, tcp
125
- [--start=START] # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
126
- [--stop=STOP] # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
127
- [--saml-arn=SAML_ARN] # IAM SAML idenditiy providor arn if using SAML federated authentication
128
- ```
131
+ r, [--region=REGION] # AWS Region
132
+ # Default: ap-southeast-2
133
+ [--verbose], [--no-verbose] # set log level to debug
134
+ --server-cn=SERVER_CN # server certificate common name
135
+ [--client-cn=CLIENT_CN] # client certificate common name
136
+ [--easyrsa-local], [--no-easyrsa-local] # run the easyrsa executable from your local rather than from docker
137
+ [--bucket=BUCKET] # s3 bucket, if not set one will be generated for you
138
+ --subnet-ids=one two three # subnet id to associate your vpn with
139
+ [--default-groups=one two three] # groups to allow through the subnet associations when using federated auth
140
+ [--cidr=CIDR] # cidr from which to assign client IP addresses
141
+ # Default: 10.250.0.0/16
142
+ [--dns-servers=one two three] # DNS Servers to push to clients.
143
+ [--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
144
+ # Default: true
145
+ [--internet-route=INTERNET_ROUTE] # [subnet-id] create a default route to the internet through a subnet
146
+ [--protocol=PROTOCOL] # set the protocol for the vpn connections
147
+ # Default: udp
148
+ # Possible values: udp, tcp
149
+ [--start=START] # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
150
+ [--stop=STOP] # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
151
+ [--saml-arn=SAML_ARN] # IAM SAML idenditiy providor arn if using SAML federated authentication
152
+ [--saml-self-service-arn=SAML_SELF_SERVICE_ARN] # IAM SAML idenditiy providor arn for the self service portal
153
+ [--directory-id=DIRECTORY_ID] # AWS Directory Service directory id if using Active Directory authentication
154
+ ```
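Review bot: the `--default-groups` help text still says `when using federated auth`, but the directory-service section above documents the same flag taking Active Directory group IDs or SIDs together with `--directory-id`; reword it to cover both modes, e.g. `groups to allow through the subnet associations when using federated or directory service auth`. The two SAML lines repeat `idenditiy providor`; spell it `identity provider`, in the newly added `--saml-self-service-arn` line especially. Re-indenting every line of the options block also turns a two-line addition into a whole-block rewrite that hides the actual change; keep the previous indentation or move the reformat into its own commit.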
@@ -36,6 +36,7 @@ module CfnVpn::Actions
36
36
  class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
37
37
 
38
38
  class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
39
+ class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
39
40
  class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
40
41
 
41
42
  def self.source_root
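Review bot: the `desc` for `:saml_self_service_arn` copies the `idenditiy providor` misspelling from the `:saml_arn` line above it into user-facing `--help` output; fix both to `identity provider`. For consistency with `:stop`, which declares `type: :string`, consider declaring the type on the two SAML options too (style only).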
@@ -64,6 +65,7 @@ module CfnVpn::Actions
64
65
  start: @options['start'],
65
66
  stop: @options['stop'],
66
67
  saml_arn: @options['saml_arn'],
68
+ saml_self_service_arn: @options['saml_self_service_arn'],
67
69
  directory_id: @options['directory_id'],
68
70
  routes: []
69
71
  }
@@ -33,7 +33,7 @@ module CfnVpn
33
33
  {
34
34
  FederatedAuthentication: {
35
35
  SAMLProviderArn: config[:saml_arn],
36
- SelfServiceSAMLProviderArn: config[:saml_arn]
36
+ SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
37
37
  },
38
38
  Type: 'federated-authentication'
39
39
  }
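Review bot: the fallback `config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]` contradicts the README text added in the same release, which says you `need to add` `--saml-self-service-arn` to use the self-service portal: when the flag is omitted, `SelfServiceSAMLProviderArn` is still set to the main `SAMLProviderArn`, so the pre-1.3.3 behaviour continues silently. Either document the fallback in the README or leave the property unset when the option is not given. Style: `config[:saml_self_service_arn] || config[:saml_arn]` expresses the same nil fallback more simply; note that neither form rejects an empty string passed on the command line, so an explicit presence check is safer if that case matters.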
@@ -1,4 +1,4 @@
1
1
  module CfnVpn
2
- VERSION = "1.3.1".freeze
2
+ VERSION = "1.3.3".freeze
3
3
  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
4
4
  end
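Review bot: `VERSION` jumps from `1.3.1` to `1.3.3` and nothing in this diff accounts for 1.3.2; no changelog file is touched either. A changelog entry covering both versions (and stating whether 1.3.2 was yanked or never published) would let users pinned to `~> 1.3.1` see that the self-service SAML option and the `--directory-id` help text are what they pick up. The derived `CHANGE_SET_VERSION` (`1-3-3`) follows from the bump and needs no change.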
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-vpn
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Guslington
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-06-04 00:00:00.000000000 Z
11
+ date: 2021-11-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor
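Review bot: `cert_chain: []` (unchanged context) shows the 1.3.3 gem is still unsigned, so the only integrity data shipped with it is the `checksums.yaml` digests inside the package itself, which anyone able to replace the package can regenerate; the `date` bump to 2021-11-04 is fine. For a tool that drives easyrsa to issue the VPN server and client certificates, consider signing releases with a gem certificate, or at least publishing the SHA256 values out of band so consumers can verify the package independently of the registry.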