cfn-vpn 1.3.4 → 1.4.0

@@ -131,13 +131,22 @@ module CfnVpn
131
131
  cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
132
132
 
133
133
  if dns_routes.any?
134
- auto_route_populator(name, config[:bucket])
134
+ auto_route_populator(name, config)
135
135
 
136
136
  dns_routes.each do |route|
137
+ # to aide in the migration from single to HA routes if the vpn is HA
138
+ if route[:subnets]
139
+ target_subnets = route[:subnets]
140
+ elsif config[:subnet_ids].include?(route[:subnet])
141
+ target_subnets = config[:subnet_ids]
142
+ else
143
+ target_subnets = [*route[:subnet]]
144
+ end
145
+
137
146
  input = {
138
147
  Record: route[:dns],
139
148
  ClientVpnEndpointId: "${ClientVpnEndpoint}",
140
- TargetSubnet: route[:subnet],
149
+ TargetSubnets: target_subnets,
141
150
  Description: route[:desc]
142
151
  }
143
152
 
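Review bot: The subnet-resolution chain added before `input = {` is copied verbatim into the CIDR branch in the next hunk, and neither copy handles a route that carries neither `:subnets` nor `:subnet`: it falls through to `[*nil]` and sends `TargetSubnets: []` to the populator as a silent no-op. I would pull the chain into one private helper shared by both branches and fail fast on an empty result, so a mistyped route key surfaces at template generation instead of as a route that never appears. `config[:subnet_ids]` is also dereferenced without a guard; whether it can be absent depends on config loading outside this hunk, so `Array(config[:subnet_ids])` is only a belt-and-braces change. The enclosing method starts and ends outside this hunk.
```ruby
# Resolve the subnets a route fans out to, upgrading single-subnet routes
# from pre-HA configs to every associated subnet of an HA endpoint.
def target_subnets_for(route, config)
  return route[:subnets] if route[:subnets]
  subnet_ids = Array(config[:subnet_ids])
  subnets = subnet_ids.include?(route[:subnet]) ? subnet_ids : [*route[:subnet]]
  raise ArgumentError, "route #{route[:dns] || route[:cidr]} has no subnet or subnets" if subnets.empty?
  subnets
end
# … at each call site, replacing the if/elsif/else chain:
target_subnets = target_subnets_for(route, config)
```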
@@ -146,6 +155,8 @@ module CfnVpn
146
155
  end
147
156
 
148
157
  Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
158
+ Condition(:EnableSubnetAssociation)
159
+ DependsOn network_assoc_dependson if network_assoc_dependson.any?
149
160
  State 'ENABLED'
150
161
  Description "cfnvpn auto route populator schedule for #{route[:dns]}"
151
162
  ScheduleExpression "rate(5 minutes)"
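Review bot: The new `Condition(:EnableSubnetAssociation)` and `DependsOn network_assoc_dependson` lines carry no explanation, and `network_assoc_dependson` is built outside this hunk, so a reader cannot tell why the populator schedule is tied to subnet association. Presumably the populator cannot add routes to a subnet the endpoint is not yet associated with; I would record that above the Condition line: `# the populator targets associated subnets, so only schedule it once the association resources exist`. If `network_assoc_dependson` can be nil rather than an empty array, `.any?` raises, which is worth confirming where it is assigned. The Events_Rule block and the method around it continue outside this hunk.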
@@ -162,12 +173,23 @@ module CfnVpn
162
173
 
163
174
  if cidr_routes.any?
164
175
  cidr_routes.each do |route|
165
- EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
166
- Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
167
- ClientVpnEndpointId Ref(:ClientVpnEndpoint)
168
- DestinationCidrBlock route[:cidr]
169
- TargetVpcSubnetId route[:subnet]
170
- }
176
+ # to aide in the migration from single to HA routes if the vpn is HA
177
+ if route[:subnets]
178
+ target_subnets = route[:subnets]
179
+ elsif config[:subnet_ids].include?(route[:subnet])
180
+ target_subnets = config[:subnet_ids]
181
+ else
182
+ target_subnets = [*route[:subnet]]
183
+ end
184
+
185
+ target_subnets.each do |subnet|
186
+ EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]) {
187
+ Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
188
+ ClientVpnEndpointId Ref(:ClientVpnEndpoint)
189
+ DestinationCidrBlock route[:cidr]
190
+ TargetVpcSubnetId subnet
191
+ }
192
+ end
171
193
 
172
194
  if route[:groups].any?
173
195
  route[:groups].each do |group|
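Review bot: Renaming the route's logical ID from `…VpnRoute` to `…VpnRouteTo<subnet>` inside `target_subnets.each` makes every existing 1.3.x stack replace its static routes on upgrade, and because CloudFormation creates the new resource before it cleans up the removed one, the create can be rejected as a duplicate route for the same CIDR and subnet if the EC2 API still refuses duplicates as I recall. Keeping the original ID for the route's original subnet avoids the collision: `logical_id = subnet == route[:subnet] ? :"#{route[:cidr].resource_safe}VpnRoute" : :"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]` followed by `EC2_ClientVpnRoute(logical_id) {`. The `[0..255]` slice cannot bite here, since a CIDR plus a subnet id is far shorter than the logical-ID limit, so either drop it or say why it is there. The `if route[:groups].any?` block and the enclosing method continue outside the hunk.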
@@ -202,7 +224,7 @@ module CfnVpn
202
224
  }
203
225
 
204
226
  if config[:start] || config[:stop]
205
- scheduler(name, config[:start], config[:stop], config[:bucket])
227
+ scheduler(name, config)
206
228
  output(:Start, config[:start]) if config[:start]
207
229
  output(:Stop, config[:stop]) if config[:stop]
208
230
  end
@@ -228,7 +250,7 @@ module CfnVpn
228
250
  Output(name) { Value value }
229
251
  end
230
252
 
231
- def auto_route_populator(name, bucket)
253
+ def auto_route_populator(name, config)
232
254
  IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
233
255
  AssumeRolePolicyDocument({
234
256
  Version: '2012-10-17',
@@ -283,7 +305,17 @@ module CfnVpn
283
305
  ])
284
306
  }
285
307
 
286
- s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'auto_route_populator', files: ['app.py'])
308
+ s3_key = CfnVpn::Templates::Lambdas.package_lambda(
309
+ name: name,
310
+ bucket: config[:bucket],
311
+ func: 'auto_route_populator',
312
+ files: [
313
+ 'auto_route_populator/app.py',
314
+ 'auto_route_populator/quotas.py',
315
+ 'lib/slack.py',
316
+ 'auto_route_populator/states.py'
317
+ ]
318
+ )
287
319
 
288
320
  Lambda_Function(:CfnVpnAutoRoutePopulator) {
289
321
  Runtime 'python3.8'
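Review bot: The packaged file list now uses directory paths (`auto_route_populator/app.py`, `lib/slack.py`) while `Handler 'app.handler'` below still expects `app.py` at the zip root, so this only works if `package_lambda` strips the directories when zipping; that helper is outside this hunk, so I cannot tell. If it does flatten, a comment on the `files:` list would save the next reader the lookup: `# package_lambda flattens these into the zip root; keep basenames unique`. If it does not, the handler has to become `auto_route_populator/app.handler` and the `from lib import slack` style imports in the new modules need to match. The unchanged `Runtime 'python3.8'` is now past Lambda's deprecation window and deserves a follow-up. The enclosing method continues outside the hunk.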
@@ -292,9 +324,15 @@ module CfnVpn
292
324
  Handler 'app.handler'
293
325
  Timeout 60
294
326
  Code({
295
- S3Bucket: bucket,
327
+ S3Bucket: config[:bucket],
296
328
  S3Key: s3_key
297
329
  })
330
+ Environment({
331
+ Variables: {
332
+ SLACK_URL: config[:slack_webhook_url] || '',
333
+ AUTO_LIMIT_INCREASE: config[:auto_limit_increase]
334
+ }
335
+ })
298
336
  Tags([
299
337
  { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
300
338
  { Key: 'Environment', Value: 'cfnvpn' }
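Review bot: `SLACK_URL: config[:slack_webhook_url] || ''` puts the incoming-webhook URL, which is a bearer secret for posting to the channel, into the Lambda's plaintext environment and into the rendered template and change sets, where anyone with `lambda:GetFunctionConfiguration` or `cloudformation:GetTemplate` can read it. I would store it as an SSM SecureString or Secrets Manager secret and pass only the parameter name, e.g. `SLACK_URL_PARAM: config[:slack_webhook_param]`, resolving it in the Lambda at runtime, or at minimum document the exposure in docs/slack-notifications.md. `AUTO_LIMIT_INCREASE: config[:auto_limit_increase]` renders as null when the option is unset, which CloudFormation rejects for environment values as far as I recall; `config[:auto_limit_increase].to_s` keeps it a string. If the automatic limit increase has the populator call Service Quotas, the role policy earlier in this method (outside the hunk) needs that action scoped to the Client VPN quota rather than a wildcard.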
@@ -313,7 +351,7 @@ module CfnVpn
313
351
  }
314
352
  end
315
353
 
316
- def scheduler(name, start, stop, bucket)
354
+ def scheduler(name, config)
317
355
  IAM_Role(:ClientVpnSchedulerRole) {
318
356
  AssumeRolePolicyDocument({
319
357
  Version: '2012-10-17',
@@ -362,6 +400,25 @@ module CfnVpn
362
400
  }]
363
401
  }
364
402
  },
403
+ {
404
+ PolicyName: 'route-populator-events',
405
+ PolicyDocument: {
406
+ Version: '2012-10-17',
407
+ Statement: [{
408
+ Effect: 'Allow',
409
+ Action: [
410
+ 'events:PutRule',
411
+ 'events:PutTargets',
412
+ 'events:DeleteRule',
413
+ 'events:DescribeRule',
414
+ 'events:DisableRule',
415
+ 'events:EnableRule',
416
+ 'events:RemoveTargets'
417
+ ],
418
+ Resource: FnSub("arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/#{name}-cfnvpn-CfnVpnAutoRoutePopulator*")
419
+ }]
420
+ }
421
+ },
365
422
  {
366
423
  PolicyName: 'logging',
367
424
  PolicyDocument: {
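Review bot: The new `route-populator-events` policy grants `events:PutRule`, `events:PutTargets`, `events:DeleteRule` and `events:RemoveTargets` to the scheduler role, but pausing the populator while the VPN is stopped only needs `events:DescribeRule`, `events:EnableRule` and `events:DisableRule`; with PutRule/PutTargets the scheduler function could rewrite the schedule or re-point the rule at another target, so unless scheduler/app.py (not in this diff) actually creates rules I would drop those four actions. The resource pattern `rule/#{name}-cfnvpn-CfnVpnAutoRoutePopulator*` assumes the stack is named `#{name}-cfnvpn` and that the rules keep their CloudFormation-generated names; setting an explicit `Name` on the populator Events_Rule resources, or building the ARN from `${AWS::StackName}`, would make that coupling explicit. The literal `arn:aws:` should be `arn:${AWS::Partition}:` so the template also works outside the standard partition. The enclosing policy list and method continue outside the hunk.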
@@ -386,7 +443,7 @@ module CfnVpn
386
443
  ])
387
444
  }
388
445
 
389
- s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
446
+ s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: config[:bucket], func: 'scheduler', files: ['scheduler/app.py', 'lib/slack.py', 'scheduler/states.py'])
390
447
 
391
448
  Lambda_Function(:ClientVpnSchedulerFunction) {
392
449
  Runtime 'python3.8'
@@ -394,8 +451,13 @@ module CfnVpn
394
451
  MemorySize '128'
395
452
  Handler 'app.handler'
396
453
  Timeout 60
454
+ Environment({
455
+ Variables: {
456
+ SLACK_URL: config[:slack_webhook_url] || ''
457
+ }
458
+ })
397
459
  Code({
398
- S3Bucket: bucket,
460
+ S3Bucket: config[:bucket],
399
461
  S3Key: s3_key
400
462
  })
401
463
  Tags([
@@ -415,11 +477,11 @@ module CfnVpn
415
477
  Principal 'events.amazonaws.com'
416
478
  }
417
479
 
418
- if start
480
+ if config[:start]
419
481
  Events_Rule(:ClientVpnSchedulerStart) {
420
482
  State 'ENABLED'
421
483
  Description "cfnvpn start schedule"
422
- ScheduleExpression "cron(#{start})"
484
+ ScheduleExpression "cron(#{config[:start]})"
423
485
  Targets([
424
486
  {
425
487
  Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
@@ -430,11 +492,11 @@ module CfnVpn
430
492
  }
431
493
  end
432
494
 
433
- if stop
495
+ if config[:stop]
434
496
  Events_Rule(:ClientVpnSchedulerStop) {
435
497
  State 'ENABLED'
436
498
  Description "cfnvpn stop schedule"
437
- ScheduleExpression "cron(#{stop})"
499
+ ScheduleExpression "cron(#{config[:stop]})"
438
500
  Targets([
439
501
  {
440
502
  Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
@@ -1,4 +1,4 @@
1
1
  module CfnVpn
2
- VERSION = "1.3.4".freeze
2
+ VERSION = "1.4.0".freeze
3
3
  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
4
4
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-vpn
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.4
4
+ version: 1.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Guslington
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-11-10 00:00:00.000000000 Z
11
+ date: 2021-12-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: thor
@@ -247,6 +247,7 @@ files:
247
247
  - docs/routes.md
248
248
  - docs/scheduling.md
249
249
  - docs/sessions.md
250
+ - docs/slack-notifications.md
250
251
  - exe/cfn-vpn
251
252
  - lib/cfnvpn.rb
252
253
  - lib/cfnvpn/acm.rb
@@ -273,7 +274,11 @@ files:
273
274
  - lib/cfnvpn/templates/helper.rb
274
275
  - lib/cfnvpn/templates/lambdas.rb
275
276
  - lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
277
+ - lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py
278
+ - lib/cfnvpn/templates/lambdas/auto_route_populator/states.py
279
+ - lib/cfnvpn/templates/lambdas/lib/slack.py
276
280
  - lib/cfnvpn/templates/lambdas/scheduler/app.py
281
+ - lib/cfnvpn/templates/lambdas/scheduler/states.py
277
282
  - lib/cfnvpn/templates/vpn.rb
278
283
  - lib/cfnvpn/version.rb
279
284
  homepage: https://github.com/base2services/aws-client-vpn