cfn-vpn 1.3.4 → 1.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +2 -2
- data/docs/README.md +2 -1
- data/docs/certificate-users.md +1 -1
- data/docs/getting-started.md +35 -32
- data/docs/routes.md +48 -0
- data/docs/slack-notifications.md +35 -0
- data/lib/cfnvpn/actions/embedded.rb +3 -4
- data/lib/cfnvpn/actions/init.rb +8 -4
- data/lib/cfnvpn/actions/modify.rb +4 -2
- data/lib/cfnvpn/actions/revoke.rb +2 -3
- data/lib/cfnvpn/actions/routes.rb +20 -16
- data/lib/cfnvpn/actions/sessions.rb +4 -5
- data/lib/cfnvpn/actions/share.rb +3 -4
- data/lib/cfnvpn/actions/subnets.rb +2 -6
- data/lib/cfnvpn/clientvpn.rb +38 -22
- data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py +177 -92
- data/lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py +37 -0
- data/lib/cfnvpn/templates/lambdas/auto_route_populator/states.py +21 -0
- data/lib/cfnvpn/templates/lambdas/lib/slack.py +66 -0
- data/lib/cfnvpn/templates/lambdas/scheduler/app.py +42 -24
- data/lib/cfnvpn/templates/lambdas/scheduler/states.py +13 -0
- data/lib/cfnvpn/templates/lambdas.rb +10 -1
- data/lib/cfnvpn/templates/vpn.rb +81 -19
- data/lib/cfnvpn/version.rb +1 -1
- metadata +7 -2
data/lib/cfnvpn/templates/vpn.rb
CHANGED
|
@@ -131,13 +131,22 @@ module CfnVpn
|
|
|
131
131
|
cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
|
|
132
132
|
|
|
133
133
|
if dns_routes.any?
|
|
134
|
-
auto_route_populator(name, config
|
|
134
|
+
auto_route_populator(name, config)
|
|
135
135
|
|
|
136
136
|
dns_routes.each do |route|
|
|
137
|
+
# to aide in the migration from single to HA routes if the vpn is HA
|
|
138
|
+
if route[:subnets]
|
|
139
|
+
target_subnets = route[:subnets]
|
|
140
|
+
elsif config[:subnet_ids].include?(route[:subnet])
|
|
141
|
+
target_subnets = config[:subnet_ids]
|
|
142
|
+
else
|
|
143
|
+
target_subnets = [*route[:subnet]]
|
|
144
|
+
end
|
|
145
|
+
|
|
137
146
|
input = {
|
|
138
147
|
Record: route[:dns],
|
|
139
148
|
ClientVpnEndpointId: "${ClientVpnEndpoint}",
|
|
140
|
-
|
|
149
|
+
TargetSubnets: target_subnets,
|
|
141
150
|
Description: route[:desc]
|
|
142
151
|
}
|
|
143
152
|
|
|
@@ -146,6 +155,8 @@ module CfnVpn
|
|
|
146
155
|
end
|
|
147
156
|
|
|
148
157
|
Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
|
|
158
|
+
Condition(:EnableSubnetAssociation)
|
|
159
|
+
DependsOn network_assoc_dependson if network_assoc_dependson.any?
|
|
149
160
|
State 'ENABLED'
|
|
150
161
|
Description "cfnvpn auto route populator schedule for #{route[:dns]}"
|
|
151
162
|
ScheduleExpression "rate(5 minutes)"
|
|
@@ -162,12 +173,23 @@ module CfnVpn
|
|
|
162
173
|
|
|
163
174
|
if cidr_routes.any?
|
|
164
175
|
cidr_routes.each do |route|
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
176
|
+
# to aide in the migration from single to HA routes if the vpn is HA
|
|
177
|
+
if route[:subnets]
|
|
178
|
+
target_subnets = route[:subnets]
|
|
179
|
+
elsif config[:subnet_ids].include?(route[:subnet])
|
|
180
|
+
target_subnets = config[:subnet_ids]
|
|
181
|
+
else
|
|
182
|
+
target_subnets = [*route[:subnet]]
|
|
183
|
+
end
|
|
184
|
+
|
|
185
|
+
target_subnets.each do |subnet|
|
|
186
|
+
EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]) {
|
|
187
|
+
Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
|
|
188
|
+
ClientVpnEndpointId Ref(:ClientVpnEndpoint)
|
|
189
|
+
DestinationCidrBlock route[:cidr]
|
|
190
|
+
TargetVpcSubnetId subnet
|
|
191
|
+
}
|
|
192
|
+
end
|
|
171
193
|
|
|
172
194
|
if route[:groups].any?
|
|
173
195
|
route[:groups].each do |group|
|
|
@@ -202,7 +224,7 @@ module CfnVpn
|
|
|
202
224
|
}
|
|
203
225
|
|
|
204
226
|
if config[:start] || config[:stop]
|
|
205
|
-
scheduler(name, config
|
|
227
|
+
scheduler(name, config)
|
|
206
228
|
output(:Start, config[:start]) if config[:start]
|
|
207
229
|
output(:Stop, config[:stop]) if config[:stop]
|
|
208
230
|
end
|
|
@@ -228,7 +250,7 @@ module CfnVpn
|
|
|
228
250
|
Output(name) { Value value }
|
|
229
251
|
end
|
|
230
252
|
|
|
231
|
-
def auto_route_populator(name,
|
|
253
|
+
def auto_route_populator(name, config)
|
|
232
254
|
IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
|
|
233
255
|
AssumeRolePolicyDocument({
|
|
234
256
|
Version: '2012-10-17',
|
|
@@ -283,7 +305,17 @@ module CfnVpn
|
|
|
283
305
|
])
|
|
284
306
|
}
|
|
285
307
|
|
|
286
|
-
s3_key = CfnVpn::Templates::Lambdas.package_lambda(
|
|
308
|
+
s3_key = CfnVpn::Templates::Lambdas.package_lambda(
|
|
309
|
+
name: name,
|
|
310
|
+
bucket: config[:bucket],
|
|
311
|
+
func: 'auto_route_populator',
|
|
312
|
+
files: [
|
|
313
|
+
'auto_route_populator/app.py',
|
|
314
|
+
'auto_route_populator/quotas.py',
|
|
315
|
+
'lib/slack.py',
|
|
316
|
+
'auto_route_populator/states.py'
|
|
317
|
+
]
|
|
318
|
+
)
|
|
287
319
|
|
|
288
320
|
Lambda_Function(:CfnVpnAutoRoutePopulator) {
|
|
289
321
|
Runtime 'python3.8'
|
|
@@ -292,9 +324,15 @@ module CfnVpn
|
|
|
292
324
|
Handler 'app.handler'
|
|
293
325
|
Timeout 60
|
|
294
326
|
Code({
|
|
295
|
-
S3Bucket: bucket,
|
|
327
|
+
S3Bucket: config[:bucket],
|
|
296
328
|
S3Key: s3_key
|
|
297
329
|
})
|
|
330
|
+
Environment({
|
|
331
|
+
Variables: {
|
|
332
|
+
SLACK_URL: config[:slack_webhook_url] || '',
|
|
333
|
+
AUTO_LIMIT_INCREASE: config[:auto_limit_increase]
|
|
334
|
+
}
|
|
335
|
+
})
|
|
298
336
|
Tags([
|
|
299
337
|
{ Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
|
|
300
338
|
{ Key: 'Environment', Value: 'cfnvpn' }
|
|
@@ -313,7 +351,7 @@ module CfnVpn
|
|
|
313
351
|
}
|
|
314
352
|
end
|
|
315
353
|
|
|
316
|
-
def scheduler(name,
|
|
354
|
+
def scheduler(name, config)
|
|
317
355
|
IAM_Role(:ClientVpnSchedulerRole) {
|
|
318
356
|
AssumeRolePolicyDocument({
|
|
319
357
|
Version: '2012-10-17',
|
|
@@ -362,6 +400,25 @@ module CfnVpn
|
|
|
362
400
|
}]
|
|
363
401
|
}
|
|
364
402
|
},
|
|
403
|
+
{
|
|
404
|
+
PolicyName: 'route-populator-events',
|
|
405
|
+
PolicyDocument: {
|
|
406
|
+
Version: '2012-10-17',
|
|
407
|
+
Statement: [{
|
|
408
|
+
Effect: 'Allow',
|
|
409
|
+
Action: [
|
|
410
|
+
'events:PutRule',
|
|
411
|
+
'events:PutTargets',
|
|
412
|
+
'events:DeleteRule',
|
|
413
|
+
'events:DescribeRule',
|
|
414
|
+
'events:DisableRule',
|
|
415
|
+
'events:EnableRule',
|
|
416
|
+
'events:RemoveTargets'
|
|
417
|
+
],
|
|
418
|
+
Resource: FnSub("arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/#{name}-cfnvpn-CfnVpnAutoRoutePopulator*")
|
|
419
|
+
}]
|
|
420
|
+
}
|
|
421
|
+
},
|
|
365
422
|
{
|
|
366
423
|
PolicyName: 'logging',
|
|
367
424
|
PolicyDocument: {
|
|
@@ -386,7 +443,7 @@ module CfnVpn
|
|
|
386
443
|
])
|
|
387
444
|
}
|
|
388
445
|
|
|
389
|
-
s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
|
|
446
|
+
s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: config[:bucket], func: 'scheduler', files: ['scheduler/app.py', 'lib/slack.py', 'scheduler/states.py'])
|
|
390
447
|
|
|
391
448
|
Lambda_Function(:ClientVpnSchedulerFunction) {
|
|
392
449
|
Runtime 'python3.8'
|
|
@@ -394,8 +451,13 @@ module CfnVpn
|
|
|
394
451
|
MemorySize '128'
|
|
395
452
|
Handler 'app.handler'
|
|
396
453
|
Timeout 60
|
|
454
|
+
Environment({
|
|
455
|
+
Variables: {
|
|
456
|
+
SLACK_URL: config[:slack_webhook_url] || ''
|
|
457
|
+
}
|
|
458
|
+
})
|
|
397
459
|
Code({
|
|
398
|
-
S3Bucket: bucket,
|
|
460
|
+
S3Bucket: config[:bucket],
|
|
399
461
|
S3Key: s3_key
|
|
400
462
|
})
|
|
401
463
|
Tags([
|
|
@@ -415,11 +477,11 @@ module CfnVpn
|
|
|
415
477
|
Principal 'events.amazonaws.com'
|
|
416
478
|
}
|
|
417
479
|
|
|
418
|
-
if start
|
|
480
|
+
if config[:start]
|
|
419
481
|
Events_Rule(:ClientVpnSchedulerStart) {
|
|
420
482
|
State 'ENABLED'
|
|
421
483
|
Description "cfnvpn start schedule"
|
|
422
|
-
ScheduleExpression "cron(#{start})"
|
|
484
|
+
ScheduleExpression "cron(#{config[:start]})"
|
|
423
485
|
Targets([
|
|
424
486
|
{
|
|
425
487
|
Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
|
|
@@ -430,11 +492,11 @@ module CfnVpn
|
|
|
430
492
|
}
|
|
431
493
|
end
|
|
432
494
|
|
|
433
|
-
if stop
|
|
495
|
+
if config[:stop]
|
|
434
496
|
Events_Rule(:ClientVpnSchedulerStop) {
|
|
435
497
|
State 'ENABLED'
|
|
436
498
|
Description "cfnvpn stop schedule"
|
|
437
|
-
ScheduleExpression "cron(#{stop})"
|
|
499
|
+
ScheduleExpression "cron(#{config[:stop]})"
|
|
438
500
|
Targets([
|
|
439
501
|
{
|
|
440
502
|
Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
|
data/lib/cfnvpn/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-vpn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Guslington
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-12-15 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: thor
|
|
@@ -247,6 +247,7 @@ files:
|
|
|
247
247
|
- docs/routes.md
|
|
248
248
|
- docs/scheduling.md
|
|
249
249
|
- docs/sessions.md
|
|
250
|
+
- docs/slack-notifications.md
|
|
250
251
|
- exe/cfn-vpn
|
|
251
252
|
- lib/cfnvpn.rb
|
|
252
253
|
- lib/cfnvpn/acm.rb
|
|
@@ -273,7 +274,11 @@ files:
|
|
|
273
274
|
- lib/cfnvpn/templates/helper.rb
|
|
274
275
|
- lib/cfnvpn/templates/lambdas.rb
|
|
275
276
|
- lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
|
|
277
|
+
- lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py
|
|
278
|
+
- lib/cfnvpn/templates/lambdas/auto_route_populator/states.py
|
|
279
|
+
- lib/cfnvpn/templates/lambdas/lib/slack.py
|
|
276
280
|
- lib/cfnvpn/templates/lambdas/scheduler/app.py
|
|
281
|
+
- lib/cfnvpn/templates/lambdas/scheduler/states.py
|
|
277
282
|
- lib/cfnvpn/templates/vpn.rb
|
|
278
283
|
- lib/cfnvpn/version.rb
|
|
279
284
|
homepage: https://github.com/base2services/aws-client-vpn
|