cfn-vpn 1.3.4 → 1.4.3

data/lib/cfnvpn/templates/vpn.rb

@@ -131,13 +131,22 @@ module CfnVpn
         cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
 
         if dns_routes.any?
-          auto_route_populator(name, config[:bucket])
+          auto_route_populator(name, config)
 
           dns_routes.each do |route|
+            # to aide in the migration from single to HA routes if the vpn is HA
+            if route[:subnets]
+              target_subnets = route[:subnets]
+            elsif config[:subnet_ids].include?(route[:subnet])
+              target_subnets = config[:subnet_ids]
+            else
+              target_subnets = [*route[:subnet]]
+            end
+
             input = { 
               Record: route[:dns],
               ClientVpnEndpointId: "${ClientVpnEndpoint}",
-              TargetSubnet: route[:subnet],
+              TargetSubnets: target_subnets,
               Description: route[:desc]
             }
             
@@ -146,13 +155,15 @@ module CfnVpn
             end
 
             Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
+              Condition(:EnableSubnetAssociation)
+              DependsOn network_assoc_dependson if network_assoc_dependson.any?
               State 'ENABLED'
               Description "cfnvpn auto route populator schedule for #{route[:dns]}"
               ScheduleExpression "rate(5 minutes)"
               Targets([
                 { 
                   Arn: FnGetAtt(:CfnVpnAutoRoutePopulator, :Arn),
-                  Id: "cfnvpnautoroutepopulator#{route[:dns].event_id_safe}",
+                  Id: "auto-route-populator",
                   Input: FnSub(input.to_json)
                 }
               ])
@@ -162,12 +173,23 @@ module CfnVpn
 
         if cidr_routes.any?
           cidr_routes.each do |route|
-            EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
-              Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              DestinationCidrBlock route[:cidr]
-              TargetVpcSubnetId route[:subnet]
-            }
+            # to aide in the migration from single to HA routes if the vpn is HA
+            if route[:subnets]
+              target_subnets = route[:subnets]
+            elsif config[:subnet_ids].include?(route[:subnet])
+              target_subnets = config[:subnet_ids]
+            else
+              target_subnets = [*route[:subnet]]
+            end
+
+            target_subnets.each do |subnet|
+              EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]) {
+                Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
+                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                DestinationCidrBlock route[:cidr]
+                TargetVpcSubnetId subnet
+              }
+            end
 
             if route[:groups].any?
               route[:groups].each do |group|
@@ -202,7 +224,7 @@ module CfnVpn
         }
 
         if config[:start] || config[:stop]
-          scheduler(name, config[:start], config[:stop], config[:bucket])
+          scheduler(name, config)
           output(:Start, config[:start]) if config[:start]
           output(:Stop, config[:stop]) if config[:stop]
         end
@@ -228,7 +250,7 @@ module CfnVpn
         Output(name) { Value value }
       end
 
-      def auto_route_populator(name, bucket)
+      def auto_route_populator(name, config)
         IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
           AssumeRolePolicyDocument({
             Version: '2012-10-17',
@@ -275,6 +297,31 @@ module CfnVpn
                   Resource: '*'
                 }]
               }
+            },
+            {
+              PolicyName: 'vpn-quotas',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [
+                  {
+                    Effect: 'Allow',
+                    Action: [
+                      'servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota',
+                    ],
+                    Resource: '*'
+                  },
+                  {
+                    Effect: 'Allow',
+                    Action: [
+                      'servicequotas:RequestServiceQuotaIncrease'
+                    ],
+                    Resource: [
+                      FnSub('arn:aws:servicequotas:${AWS::Region}:${AWS::AccountId}:ec2/L-401D78F7'),
+                      FnSub('arn:aws:servicequotas:${AWS::Region}:${AWS::AccountId}:ec2/L-9A1BC94B')
+                    ]
+                  }
+                ]
+              }
             }
           ])
           Tags([
@@ -283,7 +330,17 @@ module CfnVpn
           ])
         }
 
-        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'auto_route_populator', files: ['app.py'])
+        s3_key = CfnVpn::Templates::Lambdas.package_lambda(
+          name: name,
+          bucket: config[:bucket],
+          func: 'auto_route_populator',
+          files: [
+            'auto_route_populator/app.py',
+            'auto_route_populator/quotas.py',
+            'lib/slack.py',
+            'auto_route_populator/states.py'
+          ]
+        )
         
         Lambda_Function(:CfnVpnAutoRoutePopulator) {
           Runtime 'python3.8'
@@ -292,9 +349,15 @@ module CfnVpn
           Handler 'app.handler'
           Timeout 60
           Code({
-            S3Bucket: bucket,
+            S3Bucket: config[:bucket],
             S3Key: s3_key
           })
+          Environment({
+            Variables: {
+              SLACK_URL: config[:slack_webhook_url] || '',
+              AUTO_LIMIT_INCREASE: config[:auto_limit_increase] || true
+            }
+          })
           Tags([
             { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
             { Key: 'Environment', Value: 'cfnvpn' }
@@ -313,7 +376,7 @@ module CfnVpn
         }
       end
 
-      def scheduler(name, start, stop, bucket)
+      def scheduler(name, config)
         IAM_Role(:ClientVpnSchedulerRole) {
           AssumeRolePolicyDocument({
             Version: '2012-10-17',
@@ -362,6 +425,25 @@ module CfnVpn
                 }]
               }
             },
+            {
+              PolicyName: 'route-populator-events',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'events:PutRule',
+                    'events:PutTargets',
+                    'events:DeleteRule',
+                    'events:DescribeRule',
+                    'events:DisableRule',
+                    'events:EnableRule',
+                    'events:RemoveTargets'
+                  ],
+                  Resource: FnSub("arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/#{name}-cfnvpn-CfnVpnAutoRoutePopulator*")
+                }]
+              }
+            },
             {
               PolicyName: 'logging',
               PolicyDocument: {
@@ -386,7 +468,7 @@ module CfnVpn
           ])
         }
 
-        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
+        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: config[:bucket], func: 'scheduler', files: ['scheduler/app.py', 'lib/slack.py', 'scheduler/states.py'])
 
         Lambda_Function(:ClientVpnSchedulerFunction) {
           Runtime 'python3.8'
@@ -394,8 +476,13 @@ module CfnVpn
           MemorySize '128'
           Handler 'app.handler'
           Timeout 60
+          Environment({
+            Variables: {
+              SLACK_URL: config[:slack_webhook_url] || ''
+            }
+          })
           Code({
-            S3Bucket: bucket,
+            S3Bucket: config[:bucket],
             S3Key: s3_key
           })
           Tags([
@@ -415,11 +502,11 @@ module CfnVpn
           Principal 'events.amazonaws.com'
         }
 
-        if start
+        if config[:start]
           Events_Rule(:ClientVpnSchedulerStart) {
             State 'ENABLED'
             Description "cfnvpn start schedule"
-            ScheduleExpression "cron(#{start})"
+            ScheduleExpression "cron(#{config[:start]})"
             Targets([
               { 
                 Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),
@@ -430,11 +517,11 @@ module CfnVpn
           }
         end
 
-        if stop
+        if config[:stop]
           Events_Rule(:ClientVpnSchedulerStop) {
             State 'ENABLED'
             Description "cfnvpn stop schedule"
-            ScheduleExpression "cron(#{stop})"
+            ScheduleExpression "cron(#{config[:stop]})"
             Targets([
               { 
                 Arn: FnGetAtt(:ClientVpnSchedulerFunction, :Arn),

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.3.4".freeze
+  VERSION = "1.4.3".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 1.3.4
+  version: 1.4.3
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-11-10 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -247,6 +247,7 @@ files:
 - docs/routes.md
 - docs/scheduling.md
 - docs/sessions.md
+- docs/slack-notifications.md
 - exe/cfn-vpn
 - lib/cfnvpn.rb
 - lib/cfnvpn/acm.rb
@@ -273,7 +274,11 @@ files:
 - lib/cfnvpn/templates/helper.rb
 - lib/cfnvpn/templates/lambdas.rb
 - lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
+- lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py
+- lib/cfnvpn/templates/lambdas/auto_route_populator/states.py
+- lib/cfnvpn/templates/lambdas/lib/slack.py
 - lib/cfnvpn/templates/lambdas/scheduler/app.py
+- lib/cfnvpn/templates/lambdas/scheduler/states.py
 - lib/cfnvpn/templates/vpn.rb
 - lib/cfnvpn/version.rb
 homepage: https://github.com/base2services/aws-client-vpn