cfn-vpn 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4e3b6334f24037b79137a09d3d93325a2513162f4e151b1e565875e74352aac7
+  data.tar.gz: d0e7e304876a4bcccab2b082fc8c298f8fc74b0769b4eb9338fdc98b5d5842a1
+SHA512:
+  metadata.gz: c75ae0f97eb239c6db309b98d09d5b08a688bde621aa5f23b091face28fab3737369d67d6d40c9f13e7615ba8f58c4ee3553fe24a55715ac0282f889b72946fd
+  data.tar.gz: d543e66f8ce62534e64de754d09be061c4a92b50bff6d8ddfbd0f8df03a48f830217c501024986e8810e4f2a300fa503a9631efb7ad0cb4a22c6c47019456df6

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+cfn-vpn-*.gem

data/.travis.yml

@@ -0,0 +1,17 @@
+sudo: required
+dist: trusty
+language: ruby
+rvm:
+  - 2.5
+script:
+  - bundle install
+  - gem build cfn-vpn.gemspec
+  - gem install cfn-vpn-*.gem
+  - cfn-vpn help
+deploy:
+  provider: rubygems
+  api_key: "${RUBYGEMS_API_KEY}"
+  gem: cfn-vpn
+  on:
+   all_branches: true
+   condition: $TRAVIS_BRANCH =~ ^develop|master &&  $TRAVIS_EVENT_TYPE =~ ^push|api$ && $TRAVIS_REPO_SLUG == "base2services/aws-client-vpn"

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in cfn-vpn.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,75 @@
+PATH
+  remote: .
+  specs:
+    cfn-vpn (0.1.0)
+      aws-sdk-acm (~> 1, < 2)
+      aws-sdk-cloudformation (~> 1, < 2)
+      aws-sdk-ec2 (~> 1.95, < 2)
+      aws-sdk-ssm (~> 1, < 2)
+      cfhighlander (~> 0.9, < 1)
+      cfndsl (~> 0.17, < 1)
+      thor (~> 0.20)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aws-eventstream (1.0.3)
+    aws-partitions (1.176.0)
+    aws-sdk-acm (1.23.0)
+      aws-sdk-core (~> 3, >= 3.56.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-cloudformation (1.23.0)
+      aws-sdk-core (~> 3, >= 3.56.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-core (3.56.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+      aws-partitions (~> 1.0)
+      aws-sigv4 (~> 1.1)
+      jmespath (~> 1.0)
+    aws-sdk-ec2 (1.95.0)
+      aws-sdk-core (~> 3, >= 3.56.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-kms (1.22.0)
+      aws-sdk-core (~> 3, >= 3.56.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.43.0)
+      aws-sdk-core (~> 3, >= 3.56.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-ssm (1.50.0)
+      aws-sdk-core (~> 3, >= 3.56.0)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.1.0)
+      aws-eventstream (~> 1.0, >= 1.0.2)
+    cfhighlander (0.9.0)
+      aws-sdk-cloudformation (~> 1, < 2)
+      aws-sdk-core (~> 3, < 4)
+      aws-sdk-ec2 (~> 1, < 2)
+      aws-sdk-s3 (~> 1, < 2)
+      cfndsl (~> 0.16, < 1)
+      duplicate (~> 1.1)
+      git (~> 1.4, < 2)
+      highline (>= 1.7.10, < 1.8)
+      netaddr (~> 1.5, >= 1.5.1)
+      rubyzip (>= 1.2.1, < 2)
+      thor (~> 0.20, < 1)
+    cfndsl (0.17.0)
+    duplicate (1.1.1)
+    git (1.5.0)
+    highline (1.7.10)
+    jmespath (1.4.0)
+    netaddr (1.5.1)
+    rake (10.5.0)
+    rubyzip (1.2.3)
+    thor (0.20.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  cfn-vpn!
+  rake (~> 10.0)
+
+BUNDLED WITH
+   2.0.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Guslington
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,74 @@
+# CfnVpn
+
+Manages the resources required to create a client vpn in AWS.
+Uses cloudformation to manage the state of the vpn resources.
+
+## Installation
+
+Install `cfn-vpn` gem
+
+```bash
+gem install cfn-vpn
+```
+
+Install [docker](https://docs.docker.com/install/)
+
+Docker is required to generate the certificates required for the client vpn.
+The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) dokcer image.
+
+## Usage
+
+### help
+
+Displays all possible commands
+
+```bash
+Commands:
+  cfn-vpn --version, -v                                            # print the version
+  cfn-vpn help [COMMAND]                                           # Describe available commands or one specific command
+  cfn-vpn init [name] --server-cn=SERVER_CN --subnet-id=SUBNET_ID  # Ciinabox configuration initialization
+```
+
+### init
+
+Initialises a new client vpn and creates all required resources to get it running.
+
+```bash
+Usage:
+  cfn-vpn init [name] --server-cn=SERVER_CN --subnet-id=SUBNET_ID
+
+Options:
+  p, [--profile=PROFILE]       # AWS Profile
+  r, [--region=REGION]         # AWS Region
+      --server-cn=SERVER_CN    # server certificate common name
+      [--client-cn=CLIENT_CN]  # client certificate common name
+      --subnet-id=SUBNET_ID    # subnet id to associate your vpn with
+      [--cidr=CIDR]            # cidr from which to assign client IP addresses
+                               # Default: 10.250.0.0/16
+
+Ciinabox configuration initialization
+```
+
+### config
+
+Downloads the opvn config file for the client vpn
+
+```bash
+Usage:
+  cfn-vpn config [name]
+
+Options:
+  [--profile=PROFILE]  # AWS Profile
+  [--region=REGION]    # AWS Region
+                       # Default: ap-southeast-2
+
+Ciinabox configuration initialization
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/base2services/aws-client-vpn.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/cfn-vpn.gemspec

@@ -0,0 +1,48 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "cfnvpn/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "cfn-vpn"
+  spec.version       = CfnVpn::VERSION
+  spec.authors       = ["Guslington"]
+  spec.email         = ["guslington@gmail.com"]
+
+  spec.summary       = %q{creates and manages resources for the aws client vpn}
+  spec.description   = %q{creates and manages resources for the aws client vpn}
+  spec.homepage      = "https://github.com/base2services/aws-client-vpn"
+  spec.license       = "MIT"
+
+  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
+  # to allow pushing to a single host or delete this section to allow pushing to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata["allowed_push_host"] = 'https://rubygems.org'
+
+    spec.metadata["homepage_uri"] = spec.homepage
+    spec.metadata["source_code_uri"] = "https://github.com/base2services/aws-client-vpn"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against " \
+      "public gem pushes."
+  end
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "thor", "~> 0.20"
+  spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
+  spec.add_dependency 'cfndsl', '~> 0.17', '<1'
+  spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
+  spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
+  spec.add_runtime_dependency 'aws-sdk-ssm', '~> 1', '<2'
+  spec.add_runtime_dependency 'aws-sdk-cloudformation', '~> 1', '<2'
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/exe/cfn-vpn

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require "cfnvpn"
+
+CfnVpn::Cli.start( ARGV )

data/lib/cfnvpn.rb

@@ -0,0 +1,26 @@
+require 'thor'
+require 'cfnvpn/version'
+require 'cfnvpn/init'
+require 'cfnvpn/config'
+
+module CfnVpn
+  class Cli < Thor
+
+    map %w[--version -v] => :__print_version
+    desc "--version, -v", "print the version"
+    def __print_version
+      puts CfnVpn::VERSION
+    end
+
+    # Initializes ciinabox configuration
+    register CfnVpn::Init, 'init', 'init [name]', 'Ciinabox configuration initialization'
+    tasks["init"].options = CfnVpn::Init.class_options
+
+    register CfnVpn::Config, 'config', 'config [name]', 'Ciinabox configuration initialization'
+    tasks["config"].options = CfnVpn::Config.class_options
+
+  end
+
+  # Aws.config[:retry_limit] = if ENV.key? 'CFNVPN_AWS_RETRY_LIMIT' then (ENV['CFNVPN_AWS_RETRY_LIMIT'].to_i) else 10 end
+
+end

data/lib/cfnvpn/acm.rb

@@ -0,0 +1,49 @@
+require 'aws-sdk-acm'
+require 'fileutils'
+
+module CfnVpn
+  class Acm
+
+    def initialize(region,cert_dir)
+      @client = Aws::ACM::Client.new(region: region)
+      @cert_dir = cert_dir
+    end
+
+    def import_certificate(cert,key,ca)
+      cert_body = load_certificate(cert)
+      key_body = load_certificate(key)
+      ca_body = load_certificate(ca)
+
+      resp = @client.import_certificate({
+        certificate: cert_body,
+        private_key: key_body,
+        certificate_chain: ca_body
+      })
+      return resp.certificate_arn
+    end
+
+    def tag_certificate(arn,name,type,cfnvpn_name)
+      @client.add_tags_to_certificate({
+        certificate_arn: arn,
+        tags: [
+          { key: "Name", value: name },
+          { key: "cfnvpn:name", value: cfnvpn_name },
+          { key: "cfnvpn:certificate:type", value: type }
+        ]
+      })
+    end
+
+    def load_certificate(cert)
+      File.read("#{@cert_dir}/#{cert}")
+    end
+
+    def certificate_exists?(name)
+      return true
+    end
+
+    def get_certificate(name)
+      return 'arn'
+    end
+
+  end
+end

data/lib/cfnvpn/certificates.rb

@@ -0,0 +1,55 @@
+require 'fileutils'
+require 'cfnvpn/acm'
+require 'cfnvpn/ssm'
+require 'cfnvpn/log'
+
+module CfnVpn
+  class Certificates
+    include CfnVpn::Log
+
+    def initialize(build_dir,cfnvpn_name)
+      @cfnvpn_name = cfnvpn_name
+      @config_dir = "#{build_dir}/config"
+      @cert_dir = "#{build_dir}/certificates"
+      FileUtils.mkdir_p(@cert_dir)
+    end
+
+    def generate(server_cn,client_cn)
+      cmd = ["docker", "run", "-it", "--rm"]
+      cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+      cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      cmd << "base2/aws-client-vpn:3.0.5"
+      return `#{cmd.join(' ')}`
+    end
+
+    def upload_certificates(region,cert,type,cn=nil)
+      cn = cn.nil? ? cert : cn
+      acm = CfnVpn::Acm.new(region, @cert_dir)
+      arn = acm.import_certificate("#{cert}.crt", "#{cert}.key", "ca.crt")
+      Log.logger.debug "Uploaded #{type} certificate to ACM #{arn}"
+      acm.tag_certificate(arn,cn,type,@cfnvpn_name)
+      return arn
+    end
+
+    def store_certificate(region,cert)
+      ssm = CfnVpn::SSM.new(@cfnvpn_name, region, @cert_dir)
+      ssm.put_parameter(cert)
+    end
+
+    def write_certificate(cert_body,name,force)
+      file = "#{@config_dir}/#{name}"
+      if File.file?(file)
+        if force
+          Log.logger.warn "overriding existing #{name}"
+          File.write(file, cert_body)
+        else
+          Log.logger.info "#{name} already exists"
+        end
+      else
+        File.write(file, cert_body)
+      end
+    end
+
+  end
+end

data/lib/cfnvpn/cfhighlander.rb

@@ -0,0 +1,49 @@
+require 'cfhighlander.publisher'
+require 'cfhighlander.factory'
+require 'cfhighlander.validator'
+
+require 'cfnvpn/version'
+
+module CfnVpn
+  class CfHiglander
+
+    def initialize(region, name, config, output_dir)
+      @component_name = name
+      @region = region
+      @config = config
+      @cfn_output_format = 'yaml'
+      ENV['CFHIGHLANDER_WORKDIR'] = output_dir
+    end
+
+    def render()
+      component = load_component(@component_name)
+      compiled = compile_component(component)
+      validate_component(component,compiled.cfn_template_paths)
+      cfn_template_paths = compiled.cfn_template_paths
+      return cfn_template_paths.select { |path| path.match(@component_name) }.first
+    end
+
+    private
+
+    def load_component(component_name)
+      factory = Cfhighlander::Factory::ComponentFactory.new
+      component = factory.loadComponentFromTemplate(component_name)
+      component.config = @config
+      component.version = CfnVpn::VERSION
+      component.load()
+      return component
+    end
+
+    def compile_component(component)
+      component_compiler = Cfhighlander::Compiler::ComponentCompiler.new(component)
+      component_compiler.compileCloudFormation(@cfn_output_format)
+      return component_compiler
+    end
+
+    def validate_component(component,template_paths)
+      component_validator = Cfhighlander::Cloudformation::Validator.new(component)
+      component_validator.validate(template_paths, @cfn_output_format)
+    end
+
+  end
+end

data/lib/cfnvpn/clientvpn.rb

@@ -0,0 +1,36 @@
+require 'aws-sdk-ec2'
+require 'cfnvpn/log'
+
+module CfnVpn
+  class ClientVpn
+    include CfnVpn::Log
+
+    def initialize(name,region)
+      @client = Aws::EC2::Client.new(region: region)
+      @name = name
+    end
+
+    def get_endpoint()
+      resp = @client.describe_client_vpn_endpoints({
+        filters: [{ name: "tag:cfnvpn:name", values: [@name] }]
+      })
+      if resp.client_vpn_endpoints.empty?
+        Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
+        raise "Unable to find client vpn"
+      end
+      resp.client_vpn_endpoints.first
+    end
+
+    def get_endpoint_id()
+      return get_endpoint().client_vpn_endpoint_id
+    end
+
+    def get_config(endpoint_id)
+      resp = @client.export_client_vpn_client_configuration({
+        client_vpn_endpoint_id: endpoint_id
+      })
+      return resp.client_configuration
+    end
+
+  end
+end

data/lib/cfnvpn/cloudformation.rb

@@ -0,0 +1,75 @@
+require 'aws-sdk-cloudformation'
+require 'fileutils'
+require 'cfnvpn/version'
+require 'cfnvpn/log'
+
+module CfnVpn
+  class Cloudformation
+    include CfnVpn::Log
+
+    def initialize(region,name)
+      @name = name
+      @stack_name = "#{@name}-cfnvpn"
+      @client = Aws::CloudFormation::Client.new(region: region)
+    end
+
+    # TODO: check for REVIEW_IN_PROGRESS
+    def does_cf_stack_exist()
+      begin
+        resp = @client.describe_stacks({
+          stack_name: @stack_name,
+        })
+      rescue Aws::CloudFormation::Errors::ValidationError
+        return false
+      end
+      return resp.size > 0
+    end
+
+    def get_change_set_type()
+      return does_cf_stack_exist() ? 'UPDATE' : 'CREATE'
+    end
+
+    def create_change_set(template_path)
+      change_set_name = "#{@stack_name}-#{CfnVpn::CHANGE_SET_VERSION}"
+      change_set_type = get_change_set_type()
+      template_body = File.read(template_path)
+      Log.logger.debug "Creating changeset"
+      change_set = @client.create_change_set({
+        stack_name: @stack_name,
+        template_body: template_body,
+        tags: [
+          {
+            key: "cfnvpn:version",
+            value: CfnVpn::VERSION,
+          },
+          {
+            key: "cfnvpn:name",
+            value: @name,
+          }
+        ],
+        change_set_name: change_set_name,
+        change_set_type: change_set_type
+      })
+      return change_set, change_set_type
+    end
+
+    def wait_for_changeset(change_set_id)
+      Log.logger.debug "Waiting for changeset to be created"
+      @client.wait_until :change_set_create_complete, change_set_name: change_set_id
+    end
+
+    def execute_change_set(change_set_id)
+      Log.logger.debug "Executing the changeset"
+      stack = @client.execute_change_set({
+        change_set_name: change_set_id
+      })
+    end
+
+    def wait_for_execute(change_set_type)
+      waiter = change_set_type == 'CREATE' ? :stack_create_complete : :stack_update_complete
+      Log.logger.info "Waiting for changeset to #{change_set_type}"
+      resp = @client.wait_until waiter, stack_name: @stack_name
+    end
+
+  end
+end

data/lib/cfnvpn/config.rb

@@ -0,0 +1,77 @@
+require 'cfnvpn/clientvpn'
+require 'cfnvpn/ssm'
+require 'cfnvpn/log'
+
+module CfnVpn
+  class Config < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+
+    argument :name
+
+    class_option :profile, desc: 'AWS Profile'
+    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :force, default: false, type: :boolean, desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def create_config_directory
+      @home_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @config_dir = "#{@home_dir}/config"
+      Log.logger.debug("Creating config directory #{@config_dir}")
+      FileUtils.mkdir_p(@config_dir)
+    end
+
+    def download_config
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      Log.logger.info "downloading client config for #{@endpoint_id}"
+      @config = vpn.get_config(@endpoint_id)
+    end
+
+    def download_certificate
+      ssm = CfnVpn::SSM.new(@name,@options['region'],@home_dir)
+      cert_body = ssm.get_parameter("#{@name}.crt")
+      if cert_body
+        cert = CfnVpn::Certificates.new(@home_dir,@name)
+        cert.write_certificate(cert_body,"#{@name}.crt",@options['force'])
+        Log.logger.info "downloaded client certificate #{@name}.crt"
+      else
+        Log.logger.error "unable to find client certificate #{@name}.crt"
+      end
+    end
+
+    def download_key
+      ssm = CfnVpn::SSM.new(@name,@options['region'],@home_dir)
+      cert_body = ssm.get_parameter("#{@name}.key")
+      if cert_body
+        cert = CfnVpn::Certificates.new(@home_dir,@name)
+        cert.write_certificate(cert_body,"#{@name}.key",@options['force'])
+        Log.logger.info "downloaded client key #{@name}.key"
+      else
+        Log.logger.error "unable to find client certificate #{@name}.crt"
+      end
+    end
+
+    def alter_config
+      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
+      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
+      @config.concat("\n\ncert #{@config_dir}/#{@name}.crt")
+      @config.concat("\nkey #{@config_dir}/#{@name}.key\n")
+    end
+
+    def write_config
+      config_file = "#{@config_dir}/#{@name}.ovpn"
+      File.write(config_file, @config)
+      Log.logger.info "downloaded client config #{config_file}"
+    end
+
+  end
+end

data/lib/cfnvpn/init.rb

@@ -0,0 +1,93 @@
+require 'thor'
+require 'fileutils'
+require 'cfnvpn/cloudformation'
+require 'cfnvpn/certificates'
+require 'cfnvpn/cfhighlander'
+require 'cfnvpn/cloudformation'
+require 'cfnvpn/log'
+require 'cfnvpn/clientvpn'
+
+module CfnVpn
+  class Init < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+
+    argument :name
+
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+
+    class_option :server_cn, required: true, desc: 'server certificate common name'
+    class_option :client_cn, desc: 'client certificate common name'
+
+    class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
+    class_option :cidr, default: '10.250.0.0/16', desc: 'cidr from which to assign client IP addresses'
+
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+
+    def create_build_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      Log.logger.debug "creating directory #{@build_dir}"
+      FileUtils.mkdir_p(@build_dir)
+    end
+
+    def initialize_config
+      @config = {}
+      @config['subnet_id'] = @options['subnet_id']
+      @config['cidr'] = @options['cidr']
+    end
+
+    def stack_exist
+      @cfn = CfnVpn::Cloudformation.new(@options['region'],@name)
+      if @cfn.does_cf_stack_exist()
+        Log.logger.error "#{@name}-cfnvpn stack already exists in this account in region #{@options['region']}"
+        exit 1
+      end
+    end
+
+    # create certificates
+    def generate_server_certificates
+      Log.logger.info "Generating certificates using openvpn easy-rsa"
+      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      @client_cn = @options['client_cn'] ? @options['client_cn'] : "#{@name}.#{@options['server_cn']}"
+      Log.logger.debug cert.generate(@options['server_cn'],@client_cn)
+    end
+
+    def upload_certificates
+      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      @config['server_cert_arn'] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
+      @config['client_cert_arn'] = cert.upload_certificates(@options['region'],@client_cn,'client')
+      cert.store_certificate(@options['region'],"#{@client_cn}.crt")
+      cert.store_certificate(@options['region'],"#{@client_cn}.key")
+    end
+
+    def deploy_vpn
+      template('templates/cfnvpn.cfhighlander.rb.tt', "#{@build_dir}/#{@name}.cfhighlander.rb", @config)
+      Log.logger.debug "Generating cloudformation from #{@build_dir}/#{@name}.cfhighlander.rb"
+      cfhl = CfnVpn::CfHiglander.new(@options['region'],@name,@config,@build_dir)
+      template_path = cfhl.render()
+      Log.logger.debug "Cloudformation template #{template_path} generated and validated"
+      Log.logger.info "Launching cloudformation stack #{@name}-cfnvpn in #{@options['region']}"
+      cfn = CfnVpn::Cloudformation.new(@options['region'],@name)
+      change_set, change_set_type = cfn.create_change_set(template_path)
+      cfn.wait_for_changeset(change_set.id)
+      cfn.execute_change_set(change_set.id)
+      cfn.wait_for_execute(change_set_type)
+      Log.logger.debug "Changeset #{change_set_type} complete"
+    end
+
+    def finish
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      Log.logger.info "Client VPN #{@endpoint_id} created. Run `cfn-vpn config #{@name}` to setup the client config"
+    end
+
+  end
+end

data/lib/cfnvpn/log.rb

@@ -0,0 +1,38 @@
+require 'logger'
+
+module CfnVpn
+  module Log
+
+    def self.colors
+      @colors ||= {
+        ERROR: 31, # red
+        WARN: 33, # yellow
+        INFO: 0,
+        DEBUG: 32 # grenn
+      }
+    end
+
+    def self.logger
+      if @logger.nil?
+        @logger = Logger.new(STDOUT)
+        @logger.level = Logger::INFO
+        @logger.formatter = proc do |severity, datetime, progname, msg|
+          "\e[#{colors[severity.to_sym]}m#{severity}: - #{msg}\e[0m\n"
+        end
+      end
+      @logger
+    end
+
+    def self.logger=(logger)
+      @logger = logger
+    end
+
+    levels = %w(debug info warn error fatal)
+    levels.each do |level|
+      define_method("#{level.to_sym}") do |msg|
+        self.logger.send(level, msg)
+      end
+    end
+
+  end
+end

data/lib/cfnvpn/ssm.rb

@@ -0,0 +1,50 @@
+require 'aws-sdk-ssm'
+require 'fileutils'
+require 'cfnvpn/log'
+
+module CfnVpn
+  class SSM
+    include CfnVpn::Log
+
+    def initialize(name,region,cert_dir)
+      @name = name
+      @cert_dir = cert_dir
+      @path_prefix = "/cfnvpn/#{@name}"
+      @client = Aws::SSM::Client.new(region: region)
+    end
+
+    def get_parameter(cert)
+      begin
+        resp = @client.get_parameter({
+          name: "#{@path_prefix}/#{cert}",
+          with_decryption: true
+        })
+      rescue Aws::SSM::Errors::ParameterNotFound
+        Log.logger.debug("Parameter #{@path_prefix}/#{cert} not found")
+        return false
+      end
+      Log.logger.debug("found parameter #{@path_prefix}/#{cert}")
+      return resp.parameter.value
+    end
+
+    def put_parameter(cert)
+      certificate = File.read("#{@cert_dir}/#{cert}")
+      Log.logger.debug("Reading certificate #{@cert_dir}/#{cert}")
+      ext = cert.split('.').last
+      @client.put_parameter({
+        name: "#{@path_prefix}/#{@name}.#{ext}",
+        description: "cfn-vpn #{@name} #{cert}",
+        value: certificate,
+        type: "SecureString",
+        overwrite: false,
+        tags: [
+          { key: "cfnvpn:name", value: @name },
+          { key: "cfnvpn:certificate", value: cert }
+        ],
+        tier: "Advanced",
+      })
+      Log.logger.info("Stored #{cert} in ssm parameter #{@path_prefix}/#{@name}.#{ext}")
+    end
+
+  end
+end

data/lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt

@@ -0,0 +1,14 @@
+CfhighlanderTemplate do
+
+  Parameters do
+    ComponentParam 'EnvironmentName', '<%= @name %>'
+  end
+
+  Component template: 'client-vpn', name: 'vpn', render: Inline do
+    parameter name: 'AssociationSubnetId', value: '<%= @config['subnet_id'] %>'
+    parameter name: 'ClientCidrBlock', value: '<%= @config['cidr'] %>'
+    parameter name: 'ClientCertificateArn', value: '<%= @config['client_cert_arn'] %>'
+    parameter name: 'ServerCertificateArn', value: '<%= @config['server_cert_arn'] %>'
+  end
+
+end

data/lib/cfnvpn/version.rb

@@ -0,0 +1,4 @@
+module CfnVpn
+  VERSION = "0.1.0".freeze
+  CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
+end

metadata

@@ -0,0 +1,231 @@
+--- !ruby/object:Gem::Specification
+name: cfn-vpn
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Guslington
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-06-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: cfhighlander
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: cfndsl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ec2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.95'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.95'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-acm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-ssm
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-cloudformation
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: creates and manages resources for the aws client vpn
+email:
+- guslington@gmail.com
+executables:
+- cfn-vpn
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- cfn-vpn.gemspec
+- exe/cfn-vpn
+- lib/cfnvpn.rb
+- lib/cfnvpn/acm.rb
+- lib/cfnvpn/certificates.rb
+- lib/cfnvpn/cfhighlander.rb
+- lib/cfnvpn/clientvpn.rb
+- lib/cfnvpn/cloudformation.rb
+- lib/cfnvpn/config.rb
+- lib/cfnvpn/init.rb
+- lib/cfnvpn/log.rb
+- lib/cfnvpn/ssm.rb
+- lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt
+- lib/cfnvpn/version.rb
+homepage: https://github.com/base2services/aws-client-vpn
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/base2services/aws-client-vpn
+  source_code_uri: https://github.com/base2services/aws-client-vpn
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: creates and manages resources for the aws client vpn
+test_files: []