cfn-vpn 0.5.0.2 → 0.5.1
- checksums.yaml +4 -4
- data/.travis.yml +17 -0
- data/Dockerfile +8 -9
- data/Gemfile.lock +30 -39
- data/README.md +15 -0
- data/lib/cfnvpn/certificates.rb +0 -59
- data/lib/cfnvpn/cloudformation.rb +3 -3
- data/lib/cfnvpn/modify.rb +9 -9
- data/lib/cfnvpn/version.rb +1 -1
- data/lib/cfnvpn.rb +0 -4
- metadata +5 -7
- data/.github/workflows/build-gem.yml +0 -28
- data/.github/workflows/release-gem.yml +0 -34
- data/.github/workflows/release-image.yml +0 -33
- data/lib/cfnvpn/renew_certificate.rb +0 -123
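--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a41e3f9d96119e2dd991397c46dd76a4b2a3512b96019ca0a26882423ffd4d58
+data.tar.gz: ed90e797f95c1a36cdbc740102bd8f764f1168b3fa13cfb0b30cd76b57d857dd
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 739c501d83e59f546eff20f0e6e5f1e4cbe521ee744b469eaa686209738c561c8fc06168354ad110647525e6074919387b8fe46bce6d652d5a52a583d787d0f2
+data.tar.gz: 7ec851a23a53e3f6d670fde5fd7348fe4f23f3b01c372efb3bc1487682514555a57a9b173f273e46b3808c8878b4589a6350ce7fc6c2471c5c5273139fbb437c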
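--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -0,0 +1,17 @@
+sudo: required
+dist: trusty
+language: ruby
+rvm:
+- 2.5
+script:
+- bundle install
+- gem build cfn-vpn.gemspec
+- gem install cfn-vpn-*.gem
+- cfn-vpn help
+deploy:
+provider: rubygems
+api_key: "${RUBYGEMS_API_KEY}"
+gem: cfn-vpn
+on:
+all_branches: true
+condition: $TRAVIS_BRANCH =~ ^develop|master && $TRAVIS_EVENT_TYPE =~ ^push|api$ && $TRAVIS_REPO_SLUG == "base2services/aws-client-vpn"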
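Review bot: The deploy gate on the last line uses an unanchored alternation, `$TRAVIS_BRANCH =~ ^develop|master`, which matches any branch name containing `master` (and any name starting with `develop`), so together with `all_branches: true` a push to a branch such as `feature-master` would also publish to RubyGems; anchor both alternatives, `condition: $TRAVIS_BRANCH =~ ^(develop|master)$ && $TRAVIS_EVENT_TYPE =~ ^(push|api)$ && $TRAVIS_REPO_SLUG == "base2services/aws-client-vpn"`. The repository slug names `aws-client-vpn` while everything else in this diff builds the `cfn-vpn` gem, so it is worth confirming the slug is still the one this gem is released from. The publishing key is passed as an interpolated `${RUBYGEMS_API_KEY}` environment variable; Travis' encrypted `secure:` form for `api_key` would bind the secret to this repository's configuration rather than to whatever the build environment exports.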
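--- a/data/Dockerfile
+++ b/data/Dockerfile
@@ -1,15 +1,14 @@
-FROM ruby:2.7
+FROM ruby:2.7-alpine
 
-RUN
-
-
-git \
+RUN apk add --no-cache easy-rsa git \
+# Hack until easy-rsa 3.0.7 is released https://github.com/OpenVPN/easy-rsa/issues/261
+&& sed -i 's/^RANDFILE\s*=\s\$ENV.*/#&/' /usr/share/easy-rsa/openssl-easyrsa.cnf \
 && ln -s /usr/share/easy-rsa/easyrsa /usr/bin/
 
 ENV EASYRSA=/usr/share/easy-rsa
 ENV EASYRSA_BATCH=yes
 
-ARG CFNVPN_VERSION="
+ARG CFNVPN_VERSION="0.5.0"
 
 COPY . /src
 
@@ -18,9 +17,9 @@ WORKDIR /src
 RUN gem build cfn-vpn.gemspec \
 && gem install cfn-vpn-${CFNVPN_VERSION}.gem \
 && rm -rf /src
-
-RUN addgroup
-adduser
+
+RUN addgroup -g 1000 cfnvpn && \
+adduser -D -u 1000 -G cfnvpn cfnvpn
 
 USER cfnvpn
 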
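Review bot: `ARG CFNVPN_VERSION="0.5.0"` on new line 11 does not match the version this same diff records in the gem metadata (`version: 0.5.1`), so `gem install cfn-vpn-${CFNVPN_VERSION}.gem` in the second hunk would look for a gem file that `gem build` did not produce unless every build overrides the argument; either set the default to the released version or read it from `lib/cfnvpn/version.rb` in the build step so the two cannot drift. `apk add --no-cache easy-rsa git` is unpinned, and combined with the `sed` edit of `openssl-easyrsa.cnf` (a workaround tied to a specific easy-rsa release) the image's behaviour depends on whatever the Alpine repository ships on build day; pinning the package versions would make the image reproducible and make it obvious when the workaround can be dropped. Separately, the lockfile in this change pins `cfn-vpn (0.2.0)` and the metadata is dated 2020-05-18, which reads more like older content than a successor to 0.5.0.2 — worth confirming before consuming this release.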
data/Gemfile.lock
CHANGED
@@ -1,75 +1,66 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
cfn-vpn (0.
|
4
|
+
cfn-vpn (0.2.0)
|
5
5
|
aws-sdk-acm (~> 1, < 2)
|
6
6
|
aws-sdk-cloudformation (~> 1, < 2)
|
7
7
|
aws-sdk-ec2 (~> 1.95, < 2)
|
8
8
|
aws-sdk-s3 (~> 1, < 2)
|
9
9
|
cfhighlander (~> 0.9, < 1)
|
10
|
-
|
10
|
+
cfndsl (~> 0.17, < 1)
|
11
11
|
terminal-table (~> 1, < 2)
|
12
12
|
thor (~> 0.20)
|
13
13
|
|
14
14
|
GEM
|
15
15
|
remote: https://rubygems.org/
|
16
16
|
specs:
|
17
|
-
|
18
|
-
|
19
|
-
aws-
|
20
|
-
|
21
|
-
aws-sdk-acm (1.55.0)
|
22
|
-
aws-sdk-core (~> 3, >= 3.165.0)
|
17
|
+
aws-eventstream (1.0.3)
|
18
|
+
aws-partitions (1.253.0)
|
19
|
+
aws-sdk-acm (1.23.0)
|
20
|
+
aws-sdk-core (~> 3, >= 3.56.0)
|
23
21
|
aws-sigv4 (~> 1.1)
|
24
|
-
aws-sdk-cloudformation (1.
|
25
|
-
aws-sdk-core (~> 3, >= 3.
|
22
|
+
aws-sdk-cloudformation (1.29.0)
|
23
|
+
aws-sdk-core (~> 3, >= 3.71.0)
|
26
24
|
aws-sigv4 (~> 1.1)
|
27
|
-
aws-sdk-core (3.
|
28
|
-
aws-eventstream (~> 1, >= 1.0.2)
|
29
|
-
aws-partitions (~> 1, >= 1.
|
30
|
-
aws-sigv4 (~> 1.5)
|
31
|
-
jmespath (~> 1, >= 1.6.1)
|
32
|
-
aws-sdk-ec2 (1.364.0)
|
33
|
-
aws-sdk-core (~> 3, >= 3.165.0)
|
25
|
+
aws-sdk-core (3.85.1)
|
26
|
+
aws-eventstream (~> 1.0, >= 1.0.2)
|
27
|
+
aws-partitions (~> 1, >= 1.239.0)
|
34
28
|
aws-sigv4 (~> 1.1)
|
35
|
-
|
36
|
-
|
29
|
+
jmespath (~> 1.0)
|
30
|
+
aws-sdk-ec2 (1.124.0)
|
31
|
+
aws-sdk-core (~> 3, >= 3.71.0)
|
37
32
|
aws-sigv4 (~> 1.1)
|
38
|
-
aws-sdk-
|
39
|
-
aws-sdk-core (~> 3, >= 3.
|
33
|
+
aws-sdk-kms (1.27.0)
|
34
|
+
aws-sdk-core (~> 3, >= 3.71.0)
|
35
|
+
aws-sigv4 (~> 1.1)
|
36
|
+
aws-sdk-s3 (1.59.0)
|
37
|
+
aws-sdk-core (~> 3, >= 3.83.0)
|
40
38
|
aws-sdk-kms (~> 1)
|
41
|
-
aws-sigv4 (~> 1.
|
42
|
-
aws-sigv4 (1.
|
43
|
-
aws-eventstream (~> 1, >= 1.0.2)
|
44
|
-
cfhighlander (0.
|
39
|
+
aws-sigv4 (~> 1.1)
|
40
|
+
aws-sigv4 (1.1.0)
|
41
|
+
aws-eventstream (~> 1.0, >= 1.0.2)
|
42
|
+
cfhighlander (0.10.7)
|
45
43
|
aws-sdk-cloudformation (~> 1, < 2)
|
46
44
|
aws-sdk-core (~> 3, < 4)
|
47
45
|
aws-sdk-ec2 (~> 1, < 2)
|
48
46
|
aws-sdk-s3 (~> 1, < 2)
|
49
|
-
cfndsl (
|
47
|
+
cfndsl (= 0.17.2)
|
50
48
|
duplicate (~> 1.1)
|
51
49
|
git (~> 1.4, < 2)
|
52
50
|
highline (>= 1.7.10, < 1.8)
|
53
51
|
rubyzip (>= 2.0.0, < 3)
|
54
52
|
thor (~> 0.20, < 1)
|
55
|
-
cfndsl (
|
56
|
-
hana (~> 1.3)
|
53
|
+
cfndsl (0.17.2)
|
57
54
|
duplicate (1.1.1)
|
58
|
-
git (1.
|
59
|
-
addressable (~> 2.8)
|
60
|
-
rchardet (~> 1.8)
|
61
|
-
hana (1.3.7)
|
55
|
+
git (1.5.0)
|
62
56
|
highline (1.7.10)
|
63
|
-
jmespath (1.
|
64
|
-
netaddr (2.0.4)
|
65
|
-
public_suffix (5.0.1)
|
57
|
+
jmespath (1.4.0)
|
66
58
|
rake (10.5.0)
|
67
|
-
|
68
|
-
rubyzip (2.3.2)
|
59
|
+
rubyzip (2.0.0)
|
69
60
|
terminal-table (1.8.0)
|
70
61
|
unicode-display_width (~> 1.1, >= 1.1.1)
|
71
62
|
thor (0.20.3)
|
72
|
-
unicode-display_width (1.
|
63
|
+
unicode-display_width (1.6.0)
|
73
64
|
|
74
65
|
PLATFORMS
|
75
66
|
ruby
|
@@ -80,4 +71,4 @@ DEPENDENCIES
|
|
80
71
|
rake (~> 10.0)
|
81
72
|
|
82
73
|
BUNDLED WITH
|
83
|
-
2.
|
74
|
+
2.0.1
|
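--- a/data/README.md
+++ b/data/README.md
@@ -16,11 +16,22 @@ Install `cfn-vpn` gem
 gem install cfn-vpn
 ```
 
+### easy-rsa
+
+**Option 1 - Docker**
+
 Install [docker](https://docs.docker.com/install/)
 
 Docker is required to generate the certificates required for the client vpn.
 The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) docker image. [repo](https://github.com/base2Services/ciinabox-containers/tree/master/easy-rsa)
 
+**Option 1 - local**
+
+If you would rather setup easy-rsa than install docker, you can use the `--easyrsa-local` flag when running the commands to use a local copy of easy-rsa, the binary just needs to be available in the `$PATH`. Install from [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa)
+
+
+### AWS Credentials
+
 Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
 
 ```bash
@@ -35,6 +46,10 @@ Optionally export the AWS region if not providing `--region` flag
 export AWS_REGION="us-east-1"
 ```
 
+## Docker Image
+
+[base2/cfn-vpn](https://hub.docker.com/r/base2/cfn-vpn) docker image for usage in a pipeline which comes pre packaged with all dependencies.
+
 ## Scenarios
 
 For further AWS documentation please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario.html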
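--- a/data/lib/cfnvpn/certificates.rb
+++ b/data/lib/cfnvpn/certificates.rb
@@ -48,65 +48,6 @@ module CfnVpn
 end
 end
 
-def renew(server_cn,client_cn,expiry=nil)
-opts = ""
-unless expiry.nil?
-opts += "--days=#{expiry}"
-end
-
-if @easyrsa_local
-ENV["EASYRSA_REQ_CN"] = server_cn
-ENV["EASYRSA_PKI"] = @pki_dir
-system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
-system("easyrsa #{opts} renew server nopass")
-system("easyrsa #{opts} renew #{client_cn} nopass")
-FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
-system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
-else
-@docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-@docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-@docker_cmd << "-e EASYRSA_OPTS=\"#{opts}\""
-@docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-@docker_cmd << @easyrsa_image
-@docker_cmd << "sh -c 'renew'"
-CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
-end
-end
-
-def rebuild(server_cn,client_cn,expiry=nil)
-timestamp = Time.now.getutc.to_i
-opts = ""
-unless expiry.nil?
-opts += "--days=#{expiry}"
-end
-
-if @easyrsa_local
-ENV["EASYRSA_REQ_CN"] = server_cn
-ENV["EASYRSA_PKI"] = @pki_dir
-system("tar xzfv #{@cert_dir}/ca.tar.gz --directory #{@build_dir}")
-
-FileUtils.mv("#{@pki_dir}/reqs/server.req", "#{@pki_dir}/reqs/server.req.bak-#{timestamp}")
-FileUtils.mv("#{@pki_dir}/issued/server.crt", "#{@pki_dir}/issued/server.req.bak-#{timestamp}")
-FileUtils.mv("#{@pki_dir}/private/server.key", "#{@pki_dir}/private/server.req.bak-#{timestamp}")
-FileUtils.mv("#{@pki_dir}/reqs/#{client_cn}.req", "#{@pki_dir}/reqs/#{client_cn}.req.bak-#{timestamp}")
-FileUtils.mv("#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/issued/#{client_cn}.req.bak-#{timestamp}")
-FileUtils.mv("#{@pki_dir}/private/#{client_cn}.key", "#{@pki_dir}/private/#{client_cn}.req.bak-#{timestamp}")
-
-system("easyrsa #{opts} build-server-full server nopass")
-system("easyrsa #{opts} build-client-full #{client_cn} nopass")
-FileUtils.cp(["#{@pki_dir}/ca.crt", "#{@pki_dir}/issued/server.crt", "#{@pki_dir}/private/server.key", "#{@pki_dir}/issued/#{client_cn}.crt", "#{@pki_dir}/private/#{client_cn}.key"], @cert_dir)
-system("tar czfv #{@cert_dir}/ca.tar.gz -C #{@build_dir} pki/")
-else
-@docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-@docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-@docker_cmd << "-e EASYRSA_OPTS=\"#{opts}\""
-@docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
-@docker_cmd << @easyrsa_image
-@docker_cmd << "sh -c 'rebuild'"
-CfnVpn::Log.logger.debug `#{@docker_cmd.join(' ')}`
-end
-end
-
 def generate_client(client_cn)
 if @easyrsa_local
 ENV["EASYRSA_PKI"] = @pki_dir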
@@ -41,11 +41,11 @@ module CfnVpn
|
|
41
41
|
|
42
42
|
params.each do |param|
|
43
43
|
if !parameters[param[:parameter_key]].nil?
|
44
|
-
param[
|
45
|
-
param[
|
44
|
+
param[:parameter_value] = parameters[param[:parameter_key]]
|
45
|
+
param[:use_previous_value] = false
|
46
46
|
end
|
47
47
|
end
|
48
|
-
|
48
|
+
|
49
49
|
template_body = File.read(template_path)
|
50
50
|
Log.logger.debug "Creating changeset"
|
51
51
|
change_set = @client.create_change_set({
|
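Review bot: On new lines 43–45 the guard `if !parameters[param[:parameter_key]].nil?` reads more naturally as `unless parameters[param[:parameter_key]].nil?`, and the hash lookup is repeated on the next line; binding it once, `value = parameters[param[:parameter_key]]`, then `param[:parameter_value] = value`, avoids the duplication. A parameter that is absent (or present with a `nil` value) is skipped and its `use_previous_value` left as it was, which is presumably the intent; a one-line comment such as `# only override parameters that were explicitly supplied; the rest keep their previous stack value` would spare the next reader the inference. The enclosing method starts before this hunk. The page shows this hunk under the certificates.rb header, but by the diffstat (`cloudformation.rb +3 -3`) it belongs to `data/lib/cfnvpn/cloudformation.rb`.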
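--- a/data/lib/cfnvpn/modify.rb
+++ b/data/lib/cfnvpn/modify.rb
@@ -23,9 +23,9 @@ module CfnVpn
 class_option :cidr, desc: 'cidr from which to assign client IP addresses'
 class_option :dns_servers, desc: 'DNS Servers to push to clients.'
 
-class_option :split_tunnel, type: :boolean,
-class_option :internet_route, type: :boolean,
-class_option :protocol, type: :string,
+class_option :split_tunnel, type: :boolean, desc: 'only push routes to the client on the vpn endpoint'
+class_option :internet_route, type: :boolean, desc: 'create a default route to the internet'
+class_option :protocol, type: :string, enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
 
 def self.source_root
 File.dirname(__FILE__)
@@ -44,12 +44,12 @@ module CfnVpn
 def initialize_config
 @config = {}
 @config['parameters'] = {}
-@config['parameters']['AssociationSubnetId'] = @options['subnet_id']
-@config['parameters']['ClientCidrBlock'] = @options['cidr']
-@config['parameters']['DnsServers'] = @options['dns_servers']
-@config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s
-@config['parameters']['InternetRoute'] = @options['internet_route'].to_s
-@config['parameters']['Protocol'] = @options['protocol']
+@config['parameters']['AssociationSubnetId'] = @options['subnet_id'] unless @options['subnet_id'].nil?
+@config['parameters']['ClientCidrBlock'] = @options['cidr'] unless @options['cidr'].nil?
+@config['parameters']['DnsServers'] = @options['dns_servers'] unless @options['dns_servers'].nil?
+@config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s unless @options['split_tunnel'].nil?
+@config['parameters']['InternetRoute'] = @options['internet_route'].to_s unless @options['internet_route'].nil?
+@config['parameters']['Protocol'] = @options['protocol'] unless @options['protocol'].nil?
 @config['template_version'] = '0.2.0'
 end
 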
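Review bot: In `initialize_config` (second hunk) the six `unless @options[...].nil?` lines spell out the same option name twice each and repeat the same guard, which is easy to get subtly wrong when the next option is added; a single option-to-parameter table iterated once, with the two boolean options still passed through `to_s`, keeps the behaviour (including insertion order and the `"false"` string produced for `--no-split-tunnel`) and states the rule — only options that were actually passed are written — in one place. The first hunk's `enum: ['udp','tcp']` on `:protocol` is a good addition, since Thor rejects any other value at option-parse time instead of letting it reach the stack.

```ruby
def initialize_config
  @config = {}
  @config['parameters'] = {}
  # Options that were not passed on the command line are nil and are not written
  # to the parameters; the two boolean options are stringified as before.
  booleans = %w[split_tunnel internet_route]
  {
    'AssociationSubnetId' => 'subnet_id',
    'ClientCidrBlock' => 'cidr',
    'DnsServers' => 'dns_servers',
    'SplitTunnel' => 'split_tunnel',
    'InternetRoute' => 'internet_route',
    'Protocol' => 'protocol'
  }.each do |param, opt|
    value = @options[opt]
    next if value.nil?
    @config['parameters'][param] = booleans.include?(opt) ? value.to_s : value
  end
  @config['template_version'] = '0.2.0'
end
```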
data/lib/cfnvpn/version.rb
CHANGED
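--- a/data/lib/cfnvpn.rb
+++ b/data/lib/cfnvpn.rb
@@ -9,7 +9,6 @@ require 'cfnvpn/sessions'
 require 'cfnvpn/routes'
 require 'cfnvpn/share'
 require 'cfnvpn/embedded'
-require 'cfnvpn/renew_certificate'
 
 module CfnVpn
 class Cli < Thor
@@ -22,9 +21,6 @@ module CfnVpn
 
 register CfnVpn::Init, 'init', 'init [name]', 'Create a AWS Client VPN'
 tasks["init"].options = CfnVpn::Init.class_options
-
-register CfnVpn::RenewCertificate, 'renew', 'renew [name]', 'Create a AWS Client VPN'
-tasks["renew"].options = CfnVpn::RenewCertificate.class_options
 
 register CfnVpn::Modify, 'modify', 'modify [name]', 'Modify your AWS Client VPN'
 tasks["modify"].options = CfnVpn::Modify.class_options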
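--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.1
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date:
+date: 2020-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: thor
@@ -194,10 +194,8 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/build-gem.yml"
-- ".github/workflows/release-gem.yml"
-- ".github/workflows/release-image.yml"
 - ".gitignore"
+- ".travis.yml"
 - Dockerfile
 - Gemfile
 - Gemfile.lock
@@ -219,7 +217,6 @@ files:
 - lib/cfnvpn/init.rb
 - lib/cfnvpn/log.rb
 - lib/cfnvpn/modify.rb
-- lib/cfnvpn/renew_certificate.rb
 - lib/cfnvpn/revoke.rb
 - lib/cfnvpn/routes.rb
 - lib/cfnvpn/s3.rb
@@ -249,7 +246,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
+rubyforge_project:
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: creates and manages resources for the aws client vpn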
@@ -1,28 +0,0 @@
|
|
1
|
-
name: test and build gem
|
2
|
-
on:
|
3
|
-
push:
|
4
|
-
branches: [ master ]
|
5
|
-
pull_request:
|
6
|
-
branches: [ master ]
|
7
|
-
|
8
|
-
jobs:
|
9
|
-
build:
|
10
|
-
name: test + build
|
11
|
-
runs-on: ubuntu-latest
|
12
|
-
|
13
|
-
steps:
|
14
|
-
- uses: actions/checkout@v3
|
15
|
-
|
16
|
-
- name: Set up ruby 2.7
|
17
|
-
uses: ruby/setup-ruby@v1
|
18
|
-
with:
|
19
|
-
ruby-version: 2.7
|
20
|
-
|
21
|
-
- name: rspec
|
22
|
-
run: |
|
23
|
-
gem install rspec
|
24
|
-
rspec
|
25
|
-
|
26
|
-
- name: build gem
|
27
|
-
run: |
|
28
|
-
gem build cfn-vpn.gemspec
|
@@ -1,34 +0,0 @@
|
|
1
|
-
name: release gem
|
2
|
-
|
3
|
-
on:
|
4
|
-
release:
|
5
|
-
types: [published]
|
6
|
-
|
7
|
-
jobs:
|
8
|
-
build:
|
9
|
-
name: Build + Publish Gem
|
10
|
-
runs-on: ubuntu-latest
|
11
|
-
|
12
|
-
steps:
|
13
|
-
- name: Check out the repo
|
14
|
-
uses: actions/checkout@v3
|
15
|
-
|
16
|
-
- name: Set up ruby 2.7
|
17
|
-
uses: ruby/setup-ruby@v1
|
18
|
-
with:
|
19
|
-
ruby-version: 2.7
|
20
|
-
|
21
|
-
- name: rspec
|
22
|
-
run: |
|
23
|
-
gem install rspec
|
24
|
-
rspec
|
25
|
-
|
26
|
-
- name: build gem
|
27
|
-
run: |
|
28
|
-
gem build cfn-vpn.gemspec
|
29
|
-
|
30
|
-
- name: Publish gem
|
31
|
-
uses: dawidd6/action-publish-gem@v1
|
32
|
-
with:
|
33
|
-
api_key: ${{secrets.RUBYGEMS_API_KEY}}
|
34
|
-
github_token: ${{secrets.GITHUB_TOKEN}}
|
@@ -1,33 +0,0 @@
|
|
1
|
-
name: release docker image
|
2
|
-
|
3
|
-
on:
|
4
|
-
release:
|
5
|
-
types: [published]
|
6
|
-
|
7
|
-
jobs:
|
8
|
-
build:
|
9
|
-
name: Build + Publish Container Image
|
10
|
-
runs-on: ubuntu-latest
|
11
|
-
|
12
|
-
steps:
|
13
|
-
- name: Check out the repo
|
14
|
-
uses: actions/checkout@v3
|
15
|
-
|
16
|
-
- name: Set up Docker Buildx
|
17
|
-
uses: docker/setup-buildx-action@v1
|
18
|
-
|
19
|
-
- name: Login to GitHub Container Repository
|
20
|
-
uses: docker/login-action@v1
|
21
|
-
with:
|
22
|
-
registry: ghcr.io
|
23
|
-
username: ${{ github.repository_owner }}
|
24
|
-
password: ${{ secrets.GHCR_PUSH_TOKEN }}
|
25
|
-
|
26
|
-
- name: Build and push Container Image to GitHub Container Repository
|
27
|
-
uses: docker/build-push-action@v3
|
28
|
-
with:
|
29
|
-
context: .
|
30
|
-
file: ./Dockerfile
|
31
|
-
push: true
|
32
|
-
tags: ghcr.io/base2services/cfnvpn:${{ github.event.release.tag_name }}
|
33
|
-
build-args: CFNVPN_VERSION=${{ github.event.release.tag_name }}
|
@@ -1,123 +0,0 @@
|
|
1
|
-
require 'thor'
|
2
|
-
require 'fileutils'
|
3
|
-
require 'cfnvpn/cloudformation'
|
4
|
-
require 'cfnvpn/certificates'
|
5
|
-
require 'cfnvpn/cfhighlander'
|
6
|
-
require 'cfnvpn/cloudformation'
|
7
|
-
require 'cfnvpn/log'
|
8
|
-
require 'cfnvpn/clientvpn'
|
9
|
-
require 'cfnvpn/globals'
|
10
|
-
|
11
|
-
module CfnVpn
|
12
|
-
class RenewCertificate < Thor::Group
|
13
|
-
include Thor::Actions
|
14
|
-
include CfnVpn::Log
|
15
|
-
|
16
|
-
argument :name
|
17
|
-
|
18
|
-
class_option :profile, aliases: :p, desc: 'AWS Profile'
|
19
|
-
class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
|
20
|
-
class_option :verbose, desc: 'set log level to debug', type: :boolean
|
21
|
-
|
22
|
-
class_option :server_cn, required: true, desc: 'server certificate common name'
|
23
|
-
class_option :client_cn, desc: 'client certificate common name'
|
24
|
-
class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
|
25
|
-
class_option :certificate_expiry, type: :string, desc: 'value in days for when the server certificates expire, defaults to 825 days'
|
26
|
-
class_option :rebuild, type: :boolean, default: false, desc: 'generates new certificates from the existing CA for certiciate type VPNs'
|
27
|
-
class_option :bucket, required: true, desc: 's3 bucket'
|
28
|
-
|
29
|
-
def self.source_root
|
30
|
-
File.dirname(__FILE__)
|
31
|
-
end
|
32
|
-
|
33
|
-
def set_loglevel
|
34
|
-
Log.logger.level = Logger::DEBUG if @options['verbose']
|
35
|
-
end
|
36
|
-
|
37
|
-
def create_build_directory
|
38
|
-
@build_dir = "#{CfnVpn.cfnvpn_path}/#{@name}"
|
39
|
-
@cert_dir = "#{@build_dir}/certificates"
|
40
|
-
Log.logger.debug "creating directory #{@cert_dir}"
|
41
|
-
FileUtils.mkdir_p(@cert_dir)
|
42
|
-
end
|
43
|
-
|
44
|
-
def initialize_config
|
45
|
-
@config = {}
|
46
|
-
@config['parameters'] = {}
|
47
|
-
@config['template_version'] = '0.2.0'
|
48
|
-
end
|
49
|
-
|
50
|
-
def stack_exist
|
51
|
-
@cfn = CfnVpn::Cloudformation.new(@options['region'],@name)
|
52
|
-
if !@cfn.does_cf_stack_exist()
|
53
|
-
Log.logger.error "#{@name}-cfnvpn stack doesn't exists in this account in region #{@options['region']}\n Try running `cfn-vpn init #{@name}` to setup the stack"
|
54
|
-
exit 1
|
55
|
-
end
|
56
|
-
end
|
57
|
-
|
58
|
-
def set_client_cn
|
59
|
-
@client_cn = @options['client_cn'] ? @options['client_cn'] : "client-vpn.#{@options['server_cn']}"
|
60
|
-
end
|
61
|
-
|
62
|
-
# create certificates
|
63
|
-
def generate_server_certificates
|
64
|
-
s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
|
65
|
-
s3.get_object("#{@cert_dir}/ca.tar.gz")
|
66
|
-
cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
|
67
|
-
if @options['rebuild']
|
68
|
-
Log.logger.info "rebuilding certificates using openvpn easy-rsa"
|
69
|
-
cert.rebuild(@options['server_cn'],@client_cn,@options['certificate_expiry'])
|
70
|
-
else
|
71
|
-
Log.logger.info "renewing certificates using openvpn easy-rsa"
|
72
|
-
cert.renew(@options['server_cn'],@client_cn,@options['certificate_expiry'])
|
73
|
-
end
|
74
|
-
end
|
75
|
-
|
76
|
-
def upload_certificates
|
77
|
-
cert = CfnVpn::Certificates.new(@build_dir,@name,@options['easyrsa_local'])
|
78
|
-
@config['parameters']['ServerCertificateArn'] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
|
79
|
-
@config['parameters']['ClientCertificateArn'] = cert.upload_certificates(@options['region'],@client_cn,'client')
|
80
|
-
s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
|
81
|
-
s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
|
82
|
-
end
|
83
|
-
|
84
|
-
def deploy_vpn
|
85
|
-
template('templates/cfnvpn.cfhighlander.rb.tt', "#{@build_dir}/#{@name}.cfhighlander.rb", @config, force: true)
|
86
|
-
Log.logger.debug "Generating cloudformation from #{@build_dir}/#{@name}.cfhighlander.rb"
|
87
|
-
cfhl = CfnVpn::CfHiglander.new(@options['region'],@name,@config,@build_dir)
|
88
|
-
template_path = cfhl.render()
|
89
|
-
Log.logger.debug "Cloudformation template #{template_path} generated and validated"
|
90
|
-
|
91
|
-
Log.logger.info "Modifying cloudformation stack #{@name}-cfnvpn in #{@options['region']}"
|
92
|
-
cfn = CfnVpn::Cloudformation.new(@options['region'],@name)
|
93
|
-
change_set, change_set_type = cfn.create_change_set(template_path,@config['parameters'])
|
94
|
-
cfn.wait_for_changeset(change_set.id)
|
95
|
-
changes = cfn.get_change_set(change_set.id)
|
96
|
-
|
97
|
-
Log.logger.warn("The following changes to the cfnvpn stack will be made")
|
98
|
-
changes.changes.each do |change|
|
99
|
-
Log.logger.warn("ID: #{change.resource_change.logical_resource_id} Action: #{change.resource_change.action}")
|
100
|
-
change.resource_change.details.each do |details|
|
101
|
-
Log.logger.warn("Name: #{details.target.name} Attribute: #{details.target.attribute} Cause: #{details.causing_entity}")
|
102
|
-
end
|
103
|
-
end
|
104
|
-
|
105
|
-
continue = yes? "Continue?", :green
|
106
|
-
if !continue
|
107
|
-
Log.logger.error("Cancelled cfn-vpn modifiy #{@name}")
|
108
|
-
exit 1
|
109
|
-
end
|
110
|
-
|
111
|
-
cfn.execute_change_set(change_set.id)
|
112
|
-
cfn.wait_for_execute(change_set_type)
|
113
|
-
Log.logger.debug "Changeset #{change_set_type} complete"
|
114
|
-
end
|
115
|
-
|
116
|
-
def finish
|
117
|
-
vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
|
118
|
-
@endpoint_id = vpn.get_endpoint_id()
|
119
|
-
Log.logger.info "Client VPN #{@endpoint_id} modified."
|
120
|
-
end
|
121
|
-
|
122
|
-
end
|
123
|
-
end
|