cfn-vpn 1.1.1 → 1.2.0
- checksums.yaml +4 -4
- data/docs/getting-started.md +34 -5
- data/lib/cfnvpn/actions/init.rb +12 -2
- data/lib/cfnvpn/actions/modify.rb +1 -1
- data/lib/cfnvpn/templates/vpn.rb +9 -0
- data/lib/cfnvpn/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 0faff982b39ef508e55845e2861754915ecca87a1db0df635eb75c718850c096
|
4
|
+
data.tar.gz: 6956ade9846ca34dab966f382f2c707921acd982be8d04f8f6fac47951a2ae44
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0dcb165737f775d3a8bb9c9dd649544c801ee397a5e2cb0c800e40de0a88b221b05e3bfd4e8346a0b4287c8f0076462c02715c16c0703ffdd083005d062294e3
|
7
|
+
data.tar.gz: a83c04ff87f444e440ea7cb1e99b835a380fb7c92d48013d59e653dec8e00b56d35fd1075f88cfe5d94a81d6766cab3089dd47678e6b9b3f6d00490129db7b9b
|
data/docs/getting-started.md
CHANGED
@@ -38,20 +38,26 @@ Optionally export the AWS region if not providing `--region` flag
|
|
38
38
|
export AWS_REGION="us-east-1"
|
39
39
|
```
|
40
40
|
|
41
|
-
|
41
|
+
|
42
|
+
## Initializing CfnVpn
|
42
43
|
|
43
44
|
to launch a new CfnVpn stack run the `init` command along with the options.
|
44
45
|
|
45
46
|
### Certificate Authenticated VPN
|
46
47
|
|
47
|
-
|
48
|
+
This is the default option when launching a ClientVPN using certificated based authentication. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual
|
49
|
+
|
50
|
+
The following command and required options will launch a new certificate based Client-VPN
|
48
51
|
|
49
52
|
```sh
|
50
53
|
cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn]
|
51
54
|
```
|
52
55
|
|
56
|
+
|
53
57
|
### Federated SAML Authenticated VPN
|
54
58
|
|
59
|
+
This option is for when you want to manage users through an external directory provider like AWS SSO, OKTA or AzureAD. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication
|
60
|
+
|
55
61
|
**Prerequisites:** Client-VPN requires a IAM SAML identity provider ARN, see the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) to create one.
|
56
62
|
|
57
63
|
The following command and required option will launch a new federated based Client-VPN
|
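Review bot: the added line under `### Certificate Authenticated VPN` reads "certificated based authentication"; it should be "certificate-based authentication". While touching this section, the surrounding pre-existing lines carry the same kind of typos and this docs pass is the natural place to fix them: `[list of subets to associate with the vpn]` in both `cfn-vpn init` commands, `[identity providor arn]` in the `--saml-arn` example, and "requires a IAM SAML identity provider ARN" in the prerequisites line.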
@@ -60,18 +66,41 @@ The following command and required option will launch a new federated based Clie
|
|
60
66
|
cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
|
61
67
|
```
|
62
68
|
|
63
|
-
The default authorization rule for the associated
|
69
|
+
The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
|
64
70
|
|
65
71
|
```sh
|
66
72
|
cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
|
67
73
|
```
|
68
74
|
|
69
|
-
|
75
|
+
**AWS SSO**
|
76
|
+
|
77
|
+
If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
|
78
|
+
|
79
|
+
|
80
|
+
### AWS Directory Services Authenticated VPN
|
81
|
+
|
82
|
+
This option integrates Microsoft Active Directory or Simple AD through AWS Directory Service with AWS Client VPN.
|
83
|
+
|
84
|
+
The following command and required option will launch a new directory service based Client-VPN
|
85
|
+
|
86
|
+
```sh
|
87
|
+
cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
|
88
|
+
```
|
89
|
+
|
90
|
+
The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
|
91
|
+
|
92
|
+
```sh
|
93
|
+
cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
|
94
|
+
```
|
95
|
+
|
96
|
+
See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
|
97
|
+
|
98
|
+
## Subnet Associations and Authorization
|
70
99
|
|
71
100
|
AWS ClientVPN requires one or more subnets to be associated with the vpn. These subnets setup the default routes and by default cfn-vpn creates a allow all auth for the default routes.
|
72
101
|
When using a federated ClientVPN you can modify the default auth to only allow specific groups by setting the groups in the `--default-groups` flag. This can also be modified later using the `modify` command.
|
73
102
|
|
74
|
-
## Additional
|
103
|
+
## Additional Initializing Options
|
75
104
|
|
76
105
|
```
|
77
106
|
Options:
|
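Review bot: both new `cfn-vpn init simple-ad ... --directory-id [aws directirory serivce id]` lines misspell "directory service", and they hard-code `simple-ad` as the stack name where every other example on the page uses the `[name]` placeholder; suggest `cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subnets to associate with the vpn] --directory-id [aws directory service id]`. The unchanged paragraph under `## Subnet Associations and Authorization` still says the default auth can be restricted "When using a federated ClientVPN"; since the new section documents the same `--default-groups` flag for directory-service VPNs (with Active Directory group IDs or SIDs), that sentence should now cover both authentication types.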
data/lib/cfnvpn/actions/init.rb
CHANGED
@@ -35,6 +35,7 @@ module CfnVpn::Actions
|
|
35
35
|
class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
|
36
36
|
|
37
37
|
class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
|
38
|
+
class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
|
38
39
|
|
39
40
|
def self.source_root
|
40
41
|
File.dirname(__FILE__)
|
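Review bot: the new `class_option :directory_id` declares no `type: :string` where `:stop` a few lines above does, so the two option styles are inconsistent; it would also help users to say in the `desc` that the flag is an alternative to `--saml-arn` rather than something to combine with it. The adjacent `:saml_arn` description misspells "identity provider" ("idenditiy providor") and could be fixed in the same change.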
@@ -62,13 +63,22 @@ module CfnVpn::Actions
|
|
62
63
|
start: @options['start'],
|
63
64
|
stop: @options['stop'],
|
64
65
|
saml_arn: @options['saml_arn'],
|
66
|
+
directory_id: @options['directory_id'],
|
65
67
|
routes: []
|
66
68
|
}
|
67
69
|
end
|
68
70
|
|
69
71
|
def set_type
|
70
|
-
|
71
|
-
|
72
|
+
if @options['saml_arn']
|
73
|
+
@config[:type] = 'federated'
|
74
|
+
@config[:default_groups] = @options['default_groups']
|
75
|
+
elsif @options['directory_id']
|
76
|
+
@config[:type] = 'active-directory'
|
77
|
+
@config[:default_groups] = @options['default_groups']
|
78
|
+
else
|
79
|
+
@config[:type] = 'certificate'
|
80
|
+
@config[:default_groups] = []
|
81
|
+
end
|
72
82
|
CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
|
73
83
|
end
|
74
84
|
|
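Review bot: `set_type` silently prefers `--saml-arn` when both `--saml-arn` and `--directory-id` are supplied, so a user who passes both gets a federated endpoint and the directory id is dropped with no message; fail fast with an error (or at least a logged warning) when both options are present. Minor: `@config[:default_groups] = @options['default_groups']` is duplicated in the federated and active-directory branches and could be hoisted above the `if`, with the certificate branch the only one forcing `[]`.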
data/lib/cfnvpn/templates/vpn.rb
CHANGED
@@ -36,6 +36,13 @@ module CfnVpn
|
|
36
36
|
},
|
37
37
|
Type: 'federated-authentication'
|
38
38
|
}
|
39
|
+
elsif config[:type] == 'active-directory'
|
40
|
+
{
|
41
|
+
ActiveDirectory: {
|
42
|
+
DirectoryId: config[:directory_id]
|
43
|
+
},
|
44
|
+
Type: 'directory-service-authentication'
|
45
|
+
}
|
39
46
|
else
|
40
47
|
{
|
41
48
|
MutualAuthentication: {
|
@@ -170,6 +177,8 @@ module CfnVpn
|
|
170
177
|
|
171
178
|
if config[:type] == 'federated'
|
172
179
|
output(:SamlArn, config[:saml_arn])
|
180
|
+
elsif config[:type] == 'active-directory'
|
181
|
+
output(:DirectoryId, config[:directory_id])
|
173
182
|
else
|
174
183
|
output(:ClientCertArn, config[:client_cert_arn])
|
175
184
|
end
|
data/lib/cfnvpn/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-vpn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Guslington
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-03-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|