cfn-vpn 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb42ae1b12eb544e6d2d54276bb387efb5383c2037502a2ec155fd41ad522221
-  data.tar.gz: c3e774c1baf08c3ca0cdca6dc7b11014191f69eb183b63fddd6bbb56be522362
+  metadata.gz: 0faff982b39ef508e55845e2861754915ecca87a1db0df635eb75c718850c096
+  data.tar.gz: 6956ade9846ca34dab966f382f2c707921acd982be8d04f8f6fac47951a2ae44
 SHA512:
-  metadata.gz: b7c73bf1fcd82cb53a571f3bf60223b8eff89183a7afca82beead5b1ceb422370165b3a39c08c90ccf823a64bca8560babbda4210079a4a7a3c2122f0edf2a79
-  data.tar.gz: 5e944fa67a1fee92a5a42bb2f6ae5117a9907443cca284dde9a49e25899fd719adc5e5e96e3a45095090e16e0f615b72348ddac24798a3d4636019c849f15d13
+  metadata.gz: 0dcb165737f775d3a8bb9c9dd649544c801ee397a5e2cb0c800e40de0a88b221b05e3bfd4e8346a0b4287c8f0076462c02715c16c0703ffdd083005d062294e3
+  data.tar.gz: a83c04ff87f444e440ea7cb1e99b835a380fb7c92d48013d59e653dec8e00b56d35fd1075f88cfe5d94a81d6766cab3089dd47678e6b9b3f6d00490129db7b9b

data/docs/getting-started.md

@@ -38,20 +38,26 @@ Optionally export the AWS region if not providing `--region` flag
 export AWS_REGION="us-east-1"
 ```
 
-## Initialising CfnVpn
+
+## Initializing CfnVpn
 
 to launch a new CfnVpn stack run the `init` command along with the options.
 
 ### Certificate Authenticated VPN
 
-The following command and required option will launch a new certificate based Client-VPN
+This is the default option when launching a ClientVPN using certificated based authentication. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual
+
+The following command and required options will launch a new certificate based Client-VPN
 
 ```sh
 cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn]
 ```
 
+
 ### Federated SAML Authenticated VPN
 
+This option is for when you want to manage users through an external directory provider like AWS SSO, OKTA or AzureAD. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication
+
 **Prerequisites:** Client-VPN requires a IAM SAML identity provider ARN, see the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) to create one.
 
 The following command and required option will launch a new federated based Client-VPN
@@ -60,18 +66,41 @@ The following command and required option will launch a new federated based Clie
 cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
 ```
 
-The default authorization rule for the associated subets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. 
+The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. 
 
 ```sh
 cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
 ```
 
-## Subnet Associations and Authorisation
+**AWS SSO**
+
+If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
+
+
+### AWS Directory Services Authenticated VPN
+
+This option integrates Microsoft Active Directory or Simple AD through AWS Directory Service with AWS Client VPN.
+
+The following command and required option will launch a new directory service based Client-VPN
+
+```sh
+cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
+```
+
+The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
+
+```sh
+cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
+```
+
+See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
+
+## Subnet Associations and Authorization
 
 AWS ClientVPN requires one or more subnets to be associated with the vpn. These subnets setup the default routes and by default cfn-vpn creates a allow all auth for the default routes.
 When using a federated ClientVPN you can modify the default auth to only allow specific groups by setting the groups in the `--default-groups` flag. This can also be modified later using the `modify` command.
 
-## Additional Initialising Options
+## Additional Initializing Options
 
 ```
 Options:

data/lib/cfnvpn/actions/init.rb

@@ -35,6 +35,7 @@ module CfnVpn::Actions
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
 
     class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+    class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
 
     def self.source_root
       File.dirname(__FILE__)
@@ -62,13 +63,22 @@ module CfnVpn::Actions
         start: @options['start'],
         stop: @options['stop'],
         saml_arn: @options['saml_arn'],
+        directory_id: @options['directory_id'],
         routes: []
       }
     end
 
     def set_type
-      @config[:type] = @options['saml_arn'] ? 'federated' : 'certificate'
-      @config[:default_groups] = @options['saml_arn'] ? @options['default_groups'] : []
+      if @options['saml_arn']
+        @config[:type] = 'federated'
+        @config[:default_groups] = @options['default_groups']
+      elsif @options['directory_id']
+        @config[:type] = 'active-directory'
+        @config[:default_groups] = @options['default_groups']
+      else
+        @config[:type] = 'certificate'
+        @config[:default_groups] = []
+      end
       CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
     end
 

data/lib/cfnvpn/actions/modify.rb

@@ -88,7 +88,7 @@ module CfnVpn::Actions
         end
       end
 
-      if @config[:saml_arn] && @options[:default_groups]
+      if (@config[:saml_arn] || @config[:directory_id]) && @options[:default_groups]
         @config[:default_groups] = @options[:default_groups]
       end
 

data/lib/cfnvpn/templates/vpn.rb

@@ -36,6 +36,13 @@ module CfnVpn
               },
               Type: 'federated-authentication'
             }
+          elsif config[:type] == 'active-directory'
+            {
+              ActiveDirectory: {
+                DirectoryId: config[:directory_id]
+              },
+              Type: 'directory-service-authentication'
+            }
           else
             {
               MutualAuthentication: {
@@ -170,6 +177,8 @@ module CfnVpn
 
         if config[:type] == 'federated'
           output(:SamlArn, config[:saml_arn])
+        elsif config[:type] == 'active-directory'
+          output(:DirectoryId, config[:directory_id])
         else
           output(:ClientCertArn, config[:client_cert_arn])
         end

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.1.1".freeze
+  VERSION = "1.2.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.2.0
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-02-15 00:00:00.000000000 Z
+date: 2021-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor