cfn-vpn 1.2.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0faff982b39ef508e55845e2861754915ecca87a1db0df635eb75c718850c096
-  data.tar.gz: 6956ade9846ca34dab966f382f2c707921acd982be8d04f8f6fac47951a2ae44
+  metadata.gz: e435821426e5e0e4cf69244013bf0ac1cd2ae030a024fb7b12827543f81c87af
+  data.tar.gz: 9c8f7968839a339966f5eb8aa9680c625764c326f84946eb8bcf08d6da818cd1
 SHA512:
-  metadata.gz: 0dcb165737f775d3a8bb9c9dd649544c801ee397a5e2cb0c800e40de0a88b221b05e3bfd4e8346a0b4287c8f0076462c02715c16c0703ffdd083005d062294e3
-  data.tar.gz: a83c04ff87f444e440ea7cb1e99b835a380fb7c92d48013d59e653dec8e00b56d35fd1075f88cfe5d94a81d6766cab3089dd47678e6b9b3f6d00490129db7b9b
+  metadata.gz: 305a236f13203b9ffd4d5d68fc6a87ff912700d3947420b02fa477b787f4c57768e9d4485c8a22bba354547449b3d39ef57811ee43a1d9093623ecad24b690ee
+  data.tar.gz: 82f8ba462728afb71fc18e886c20fee0d9a5ea201a071262b6ead3bd83549f4c5eb58495c0603ee1567c94da90d8a3290b9d37fcf05312e1922678db529dcb15

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (1.0.0)
+    cfn-vpn (1.2.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
@@ -9,46 +9,48 @@ PATH
       aws-sdk-ssm (~> 1, < 2)
       cfndsl (~> 1, < 2)
       netaddr (= 2.0.4)
+      rubyzip (~> 2.3)
       terminal-table (~> 1, < 2)
       thor (~> 0.20)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.1.0)
-    aws-partitions (1.390.0)
-    aws-sdk-acm (1.38.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-eventstream (1.1.1)
+    aws-partitions (1.432.0)
+    aws-sdk-acm (1.39.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-cloudformation (1.44.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-cloudformation (1.49.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.109.2)
+    aws-sdk-core (3.113.0)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.208.0)
+    aws-sdk-ec2 (1.220.0)
       aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.39.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-kms (1.43.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.84.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-s3 (1.91.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-ssm (1.97.0)
-      aws-sdk-core (~> 3, >= 3.109.0)
+    aws-sdk-ssm (1.104.0)
+      aws-sdk-core (~> 3, >= 3.112.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.2.2)
+    aws-sigv4 (1.2.3)
       aws-eventstream (~> 1, >= 1.0.2)
-    cfndsl (1.2.0)
+    cfndsl (1.3.1)
       hana (~> 1.3)
-    hana (1.3.6)
+    hana (1.3.7)
     jmespath (1.4.0)
     netaddr (2.0.4)
     rake (13.0.1)
+    rubyzip (2.3.0)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
@@ -63,4 +65,4 @@ DEPENDENCIES
   rake (~> 13.0)
 
 BUNDLED WITH
-   2.0.1
+   2.1.4

data/cfn-vpn.gemspec

@@ -37,6 +37,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfndsl', '~> 1', '<2'
   spec.add_dependency 'netaddr', '2.0.4'
+  spec.add_dependency 'rubyzip', '~> 2.3'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
   spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'

data/docs/README.md

@@ -31,7 +31,7 @@ dig @10.0.0.2 google.com
 
 ## Authentication Types
 
-`cfn-vpn` supports certificate and federated type authentication for AWS Client-VPN. It currently doesn't support Active Directory type authentication.
+`cfn-vpn` supports certificate, federated and active directory type authentication for AWS Client-VPN.
 For further information on the authentication types please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
 
 ## CfnVpn Documentation
@@ -41,4 +41,4 @@ For further information on the authentication types please visit https://docs.aw
 3. [Managing Certificate Users](certificate-users.md)
 4. [Managing Routes](routes.md)
 5. [Stop and Start Client-VPN](scheduling.md)
-6. [Managing Sessions](sessions.md)
+6. [Managing Sessions](sessions.md)

data/docs/routes.md

@@ -4,24 +4,34 @@ Management of the VPN routes can be altered using the `routes` command or by usi
 
 **Note:** The default route via subnet association cannot be modified through this command. Use the `modify` command to alter the subnet associations.
 
-## Routes Command
+CfnVpn can create static routes for CIDRs as well as dynamically lookup IPs for dns endpoints and continue to monitor and update the routes if the IPs change.
 
+```sh
+cfn-vpn help routes
+```
+
+## Dynamic DNS Routes
+
+Dynamic DNS routes takes a dns endpoint and will query the record every 5 minutes to see if the IPs have changed and update the routes.
+
+### Add New
+
+to add a new route run the routes command along with the `--dns` option
+
+```sh
+cfn-vpn routes [name] --dns example.com
 ```
-Options:
-  r, [--region=REGION]              # AWS Region
-                                    # Default: ap-southeast-2
-      [--verbose], [--no-verbose]   # set log level to debug
-      [--cidr=CIDR]                 # cidr range
-      [--subnet=SUBNET]             # the target vpc subnet to route through, if none is supplied the default subnet is used
-      [--desc=DESC]                 # description of the route
-      [--groups=one two three]      # override all authorised groups on thr route
-      [--add-groups=one two three]  # add authorised groups to an existing route
-      [--del-groups=one two three]  # remove authorised groups from an existing route
-      [--delete], [--no-delete]     # delete the route from the client vpn
-
-List, add or delete client vpn routes
+
+### Delete
+
+to delete a route run the routes command along with the `--dns` option of the route to delete and the delete option
+
+```sh
+cfn-vpn routes [name] --dns example.com --delete
 ```
 
+## Static CIDR Routes
+
 ### Add New
 
 to add a new route run the routes command along with the `--cidr` option
@@ -32,32 +42,32 @@ cfn-vpn routes [name] --cidr 10.151.0.0/16
 
 ### Delete
 
-to delete a  route run the routes command along with the `--cidr` option of the route to delete and the delete option
+to delete a route run the routes command along with the `--cidr` option of the route to delete and the delete option
 
 ```sh
 cfn-vpn routes [name] --cidr 10.151.0.0/16 --delete
 ```
 
-### Manage Authorization Groups
+## Manage Authorization Groups
 
-When using federated authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command.
+When using federated or active directory authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command. This is available for both DNS and CIDR routes
 
 To add groups to a new route or to override all groups on an exiting route use the `--groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --groups devs ops
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --groups devs ops
 ```
 
 To add groups to an existing route use the `--add-groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --add-groups admin
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --add-groups admin
 ```
 
 To delete groups from an existing route use the `--del-groups` options
 
 ```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --del-groups dev
+cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --del-groups dev
 ```
 
 ## Modify Command
@@ -75,6 +85,10 @@ routes:
   desc: route to prod peered vpc
   groups:
   - ops
+- cidr: example.com
+  desc: my dev alb
+  groups:
+  - dev
 ```
 
 run the `modify` command and supply the yaml file to apply the changes

data/lib/cfnvpn/actions/init.rb

@@ -6,6 +6,7 @@ require 'cfnvpn/compiler'
 require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
+require 'cfnvpn/s3_bucket'
 
 module CfnVpn::Actions
   class Init < Thor::Group
@@ -20,7 +21,7 @@ module CfnVpn::Actions
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
     class_option :easyrsa_local, type: :boolean, default: false, desc: 'run the easyrsa executable from your local rather than from docker'
-    class_option :bucket, desc: 's3 bucket'
+    class_option :bucket, desc: 's3 bucket, if not set one will be generated for you'
 
     class_option :subnet_ids, required: true, type: :array, desc: 'subnet id to associate your vpn with'
     class_option :default_groups, default: [], type: :array, desc: 'groups to allow through the subnet associations when using federated auth'
@@ -68,6 +69,18 @@ module CfnVpn::Actions
       }
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@options['bucket']
+        CfnVpn::Log.logger.info "creating s3 bucket"
+        bucket = CfnVpn::S3Bucket.new(@options['region'], @name)
+        bucket_name = bucket.generate_bucket_name
+        bucket.create_bucket(bucket_name)
+        @config[:bucket] = bucket_name
+      else
+        @config[:bucket] = @options['bucket']
+      end
+    end
+
     def set_type
       if @options['saml_arn']
         @config[:type] = 'federated'
@@ -82,15 +95,6 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.info "initialising #{@config[:type]} client vpn"
     end
 
-    def conditional_options_check
-      if @config[:type] == 'certificate'
-        if !@options['bucket']
-          CfnVpn::Log.logger.error "--bucket option must be specified if creating a client vpn with certificate based authentication"
-          exit 1
-        end
-      end
-    end
-
     def stack_exist
       @deployer = CfnVpn::Deployer.new(@options['region'],@name)
       if @deployer.does_cf_stack_exist()
@@ -114,7 +118,7 @@ module CfnVpn::Actions
          # we only need the server certificate to ACM if it is a SAML federated client vpn
         @config[:client_cert_arn] = cert.upload_certificates(@options['region'],@client_cn,'client')
         # and only need to upload the certs to s3 if using certificate authenitcation
-        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3 = CfnVpn::S3.new(@options['region'],@config[:bucket],@name)
         s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
       end
     end

data/lib/cfnvpn/actions/modify.rb

@@ -8,6 +8,7 @@ require 'cfnvpn/log'
 require 'cfnvpn/clientvpn'
 require 'cfnvpn/globals'
 require 'cfnvpn/config'
+require 'cfnvpn/s3_bucket'
 
 module CfnVpn::Actions
   class Modify < Thor::Group
@@ -38,6 +39,8 @@ module CfnVpn::Actions
 
     class_option :param_yaml, type: :string, desc: 'pass in cfnvpn params through YAML file'
 
+    class_option :bucket, desc: 's3 bucket'
+
     def self.source_root
       File.dirname(__FILE__)
     end
@@ -95,6 +98,23 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.debug "Modified config:\n#{@config}"
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@options['bucket'] && !@config.has_key?(:bucket)
+        if yes? "no s3 bucket supplied in the command or found in the config, select (Y) to generate a new one ot select (N) and re run teh command with the --bucket flag to import the existing bucket." 
+          CfnVpn::Log.logger.info "creating s3 bucket"
+          bucket = CfnVpn::S3Bucket.new(@options['region'], @name)
+          bucket_name = bucket.generate_bucket_name
+          bucket.create_bucket(bucket_name)
+          @config[:bucket] = bucket_name
+        else
+          CfnVpn::Log.logger.info "rerun cfn-vpn modify #{name} command with the --bucket [BUCKET] flag"
+          exit 1
+        end
+      elsif @options['bucket']
+        @config[:bucket] = @options['bucket']
+      end
+    end
+
     def deploy_vpn
       compiler = CfnVpn::Compiler.new(@name, @config)
       template_body = compiler.compile

data/lib/cfnvpn/actions/routes.rb

@@ -13,6 +13,7 @@ module CfnVpn::Actions
     class_option :verbose, desc: 'set log level to debug', type: :boolean
 
     class_option :cidr, desc: 'cidr range'
+    class_option :dns, desc: 'dns record to auto lookup ip'
     class_option :subnet, desc: 'the target vpc subnet to route through, if none is supplied the default subnet is used'
     class_option :desc, desc: 'description of the route'
 
@@ -32,26 +33,50 @@ module CfnVpn::Actions
 
     def set_config
       @config = CfnVpn::Config.get_config(@options[:region], @name)
-      @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+
+      if @options[:cidr] && @options[:dns]
+        CfnVpn::Log.logger.error "only one of --dns or --cidr can be set"
+        exit 1
+      end
+
+      if @options[:dns]
+        if @options[:dns].include?("*")
+          CfnVpn::Log.logger.error("wild card DNS resolution is not supported, use a record that will be resolved by the wild card instead")
+          exit 1
+        end
+        @route = @config[:routes].detect {|route| route[:dns] == @options[:dns]}      
+      elsif @options[:cidr]
+        @route = @config[:routes].detect {|route| route[:cidr] == @options[:cidr]}      
+      end
     end
 
     def set_route
       @skip_update = false
+      @dns_route_cleanup = nil
       if @route && @options[:delete]
-        CfnVpn::Log.logger.info "deleting route #{@options[:cidr]} "
-        @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        if @options[:dns]
+          CfnVpn::Log.logger.info "deleting auto lookup route for endpoint #{@options[:dns]}"
+          @config[:routes].reject! {|route| route[:dns] == @options[:dns]}
+          @dns_route_cleanup = @options[:dns]
+        elsif @options[:cidr]
+          CfnVpn::Log.logger.info "deleting route #{@options[:cidr]}"
+          @config[:routes].reject! {|route| route[:cidr] == @options[:cidr]}
+        end
       elsif @route
-        CfnVpn::Log.logger.info "modifying groups for existing route #{@options[:cidr]}"
+        CfnVpn::Log.logger.info "existing route for #{@options[:cidr] ? @options[:cidr] : @options[:dns]} found"
         if @options[:groups]
+          CfnVpn::Log.logger.info "replacing groups #{@route[:groups]} with new #{@options[:groups]} for route authorization rule"
           @route[:groups] = @options[:groups]
         end
 
         if @options[:add_groups]
+          CfnVpn::Log.logger.info "adding new group(s) #{@options[:add_groups]} to route authorization rule" 
           @route[:groups].concat(@options[:add_groups]).uniq!
         end
 
         if @options[:del_groups]
-          @route[:groups].reject! {|group| @options[:add_groups].include? group}
+          CfnVpn::Log.logger.info "removing new group(s) #{@options[:del_groups]} to route authorization rule" 
+          @route[:groups].reject! {|group| @options[:del_groups].include? group}
         end
 
         if @options[:desc]
@@ -65,7 +90,15 @@ module CfnVpn::Actions
         CfnVpn::Log.logger.info "adding new route for #{@options[:cidr]}"
         @config[:routes] << {
           cidr: @options[:cidr],
-          desc: @options.fetch(:desc, "route for cidr #{@options[:cidr]}"),
+          desc: @options.fetch(:desc, ""),
+          subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
+          groups: @options.fetch(@options[:groups], []) + @options.fetch(@options[:add_groups], [])
+        }
+      elsif !@route && @options[:dns]
+        CfnVpn::Log.logger.info "adding new route lookup for dns record #{@options[:dns]}"
+        @config[:routes] << {
+          dns: @options[:dns],
+          desc: @options.fetch(:desc, ""),
           subnet: @options.fetch(:subnet, @config[:subnet_ids].first),
           groups: @options.fetch(@options[:groups], []) + @options.fetch(@options[:add_groups], [])
         }
@@ -76,6 +109,13 @@ module CfnVpn::Actions
       CfnVpn::Log.logger.debug "CONFIG: #{@config}"
     end
 
+    def create_bucket_if_bucket_not_set
+      if !@config.has_key?(:bucket)
+        CfnVpn::Log.logger.error "no bucket found in the config, run the cfn-vpn modify #{name} command to add a bucket"
+        exit 1
+      end
+    end
+
     def deploy_vpn
       unless @skip_update
         compiler = CfnVpn::Compiler.new(@name, @config)
@@ -123,8 +163,20 @@ module CfnVpn::Actions
       end
     end
 
-    def get_routes
+    def cleanup_dns_routes
       @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      unless @dns_route_cleanup.nil?
+        routes = @vpn.get_routes()
+        CfnVpn::Log.logger.info("Cleaning up expired routes for #{@dns_route_cleanup}")
+        expired_routes = routes.select {|route| route.description.include?(@dns_route_cleanup) }
+        expired_routes.each do |route|
+          @vpn.delete_route(route.destination_cidr, route.target_subnet)
+          @vpn.revoke_auth(route.destination_cidr)
+        end
+      end
+    end
+
+    def get_routes
       @endpoint = @vpn.get_endpoint_id()
       @routes = @vpn.get_routes()
     end

data/lib/cfnvpn/clientvpn.rb

@@ -9,6 +9,7 @@ module CfnVpn
     def initialize(name,region)
       @client = Aws::EC2::Client.new(region: region)
       @name = name
+      @endpoint_id = self.get_endpoint_id()
     end
 
     def get_endpoint()
@@ -116,5 +117,22 @@ module CfnVpn
       return associations
     end
 
+    def delete_route(cidr, subnet)
+      @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_vpc_subnet_id: subnet,
+        destination_cidr_block: cidr
+      })
+    end
+
+    def revoke_auth(cidr)
+      endpoint_id = get_endpoint_id()
+      @client.revoke_client_vpn_ingress({
+        client_vpn_endpoint_id: @endpoint_id,
+        target_network_cidr: cidr,
+        revoke_all_groups: true
+      })
+    end
+
   end
 end

data/lib/cfnvpn/s3.rb

@@ -63,5 +63,35 @@ module CfnVpn
       })
     end
 
+    def create_bucket
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
   end
 end

data/lib/cfnvpn/s3_bucket.rb

@@ -0,0 +1,48 @@
+require 'aws-sdk-s3'
+require 'fileutils'
+require 'securerandom'
+
+module CfnVpn
+  class S3Bucket
+
+    def initialize(region, name)
+      @client = Aws::S3::Client.new(region: region)
+      @name = name
+    end
+
+    def generate_bucket_name
+      return "cfnvpn-#{@name}-#{SecureRandom.hex}"
+    end
+
+    def create_bucket(bucket)
+      @client.create_bucket({
+        bucket: bucket,
+        acl: 'private'
+      })
+
+      @client.put_public_access_block({
+        bucket: bucket,
+        public_access_block_configuration: { 
+          block_public_acls: true,
+          ignore_public_acls: true,
+          block_public_policy: true,
+          restrict_public_buckets: true,
+        }
+      })
+
+      @client.put_bucket_encryption({
+        bucket: bucket,
+        server_side_encryption_configuration: {
+          rules: [
+            {
+              apply_server_side_encryption_by_default: {
+                sse_algorithm: "AES256"
+              }
+            }
+          ]
+        }
+      })
+    end
+
+  end
+end

data/lib/cfnvpn/string.rb

@@ -11,6 +11,10 @@ class String
     self.gsub(/[^a-zA-Z0-9]/, "").capitalize
   end
 
+  def event_id_safe
+    self.gsub('*', 'wildcard').gsub(/[^\.\-_A-Za-z0-9]+/, "").downcase
+  end
+
   def colorize(color_code)
     "\e[#{color_code}m#{self}\e[0m"
   end

data/lib/cfnvpn/templates/lambdas.rb

@@ -0,0 +1,35 @@
+require 'zip'
+require 'securerandom'
+require 'aws-sdk-s3'
+require 'cfnvpn/log'
+
+module CfnVpn
+  module Templates
+    class Lambdas
+
+      def self.package_lambda(name:, bucket:, func:, files:)
+        lambdas_dir = File.join(File.dirname(File.expand_path(__FILE__)), 'lambdas')
+        FileUtils.mkdir_p(lambdas_dir)
+
+        CfnVpn::Log.logger.debug "zipping lambda function #{func}"
+        zipfile_name = "#{func}-#{SecureRandom.hex}.zip"
+        zipfile_path = "#{CfnVpn.cfnvpn_path}/#{name}/lambdas"
+        FileUtils.mkdir_p(zipfile_path)
+        Zip::File.open("#{zipfile_path}/#{zipfile_name}", Zip::File::CREATE) do |zipfile|
+          files.each do |file|
+            zipfile.add(file, File.join("#{lambdas_dir}/#{func}", file))
+          end
+        end
+
+        bucket = Aws::S3::Bucket.new(bucket)
+        object = bucket.object("cfnvpn/lambdas/#{name}/#{zipfile_name}")
+        CfnVpn::Log.logger.debug "uploading #{zipfile_name} to s3://#{bucket}/#{object.key}"
+        object.upload_file("#{zipfile_path}/#{zipfile_name}")
+
+        return object.key
+      end
+      
+    end
+  end
+end
+

data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py

@@ -0,0 +1,175 @@
+import socket
+import boto3
+from botocore.exceptions import ClientError
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+
+def delete_route(client, vpn_endpoint, subnet, cidr):
+    client.delete_client_vpn_route(
+      ClientVpnEndpointId=vpn_endpoint,
+      TargetVpcSubnetId=subnet,
+      DestinationCidrBlock=cidr,
+    )
+
+  
+def create_route(client, event, cidr):
+  client.create_client_vpn_route(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    DestinationCidrBlock=cidr,
+    TargetVpcSubnetId=event['TargetSubnet'],
+    Description=f"cfnvpn auto generated route for endpoint {event['Record']}. {event['Description']}"
+  )
+
+
+def revoke_route_auth(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr
+  }
+  
+  if group is None:
+    args['RevokeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.revoke_client_vpn_ingress(**args)
+
+
+def authorize_route(client, event, cidr, group = None):
+  args = {
+    'ClientVpnEndpointId': event['ClientVpnEndpointId'],
+    'TargetNetworkCidr': cidr,
+    'Description': f"cfnvpn auto generated authorization for endpoint {event['Record']}. {event['Description']}"
+  }
+  
+  if group is None:
+    args['AuthorizeAllGroups'] = True
+  else:
+    args['AccessGroupId'] = group
+    
+  client.authorize_client_vpn_ingress(**args)
+
+
+def get_routes(client, event):
+  response = client.describe_client_vpn_routes(
+    ClientVpnEndpointId=event['ClientVpnEndpointId'],
+    Filters=[
+      {
+        'Name': 'origin',
+        'Values': ['add-route']
+      }
+    ]
+  )
+  
+  routes = [route for route in response['Routes'] if event['Record'] in route['Description']]
+  logger.info(f"found {len(routes)} exisiting routes for {event['Record']}")
+  return routes
+
+
+def get_rules(client, vpn_endpoint, cidr):
+  response = client.describe_client_vpn_authorization_rules(
+    ClientVpnEndpointId=vpn_endpoint,
+    Filters=[
+        {
+            'Name': 'destination-cidr',
+            'Values': [cidr]
+        }
+    ]
+  )
+  return response['AuthorizationRules']
+
+
+def handler(event,context):
+  
+  # DNS lookup on the dns record and return all IPS for the endpoint
+  try:
+    cidrs = [ ip + "/32" for ip in socket.gethostbyname_ex(event['Record'])[-1]]
+    logger.info(f"resolved endpoint {event['Record']} to {cidrs}")
+  except socket.gaierror as e:
+    logger.exception(f"failed to resolve record {event['Record']}")
+    return 'KO'
+  
+  client = boto3.client('ec2')
+  routes = get_routes(client, event)
+
+  for cidr in cidrs:
+    route = next((route for route in routes if route['DestinationCidr'] == cidr), None)
+    
+    # if there are no existing routes for the endpoint cidr create a new route
+    if route is None:
+      try:
+        create_route(client, event, cidr)
+        if 'Groups' in event:
+          for group in event['Groups']:
+            authorize_route(client, event, cidr, group)
+        else:
+          authorize_route(client, event, cidr)
+      except ClientError as e:
+        if e.response['Error']['Code'] == 'InvalidClientVpnDuplicateRoute':
+          logger.error(f"route for CIDR {cidr} already exists with a different endpoint")
+          continue
+        raise e
+        
+    # if the route already exists
+    else:
+      
+      logger.info(f"route for cidr {cidr} is already in place")
+      
+      # if the target subnet has changed in the payload, recreate the routes to use the new subnet
+      if route['TargetSubnet'] != event['TargetSubnet']:
+        logger.info(f"target subnet for route for {cidr} has changed, recreating the route")
+        delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], cidr)
+        create_route(client, event, cidr)
+      
+      logger.info(f"checking authorization rules for the route")
+      
+      # check the rules match the payload
+      rules = get_rules(client, event['ClientVpnEndpointId'], cidr)
+      existing_groups = [rule['GroupId'] for rule in rules]
+      if 'Groups' in event:
+        # remove expired rules not defined in the payload anymore
+        expired_rules = [rule for rule in rules if rule['GroupId'] not in event['Groups']]
+        for rule in expired_rules:
+          logger.info(f"removing expired authorization rule for group {rule['GroupId']} for route {cidr}")
+          revoke_route_auth(client, event, cidr, rule['GroupId'])
+        # add new rules defined in the payload
+        new_rules =  [group for group in event['Groups'] if group not in existing_groups]
+        for group in new_rules:
+          logger.info(f"creating new authorization rule for group {rule['GroupId']} for route {cidr}")
+          authorize_route(client, event, cidr, group)
+      else:
+        # if amount of rules for the cidr is greater than 1 when no groups are specified in the payload 
+        # we'll assume that all groups have been removed from the payload so we'll remove all existing rules and add a rule for allow all 
+        if len(rules) > 1:
+          logger.info(f"creating an allow all rule for route {cidr}")
+          revoke_route_auth(client, event, cidr)
+          authorize_route(client, event, cidr)
+          
+      
+
+  
+  # clean up any expired routes when the ips for an endpoint change
+  expired_routes = [route for route in routes if route['DestinationCidr'] not in cidrs]
+  for route in expired_routes:
+    logger.info(f"removing expired route {route['DestinationCidr']} for endpoint {event['Record']}")
+    
+    try:
+      revoke_route_auth(client, event, route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnEndpointAuthorizationRuleNotFound':
+        pass
+      else:
+        raise e
+                          
+    try:
+      delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], route['DestinationCidr'])
+    except ClientError as e:
+      if e.response['Error']['Code'] == 'InvalidClientVpnRouteNotFound':
+        pass
+      else:
+        raise e
+  
+  return 'OK'

data/lib/cfnvpn/templates/lambdas/scheduler/app.py

@@ -0,0 +1,36 @@
+import boto3
+import logging
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+def handler(event, context):
+
+  logger.info(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
+
+  if event['AssociateSubnets'] == 'false':
+    logger.info(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
+    ec2 = boto3.client('ec2')
+    resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
+    for conn in resp['Connections']:
+      if conn['Status']['Code'] == 'active':
+        ec2.terminate_client_vpn_connections(
+          ClientVpnEndpointId=event['ClientVpnEndpointId'],
+          ConnectionId=conn['ConnectionId']
+        )
+        logger.info(f"terminated session {conn['ConnectionId']}")
+
+  client = boto3.client('cloudformation')
+  logger.info(client.update_stack(
+    StackName=event['StackName'],
+    UsePreviousTemplate=True,
+    Capabilities=['CAPABILITY_IAM'],
+    Parameters=[
+      {
+        'ParameterKey': 'AssociateSubnets',
+        'ParameterValue': event['AssociateSubnets']
+      }
+    ]
+  ))
+
+  return 'OK'

data/lib/cfnvpn/templates/vpn.rb

@@ -1,5 +1,6 @@
 require 'cfndsl'
 require 'cfnvpn/templates/helper'
+require 'cfnvpn/templates/lambdas'
 
 module CfnVpn
   module Templates
@@ -69,6 +70,7 @@ module CfnVpn
           SplitTunnel config[:split_tunnel]
         }
 
+        network_assoc_dependson = []
         config[:subnet_ids].each_with_index do |subnet, index|
           suffix = index == 0 ? "" : "For#{subnet.resource_safe}"
 
@@ -78,74 +80,112 @@ module CfnVpn
             SubnetId subnet
           }
 
-          if config[:default_groups].any?
-            config[:default_groups].each do |group|
-              EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}#{group.resource_safe}"[0..255]) {
-                Condition(:EnableSubnetAssociation)
-                DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
-                Description FnSub("#{name} client-vpn auth rule for subnet association")
-                AccessGroupId group
-                ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-                TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
-              }
-            end
-          else
-            EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{suffix}") {
+          network_assoc_dependson << "ClientVpnTargetNetworkAssociation#{suffix}"
+        end
+
+        if config[:default_groups].any?
+          config[:default_groups].each do |group|
+            EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule#{group.resource_safe}"[0..255]) {
               Condition(:EnableSubnetAssociation)
-              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
+              DependsOn network_assoc_dependson if network_assoc_dependson.any?
               Description FnSub("#{name} client-vpn auth rule for subnet association")
-              AuthorizeAllGroups true
+              AccessGroupId group
               ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], subnet)
+              TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], config[:subnet_ids].first)
             }
           end
+        else
+          EC2_ClientVpnAuthorizationRule(:"TargetNetworkAuthorizationRule") {
+            Condition(:EnableSubnetAssociation)
+            DependsOn network_assoc_dependson if network_assoc_dependson.any?
+            Description FnSub("#{name} client-vpn auth rule for subnet association")
+            AuthorizeAllGroups true
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            TargetNetworkCidr CfnVpn::Templates::Helper.get_auth_cidr(config[:region], config[:subnet_ids].first)
+          }
+        end
 
-          if subnet == config[:internet_route]
-            EC2_ClientVpnRoute(:RouteToInternet) {
-              Condition(:EnableSubnetAssociation)
-              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
-              Description 'Route to the internet'
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              DestinationCidrBlock '0.0.0.0/0'
-              TargetVpcSubnetId config[:internet_route]
+        if !config[:internet_route].nil?
+          EC2_ClientVpnRoute(:RouteToInternet) {
+            Condition(:EnableSubnetAssociation)
+            DependsOn network_assoc_dependson if network_assoc_dependson.any?
+            Description "Route to the internet through subnet #{config[:internet_route]}"
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            DestinationCidrBlock '0.0.0.0/0'
+            TargetVpcSubnetId config[:internet_route]
+          }
+        
+          EC2_ClientVpnAuthorizationRule(:RouteToInternetAuthorizationRule) {
+            Condition(:EnableSubnetAssociation)
+            DependsOn network_assoc_dependson if network_assoc_dependson.any?
+            Description "Internet route authorization from subnet #{config[:internet_route]}"
+            AuthorizeAllGroups true
+            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+            TargetNetworkCidr '0.0.0.0/0'
+          }
+
+          output(:InternetRoute, config[:internet_route])
+        end
+
+        dns_routes = config[:routes].select {|route| route.has_key?(:dns)}
+        cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
+
+        if dns_routes.any?
+          auto_route_populator(name, config[:bucket])
+
+          dns_routes.each do |route|
+            input = { 
+              Record: route[:dns],
+              ClientVpnEndpointId: "${ClientVpnEndpoint}",
+              TargetSubnet: route[:subnet],
+              Description: route[:desc]
             }
-          
-            EC2_ClientVpnAuthorizationRule(:RouteToInternetAuthorizationRule) {
-              Condition(:EnableSubnetAssociation)
-              DependsOn "ClientVpnTargetNetworkAssociation#{suffix}"
-              Description 'Route to the internet'
-              AuthorizeAllGroups true
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              TargetNetworkCidr '0.0.0.0/0'
+            
+            if route[:groups].any?
+              input[:Groups] = route[:groups]
+            end
+
+            Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:dns].resource_safe}"[0..255]) {
+              State 'ENABLED'
+              Description "cfnvpn auto route populator schedule for #{route[:dns]}"
+              ScheduleExpression "rate(5 minutes)"
+              Targets([
+                { 
+                  Arn: FnGetAtt(:CfnVpnAutoRoutePopulator, :Arn),
+                  Id: "cfnvpnautoroutepopulator#{route[:dns].event_id_safe}",
+                  Input: FnSub(input.to_json)
+                }
+              ])
             }
-  
-            output(:InternetRoute, config[:internet_route])
           end
         end
 
-        config[:routes].each do |route|
-          EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
-            Description route[:desc]
-            ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-            DestinationCidrBlock route[:cidr]
-            TargetVpcSubnetId route[:subnet]
-          }
-          if route[:groups].any?
-            route[:groups].each do |group|
-              EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
-                Description route[:desc]
-                AccessGroupId group
+        if cidr_routes.any?
+          cidr_routes.each do |route|
+            EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRoute") {
+              Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}"
+              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+              DestinationCidrBlock route[:cidr]
+              TargetVpcSubnetId route[:subnet]
+            }
+
+            if route[:groups].any?
+              route[:groups].each do |group|
+                EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AuthorizationRule#{group.resource_safe}"[0..255]) {
+                  Description "cfnvpn static authorization rule for group #{group} to route #{route[:cidr]}. #{route[:desc]}"
+                  AccessGroupId group
+                  ClientVpnEndpointId Ref(:ClientVpnEndpoint)
+                  TargetNetworkCidr route[:cidr]
+                }
+              end
+            else
+              EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
+                Description "cfnvpn static allow all authorization rule to route #{route[:cidr]}. #{route[:desc]}"
+                AuthorizeAllGroups true
                 ClientVpnEndpointId Ref(:ClientVpnEndpoint)
                 TargetNetworkCidr route[:cidr]
               }
             end
-          else
-            EC2_ClientVpnAuthorizationRule(:"#{route[:cidr].resource_safe}AllowAllAuthorizationRule") {
-              Description route[:desc]
-              AuthorizeAllGroups true
-              ClientVpnEndpointId Ref(:ClientVpnEndpoint)
-              TargetNetworkCidr route[:cidr]
-            }
           end
         end
         
@@ -156,13 +196,13 @@ module CfnVpn
           Type 'String'
           Value config.to_json
           Tags({
-            Name:  "#{name}-cfnvpn-config",
+            Name: "#{name}-cfnvpn-config",
             Environment: 'cfnvpn'
           })
         }
 
         if config[:start] || config[:stop]
-          scheduler(name, config[:start], config[:stop])
+          scheduler(name, config[:start], config[:stop], config[:bucket])
           output(:Start, config[:start]) if config[:start]
           output(:Stop, config[:stop]) if config[:stop]
         end
@@ -188,7 +228,92 @@ module CfnVpn
         Output(name) { Value value }
       end
 
-      def scheduler(name, start, stop)
+      def auto_route_populator(name, bucket)
+        IAM_Role(:CfnVpnAutoRoutePopulatorRole) {
+          AssumeRolePolicyDocument({
+            Version: '2012-10-17',
+            Statement: [{
+              Effect: 'Allow',
+              Principal: { Service: [ 'lambda.amazonaws.com' ] },
+              Action: [ 'sts:AssumeRole' ]
+            }]
+          })
+          Path '/cfnvpn/'
+          Policies([
+            {
+              PolicyName: 'client-vpn',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [ 
+                    'ec2:AuthorizeClientVpnIngress',
+                    'ec2:RevokeClientVpnIngress',
+                    'ec2:DescribeClientVpnAuthorizationRules',
+                    'ec2:DescribeClientVpnEndpoints',
+                    'ec2:DescribeClientVpnRoutes',
+                    'ec2:CreateClientVpnRoute',
+                    'ec2:DeleteClientVpnRoute'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            },
+            {
+              PolicyName: 'logging',
+              PolicyDocument: {
+                Version: '2012-10-17',
+                Statement: [{
+                  Effect: 'Allow',
+                  Action: [
+                    'logs:DescribeLogGroups',
+                    'logs:CreateLogGroup',
+                    'logs:CreateLogStream',
+                    'logs:DescribeLogStreams',
+                    'logs:PutLogEvents'
+                  ],
+                  Resource: '*'
+                }]
+              }
+            }
+          ])
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator-role" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'auto_route_populator', files: ['app.py'])
+        
+        Lambda_Function(:CfnVpnAutoRoutePopulator) {
+          Runtime 'python3.8'
+          Role FnGetAtt(:CfnVpnAutoRoutePopulatorRole, :Arn)
+          MemorySize '128'
+          Handler 'app.handler'
+          Timeout 60
+          Code({
+            S3Bucket: bucket,
+            S3Key: s3_key
+          })
+          Tags([
+            { Key: 'Name', Value: "#{name}-cfnvpn-auto-route-populator" },
+            { Key: 'Environment', Value: 'cfnvpn' }
+          ])
+        }
+
+        Logs_LogGroup(:CfnVpnAutoRoutePopulatorLogGroup) {
+          LogGroupName FnSub("/aws/lambda/${CfnVpnAutoRoutePopulator}")
+          RetentionInDays 30
+        }
+
+        Lambda_Permission(:CfnVpnAutoRoutePopulatorFunctionPermissions) {
+          FunctionName Ref(:CfnVpnAutoRoutePopulator)
+          Action 'lambda:InvokeFunction'
+          Principal 'events.amazonaws.com'
+        }
+      end
+
+      def scheduler(name, start, stop, bucket)
         IAM_Role(:ClientVpnSchedulerRole) {
           AssumeRolePolicyDocument({
             Version: '2012-10-17',
@@ -258,46 +383,17 @@ module CfnVpn
           ])
         }
 
+        s3_key = CfnVpn::Templates::Lambdas.package_lambda(name: name, bucket: bucket, func: 'scheduler', files: ['app.py'])
+
         Lambda_Function(:ClientVpnSchedulerFunction) {
-          Runtime 'python3.7'
+          Runtime 'python3.8'
           Role FnGetAtt(:ClientVpnSchedulerRole, :Arn)
           MemorySize '128'
-          Handler 'index.handler'
+          Handler 'app.handler'
+          Timeout 60
           Code({
-            ZipFile: <<~EOS
-            import boto3
-
-            def handler(event, context):
-
-              print(f"updating cfn-vpn stack {event['StackName']} parameter AssociateSubnets with value {event['AssociateSubnets']}")
-
-              if event['AssociateSubnets'] == 'false':
-                print(f"terminating current vpn sessions to {event['ClientVpnEndpointId']}")
-                ec2 = boto3.client('ec2')
-                resp = ec2.describe_client_vpn_connections(ClientVpnEndpointId=event['ClientVpnEndpointId'])
-                for conn in resp['Connections']:
-                  if conn['Status']['Code'] == 'active':
-                    ec2.terminate_client_vpn_connections(
-                      ClientVpnEndpointId=event['ClientVpnEndpointId'],
-                      ConnectionId=conn['ConnectionId']
-                    )
-                    print(f"terminated session {conn['ConnectionId']}")
-
-              client = boto3.client('cloudformation')
-              print(client.update_stack(
-                StackName=event['StackName'],
-                UsePreviousTemplate=True,
-                Capabilities=['CAPABILITY_IAM'],
-                Parameters=[
-                  {
-                    'ParameterKey': 'AssociateSubnets',
-                    'ParameterValue': event['AssociateSubnets']
-                  }
-                ]
-              ))
-
-              return 'OK'
-            EOS
+            S3Bucket: bucket,
+            S3Key: s3_key
           })
           Tags([
             { Key: 'Name', Value: "#{name}-cfnvpn-scheduler-function" },

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.2.0".freeze
+  VERSION = "1.3.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-03-18 00:00:00.000000000 Z
+date: 2021-04-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -78,6 +78,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.0.4
+- !ruby/object:Gem::Dependency
+  name: rubyzip
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ec2
   requirement: !ruby/object:Gem::Requirement
@@ -254,8 +268,12 @@ files:
 - lib/cfnvpn/globals.rb
 - lib/cfnvpn/log.rb
 - lib/cfnvpn/s3.rb
+- lib/cfnvpn/s3_bucket.rb
 - lib/cfnvpn/string.rb
 - lib/cfnvpn/templates/helper.rb
+- lib/cfnvpn/templates/lambdas.rb
+- lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
+- lib/cfnvpn/templates/lambdas/scheduler/app.py
 - lib/cfnvpn/templates/vpn.rb
 - lib/cfnvpn/version.rb
 homepage: https://github.com/base2services/aws-client-vpn