RubyGems - cfn-vpn - Versions diffs - 1.3.1 → 1.3.3 - Mend

cfn-vpn 1.3.1 → 1.3.3

Files changed (6) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 672ae92015c16fcc2ce33e05a22ca651b4974d4669d91115c2f5d49b36aa4062
-  data.tar.gz: 3e595961778b5d67112b6219d690cd589e8523813f22e7a3a196dfab6d77d59d
+  metadata.gz: c46ffdf0579ffd7c1fd42efadc969bbd095f9f789dfcb5b9e3e2aef7f85e959c
+  data.tar.gz: 7a6e1a34fa32b2246a8998e8645381635e8c5adf7a6bf978c241ea4d7e4ee217
 SHA512:
-  metadata.gz: fee3ea79a3c51a77aaa5b6be535fc950ecfd32de121e6aadd363ef4def0af7fe201b414624036d9553f8a7158cb9e6fe16189972b599bcfd8df688c0dec09051
-  data.tar.gz: 4bcc5243d2365706f57d07bf2c0cbad79debde39952d8535407cd58fb26d5d1e77857cedbf0170d726c8a56c7f70a2a90a26349991a0c3a7bf51fd824eae2bb4
+  metadata.gz: 6aa8e34eab7fe87a36128e299a3603f6e2cad58bf55cc9a2ff4f3847306a0ce92ba20c6a9471f7356c43eee85ccd6a362bed7bf7feb14df2a97cb54cc0af546d
+  data.tar.gz: 5aefb22f6d9ea925877f0811897fdd3e4a47286769cb106e19a46df6ccd7d2ce29d30bdc93ea2c87c4fb686609a33c009186057b248af9b33645b15d72d8f22c

data/docs/getting-started.md CHANGED Viewed

@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
 The following command and required option will launch a new federated based Client-VPN
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --saml-arn [identity providor arn]
 ```
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
+```diff
+! Group id's must be used if creating authorisation rules.
+! Each SAML providor will have different group id's and means of retrieving them.
+```
 ```sh
-cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --default-groups [list of group ids]
 ```
 **AWS SSO**
 If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
+If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
+```sh
+cfn-vpn init [name] --server-cn [server certificate name] \
+  --subnet-ids [list of subnet to associate with the vpn] \
+  --saml-arn [identity provider arn]  \
+  --saml-self-service-arn [self service identity provider arn] \
+  --default-groups [list of group ids]
+```
 ### AWS Directory Services Authenticated VPN
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
 The following command and required option will launch a new directory service based Client-VPN
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id]
 ```
 The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
 ```sh
-cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
+cfn-vpn init simple-ad --server-cn [server certificate name] \
+  --subnet-ids [list of subets to associate with the vpn] \
+  --directory-id [aws directirory serivce id] \
+  --default-groups [list of group ids]
 ```
 See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
@@ -104,25 +128,27 @@ When using a federated ClientVPN you can modify the default auth to only allow s
 ```
 Options:
-  r, [--region=REGION]                         # AWS Region
-                                               # Default: ap-southeast-2
-      [--verbose], [--no-verbose]              # set log level to debug
-      --server-cn=SERVER_CN                    # server certificate common name
-      [--client-cn=CLIENT_CN]                  # client certificate common name
-      [--easyrsa-local], [--no-easyrsa-local]  # run the easyrsa executable from your local rather than from docker
-      [--bucket=BUCKET]                        # s3 bucket
-      --subnet-ids=one two three               # subnet id to associate your vpn with
-      [--default-groups=one two three]         # groups to allow through the subnet associations when using federated auth
-      [--cidr=CIDR]                            # cidr from which to assign client IP addresses
-                                               # Default: 10.250.0.0/16
-      [--dns-servers=one two three]            # DNS Servers to push to clients.
-      [--split-tunnel], [--no-split-tunnel]    # only push routes to the client on the vpn endpoint
-                                               # Default: true
-      [--internet-route=INTERNET_ROUTE]        # [subnet-id] create a default route to the internet through a subnet
-      [--protocol=PROTOCOL]                    # set the protocol for the vpn connections
-                                               # Default: udp
-                                               # Possible values: udp, tcp
-      [--start=START]                          # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
-      [--stop=STOP]                            # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
-      [--saml-arn=SAML_ARN]                    # IAM SAML idenditiy providor arn if using SAML federated authentication
-```
+  r, [--region=REGION]                                 # AWS Region
+                                                       # Default: ap-southeast-2
+      [--verbose], [--no-verbose]                      # set log level to debug
+      --server-cn=SERVER_CN                            # server certificate common name
+      [--client-cn=CLIENT_CN]                          # client certificate common name
+      [--easyrsa-local], [--no-easyrsa-local]          # run the easyrsa executable from your local rather than from docker
+      [--bucket=BUCKET]                                # s3 bucket, if not set one will be generated for you
+      --subnet-ids=one two three                       # subnet id to associate your vpn with
+      [--default-groups=one two three]                 # groups to allow through the subnet associations when using federated auth
+      [--cidr=CIDR]                                    # cidr from which to assign client IP addresses
+                                                       # Default: 10.250.0.0/16
+      [--dns-servers=one two three]                    # DNS Servers to push to clients.
+      [--split-tunnel], [--no-split-tunnel]            # only push routes to the client on the vpn endpoint
+                                                       # Default: true
+      [--internet-route=INTERNET_ROUTE]                # [subnet-id] create a default route to the internet through a subnet
+      [--protocol=PROTOCOL]                            # set the protocol for the vpn connections
+                                                       # Default: udp
+                                                       # Possible values: udp, tcp
+      [--start=START]                                  # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
+      [--stop=STOP]                                    # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
+      [--saml-arn=SAML_ARN]                            # IAM SAML idenditiy providor arn if using SAML federated authentication
+      [--saml-self-service-arn=SAML_SELF_SERVICE_ARN]  # IAM SAML idenditiy providor arn for the self service portal
+      [--directory-id=DIRECTORY_ID]                    # AWS Directory Service directory id if using Active Directory authentication
+```

data/lib/cfnvpn/actions/init.rb CHANGED Viewed

@@ -36,6 +36,7 @@ module CfnVpn::Actions
     class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
     class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
+    class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
     class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
     def self.source_root
@@ -64,6 +65,7 @@ module CfnVpn::Actions
         start: @options['start'],
         stop: @options['stop'],
         saml_arn: @options['saml_arn'],
+        saml_self_service_arn: @options['saml_self_service_arn'],
         directory_id: @options['directory_id'],
         routes: []
       }

data/lib/cfnvpn/templates/vpn.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module CfnVpn
             {
               FederatedAuthentication: {
                 SAMLProviderArn: config[:saml_arn],
-                SelfServiceSAMLProviderArn: config[:saml_arn]
+                SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
               },
               Type: 'federated-authentication'
             }

data/lib/cfnvpn/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.3.1".freeze
+  VERSION = "1.3.3".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.3.3
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-04 00:00:00.000000000 Z
+date: 2021-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor