cfn-vpn 1.4.3 → 1.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 54a7ba46c0bd16d5e70bf048aa90e4ea079e8dd5be0e6245afafb4730f804017
-  data.tar.gz: 0e9b6ed2c904b6debf40777232f780d15fc12904abc3014fccf7c8b5c65049ae
+  metadata.gz: 7c3fd1a4b4105ebcd008d105ea5eb5dd493ef698f3468d6a28bdf8ae3b194633
+  data.tar.gz: e0cd2db1d7619b8ab5ac88a29a85f96e2b352edee7cf7883f7ba3f30d8ac1077
 SHA512:
-  metadata.gz: 402f81e5c8976cca51b685220219370a056875c9885a86f989e06d021d5848f5e18f09f1022df6bf64d4e9b72e8546fa206a5fff3be3501b5db7c401d72175a0
-  data.tar.gz: 19b44819f370cbdada8e747764c93d1366e2974cfe56436a96f087805ff898094bd3f63f082ca09f1410565a86c2b35129c2d1f64c29325f325995c654ca4cc4
+  metadata.gz: 821ec1eb8281f6f7ecadfb8c76d6e1ece81a49af10e05e01f78cfecbb14470f4231d61ea6b7cd5c7206001a4e363f3e648b487cb15c3cdff1c16c1ff52a0d79e
+  data.tar.gz: d60cdf23880b0903be48c83cbd6ee997820be1b4a149329c726eab7fac8f686a49fdd483f53b35c429c3caaa46867d05f6627022001b269eeea4e9f9feb1a242

data/Gemfile.lock

@@ -47,7 +47,7 @@ GEM
     cfndsl (1.3.1)
       hana (~> 1.3)
     hana (1.3.7)
-    jmespath (1.4.0)
+    jmespath (1.6.1)
     netaddr (2.0.4)
     rake (13.0.1)
     rubyzip (2.3.0)

data/docs/README.md

@@ -42,4 +42,5 @@ For further information on the authentication types please visit https://docs.aw
 4. [Managing Routes](routes.md)
 5. [Stop and Start Client-VPN](scheduling.md)
 6. [Managing Sessions](sessions.md)
-7. [Slack Notifications](slack-notifications.md)
+7. [Slack Notifications](slack-notifications.md)
+8. [YAML Configuration](yaml-config.md)

data/docs/modifying.md

@@ -29,12 +29,12 @@ cfn-vpn params [name] --diff-yaml cfnvpn.[name].yaml
 
 ## Modifying
 
-### With CLI Options
+### With YAML File
 
-to modify the VPN properties run the modify command with the desired options
+cfn-vpn configuration can be managed through a YAML file using the `modify` command to apply the config changes to the vpn stack. See the [YAML docs](yaml-config.md) for config options.
 
 ```
-cfn-vpn modify [name] --dns-servers 10.15.0.2
+cfn-vpn modify [name] --params-yaml cfnvpn.[name].yaml
 ```
 
 a cloudformation changeset is created with the desired changes and approval is asked
@@ -60,8 +60,10 @@ INFO: - Changeset UPDATE complete
 INFO: - Client VPN [endpoint-id] modified
 ```
 
-### With YAML File
+### With CLI Options
+
+to modify the VPN properties run the modify command with the desired options
 
 ```
-cfn-vpn modify [name] --params-yaml cfnvpn.[name].yaml
+cfn-vpn modify [name] --dns-servers 10.15.0.2
 ```

data/docs/routes.md

@@ -4,48 +4,124 @@ Management of the VPN routes can be altered using the `routes` command or by usi
 
 **Note:** The default route via subnet association cannot be modified through this command. Use the `modify` command to alter the subnet associations.
 
-CfnVpn can create static routes for CIDRs as well as dynamically lookup IPs for dns endpoints and continue to monitor and update the routes if the IPs change.
+There are 3 different types of routes, [Static](#Static CIDR Routes), [DNS Lookup](#DNS Lookup Routes) and [Cloud](#Cloud Routes).
+
+## Static CIDR Routes
+
+Static routes create a static entry in the cfnvpn route table with the CIDR provided.
+
+#### CLI Commands
+
+new route run the routes command along with the `--cidr` option
 
 ```sh
-cfn-vpn help routes
+cfn-vpn routes [name] --cidr 10.151.0.0/16
 ```
 
-## Dynamic DNS Routes
+delete a route run the routes command along with the `--cidr` option of the route to delete and the delete option
 
-Dynamic DNS routes takes a dns endpoint and will query the record every 5 minutes to see if the IPs have changed and update the routes.
+```sh
+cfn-vpn routes [name] --cidr 10.151.0.0/16 --delete
+```
 
-### Add New
+#### YAML Config
 
-to add a new route run the routes command along with the `--dns` option
+```yaml
+routes:
+- cidr: 10.151.0.0/16
+  desc: route to dev peered vpc
+  schedule: rate(5 minutes)
+  groups:
+  - devs
+  - ops
+```
+
+## DNS Lookup Routes
+
+Dynamic DNS routes takes a dns endpoint and will query the record every 5 minutes to see if the IPs have changed and update the routes in the vpn route table.
+
+#### CLI Commands
+
+new route run the routes command along with the `--dns` option
 
 ```sh
 cfn-vpn routes [name] --dns example.com
 ```
 
-### Delete
-
-to delete a route run the routes command along with the `--dns` option of the route to delete and the delete option
+delete a route run the routes command along with the `--dns` option of the route to delete and the delete option
 
 ```sh
 cfn-vpn routes [name] --dns example.com --delete
 ```
 
-## Static CIDR Routes
+#### YAML Config
+
+```yaml
+routes:
+- dns: example.com
+  desc: my dev alb
+  schedule: rate(10 minutes)
+  groups:
+  - dev
+```
 
-### Add New
+## Cloud Routes
 
-to add a new route run the routes command along with the `--cidr` option
+Automatically lookup and create routes to push cloud provider IP ranges through the VPN. Cloud routes can only be configured through the yaml config.
 
-```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16
+Supported clouds:
+- [AWS](#AWS)
+
+### AWS
+
+Using AWS published [IP address ranges](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html) cfn-vpn can lookup and add the CIDR ranges published the the vpn route table.
+
+The list can be filtered by AWS `region` and `service`.
+
+AWS services that can be used to filter the address ranges. **Note:** not all regions contain all services.
+
+```
+API_GATEWAY
+EBS
+EC2_INSTANCE_CONNECT
+CHIME_VOICECONNECTOR
+CHIME_MEETINGS
+CODEBUILD
+CLOUDFRONT
+ROUTE53_HEALTHCHECKS_PUBLISHING
+AMAZON_APPFLOW
+S3
+CLOUD9
+ROUTE53
+AMAZON
+KINESIS_VIDEO_STREAMS
+ROUTE53_HEALTHCHECKS
+GLOBALACCELERATOR
+WORKSPACES_GATEWAYS
+CLOUDFRONT_ORIGIN_FACING
+EC2
+DYNAMODB
+ROUTE53_RESOLVER
+AMAZON_CONNECT
 ```
 
-### Delete
+**Warning:** AWS publish 100's of IP address ranges and with Client VPN soft limit of 10 routes per vpn endpoint you will hit the limit without filtering the published ranges.
 
-to delete a route run the routes command along with the `--cidr` option of the route to delete and the delete option
+#### YAML Config
 
-```sh
-cfn-vpn routes [name] --cidr 10.151.0.0/16 --delete
+```yaml
+routes:
+- cloud: aws
+  schedule: rate(1 hour)
+  groups:
+  - ops
+  filters:
+  - name: region
+    values:
+    - ap-southeast-2
+  - name: service
+    values:
+    - API_GATEWAY
 ```
 
 ## Manage Authorization Groups
@@ -70,32 +146,6 @@ To delete groups from an existing route use the `--del-groups` options
 cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --del-groups dev
 ```
 
-## Modify Command
-
-add or modify the `routes:` key in your config yaml file
-
-```yaml
-routes:
-- cidr: 10.151.0.0/16
-  desc: route to dev peered vpc
-  groups:
-  - devs
-  - ops
-- cidr: 10.152.0.0/16
-  desc: route to prod peered vpc
-  groups:
-  - ops
-- dns: example.com
-  desc: my dev alb
-  groups:
-  - dev
-```
-
-run the `modify` command and supply the yaml file to apply the changes
-
-```sh
-cfn-vpn routes [name] --params-yaml cfnvpn.[name].yaml
-```
 
 ## Route Limits
 

data/docs/slack-notifications.md

@@ -12,10 +12,19 @@ https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
 
 Next modify your VPN stack using the modify command and pass in url
 
+**CLI**
+
 ```sh
 cfn-vpn modify [name] --slack-webhook-url "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
 ```
 
+**YAML**
+
+```yaml
+slack_webhook_url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+```
+
+
 ## Route Events
 
 - `FAILED`: general failure

data/docs/yaml-config.md

@@ -0,0 +1,118 @@
+# YAML Configuration File
+
+cfn-vpn configuration can be managed through a YAML file using the `modify` command to apply the config changes to the vpn stack
+
+## Applying changes
+
+run the `modify` command and supply the yaml file to apply the changes
+
+```sh
+cfn-vpn routes [name] --params-yaml cfnvpn.[name].yaml
+```
+
+## Dump Current Config to YAML File
+
+the following command will take the current config of a cfn-vpn stack and dump the contents into a YAML file named `cfnvpn.[name].yaml`
+
+```sh
+cfn-vpn params [name] --dump
+```
+
+## Configuration Options
+
+### VPN Config
+
+```yaml
+region: ap-southeast-2
+subnet_ids:
+- subnet-abc123
+- subnet-def456
+cidr: 10.250.0.0/16
+dns_servers:
+- 10.250.0.2
+split_tunnel: true
+protocol: udp
+bucket: my-vpn-bucket
+server_cert_arn: arn:aws:acm:us-east-1:000000000000:certificate/123456
+```
+
+### Certificate Authentication
+
+```yaml
+type: certificate
+```
+
+### SAML Authentication
+
+```yaml
+type: federated
+saml_arn: arn:aws:iam::000000000000:saml-provider/VpnSamlRole
+saml_self_service_arn: arn:aws:iam::000000000000:saml-provider/VpnSelfServiceSamlRole
+```
+
+### AWS Directory Services Authentication
+
+```yaml
+type: active-directory
+directory_id: d-a1b2c3d4e5
+```
+
+### Routes
+
+**Static CIDR Route**
+
+```yaml
+routes:
+- cidr: 10.151.0.0/16
+  desc: route to dev peered vpc
+  groups:
+  - devs
+  - ops
+```
+
+**DNS Lookup Route**
+
+```yaml
+routes:
+- dns: example.com
+  desc: my dev alb
+  schedule: rate(10 minutes)
+  groups:
+  - dev
+```
+
+**Cloud Lookup Route**
+
+```yaml
+routes:
+- cloud: aws
+  schedule: rate(1 hour)
+  groups:
+  - ops
+  filters:
+  - name: region
+    values:
+    - ap-southeast-2
+  - name: service
+    values:
+    - API_GATEWAY
+```
+
+### Default Auth Groups
+
+```yaml
+default_groups:
+- group-a
+```
+
+### Auto Route Limit Increase
+
+```yaml
+auto_limit_increase: true
+```
+
+### Slack Notifications
+
+```yaml
+slack_webhook_url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+```

data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py

@@ -1,8 +1,8 @@
 import os
-import socket
 import boto3
 from botocore.exceptions import ClientError
 from lib.slack import Slack
+from lookup import dns_lookup, cloud_lookup
 from states import *
 import logging
 from quotas import increase_quota, AUTH_RULE_TABLE_QUOTA_CODE, ROUTE_TABLE_QUOTA_CODE
@@ -26,8 +26,8 @@ def delete_route(client, vpn_endpoint, subnet, cidr):
       raise e
 
   
-def create_route(client, event, cidr, target_subnet):
-  description = f"cfnvpn auto generated route for endpoint {event['Record']}."
+def create_route(client, event, cidr, target_subnet, lookup_item):
+  description = f"cfnvpn auto generated route for lookup {lookup_item}."
   if event['Description']:
     description += f" {event['Description']}"
 
@@ -61,8 +61,8 @@ def revoke_route_auth(client, event, cidr, group = None):
       raise e
 
 
-def authorize_route(client, event, cidr, group = None):
-  description = f"cfnvpn auto generated authorization for endpoint {event['Record']}."
+def authorize_route(client, event, cidr, lookup_item, group = None):
+  description = f"cfnvpn auto generated authorization for lookup {lookup_item}."
   if event['Description']:
     description += f" {event['Description']}"
 
@@ -80,7 +80,7 @@ def authorize_route(client, event, cidr, group = None):
   client.authorize_client_vpn_ingress(**args)
 
 
-def get_routes(client, event):
+def get_routes(client, event, lookup_item):
   paginator = client.get_paginator('describe_client_vpn_routes')
   response_iterator = paginator.paginate(
     ClientVpnEndpointId=event['ClientVpnEndpointId'],
@@ -94,10 +94,10 @@ def get_routes(client, event):
  
   return [route for page in response_iterator 
             for route in page['Routes'] 
-            if 'Description' in route and event['Record'] in route['Description']]
+            if 'Description' in route and lookup_item in route['Description']]
 
 
-def get_auth_rules(client, event):
+def get_auth_rules(client, event, lookup_item):
   paginator = client.get_paginator('describe_client_vpn_authorization_rules')
   response_iterator = paginator.paginate(
     ClientVpnEndpointId=event['ClientVpnEndpointId']
@@ -105,7 +105,7 @@ def get_auth_rules(client, event):
 
   return [rule for page in response_iterator 
             for rule in page['AuthorizationRules']
-            if 'Description' in rule and event['Record'] in rule['Description']]
+            if 'Description' in rule and lookup_item in rule['Description']]
 
 
 def expired_auth_rules(auth_rules, cidrs, groups):
@@ -131,16 +131,27 @@ def handler(event,context):
 
   logger.info(f"auto route populator triggered with event : {event}")
   slack = Slack(username=SLACK_USERNAME)
+
+  lookup_type = None
   
-  # DNS lookup on the dns record and return all IPS for the endpoint
-  try:
-    cidrs = [ ip + "/32" for ip in socket.gethostbyname_ex(event['Record'])[-1]]
-    logger.info(f"resolved endpoint {event['Record']} to {cidrs}")
-  except socket.gaierror as e:
-    logger.error(f"failed to resolve record {event['Record']}", exc_info=True)
-    slack.post_event(message=f"failed to resolve record {event['Record']}", state=RESOLVE_FAILED, error=e)
+  if 'Record' in event:
+    cidrs = dns_lookup(event['Record'])
+    lookup_item = event['Record']
+    if cidrs is None:
+      slack.post_event(message=f"failed to resolve record {event['Record']}", state=RESOLVE_FAILED)
+    logger.info(f"dns lookup found {len(cidrs)} IP's")
+  elif 'Cloud' in event:
+    cidrs = cloud_lookup(event['Cloud'], event.get('Filters', []))
+    lookup_item = f"cloud:{event['Cloud']}"
+    logger.info(f"cloud {event['Cloud']} lookup found {len(cidrs)} IP address ranges")
+  else:
+    logger.error("one of [ Record | Cloud ] not found in event")
     return 'KO'
-  
+
+  if not cidrs:
+    logger.error(f"no cidrs found")
+    return 'KO'
+
   client = boto3.client('ec2')
 
   # describe vpn and check if subnets are associated with the vpn
@@ -150,17 +161,17 @@ def handler(event,context):
 
   if not response['ClientVpnEndpoints']:
     logger.error(f"endpoint not found")
-    slack.post_event(message=f"failed create routes for {event['Record']}", state=FAILED, error="endpoint not found")
+    slack.post_error(lookup_item, FAILED, "endpoint not found")
     return 'KO'
 
   endpoint = response['ClientVpnEndpoints'][0]
   if endpoint['Status'] == 'pending-associate':
     logger.error(f"no subnets associated with endpoint")
-    slack.post_event(message=f"failed create routes for {event['Record']}", state=FAILED, error="vpn is in a stopped state")
+    slack.post_error(lookup_item, FAILED, "vpn is in a stopped state")
     return 'KO'
 
-  routes = get_routes(client, event)
-  auth_rules = get_auth_rules(client, event)
+  routes = get_routes(client, event, lookup_item)
+  auth_rules = get_auth_rules(client, event, lookup_item)
 
   auto_limit_increase = os.environ.get('AUTO_LIMIT_INCREASE')
   route_limit_increase_required = False
@@ -171,28 +182,20 @@ def handler(event,context):
     for subnet in event['TargetSubnets']:
       if not any(route['DestinationCidr'] == cidr and route['TargetSubnet'] == subnet for route in routes):
         try:
-          create_route(client, event, cidr, subnet)
+          create_route(client, event, cidr, subnet, lookup_item)
         except ClientError as e:
           if e.response['Error']['Code'] == 'ClientVpnRouteLimitExceeded':
             route_limit_increase_required = True
             logger.error("vpn route table has reached the route limit", exc_info=True)
-            slack.post_event(
-              message=f"unable to create route {cidr} from {event['Record']}",
-              state=ROUTE_LIMIT_EXCEEDED,
-              error="vpn route table has reached the route limit"
-            )
+            slack.post_error(lookup_item, ROUTE_LIMIT_EXCEEDED, "vpn route table has reached the route limit")
           elif e.response['Error']['Code'] == 'InvalidClientVpnActiveAssociationNotFound':
             logger.warn("no subnets are associated with the vpn", exc_info=True)
-            slack.post_event(
-              message=f"unable to create the route {cidr} from {event['Record']}", 
-              state=SUBNET_NOT_ASSOCIATED,
-              error="no subnets are associated with the vpn"
-            )
+            slack.post_error(lookup_item, SUBNET_NOT_ASSOCIATED, "no subnets are associated with the vpn")
           else:
             logger.error("encountered a unexpected client error when creating a route", exc_info=True)
         else:
           slack.post_event(
-            message=f"created new route {cidr} ({event['Record']}) to target subnet {subnet}",
+            message=f"created new route {cidr} ({lookup_item}) to target subnet {subnet}",
             state=NEW_ROUTE
           )
     
@@ -211,18 +214,18 @@ def handler(event,context):
         new_groups = [group for group in event['Groups'] if group not in existing_groups]
 
         for group in new_groups:
-          authorize_route(client, event, cidr, group)
+          authorize_route(client, event, cidr, lookup_item, group)
 
       # create an allow all rule
       elif 'Groups' not in event and not cidr_auth_rules:
-        authorize_route(client, event, cidr)
+        authorize_route(client, event, cidr, lookup_item)
 
     except ClientError as e:
         if e.response['Error']['Code'] == 'ClientVpnAuthorizationRuleLimitExceeded':
           auth_rules_limit_increase_required = True
           logger.error("vpn has reached the authorization rule limit", exc_info=True)
           slack.post_event(
-            message=f"unable add to authorization rule for route {cidr} from {event['Record']}",
+            message=f"unable add to authorization rule for route {cidr} from lookup {lookup_item}",
             state=AUTH_RULE_LIMIT_EXCEEDED,
             error="vpn has reached the authorization rule limit"
           )
@@ -248,13 +251,13 @@ def handler(event,context):
 
   # remove expired auth rules
   for rule in expired_auth_rules(auth_rules, cidrs, event.get('Groups', [])):
-    logger.info(f"removing expired auth rule {rule['DestinationCidr']} for endpoint {event['Record']}")
+    logger.info(f"removing expired auth rule {rule['DestinationCidr']} for lookup {lookup_item}")
     revoke_route_auth(client, event, rule['DestinationCidr'])
 
   # remove expired routes
   for route in expired_routes(routes, cidrs):
-    logger.info(f"removing expired route {route['DestinationCidr']} for endpoint {event['Record']}")
+    logger.info(f"removing expired route {route['DestinationCidr']} for lookup {lookup_item}")
     delete_route(client, event['ClientVpnEndpointId'], route['TargetSubnet'], route['DestinationCidr'])
-    slack.post_event(message=f"removed expired route {route['DestinationCidr']} for endpoint {event['Record']}", state=EXPIRED_ROUTE)
+    slack.post_event(message=f"removed expired route {route['DestinationCidr']} for lookup {lookup_item}", state=EXPIRED_ROUTE)
   
   return 'OK'

data/lib/cfnvpn/templates/lambdas/auto_route_populator/lookup.py

@@ -0,0 +1,58 @@
+import json
+import socket
+from urllib.request import Request, urlopen
+import logging
+
+logger = logging.getLogger(__name__)
+logger.setLevel(logging.INFO)
+
+AWS_URL = 'https://ip-ranges.amazonaws.com/ip-ranges.json'
+
+def dns_lookup(record):
+  try:
+    cidrs = [ ip + "/32" for ip in socket.gethostbyname_ex(record)[-1]]
+    logger.info(f"resolved endpoint {record} to {cidrs}")
+  except socket.gaierror as e:
+    logger.error(f"failed to resolve record {record}", exc_info=True)
+    return None
+
+  return cidrs
+
+def cloud_lookup(cloud, filters):
+  if cloud == 'aws':
+    return aws_lookup(filters)
+  else:
+    logger.error(f"unsupported cloud lookup : {cloud}")
+    return None
+
+def http_request(endpoint):
+  request = Request(endpoint, headers={'User-Agent': 'Mozilla/5.0'})
+  response = urlopen(request)
+  return response.read().decode('utf-8')
+
+def get_filter(filters, key):
+  return next((filter['values'] for filter in filters if filter['name'] == key), None)
+
+def aws_lookup(filters):
+  response = http_request(AWS_URL)
+  data = json.loads(response)
+  regions = get_filter(filters, 'region')
+  services = get_filter(filters, 'service')
+
+  cidrs = []
+  for prefix in data['prefixes']:
+    if regions and services:
+      if prefix['region'] in regions and prefix['service'] in services:
+        cidrs.append(prefix['ip_prefix'])
+    elif regions:
+      if prefix['region'] in regions:
+        cidrs.append(prefix['ip_prefix'])
+    elif services:
+      if prefix['service'] in services:
+        cidrs.append(prefix['ip_prefix'])
+    else:
+      cidrs.append(prefix['ip_prefix'])
+
+  return cidrs
+
+

data/lib/cfnvpn/templates/lambdas/lib/slack.py

@@ -12,6 +12,9 @@ class Slack:
         self.username = username
         self.slack_url = os.environ.get('SLACK_URL')
 
+    def post_error(self, lookup_item, state, error):
+        self.post_event(message=f"failed create routes for lookup {lookup_item}", state=state, error=error)
+
     def post_event(self, message, state, error=None, support_case=None):
         """Posts event to slack using an incoming webhook
         Parameters

data/lib/cfnvpn/templates/vpn.rb

@@ -127,22 +127,23 @@ module CfnVpn
           output(:InternetRoute, config[:internet_route])
         end
 
-        dns_routes = config[:routes].select {|route| route.has_key?(:dns)}
-        cidr_routes = config[:routes].select {|route| route.has_key?(:cidr)}
+        create_auto_route_populator = config[:routes].detect { |route| route.has_key?(:dns) || route.has_key?(:cloud)}
 
-        if dns_routes.any?
+        if create_auto_route_populator
           auto_route_populator(name, config)
+        end
 
-          dns_routes.each do |route|
-            # to aide in the migration from single to HA routes if the vpn is HA
-            if route[:subnets]
-              target_subnets = route[:subnets]
-            elsif config[:subnet_ids].include?(route[:subnet])
-              target_subnets = config[:subnet_ids]
-            else
-              target_subnets = [*route[:subnet]]
-            end
+        config[:routes].each do |route|
+          
+          if route[:subnets]
+            target_subnets = route[:subnets]
+          elsif config[:subnet_ids].include?(route[:subnet])
+            target_subnets = config[:subnet_ids]
+          else
+            target_subnets = [*route[:subnet]]
+          end
 
+          if route.has_key?(:dns)
             input = { 
               Record: route[:dns],
               ClientVpnEndpointId: "${ClientVpnEndpoint}",
@@ -150,7 +151,7 @@ module CfnVpn
               Description: route[:desc]
             }
             
-            if route[:groups].any?
+            if !route[:groups].nil? && route[:groups].any?
               input[:Groups] = route[:groups]
             end
 
@@ -159,29 +160,48 @@ module CfnVpn
               DependsOn network_assoc_dependson if network_assoc_dependson.any?
               State 'ENABLED'
               Description "cfnvpn auto route populator schedule for #{route[:dns]}"
-              ScheduleExpression "rate(5 minutes)"
+              ScheduleExpression route.fetch(:schedule, 'rate(5 minutes)')
               Targets([
                 { 
                   Arn: FnGetAtt(:CfnVpnAutoRoutePopulator, :Arn),
-                  Id: "auto-route-populator",
+                  Id: "dns-auto-route-populator",
                   Input: FnSub(input.to_json)
                 }
               ])
             }
-          end
-        end
-
-        if cidr_routes.any?
-          cidr_routes.each do |route|
-            # to aide in the migration from single to HA routes if the vpn is HA
-            if route[:subnets]
-              target_subnets = route[:subnets]
-            elsif config[:subnet_ids].include?(route[:subnet])
-              target_subnets = config[:subnet_ids]
-            else
-              target_subnets = [*route[:subnet]]
+          
+          elsif route.has_key?(:cloud)
+            input = { 
+              Cloud: route[:cloud],
+              ClientVpnEndpointId: "${ClientVpnEndpoint}",
+              TargetSubnets: target_subnets,
+              Description: route[:desc]
+            }
+            
+            if !route[:groups].nil? && route[:groups].any?
+              input[:Groups] = route[:groups]
             end
 
+            if !route[:filters].nil? && route[:filters].any?
+              input[:Filters] = route[:filters]
+            end          
+
+            Events_Rule(:"CfnVpnAutoRoutePopulatorEvent#{route[:cloud].resource_safe}"[0..255]) {
+              Condition(:EnableSubnetAssociation)
+              DependsOn network_assoc_dependson if network_assoc_dependson.any?
+              State 'ENABLED'
+              Description "cfnvpn auto route populator schedule for cloud #{route[:cloud]} lookup"
+              ScheduleExpression route.fetch(:schedule, 'rate(5 minutes)')
+              Targets([
+                { 
+                  Arn: FnGetAtt(:CfnVpnAutoRoutePopulator, :Arn),
+                  Id: "cloud-auto-route-populator",
+                  Input: FnSub(input.to_json)
+                }
+              ])
+            }
+
+          elsif route.has_key?(:cidr)
             target_subnets.each do |subnet|
               EC2_ClientVpnRoute(:"#{route[:cidr].resource_safe}VpnRouteTo#{subnet.resource_safe}"[0..255]) {
                 Description "cfnvpn static route for #{route[:cidr]}. #{route[:desc]}".strip
@@ -208,6 +228,7 @@ module CfnVpn
                 TargetNetworkCidr route[:cidr]
               }
             end
+
           end
         end
         
@@ -336,6 +357,7 @@ module CfnVpn
           func: 'auto_route_populator',
           files: [
             'auto_route_populator/app.py',
+            'auto_route_populator/lookup.py',
             'auto_route_populator/quotas.py',
             'lib/slack.py',
             'auto_route_populator/states.py'

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "1.4.3".freeze
+  VERSION = "1.4.4".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 1.4.3
+  version: 1.4.4
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-12-22 00:00:00.000000000 Z
+date: 2022-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -248,6 +248,7 @@ files:
 - docs/scheduling.md
 - docs/sessions.md
 - docs/slack-notifications.md
+- docs/yaml-config.md
 - exe/cfn-vpn
 - lib/cfnvpn.rb
 - lib/cfnvpn/acm.rb
@@ -274,6 +275,7 @@ files:
 - lib/cfnvpn/templates/helper.rb
 - lib/cfnvpn/templates/lambdas.rb
 - lib/cfnvpn/templates/lambdas/auto_route_populator/app.py
+- lib/cfnvpn/templates/lambdas/auto_route_populator/lookup.py
 - lib/cfnvpn/templates/lambdas/auto_route_populator/quotas.py
 - lib/cfnvpn/templates/lambdas/auto_route_populator/states.py
 - lib/cfnvpn/templates/lambdas/lib/slack.py