Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(ec2): client vpn endpoint #12234

Merged
merged 25 commits into from Mar 22, 2021
Merged

feat(ec2): client vpn endpoint #12234

merged 25 commits into from Mar 22, 2021

Conversation

@jogold
Copy link
Contributor

@jogold jogold commented Dec 26, 2020

Add support for client VPN endpoints with the following L2s: ClientVpnEndpoint,
ClientVpnAuthorizationRule and ClientVpnRoute.

Client VPN endpoints can be added to VPCs with the addClientVpnEndpoint()
method.

Both mutual and user-based authentication are supported.

The ClientVpnEndpoint class implements IConnectable.

Use a custom resource to import server and client certificates in ACM
for the integration test.

Close #4206


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

@gitpod-io gitpod-io bot commented Dec 26, 2020

@jogold
Copy link
Contributor Author

@jogold jogold commented Dec 29, 2020

To be discussed:

  • mark as experimental?
  • should ClientVpnUserBasedAuthentication.activeDirectory() take a IDirectory? There's no IDirectory for the moment but we can assume that it will come in aws-directoryservice
  • same but different for ClientVpnUserBasedAuthentication.federated() with the federated role that is currently not supported by CF
@jogold
Copy link
Contributor Author

@jogold jogold commented Feb 4, 2021

@rix0rrr any feedback here?

/**
* A Lambda function
*/
export interface IFunction {

This comment has been minimized.

@rix0rrr

rix0rrr Feb 25, 2021
Contributor

This only works in TypeScript, not in nominally-typed languages.

What you'd normally have to do is define an interface (or abstract class) for integrations and make a concrete class in a separate package combining EC2 types and Lambda types.

However in this case, I believe aws-lambda already depends on aws-ec2. So it's permissible in this case to define an interface here and have aws-lambda.Function implement it directly.

This comment has been minimized.

@jogold

jogold Mar 8, 2021
Author Contributor

This is now IClientVpnConnectionHandler, and FunctionBase implements it.

/**
* A certificate
*/
export interface ICertificate {

This comment has been minimized.

@rix0rrr

rix0rrr Feb 25, 2021
Contributor

Some for this, although the dependency is trickier. We don't have a dependency yet and adding one feels unsafe. So definitely looks like it needs an integration package.

This comment has been minimized.

@jogold

jogold Feb 25, 2021
Author Contributor

Do we need a ICertifcate here after all? Would it be here acceptable to reference an ARN (string) directly in ClientVpnEndpointOptions? I mean how likely is it that CF adds support for "imported" certificates in ACM?

This comment has been minimized.

@rix0rrr

rix0rrr Mar 8, 2021
Contributor

Not sure what "imported" certificates means, in this case.

I guess just taking an ARN is acceptable for now... I suppose we can deprecate that field once we figure out a good way to do the integration. Everything I can think of is pretty bad, so just taking a string seems like the simplest solution.

This comment has been minimized.

@jogold

jogold Mar 8, 2021
Author Contributor

Imported means this: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html

Certificates automatically issued by ACM cannot be used here for the client VPN endpoint.

Changed for now to serverCertificateArn and clientCertificateArn but another option could be to define IClientVpnCertificate and when CF adds a resource in ACM for imported certificates it will implement it?

I see that CF added support for AWS::IAM::ServerCertificate last week, what we need here is the same but in ACM. See aws-cloudformation/cloudformation-coverage-roadmap#614.

This is also why I'm using a custom resource for the integ test.

}

/** The ID of the Active Directory to be used for authentication */
public abstract readonly directoryId?: string;

This comment has been minimized.

@rix0rrr

rix0rrr Feb 25, 2021
Contributor

Feels more correct to abstract this away one more level and return the entire object, with "whatever" fields need to be in there fore the given auth type.

This comment has been minimized.

@jogold

jogold Feb 25, 2021
Author Contributor

You mean something like this?

public abstract readonly directory?: { directoryId: string };
public abstract readonly samlProvider?: { samlProviderArn: string, selfServiceSamlProviderArn?: string };

This comment has been minimized.

@jogold

jogold Feb 25, 2021
Author Contributor

Actually I don't get it, isn't the ClientVpnUserBasedAuthentication the entire object with the fields set according to the chosen auth?

This comment has been minimized.

@rix0rrr

rix0rrr Mar 8, 2021
Contributor

It is. I'm talking about the protocol between ClientVpnUserBasedAuthentication and ClientVpnEndpoint.

I was thinking the protocol didn't need to be more complicated than this:

export abstract class ClientVpnUserBasedAuthentication {
  public abstract render(): any;
}

Then ClientVpnEndpoint doesn't need to care about the individual fields in that output structure anymore, but can just trust that whatever ClientVpnUserBasedAuthentication returns is correct.

This comment has been minimized.

@jogold

jogold Mar 8, 2021
Author Contributor

OK, this means

export class ClientVpnActiveDirectoryAuthentication extends ClientVpnUserBasedAuthentication {
  constructor(private readonly directoryId: string) {
    super();
  }

  render() {
    return {
      type: 'directory-service-authentication',
      activeDirectory: {
        directoryId: this.directoryId,
      },
    };
  }
}

and we drop the static methods on ClientVpnUserBasedAuthentication?

This comment has been minimized.

@rix0rrr

rix0rrr Mar 22, 2021
Contributor

The static methods still make sense as factory functions. You can also skip exporting the class that way.

@mergify mergify bot dismissed rix0rrr’s stale review Feb 25, 2021

Pull request has been modified.

@jogold
Copy link
Contributor Author

@jogold jogold commented Mar 4, 2021

Now that CF supports SAML providers, this needs #13393.

/**
* Active Directory authentication
*/
public static activeDirectory(directoryId: string): ClientVpnUserBasedAuthentication {

This comment has been minimized.

@jogold

jogold Mar 8, 2021
Author Contributor

Here again, maybe we can do IClientVpnActiveDirectory instead?

There are currently no L2s in @aws-cdk/aws-directoryservice but when they'll come there will be a dependency on @aws-cdk/aws-ec2

This comment has been minimized.

@rix0rrr

rix0rrr Mar 22, 2021
Contributor

We can always add a new factory method for that if and when it becomes necessary. Let's not worry about it too much for now.

@mergify
Copy link
Contributor

@mergify mergify bot commented Mar 22, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation commented Mar 22, 2021

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 1a1ca00
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

@mergify mergify bot commented Mar 22, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 4fde59a into aws:master Mar 22, 2021
7 checks passed
7 checks passed
@github-actions
auto-approve
Details
@github-actions
validate-pr
Details
AWS CodeBuild us-east-1 (AutoBuildProject89A8053A-LhjRyN9kxr8o) Build succeeded for project AutoBuildProject89A8053A-LhjRyN9kxr8o
Details
@gitpod-io
Gitpod Open an online workspace in Gitpod
Details
@mergify
Rule: automatic merge (merge) The pull request has been merged automatically
Details
@semantic-pull-requests
Semantic Pull Request ready to be squashed
Details
@mergify
Summary 5 potential rules
Details
eladb added a commit that referenced this pull request Mar 24, 2021
Add support for client VPN endpoints with the following L2s: `ClientVpnEndpoint`,
`ClientVpnAuthorizationRule` and `ClientVpnRoute`.

Client VPN endpoints can be added to VPCs with the `addClientVpnEndpoint()`
method.

Both mutual and user-based authentication are supported.

The `ClientVpnEndpoint` class implements `IConnectable`.

Use a custom resource to import server and client certificates in ACM
for the integration test.

Close #4206

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

3 participants