Nirbhay/aws_ec2_client_vpn_endpoint

docs/resources/aws_ec2_client_vpn_endpoint.md

@@ -0,0 +1,111 @@
+---
+title: About the aws_ec2_client_vpn_endpoint Resource
+platform: aws
+---
+
+# aws_ec2_client_vpn_endpoint
+
+Use the `aws_ec2_client_vpn_endpoint` InSpec audit resource to test properties of a single specific AWS EC2 Client VPN endpoint.
+
+The `AWS::EC2::ClientVpnEndpoint` specifies a Client VPN endpoint.
+
+## Syntax
+
+Ensure that the client VPN endpoint exists.
+
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+      it { should exist }
+    end
+
+## Parameters
+
+`client_vpn_endpoint_id` _(required)_
+
+The ID of the Client VPN endpoint.
+
+For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpoint.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html).
+
+## Properties
+
+| Property | Description |
+| --- | --- |
+| client_vpn_endpoint_id | The ID of the Client VPN endpoint. |
+| description | A brief description of the endpoint. |
+| status.code | The state of the Client VPN endpoint. |
+| status.message | A message about the status of the Client VPN endpoint. |
+| creation_time | The date and time the Client VPN endpoint was created. |
+| deletion_time | The date and time the Client VPN endpoint was deleted, if applicable. |
+| dns_name | The DNS name to be used by clients when connecting to the Client VPN endpoint. |
+| client_cidr_block | The IPv4 address range, in CIDR notation, from which client IP addresses are assigned. |
+| dns_servers | Information about the DNS servers to be used for DNS resolution. |
+| split_tunnel | Indicates whether split-tunnel is enabled in the Client VPN endpoint. |
+| vpn_protocol | The protocol used by the VPN session. |
+| transport_protocol | The transport protocol used by the Client VPN endpoint. |
+| vpn_port | The port number for the Client VPN endpoint. |
+| associated_target_networks | Information about the associated target networks. A target network is a subnet in a VPC. |
+| associated_target_network_id | The ID of the subnet. |
+| associated_target_network_type | The target network type. |
+| server_certificate_arn | The ARN of the server certificate. |
+| authentication_options | Information about the authentication method used by the Client VPN endpoint. |
+| authentication_options_types | The authentication type used. |
+| authentication_options_active_directory_ids | The ID of the Active Directory used for authentication. |
+| authentication_options_mutual_authentication.client_root_certificate_chains | The ARN of the client certificate. |
+| authentication_options_federated_authentication_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider. |
+| authentication_options_federated_authentication_self_service_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal. |
+| connection_log_options_enabled | Indicates whether client connection logging is enabled for the Client VPN endpoint. |
+| connection_log_options_cloudwatch_log_groups | The name of the Amazon CloudWatch Logs log group to which connection logging data is published. |
+| connection_log_options_cloudwatch_log_streams | The name of the Amazon CloudWatch Logs log stream to which connection logging data is published. |
+| tags | Describes a tag. |
+| security_group_ids | The IDs of the security groups for the target network. |
+| vpc_id | The ID of the VPC. |
+| self_service_portal_url | The URL of the self-service portal. |
+| client_connect_options_enabled | Indicates whether client connect options are enabled. |
+| client_connect_options_lambda_function_arns | The Amazon Resource Name (ARN) of the Lambda function used for connection authorization. |
+| client_connect_options_status_codes | The status code. |
+| client_connect_options_status_messages | The status message. |
+
+## Examples
+
+### Ensure a client VPN endpoint ID is available.
+
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+      its('client_vpn_endpoint_id') { should eq 'CLIENT_VPN_ENDPOINT_ID' }
+    end
+
+### Ensure that the status code is `available`.
+
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+        its('status.code') { should eq 'available' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: "CLIENT_VPN_ENDPOINT_ID") do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeClientVpnEndpointsResult` action with `Effect` set to `Allow`.

docs/resources/aws_ec2_client_vpn_endpoints.md

@@ -0,0 +1,107 @@
+---
+title: About the aws_ec2_client_vpn_endpoints Resource
+platform: aws
+---
+
+# aws_ec2_client_vpn_endpoints
+
+Use the `aws_ec2_client_vpn_endpoints` InSpec audit resource to test properties of multiple AWS EC2 Client VPN endpoint.
+
+The `AWS::EC2::ClientVpnEndpoint` specifies a Client VPN endpoint.
+
+## Syntax
+
+Ensure that the client VPN endpoint exists.
+
+    describe aws_ec2_client_vpn_endpoints do
+      it { should exist }
+    end
+
+## Parameters
+
+For additional information, see the [AWS documentation on AWS EC2 ClientVpnEndpoint.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-clientvpnendpoint.html).
+
+## Properties
+
+| Property | Description | Field |
+| --- | --- | --- |
+| client_vpn_endpoint_ids | The ID of the Client VPN endpoint. | client_vpn_endpoint_id |
+| descriptions | A brief description of the endpoint. | description |
+| status_codes | The state of the Client VPN endpoint. | status.code |
+| status_messages | A message about the status of the Client VPN endpoint. | status.message |
+| creation_times | The date and time the Client VPN endpoint was created. | creation_time |
+| deletion_times | The date and time the Client VPN endpoint was deleted, if applicable. | deletion_time |
+| dns_names | The DNS name to be used by clients when connecting to the Client VPN endpoint. | dns_name |
+| client_cidr_blocks | The IPv4 address range, in CIDR notation, from which client IP addresses are assigned. | client_cidr_block |
+| dns_servers | Information about the DNS servers to be used for DNS resolution. | dns_servers |
+| split_tunnels | Indicates whether split-tunnel is enabled in the Client VPN endpoint. | split_tunnel |
+| vpn_protocols | The protocol used by the VPN session. | vpn_protocol |
+| transport_protocols | The transport protocol used by the Client VPN endpoint. | transport_protocol |
+| vpn_ports | The port number for the Client VPN endpoint. | vpn_port |
+| associated_target_networks | Information about the associated target networks. A target network is a subnet in a VPC. | associated_target_networks |
+| associated_target_network_id | The ID of the subnet. | network_id |
+| associated_target_network_type | The target network type. | network_type |
+| server_certificate_arns | The ARN of the server certificate. | server_certificate_arn |
+| authentication_options | Information about the authentication method used by the Client VPN endpoint. | authentication_options |
+| authentication_options_types | The authentication type used. | type |
+| authentication_options_active_directory_ids | The ID of the Active Directory used for authentication. | directory_id |
+| authentication_options_mutual_authentication.client_root_certificate_chains | The ARN of the client certificate. | client_root_certificate_chain |
+| authentication_options_federated_authentication_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider. | saml_provider_arn |
+| authentication_options_federated_authentication_self_service_saml_provider_arns | The Amazon Resource Name (ARN) of the IAM SAML identity provider for the self-service portal. | self_service_saml_provider_arn |
+| connection_log_options_enabled | Indicates whether client connection logging is enabled for the Client VPN endpoint. | enabled |
+| connection_log_options_cloudwatch_log_groups | The name of the Amazon CloudWatch Logs log group to which connection logging data is published. | cloudwatch_log_group |
+| connection_log_options_cloudwatch_log_streams | The name of the Amazon CloudWatch Logs log stream to which connection logging data is published. | cloudwatch_log_stream |
+| tags | Describes a tag. | tags |
+| security_group_ids | The IDs of the security groups for the target network. | security_group_ids |
+| vpc_id | The ID of the VPC. | vpc_id |
+| self_service_portal_url | The URL of the self-service portal. | self_service_portal_url |
+| client_connect_options_enabled | Indicates whether client connect options are enabled. | enabled |
+| client_connect_options_lambda_function_arns | The Amazon Resource Name (ARN) of the Lambda function used for connection authorization. | lambda_function_arn |
+| client_connect_options_status_codes | The status code. | status.code |
+| client_connect_options_status_messages | The status message. | status.message |
+
+## Examples
+
+### Ensure a client VPN endpoint ID is available.
+
+    describe aws_ec2_client_vpn_endpoints do
+      its('client_vpn_endpoint_ids') { should include 'CLIENT_VPN_ENDPOINT_ID' }
+    end
+
+### Ensure that the status code is `available`.
+
+    describe aws_ec2_client_vpn_endpoints do
+        its('status_codes') { should include 'available' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_ec2_client_vpn_endpoints do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_ec2_client_vpn_endpoints do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_ec2_client_vpn_endpoints do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `EC2:Client:DescribeClientVpnEndpointsResult` action with `Effect` set to `Allow`.

libraries/aws_ec2_client_vpn_endpoint.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSEC2ClientVPNEndpoint < AwsResourceBase
+  name 'aws_ec2_client_vpn_endpoint'
+  desc 'Describes a VPN endpoint.'
+
+  example "
+    describe aws_ec2_client_vpn_endpoint(client_vpn_endpoint_id: 'CLIENT_VPN_ENDPOINT_ID') do
+      it { should exist }
+    end
+  "
+
+  def initialize(opts = {})
+    opts = { client_vpn_endpoint_id: opts } if opts.is_a?(String)
+    super(opts)
+    validate_parameters(required: [:client_vpn_endpoint_id])
+    raise ArgumentError, "#{@__resource_name__}: client_vpn_endpoint_id must be provided" unless opts[:client_vpn_endpoint_id] && !opts[:client_vpn_endpoint_id].empty?
+    @display_name = opts[:client_vpn_endpoint_id]
+    catch_aws_errors do
+      resp = @aws.compute_client.describe_client_vpn_endpoints({ client_vpn_endpoint_ids: [opts[:client_vpn_endpoint_id]] })
+      @res = resp.client_vpn_endpoints[0].to_h
+      create_resource_methods(@res)
+    end
+  end
+
+  def client_vpn_endpoint_id
+    return nil unless exists?
+    @res[:client_vpn_endpoint_id]
+  end
+
+  def exists?
+    !@res.nil? && !@res.empty?
+  end
+
+  def to_s
+    "Client VPN Endpoint ID: #{@display_name}"
+  end
+end

libraries/aws_ec2_client_vpn_endpoints.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSEC2ClientVPNEndpoints < AwsResourceBase
+  name 'aws_ec2_client_vpn_endpoints'
+  desc 'Describes all the VPN endpoint.'
+
+  example "
+    describe aws_ec2_client_vpn_endpoints do
+      it { should exist }
+    end
+  "
+
+  attr_reader :table
+
+  FilterTable.create
+             .register_column(:client_vpn_endpoint_ids, field: :client_vpn_endpoint_id)
+             .register_column(:descriptions, field: :description)
+             .register_column(:creation_time, field: :creation_time)
+             .register_column(:deletion_time, field: :deletion_time)
+             .register_column(:dns_names, field: :dns_name)
+             .register_column(:split_tunnels, field: :split_tunnel)
+             .register_column(:vpn_protocols, field: :vpn_protocol)
+             .register_column(:transport_protocols, field: :transport_protocol)
+             .register_column(:vpn_ports, field: :vpn_port)
+             .register_column(:server_certificate_arns, field: :server_certificate_arn)
+             .register_column(:tags, field: :tags)
+             .install_filter_methods_on_resource(self, :table)
+
+  def initialize(opts = {})
+    super(opts)
+    validate_parameters
+    @table = fetch_data
+  end
+
+  def fetch_data
+    catch_aws_errors do
+      @table = @aws.compute_client.describe_client_vpn_endpoints.map do |resp|
+        resp.client_vpn_endpoints.map { |resp_name| {
+          client_vpn_endpoint_id: resp_name.client_vpn_endpoint_id,
+          description: resp_name.description,
+          creation_time: resp_name.creation_time,
+          deletion_time: resp_name.deletion_time,
+          dns_name: resp_name.dns_name,
+          split_tunnel: resp_name.split_tunnel,
+          vpn_protocol: resp_name.vpn_protocol,
+          transport_protocol: resp_name.transport_protocol,
+          vpn_port: resp_name.vpn_port,
+          server_certificate_arn: resp_name.server_certificate_arn,
+          tags: resp_name.tags,
+        }
+        }
+      end.flatten
+    end
+  end
+end

test/integration/build/aws.tf

@@ -4460,4 +4460,34 @@ resource "aws_ec2_client_vpn_authorization_rule" "test_auth" {
   client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.test-endpoint.id
   target_network_cidr    = "0.0.0.0/0"
   authorize_all_groups   = true
-}
+}
+
+## VPN Endpoints
+resource "aws_ec2_client_vpn_route" "test-route" {
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.test-endpoint.id
+  destination_cidr_block = "0.0.0.0/0"
+  target_vpc_subnet_id   = aws_ec2_client_vpn_network_association.test-association.subnet_id
+}
+
+resource "aws_ec2_client_vpn_network_association" "test-association" {
+  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.test-endpoint.id
+  subnet_id              = "subnet-700ff218"
+}
+
+resource "aws_ec2_client_vpn_endpoint" "test-endpoint" {
+  description            = "Example Client VPN endpoint"
+  server_certificate_arn = "arn:aws:acm:us-east-2:112758395563:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb"
+  client_cidr_block      = "10.0.0.0/16"
+
+  authentication_options {
+    type                       = "certificate-authentication"
+    root_certificate_chain_arn = "arn:aws:acm:us-east-2:112758395563:certificate/a20fe841-b1ef-4785-aefb-e69838eacdcb"
+  }
+
+  connection_log_options {
+    enabled = false
+  }
+}
+
+
+

test/integration/build/outputs.tf

@@ -941,7 +941,6 @@ output "aws_cloudfront_cache_policy_id" {
   value = aws_cloudfront_cache_policy.aws_cloudfront_cache_policy_test1.id
 }
 
-
 output "request_origin_id" {
   value = aws_cloudfront_origin_request_policy.test-origin-policy.id
 }
@@ -953,10 +952,23 @@ output "dashboard_name" {
 output "dashboard_arn" {
   value = aws_cloudwatch_dashboard.main.dashboard_arn
 }
+
 output "server_certificate_name" {
   value = aws_iam_server_certificate.test_cert.name
 }
 
 output "server_certificate_id" {
   value = aws_iam_server_certificate.test_cert.id
-}
+}
+
+output "client_vpn_endpoint_id" {
+  value = aws_ec2_client_vpn_endpoint.test-endpoint.id
+}
+
+output "association_id" {
+  value = aws_ec2_client_vpn_network_association.test-association.id
+}
+
+output "target_vpc_subnet_id" {
+  value = aws_ec2_client_vpn_route.test-route.id
+}