feat(ec2): client vpn endpoint #12234
Changes from 17 commits
@@ -0,0 +1,57 @@ | ||
import { Resource } from '@aws-cdk/core'; | ||
import { Construct } from 'constructs'; | ||
import { IClientVpnEndpoint } from './client-vpn-endpoint-types'; | ||
import { CfnClientVpnAuthorizationRule } from './ec2.generated'; | ||
|
||
/** | ||
* Options for a ClientVpnAuthorizationRule | ||
*/ | ||
export interface ClientVpnAuthorizationRuleOptions { | ||
/** | ||
* The IPv4 address range, in CIDR notation, of the network for which access | ||
* is being authorized. | ||
*/ | ||
readonly cidr: string; | ||
|
||
/** | ||
* The ID of the group to grant access to, for example, the Active Directory | ||
* group or identity provider (IdP) group. | ||
* | ||
* @default - authorize all groups | ||
*/ | ||
readonly groupId?: string; | ||
|
||
/** | ||
* A brief description of the authorization rule. | ||
* | ||
* @default - no description | ||
*/ | ||
readonly description?: string; | ||
} | ||
|
||
/** | ||
* Properties for a ClientVpnAuthorizationRule | ||
*/ | ||
export interface ClientVpnAuthorizationRuleProps extends ClientVpnAuthorizationRuleOptions { | ||
/** | ||
* The client VPN endpoint to which to add the rule. | ||
*/ | ||
readonly clientVpnEndoint: IClientVpnEndpoint; | ||
} | ||
|
||
/** | ||
* A client VPN authorization rule | ||
*/ | ||
export class ClientVpnAuthorizationRule extends Resource { | ||
constructor(scope: Construct, id: string, props: ClientVpnAuthorizationRuleProps) { | ||
super(scope, id); | ||
|
||
new CfnClientVpnAuthorizationRule(this, 'Resource', { | ||
clientVpnEndpointId: props.clientVpnEndoint.endpointId, | ||
targetNetworkCidr: props.cidr, | ||
accessGroupId: props.groupId, | ||
authorizeAllGroups: !props.groupId, | ||
description: props.description, | ||
}); | ||
} | ||
} |
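Review bot: the props field `clientVpnEndoint` (declared as `readonly clientVpnEndoint: IClientVpnEndpoint;` and read as `props.clientVpnEndoint.endpointId`) is misspelled; since `ClientVpnAuthorizationRuleProps` is public API, rename it to `clientVpnEndpoint` before this ships, because fixing it later is a breaking change. Also, `authorizeAllGroups: !props.groupId` treats an empty-string `groupId` as absent and would emit both `accessGroupId: ''` and `authorizeAllGroups: true`; checking `props.groupId === undefined` (or rejecting an empty `groupId`) keeps the all-groups grant limited to the documented `@default` case where no group is given.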
@@ -0,0 +1,57 @@ | ||
import { IDependable, IResource } from '@aws-cdk/core'; | ||
import { IConnectable } from './connections'; | ||
|
||
/** | ||
* A client VPN endpoint | ||
*/ | ||
export interface IClientVpnEndpoint extends IResource, IConnectable { | ||
/** | ||
* The endpoint ID | ||
*/ | ||
readonly endpointId: string; | ||
|
||
/** | ||
* Dependable that can be depended upon to force target networks associations | ||
*/ | ||
readonly targetNetworksAssociated: IDependable; | ||
} | ||
|
||
/** | ||
* A Lambda function | ||
*/ | ||
export interface IFunction { | ||
/** | ||
* The ARN of the function. | ||
*/ | ||
readonly functionArn: string; | ||
} | ||
|
||
/** | ||
* A certificate | ||
*/ | ||
export interface ICertificate { | ||
Same for this, although the dependency is trickier. We don't have a dependency yet and adding one feels unsafe. So definitely looks like it needs an integration package.

Do we need a

Not sure what "imported" certificates means, in this case. I guess just taking an ARN is acceptable for now... I suppose we can deprecate that field once we figure out a good way to do the integration. Everything I can think of is pretty bad, so just taking a string seems like the simplest solution.

Imported means this: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html Certificates automatically issued by ACM cannot be used here for the client VPN endpoint. Changed for now to I see that CF added support for This is also why I'm using a custom resource for the integ test.
/** | ||
* The ARN of the certificate | ||
*/ | ||
readonly certificateArn: string; | ||
} | ||
|
||
/** | ||
* Transport protocol for client VPN | ||
*/ | ||
export enum TransportProtocol { | ||
/** Transmission Control Protocol (TCP) */ | ||
TCP = 'tcp', | ||
/** User Datagram Protocol (UDP) */ | ||
UDP = 'udp', | ||
} | ||
|
||
/** | ||
* Port for client VPN | ||
*/ | ||
export enum VpnPort { | ||
/** HTTPS */ | ||
HTTPS = 443, | ||
/** OpenVPN */ | ||
OPENVPN = 1194, | ||
} |
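Review bot: the locally declared `IFunction` and `ICertificate` reuse the names of the aws-lambda and aws-certificatemanager interfaces while carrying only an ARN, and the `ICertificate` doc comment ("A certificate") omits the constraint raised in the inline thread that ACM-issued certificates cannot be used here and only an imported certificate's ARN is valid; state that restriction on `certificateArn` and give the local interfaces names that reflect their narrower contract (the follow-up comment already mentions `IClientVpnConnectionHandler` for the Lambda side). Minor: the `targetNetworksAssociated` doc ("Dependable that can be depended upon to force target networks associations") should say what a dependent gains, namely that it is created only after the target network associations exist.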
This only works in TypeScript, not in nominally-typed languages.
What you'd normally have to do is define an interface (or abstract class) for integrations and make a concrete class in a separate package combining EC2 types and Lambda types.
However in this case, I believe `aws-lambda` already depends on `aws-ec2`. So it's permissible in this case to define an interface here and have `aws-lambda.Function` implement it directly.

This is now `IClientVpnConnectionHandler`, and `FunctionBase` implements it.