in scripts/clientvpnendpoint-customlambdaresource.py [0:0]
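def create_endpoint(event, context):
    """Provision an AWS Client VPN endpoint for a CloudFormation custom resource.

    End-to-end flow: build a throw-away PKI with EasyRSA under /tmp, import
    the server and client certificates into ACM, create the Client VPN
    endpoint, associate it with a subnet and authorise/route traffic, record
    the endpoint and association IDs in SSM Parameter Store, then publish an
    OpenVPN client profile plus the client key pair to an S3 bucket.

    Args:
        event: CloudFormation custom-resource event. Every setting is read
            from ``event['ResourceProperties']`` (see ``_read_properties``).
        context: Lambda context object, forwarded unchanged to ``send``.

    Returns:
        None. The result is reported to CloudFormation via ``send``: SUCCESS
        with ``ClientVpnEndpointId``/``DnsName``, or FAILED with
        ``ErrorMessage`` if any step raised.
    """
    try:
        # All properties are read up front so a missing key fails before any
        # AWS resources are created.
        props = _read_properties(event)
        _build_pki()
        server_cert_arn, client_cert_arn = _import_certificates()

        endpoint = _create_client_vpn_endpoint(props, server_cert_arn, client_cert_arn)
        endpoint_id = endpoint['ClientVpnEndpointId']
        _store_parameter(
            props['ParamStorePath'],
            endpoint_id,
            'Biotech Blueprint VPC Client VPN Endpoint ID.',
        )

        association_id = _associate_target_network(props, endpoint_id)
        _store_parameter(
            props['ParamStorePath'] + "AssociationID",
            association_id,
            'Biotech Blueprint VPC Client VPN Endpoint ID Association ID.',
        )

        config_text = _render_client_config(endpoint_id, props['VpcAandBClassToRoutableNetworks'])
        _publish_client_bundle(config_text, props['VpnConfigBucket'])

        response_data = {
            'ClientVpnEndpointId': endpoint['ClientVpnEndpointId'],
            'DnsName': endpoint['DnsName'],
        }
        send(event, context, SUCCESS, response_data)
    except Exception as e:
        # logger.exception records the traceback; the previous logger.error(e)
        # kept only the message.
        logger.exception("create_endpoint failed: %s", e)
        # str(e): the exception object itself is not JSON-serialisable. If
        # send() encodes the payload as JSON (as the usual cfnresponse helper
        # does), passing the raw exception would raise again inside this
        # handler and the FAILED signal would never reach CloudFormation.
        response_data = {'ErrorMessage': str(e)}
        send(event, context, FAILED, response_data)


def _read_properties(event):
    """Return the required ``ResourceProperties`` as a dict keyed by property name.

    Raises:
        KeyError: if any required property is absent from the event.
    """
    resource_properties = event['ResourceProperties']
    required_keys = (
        'SubnetToAssociate',
        'TargetNetworkCidr',
        'LogGroup',
        'LogStream',
        'ClientCidr',
        'ParamStorePath',
        'VpnConfigBucket',
        'VpcId',
        'VpcSecurityGroup',
        'DNSServerIP',
        'VpcAandBClassToRoutableNetworks',
    )
    return {key: resource_properties[key] for key in required_keys}


def _build_pki():
    """Download EasyRSA into /tmp and mint a CA, one server cert and one client cert.

    The files needed later are copied into /tmp/vpndetails; everything else
    (including the CA private key) stays in the ephemeral Lambda filesystem.
    """
    # NOTE(review): the release tarball is fetched over HTTPS but its
    # integrity is not verified (no checksum or signature check); the GitHub
    # download is trusted as-is.
    install_easyrsa_commands = [
        'curl -L https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz -O',
        'mkdir /tmp/easyrsa',
        'mkdir /tmp/vpndetails',
        'tar -xvzf /tmp/EasyRSA-unix-v3.0.6.tgz -C /tmp/easyrsa',
        'ls /tmp/easyrsa',
    ]
    runCommandSet(install_easyrsa_commands)

    # init-pki was previously issued twice; a second run against an existing
    # PKI prompts for interactive confirmation, so only one call is kept.
    easyrsa_commands = [
        '/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa init-pki',
        '/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa build-ca nopass',
        '/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa build-server-full server nopass',
        '/tmp/easyrsa/EasyRSA-v3.0.6/easyrsa build-client-full client1.domain.tld nopass',
        'cp /tmp/pki/ca.crt /tmp/vpndetails/',
        'cp /tmp/pki/issued/server.crt /tmp/vpndetails/server.crt',
        'cp /tmp/pki/private/server.key /tmp/vpndetails/server.key',
        'cp /tmp/pki/issued/client1.domain.tld.crt /tmp/vpndetails/client1.domain.tld.crt',
        'cp /tmp/pki/private/client1.domain.tld.key /tmp/vpndetails/client1.domain.tld.key',
    ]
    # NOTE(review): this directory is spelled '/tmp/easy-rsa/...' while the
    # archive was extracted to '/tmp/easyrsa/...'. Kept verbatim because the
    # cp commands above expect the PKI at /tmp/pki, so how runCommandSet uses
    # this second argument needs confirming before "fixing" the path.
    # NOTE(review): the CA private key is never copied out of /tmp/pki, so no
    # further client certificates can be issued for this endpoint later —
    # confirm that a single shared client identity is intended.
    runCommandSet(easyrsa_commands, '/tmp/easy-rsa/EasyRSA-v3.0.6')


def _import_certificates():
    """Import the server and client certificates into ACM.

    Returns:
        tuple[str, str]: ``(server_certificate_arn, client_certificate_arn)``.
        The client certificate ARN doubles as the client root chain for
        mutual authentication on the endpoint.
    """
    ca_chain = get_bytes_from_file('/tmp/vpndetails/ca.crt')
    server_cert_response = acm.import_certificate(
        Certificate=get_bytes_from_file('/tmp/vpndetails/server.crt'),
        PrivateKey=get_bytes_from_file('/tmp/vpndetails/server.key'),
        CertificateChain=ca_chain,
    )
    client_cert_response = acm.import_certificate(
        Certificate=get_bytes_from_file('/tmp/vpndetails/client1.domain.tld.crt'),
        PrivateKey=get_bytes_from_file('/tmp/vpndetails/client1.domain.tld.key'),
        CertificateChain=ca_chain,
    )
    return server_cert_response['CertificateArn'], client_cert_response['CertificateArn']


def _create_client_vpn_endpoint(props, server_cert_arn, client_cert_arn):
    """Create the Client VPN endpoint via the AWS CLI and return its parsed JSON response.

    Args:
        props: dict from ``_read_properties``.
        server_cert_arn: ACM ARN of the server certificate.
        client_cert_arn: ACM ARN used as the client root certificate chain.

    Returns:
        dict: the CLI response, including ``ClientVpnEndpointId`` and ``DnsName``.
    """
    # ResourceProperties values are interpolated straight into the command
    # line. They originate from the CloudFormation template author, who is
    # the trust boundary here; whether runCommandSet goes through a shell is
    # not visible from this file.
    create_cmd = [
        'aws ec2 create-client-vpn-endpoint --client-cidr-block {0} --server-certificate-arn {1} --authentication-options Type=certificate-authentication,MutualAuthentication={{ClientRootCertificateChainArn={2}}} --connection-log-options Enabled=True,CloudwatchLogGroup={3},CloudwatchLogStream={4} --dns-servers {5}'.format(
            props['ClientCidr'],
            server_cert_arn,
            client_cert_arn,
            props['LogGroup'],
            props['LogStream'],
            props['DNSServerIP'],
        )
    ]
    raw_output = runCommandSet(create_cmd)
    return json.loads(raw_output[0])


def _store_parameter(name, value, description):
    """Write *value* to SSM Parameter Store under *name*, overwriting any existing entry."""
    ssm.put_parameter(
        Name=name,
        Description=description,
        Type='String',
        Value=value,
        Overwrite=True,
    )


def _associate_target_network(props, endpoint_id):
    """Attach the endpoint to its subnet, route, authorise ingress and apply security groups.

    Returns:
        str: the ``AssociationId`` reported by the association command (the
        first command in the set; the other outputs are not inspected).
    """
    associate_cmds = [
        'aws ec2 associate-client-vpn-target-network --client-vpn-endpoint-id {0} --subnet-id {1}'.format(endpoint_id, props['SubnetToAssociate']),
        'aws ec2 create-client-vpn-route --client-vpn-endpoint-id {0} --destination-cidr-block 0.0.0.0/0 --target-vpc-subnet-id {1}'.format(endpoint_id, props['SubnetToAssociate']),
        # --authorize-all-groups: with certificate-based authentication every
        # holder of a valid client certificate may reach TargetNetworkCidr.
        'aws ec2 authorize-client-vpn-ingress --client-vpn-endpoint-id {0} --target-network-cidr {1} --authorize-all-groups'.format(endpoint_id, props['TargetNetworkCidr']),
        'aws ec2 apply-security-groups-to-client-vpn-target-network --client-vpn-endpoint-id {0} --vpc-id {1} --security-group-ids {2}'.format(endpoint_id, props['VpcId'], props['VpcSecurityGroup']),
    ]
    raw_output = runCommandSet(associate_cmds)
    association_response = json.loads(raw_output[0])
    return association_response['AssociationId']


def _render_client_config(endpoint_id, routable_octets):
    """Export the endpoint's OpenVPN profile and append key/cert and split-tunnel routes.

    Args:
        endpoint_id: the Client VPN endpoint ID.
        routable_octets: iterable of "A.B" prefixes routed through the VPN
            (each becomes ``route A.B.0.0 255.255.0.0 vpn_gateway``).
            Assumed to be a list; a bare string would be iterated character
            by character — confirm the template passes a list.

    Returns:
        str: the complete .ovpn profile text.
    """
    export_cmd = [
        'aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id {0}'.format(endpoint_id)
    ]
    raw_output = runCommandSet(export_cmd)
    export_response = json.loads(raw_output[0])

    lines = [export_response['ClientConfiguration']]
    # Key and certificate are referenced by filename, so they must sit next
    # to the profile on the client.
    lines.append("\nkey client1.domain.tld.key")
    lines.append("\ncert client1.domain.tld.crt")
    # Four /2 blocks (mask 192.0.0.0) cover all of IPv4 via net_gateway, so
    # the endpoint's 0.0.0.0/0 route does not swallow Internet traffic; only
    # the vpn_gateway routes below go through the tunnel (split tunnelling).
    lines.append("\nroute 0.0.0.0 192.0.0.0 net_gateway")
    lines.append("\nroute 64.0.0.0 192.0.0.0 net_gateway")
    lines.append("\nroute 128.0.0.0 192.0.0.0 net_gateway")
    lines.append("\nroute 192.0.0.0 192.0.0.0 net_gateway")
    for octet_pair in routable_octets:
        lines.append("\nroute {0}.0.0 255.255.0.0 vpn_gateway".format(octet_pair))
    config_text = "".join(lines)
    logger.info(config_text)
    return config_text


def _publish_client_bundle(config_text, bucket):
    """Write the profile to /tmp and upload it with the client cert and key to S3.

    Args:
        config_text: .ovpn profile text from ``_render_client_config``.
        bucket: name of the destination S3 bucket.
    """
    with open("/tmp/vpndetails/openvpnclientconfig.ovpn", "w") as conf_file:
        conf_file.write(config_text)
    # The client private key is published here, so the bucket is effectively
    # a credential store: its access policy and encryption settings decide
    # who can connect to the VPN. (A redundant second
    # export-client-vpn-client-configuration call, whose output was
    # discarded, has been removed from this set.)
    upload_cmds = [
        'aws s3 cp /tmp/vpndetails/openvpnclientconfig.ovpn s3://{0}/PreclinicalVPN.ovpn'.format(bucket),
        'aws s3 cp /tmp/vpndetails/client1.domain.tld.crt s3://{0}/client1.domain.tld.crt'.format(bucket),
        'aws s3 cp /tmp/vpndetails/client1.domain.tld.key s3://{0}/client1.domain.tld.key'.format(bucket),
    ]
    runCommandSet(upload_cmds)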