in lib/transitvpn-stack.ts [36:178]
constructor(scope: core.Construct, id: string, props: TransitVpnProps) {
super(scope, id);
const adConnectorSecrets = sm.Secret.fromSecretArn(this, 'adConnectorSecrets', props.IdentityAccountAdConnectorSecretArn);
const vpnAdGroupSid = adConnectorSecrets.secretValueFromJson('VpnUsersAdGroupSID');
this.vpnAdGroupSid = vpnAdGroupSid;
const domainControllerDns0 = adConnectorSecrets.secretValueFromJson('DomainControllerDnsAddress0');
const domainControllerDns1 = adConnectorSecrets.secretValueFromJson('DomainControllerDnsAddress1');
let connectorAuthRequestParam: ec2.CfnClientVpnEndpoint.DirectoryServiceAuthenticationRequestProperty = {
directoryId: props.AdConnectorId
};
let authOptions: Array<ec2.CfnClientVpnEndpoint.ClientAuthenticationRequestProperty> = [{
type: "directory-service-authentication",
activeDirectory: connectorAuthRequestParam
}];
const vpnAccessLogGroup = new log.LogGroup(this, 'ClientVpnAccessLogGroup', {
retention: log.RetentionDays.SIX_MONTHS
});
const vpnAccessLogStream = new log.LogStream(this, 'ClientVpnAccessLogStream', {
logGroup: vpnAccessLogGroup,
});
let connectionLogOptions: ec2.CfnClientVpnEndpoint.ConnectionLogOptionsProperty = {
cloudwatchLogGroup: vpnAccessLogGroup.logGroupName,
cloudwatchLogStream: vpnAccessLogStream.logStreamName,
enabled: true
};
const vpnCertCustomResourceRole = new iam.Role(this, 'VpnCertificateLambdaCustomResourceRole', {
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
});
vpnCertCustomResourceRole.addToPolicy(new iam.PolicyStatement({
resources: ["*"],
actions: ['acm:ImportCertificate', 'acm:DeleteCertificate']
}));
vpnCertCustomResourceRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaBasicExecutionRole'));
const vpnCertificate = new cfn.CustomResource(this, 'vpnCertificate', {
provider: cfn.CustomResourceProvider.lambda(new lambda.SingletonFunction(this, 'Singleton', {
role: vpnCertCustomResourceRole,
uuid: "CreateVpnCertificateLambda",
code: new lambda.InlineCode(fs.readFileSync('scripts/vpn-endpoint-security-resource-handler.py', { encoding: 'utf-8' })),
handler: 'index.main',
timeout: core.Duration.seconds(300),
runtime: lambda.Runtime.PYTHON_3_7,
memorySize: 1024
}))
});
const VpnEndpoint = new ec2.CfnClientVpnEndpoint(this, 'clientVpnEndpoint', {
authenticationOptions: authOptions,
clientCidrBlock: props.vpnClientAssignedAddrCidr,
connectionLogOptions: connectionLogOptions,
serverCertificateArn: vpnCertificate.ref,
description: "Transit Client VPN Endpoint",
splitTunnel: true,
//dnsServers: XXX,
});
const privateSubnetSelection = { subnetType: ec2.SubnetType.PRIVATE };
const privateSubnets = props.transitVpc.selectSubnets(privateSubnetSelection).subnetIds;
this.PrivateSubnets = privateSubnets;
this.ClientVpnEndpoint = VpnEndpoint;
const endpointAssociation0 = new ec2.CfnClientVpnTargetNetworkAssociation(this, 'clientVpnEndpointAssociation0', {
clientVpnEndpointId: VpnEndpoint.ref,
subnetId: core.Fn.select(0,privateSubnets)
});
const endpointAssociation1 = new ec2.CfnClientVpnTargetNetworkAssociation(this, 'clientVpnEndpointAssociation1', {
clientVpnEndpointId: VpnEndpoint.ref,
subnetId: core.Fn.select(1,privateSubnets)
});
const vpnUsersSecurityGroup = new ec2.SecurityGroup(this, 'VpnUsersSG', {
vpc: props.transitVpc,
description: 'TransitVPNUsersSG',
allowAllOutbound: true
});
new ec2.CfnClientVpnAuthorizationRule(this, 'ResearchAuthorization', {
clientVpnEndpointId: VpnEndpoint.ref,
targetNetworkCidr: props.ResearchVpcCidr,
accessGroupId: core.Token.asString(vpnAdGroupSid),
description: "Allows Transit VPN users access to Research VPC"
});
new ec2.CfnClientVpnAuthorizationRule(this, 'TransitAuthorization', {
clientVpnEndpointId: VpnEndpoint.ref,
targetNetworkCidr: props.TransitVpcCidr,
accessGroupId: core.Token.asString(vpnAdGroupSid),
description: "Allows Transit VPN users access to Transit VPC"
});
new ec2.CfnClientVpnAuthorizationRule(this, 'IdentityAuthorization', {
clientVpnEndpointId: VpnEndpoint.ref,
targetNetworkCidr: props.IdentityVpcCidr,
accessGroupId: core.Token.asString(vpnAdGroupSid),
description: "Allows Transit VPN users access to Identity VPC"
});
const researchRoute0 = new ec2.CfnClientVpnRoute(this, 'researchRoute', {
clientVpnEndpointId: VpnEndpoint.ref,
destinationCidrBlock: props.ResearchVpcCidr,
targetVpcSubnetId: core.Fn.select(0,privateSubnets)
});
const identityRoute0 = new ec2.CfnClientVpnRoute(this, 'identityRoute', {
clientVpnEndpointId: VpnEndpoint.ref,
destinationCidrBlock: props.IdentityVpcCidr,
targetVpcSubnetId: core.Fn.select(0,privateSubnets)
});
researchRoute0.addDependsOn(endpointAssociation0);
identityRoute0.addDependsOn(endpointAssociation0);
const researchRoute1 = new ec2.CfnClientVpnRoute(this, 'researchRoute1', {
clientVpnEndpointId: VpnEndpoint.ref,
destinationCidrBlock: props.ResearchVpcCidr,
targetVpcSubnetId: core.Fn.select(1,privateSubnets)
});
const identityRoute1 = new ec2.CfnClientVpnRoute(this, 'identityRoute1', {
clientVpnEndpointId: VpnEndpoint.ref,
destinationCidrBlock: props.IdentityVpcCidr,
targetVpcSubnetId: core.Fn.select(1,privateSubnets)
});
researchRoute1.addDependsOn(endpointAssociation1);
identityRoute1.addDependsOn(endpointAssociation1);
}