feat(ec2): ClientVpn support #4233
Conversation
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
| readonly authenticationOptions: IClientAuthenticationRequest[]; | ||
| readonly clientCidrBlock: string; | ||
| readonly connectionLogOptions: IConnectionLogOptions; | ||
| // TODO replace with serverCertificate object? |
There was a problem hiding this comment.
Unfortunately, I don't think it's possible:
Dependency cycles detected, you should fix these!
aws-cdk/aws-certificatemanager -> @aws-cdk/aws-ec2 -> @aws-cdk/aws-lambda -> @aws-cdk/aws-certificatemanager
Any way to work around this?
There was a problem hiding this comment.
I'm sorry, where are these dependencies coming from?
On my machine, I'm not seeing any dependency from EC2 to either Lambda or CertificateManager.
There was a problem hiding this comment.
I was trying to add @aws-cdk/aws-certificatemanager to EC2 to get access to ICertificates. I haven't committed it because of the previous error
There was a problem hiding this comment.
Is it possible to use both IAM and ACM certificates here? I've been thinking about this for a while. A potential solution might be to declare an iam.ICertificate (or iam.ICertificateSource), and have ACM's ICertificate extend that. Since everything depends on IAM already, we wouldn't have any dependency issues.
There was a problem hiding this comment.
I don't think it's possible to use IAM certificates in this case, unless I'm missing something:
The server certificate must be provisioned in AWS Certificate Manager (ACM)
Client Authentication and Authorization:
The server and client certificates must be uploaded to AWS Certificate Manager (ACM).
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
There was a problem hiding this comment.
Hey @nmussy,
I'm currently using Client VPN in production and have developed a CDK construct for my use case.
Some feedback on your PR based on my experience:
- I would expect the construct to create a new
logs.LogGroupif the user wants logging but doesn't want to specify group/stream (aretentionprop could be exposed) - Instead of having to specify a
subnet: ISubnethow about using asubnetSelection: ec2.SubnetSelection;like other CDK constructs do? - You are missing a security group on your target network associations, without it the client vpn will be using the VPC's default security group. This means that you cannot offer
connectionson your construct. Specifying a security group for a target network association is currently not supported by CloudFormation, I had to go with theAwsCustomResource, something like this:
this.securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
vpc: props.vpc,
allowAllOutbound: false,
});
// Use custom resource to update security group
new custom.AwsCustomResource(this, 'ApplySecurityGroupsToClientVpnTargetNetwork', {
onUpdate: {
service: 'EC2',
action: 'applySecurityGroupsToClientVpnTargetNetwork',
parameters: {
ClientVpnEndpointId: clientVpnEndpoint.ref,
VpcId: props.vpc.vpcId,
SecurityGroupIds: [this.securityGroup.securityGroupId],
} as EC2.ApplySecurityGroupsToClientVpnTargetNetworkRequest,
physicalResourceId: this.securityGroup.securityGroupId,
},
});
|
Thanks a lot @jogold for the great comments, as always. I'll keep pushing this feature tomorrow, I should have to ready for review soon-ish. |
|
Concerning @jogold second comment:
There's also the issue of having multiple subnets returned by Thoughts? |
There was a problem hiding this comment.
There's also the issue of having multiple subnets returned by
vpc.selectSubnets. I don't know if we should throw and warn the user that their selection is ambiguous, or change the method to aaddTargetNetworkAssociationsand all the selected subnets.
Right now there is no way to select a single subnet, it would always be a list of subnets. On the other hand, this feature has been requested so at some point SubnetSelection will grow a way to pick out individual subnets.
Is there a problem with adding the routes to multiple subnets?
Unless you have a pressing need right now to select individual subnets, I suggest you lift along with the rising tide of SubnetSelection. If you do have a pressing need, I still think you should probably implement the SubnetSelection variant, maybe add a special method to apply to a single specific ISubnet, and mark that one @experimental.
In fact, I think I would like it if you marked all of the new classes and interfaces @experimental, so we can give the new API a couple of releases to bake and a number of people to try it out before we commit to it.
| import {CIDR_VALIDATION_REGEXES} from "./peer"; | ||
| import {ISubnet} from './vpc'; | ||
|
|
||
| interface IClientAuthenticationRequestOptions { |
There was a problem hiding this comment.
Docstring on the type declaration itself as well please. This comment applies to all interfaces and classes.
| /** | ||
| * Information about the Active Directory to be used | ||
| */ | ||
| readonly activeDirectory?: { |
There was a problem hiding this comment.
This isn't going to work in jsii (and if it does, it shouldn't).
Either inline the directoryId into the parent struct, or define it as an IActiveDirectory with a class that implements it.
| /** | ||
| * Information about the authentication certificates to be used | ||
| */ | ||
| readonly mutualAuthentication?: { |
| /** | ||
| * The name of the CloudWatch Logs log group | ||
| */ | ||
| readonly cloudwatchLogGroup?: string; |
There was a problem hiding this comment.
Tell us using a @default declaration what happens if you don't supply this.
Feels like this should be an ILogGroup, and the same for ILogStream, no?
| */ | ||
| readonly cloudwatchLogStream?: string; | ||
| /** | ||
| * Indicates whether connection logging is enabled |
There was a problem hiding this comment.
Would a default of true be sensible here?
| } | ||
| } | ||
|
|
||
| interface IConnectionLogOptions { |
There was a problem hiding this comment.
This seems to be an intra-framework communication struct (as opposed to something that users are expected to fill in). We tend to call these XxxConfig.
There was a problem hiding this comment.
It is. Do your previous comments about the default values still apply, seen as they're required by CloudFormation (either cloudwatchLogGroup or cloudwatchLogStream)?
| * The id of the Client VPN Endpoint | ||
| */ | ||
| readonly clientVpnEndpointId: string; | ||
| readonly routes: ClientVpnRoute[]; |
| this.clientVpnEndpointId = clientVpnEndpoint.ref; | ||
| } | ||
|
|
||
| public addRoute(options: ClientVpnRouteOptions): ClientVpnRoute { |
There was a problem hiding this comment.
Does it make sense to add routes?: ClientVpnRouteOptions[] to the construction props and call this method on them in the constructor?
There was a problem hiding this comment.
Yeah, I'll add it for all 3 addX methods
| } | ||
|
|
||
| export interface ClientVpnRouteProps extends ClientVpnRouteOptions { | ||
| readonly clientVpnEndpoint: IClientVpnEndpoint; |
| subnet, | ||
| }); | ||
|
|
||
| this.targetNetworkAssociations.push(association); |
There was a problem hiding this comment.
This is being pushed both here and in the constructed class.
I'm not sure that I'm a fan. What's the use case for maintaining and publishing these objects through the public array?
There was a problem hiding this comment.
I was keeping track of them for the this.targetNetworkAssociations.length, but it doesn't feel great I agree. I didn't know what else to hook onto for the id generation.
There was a problem hiding this comment.
You can just keep the count, instead of the objects themselves.
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
I was looking into implementing @jogold's lerna ERR! ECYCLE Dependency cycles detected, you should fix these!
lerna ERR! ECYCLE @aws-cdk/aws-cloudformation -> @aws-cdk/custom-resources -> @aws-cdk/aws-ec2 -> @aws-cdk/aws-lambda -> @aws-cdk/aws-cloudformationAn issue was recently opened on the roadmap (#199) to implement the missing method. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
We can maybe combine a |
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
5 similar comments
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
|
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
SomayaB
added
draft
pr/work-in-progress
|
I am interested in using a ClientVPN in an app that I am working on so I would be interested in having access through this L2. Is this CR still in active development? If not is this on the roadmap to be worked on again |
|
Seems like this has been abandoned. Please reopen if relevant. |
Fixes #4206
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license