import type { Construct, IDependable } from 'constructs';
import type { ClientVpnAuthorizationRuleOptions } from './client-vpn-authorization-rule';
import { ClientVpnAuthorizationRule } from './client-vpn-authorization-rule';
import type { IClientVpnConnectionHandler, IClientVpnEndpoint, TransportProtocol, VpnPort } from './client-vpn-endpoint-types';
import type { ClientVpnRouteOptions } from './client-vpn-route';
import { ClientVpnRoute } from './client-vpn-route';
import { Connections } from './connections';
import type { ClientVpnEndpointReference } from './ec2.generated';
import type { ISecurityGroup } from './security-group';
import type { IVpc, SubnetSelection } from './vpc';
import type { ISAMLProviderRef } from '../../aws-iam';
import * as logs from '../../aws-logs';
import { Resource } from '../../core';
import type { ILogStreamRef } from '../../interfaces/generated/aws-logs-interfaces.generated';
/**
 * Options for Client Route Enforcement.
 *
 * Used as `ClientVpnEndpointOptions.clientRouteEnforcementOptions`.
 */
export interface ClientRouteEnforcementOptions {
  /**
   * Enable or disable Client Route Enforcement.
   *
   * The state can either be true (enabled) or false (disabled). When
   * enabled, the administrator-defined routes of the endpoint are enforced
   * on connected devices, so traffic from a connected client is not
   * inadvertently sent outside the VPN tunnel.
   */
  readonly enforced: boolean;
}
/**
 * Options for a client VPN endpoint.
 *
 * These options are shared by `ClientVpnEndpointProps`; the VPC itself is
 * supplied there.
 */
export interface ClientVpnEndpointOptions {
  /**
   * The IPv4 address range, in CIDR notation, from which to assign client IP
   * addresses. The address range cannot overlap with the local CIDR of the VPC
   * in which the associated subnet is located, or the routes that you add manually.
   *
   * Changing the address range will replace the Client VPN endpoint.
   *
   * The CIDR block should be /22 or greater.
   */
  readonly cidr: string;

  /**
   * The ARN of the client certificate for mutual authentication.
   *
   * The certificate must be signed by a certificate authority (CA) and it must
   * be provisioned in AWS Certificate Manager (ACM).
   *
   * NOTE(review): the defaults of this property and `userBasedAuthentication`
   * refer to each other, so presumably at least one of the two must be set —
   * confirm against the constructor's validation.
   *
   * @default - use user-based authentication
   */
  readonly clientCertificateArn?: string;

  /**
   * The type of user-based authentication to use.
   *
   * Construct a value with `ClientVpnUserBasedAuthentication.activeDirectory()`
   * or `ClientVpnUserBasedAuthentication.federated()`.
   *
   * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
   *
   * @default - use mutual authentication
   */
  readonly userBasedAuthentication?: ClientVpnUserBasedAuthentication;

  /**
   * Whether to enable connections logging.
   *
   * When enabled, the log destination is taken from `logGroup` / `logStream`,
   * both of which are created for you when omitted.
   *
   * @default true
   */
  readonly logging?: boolean;

  /**
   * A CloudWatch Logs log group for connection logging.
   *
   * Only relevant while `logging` is enabled.
   *
   * @default - a new group is created
   */
  readonly logGroup?: logs.ILogGroupRef;

  /**
   * A CloudWatch Logs log stream for connection logging.
   *
   * Only relevant while `logging` is enabled.
   *
   * @default - a new stream is created
   */
  readonly logStream?: ILogStreamRef;

  /**
   * The AWS Lambda function used for connection authorization.
   *
   * The name of the Lambda function must begin with the `AWSClientVPN-` prefix.
   *
   * @default - no connection handler
   */
  readonly clientConnectionHandler?: IClientVpnConnectionHandler;

  /**
   * A brief description of the Client VPN endpoint.
   *
   * @default - no description
   */
  readonly description?: string;

  /**
   * The security groups to apply to the target network.
   *
   * These also back the endpoint's `connections` property.
   *
   * @default - a new security group is created
   */
  readonly securityGroups?: ISecurityGroup[];

  /**
   * Specify whether to enable the self-service portal for the Client VPN endpoint.
   *
   * @default true
   */
  readonly selfServicePortal?: boolean;

  /**
   * The ARN of the server certificate.
   *
   * Required for every endpoint, regardless of the client authentication
   * method chosen.
   */
  readonly serverCertificateArn: string;

  /**
   * Indicates whether split-tunnel is enabled on the AWS Client VPN endpoint.
   *
   * Consider this together with `clientRouteEnforcementOptions`, which
   * controls whether the endpoint's routes are enforced on the client side.
   *
   * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/split-tunnel-vpn.html
   *
   * @default false
   */
  readonly splitTunnel?: boolean;

  /**
   * The transport protocol to be used by the VPN session.
   *
   * @default TransportProtocol.UDP
   */
  readonly transportProtocol?: TransportProtocol;

  /**
   * The port number to assign to the Client VPN endpoint for TCP and UDP
   * traffic.
   *
   * @default VpnPort.HTTPS
   */
  readonly port?: VpnPort;

  /**
   * Information about the DNS servers to be used for DNS resolution.
   *
   * A Client VPN endpoint can have up to two DNS servers.
   *
   * @default - use the DNS address configured on the device
   */
  readonly dnsServers?: string[];

  /**
   * Subnets to associate to the client VPN endpoint.
   *
   * @default - the VPC default strategy
   */
  readonly vpcSubnets?: SubnetSelection;

  /**
   * Whether to authorize all users to the VPC CIDR.
   *
   * This automatically creates an authorization rule that grants every
   * authenticated user network access to the whole VPC CIDR. For a narrower,
   * least-privilege setup, set this to `false` and use
   * `addAuthorizationRule()` to create your own rules instead.
   *
   * @default true
   */
  readonly authorizeAllUsersToVpcCidr?: boolean;

  /**
   * The maximum VPN session duration time.
   *
   * @default ClientVpnSessionTimeout.TWENTY_FOUR_HOURS
   */
  readonly sessionTimeout?: ClientVpnSessionTimeout;

  /**
   * Indicates whether the client VPN session is disconnected after the maximum `sessionTimeout` is reached.
   *
   * If `true`, users are prompted to reconnect client VPN.
   * If `false`, client VPN attempts to reconnect automatically.
   *
   * @default undefined - AWS Client VPN default is true
   * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-max-duration.html
   */
  readonly disconnectOnSessionTimeout?: boolean;

  /**
   * Customizable text that will be displayed in a banner on AWS provided clients
   * when a VPN session is established.
   *
   * UTF-8 encoded characters only. Maximum of 1400 characters.
   *
   * @default - no banner is presented to the client
   */
  readonly clientLoginBanner?: string;

  /**
   * Options for Client Route Enforcement.
   *
   * Client Route Enforcement is a feature of Client VPN that helps enforce administrator defined routes on devices connected through the VPN.
   * This feature helps improve your security posture by ensuring that network traffic originating from a connected client is not inadvertently sent outside the VPN tunnel.
   *
   * @see https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-cre.html
   *
   * @default undefined - AWS Client VPN default setting is disable client route enforcement
   */
  readonly clientRouteEnforcementOptions?: ClientRouteEnforcementOptions;
}
/**
 * Maximum VPN session duration time.
 *
 * Used for `ClientVpnEndpointOptions.sessionTimeout`. Each member's numeric
 * value is the duration in hours.
 */
export declare enum ClientVpnSessionTimeout {
  /** 8 hours */
  EIGHT_HOURS = 8,
  /** 10 hours */
  TEN_HOURS = 10,
  /** 12 hours */
  TWELVE_HOURS = 12,
  /** 24 hours */
  TWENTY_FOUR_HOURS = 24
}
/**
 * User-based authentication for a client VPN endpoint.
 *
 * Obtain an instance through the static factory methods and pass it as
 * `ClientVpnEndpointOptions.userBasedAuthentication`.
 */
export declare abstract class ClientVpnUserBasedAuthentication {
  /**
   * Active Directory authentication.
   *
   * @param directoryId the ID of the Active Directory to authenticate against
   * @returns an authentication configuration for the endpoint
   */
  static activeDirectory(directoryId: string): ClientVpnUserBasedAuthentication;

  /**
   * Federated authentication.
   *
   * @param samlProvider the IAM SAML provider used to authenticate VPN users
   * @param selfServiceSamlProvider an optional IAM SAML provider used for the
   *   self-service portal; presumably `samlProvider` is reused when omitted —
   *   confirm against the implementation
   * @returns an authentication configuration for the endpoint
   */
  static federated(samlProvider: ISAMLProviderRef, selfServiceSamlProvider?: ISAMLProviderRef): ClientVpnUserBasedAuthentication;

  /**
   * Renders the user based authentication.
   *
   * The return type is `any` in this declaration; the concrete shape is
   * produced by the subclasses behind the factory methods and is not visible
   * here. Treat the result as opaque configuration for the endpoint.
   */
  abstract render(): any;
}
/**
 * Properties for a client VPN endpoint.
 *
 * Extends `ClientVpnEndpointOptions` with the VPC the endpoint is attached to.
 */
export interface ClientVpnEndpointProps extends ClientVpnEndpointOptions {
  /**
   * The VPC to connect to.
   *
   * Subnets are picked from it according to `vpcSubnets`, and its CIDR is the
   * target of the rule created by `authorizeAllUsersToVpcCidr`.
   */
  readonly vpc: IVpc;
}
/**
 * Attributes when importing an existing client VPN endpoint.
 *
 * Used by `ClientVpnEndpoint.fromEndpointAttributes()`.
 */
export interface ClientVpnEndpointAttributes {
  /**
   * The endpoint ID.
   */
  readonly endpointId: string;

  /**
   * The security groups associated with the endpoint.
   *
   * Required (not optional) on import, presumably so that the imported
   * endpoint's `connections` can be built from them — confirm against the
   * implementation.
   */
  readonly securityGroups: ISecurityGroup[];
}
/**
 * A client VPN connection.
 *
 * Creates a Client VPN endpoint in the given VPC, associates the selected
 * subnets as target networks, and exposes helpers for adding authorization
 * rules and routes.
 */
export declare class ClientVpnEndpoint extends Resource implements IClientVpnEndpoint {
  /**
   * Uniquely identifies this class.
   */
  static readonly PROPERTY_INJECTION_ID: string;

  /**
   * Import an existing client VPN endpoint.
   *
   * @param scope the construct scope
   * @param id the construct ID
   * @param attrs the endpoint ID and security groups of the existing endpoint
   * @returns an `IClientVpnEndpoint` referring to the existing endpoint
   */
  static fromEndpointAttributes(scope: Construct, id: string, attrs: ClientVpnEndpointAttributes): IClientVpnEndpoint;

  /**
   * The ID of the Client VPN endpoint.
   */
  readonly endpointId: string;

  /**
   * Allows specifying security group connections for the endpoint.
   */
  readonly connections: Connections;

  /**
   * A dependable representing the target network associations of this endpoint.
   *
   * NOTE(review): resources that need the subnets to be associated first
   * (e.g. routes) presumably depend on this — confirm against the implementation.
   */
  readonly targetNetworksAssociated: IDependable;

  private readonly _targetNetworksAssociated;

  /**
   * @param scope the construct scope
   * @param id the construct ID
   * @param props the endpoint configuration, including the VPC
   */
  constructor(scope: Construct, id: string, props: ClientVpnEndpointProps);

  /**
   * A reference to this Client VPN endpoint.
   */
  get clientVpnEndpointRef(): ClientVpnEndpointReference;

  /**
   * Adds an authorization rule to this endpoint.
   *
   * Use this instead of `authorizeAllUsersToVpcCidr` when access should be
   * restricted to specific CIDRs or groups.
   *
   * @param id the construct ID of the rule
   * @param props the rule options
   * @returns the created `ClientVpnAuthorizationRule`
   */
  addAuthorizationRule(id: string, props: ClientVpnAuthorizationRuleOptions): ClientVpnAuthorizationRule;

  /**
   * Adds a route to this endpoint.
   *
   * @param id the construct ID of the route
   * @param props the route options
   * @returns the created `ClientVpnRoute`
   */
  addRoute(id: string, props: ClientVpnRouteOptions): ClientVpnRoute;
}