Open goyertp opened 4 years ago
This is required to allow VPN connections to be created with third parties where they cannot just use the defaults chosen by AWS. I always try to do things the correct way (using CloudFormation) and am often frustrated by the lack of support.
This feature should be relatively easy to implement?
Seems like Security First is something to write on slides, but not to prioritize features.
@reidca For a lot of those options, the AWS side of the VPN Connection will accept more values than what's in the generated configuration file (iirc Phase1EncryptionAlgorithms is one of those). Are there any specific combinations that are giving you trouble?
These settings simply are not in the CloudFormation resource type, therefore they cannot be set. I had to write my own Custom Resource to set them using Boto3, which, whilst working, wasted a lot of time for something that should have just been there.
@reidca I know, I meant that in a lot of cases you do not have to change them - the defaults will work with multiple configurations, even if the generated configuration only contains one value for each setting.
Hi,
I'm writing my own CRs too and this is ridiculous. AWS is providing so many CF features. But these security features cannot be set via CF? That's sad!
I would really appreciate the integration of this CF coverage.
I have not added this as a repo since it was not in GitHub but in case it's useful I have put the lambda function into a gist which you can find here: https://gist.github.com/reidca/c181d2e959ea070bb902073a690a7c22
The CR uses crhelper which you will need to get from pip.
You may also need to bring your own version of boto3 and botocore, since the version in AWS Lambda (at the time of writing the CR) did not support updating the VPN connection.
boto3==1.14.34 botocore==1.17.35
It's absolutely frustrating that resources that have existed for ages aren't properly supported by CF.
Was more than a little surprised to find that this isn't supported by CloudFormation. Apart from being what I'd think most network engineers would consider a critical part of the configuration, many of the defaults (and thus, what you are forced to use without manual intervention) are well below what modern cryptographic security standards recommend. For example:
The problem with this being unsupported is that the downloaded configuration defaults to the least secure settings allowed in the tunnel options. If it were to use the highest, it would matter less to limit it to only secure options.
Why is there a "cloudformation-coverage-roadmap" repository if no one is checking issues and comments here?
+1
Glad I found this thread after I wasted a day trying to put a VPN in CloudFormer; this is a ridiculous omission.
+1
+1
This would also be very useful to set up connection logging; can't fathom why this is unsupported while the API is there ...
Shouldn't this be tagged "coverage"?
+1 - This makes for a lot of manual configuration
Adding my voice and vote. I see I came at an opportune time, with the upgrade to Coming Soon on the roadmap. Is there any timeline that can be provided as to possible release?
It has been almost 4 years since the issue was raised. For us this stops us from investigating further into using AWS altogether, and we are probably switching to Azure.
+1 on this
+1 to this!
+1 !
@goyertp @atownsend247 @extide @pea-math This looks to be supported now? I just stumbled upon this ticket, and it looks like the CloudFormation support is now there and works in the current CDK version.
That's interesting. Searching across the cdk repo, I see that some references to this were just merged: https://github.com/aws/aws-cdk/pull/31800
There are also no release notes in their CFN change log: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/ReleaseHistory.html. Maybe they are forthcoming?
Now I just need this fixed and I can actually automate VPNs fully via CFN: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/308
Instructions for CloudFormation Coverage New Issues Template
Title AWS::EC2::VPNConnection VpnTunnelOptionsSpecification - All tunnel settings (like Phase1 / Phase2 / IKE etc.) should be configurable through CF
Scope of request -> AWS::Service::ResourceType::TheResource-ExistingAttribute supports A and B today, but not new C feature.
AWS Resource supports only the following attributes:
{
  "PreSharedKey" : String,
  "TunnelInsideCidr" : String
}
Would really like to have:
{
  "PreSharedKey" : String,
  "TunnelInsideCidr" : String,
  "DPDTimeoutSeconds" : Integer,
  "IKEVersions" : String,
  "Phase1DHGroupNumbers" : String,
  "Phase1EncryptionAlgorithms" : String,
  "Phase1IntegrityAlgorithms" : String,
  "Phase1LifetimeSeconds" : Integer,
  "Phase2DHGroupNumbers" : Integer,
  "Phase2EncryptionAlgorithms" : String,
  "Phase2IntegrityAlgorithms" : String,
  "Phase2LifetimeSeconds" : Integer,
  "RekeyFuzzPercentage" : String,
  "RekeyMarginTimeSeconds" : Integer,
  "ReplayWindowSize" : Integer
}
Expected behavior -> Can Set Tunneloptions via CF
Test case recommendation (optional) -> Cloud Formation Sets Code
Links to existing API doc (optional)
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyVpnTunnelOptionsSpecification.html
Cloud Formation
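As an added example (not reidca's gist and not AWS or CloudFormation code), this is the core of what such a custom resource has to do for the property set listed in the issue body: validate the flat tunnel properties against the ranges and values documented for ModifyVpnTunnelOptionsSpecification, then hand them to boto3's `ec2.modify_vpn_tunnel_options()` in the shape that API expects. The function names and the injectable `ec2` parameter are my own; boto3 is imported lazily so the validation runs without it.

```python
# Added example, not reidca's gist and not AWS code: validate the flat tunnel
# properties this issue asks for and shape them into the TunnelOptions argument
# of ec2.modify_vpn_tunnel_options(). Allowed values/ranges follow the API docs.
CIPHERS = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
HASHES = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
LIST_VALUES = {"IKEVersions": {"ikev1", "ikev2"},
               "Phase1EncryptionAlgorithms": CIPHERS, "Phase2EncryptionAlgorithms": CIPHERS,
               "Phase1IntegrityAlgorithms": HASHES, "Phase2IntegrityAlgorithms": HASHES,
               "Phase1DHGroupNumbers": {2, *range(14, 25)},
               "Phase2DHGroupNumbers": {2, 5, *range(14, 25)}}
INT_RANGES = {"DPDTimeoutSeconds": (30, None), "Phase1LifetimeSeconds": (900, 28800),
              "Phase2LifetimeSeconds": (900, 3600), "RekeyMarginTimeSeconds": (60, None),
              "RekeyFuzzPercentage": (0, 100), "ReplayWindowSize": (64, 2048)}

def build_tunnel_options(props):
    """'AES256,AES256-GCM-16' style properties -> [{'Value': 'AES256'}, ...] API shape."""
    out = {}
    for key, raw in props.items():
        if key in ("PreSharedKey", "TunnelInsideCidr"):  # already settable in CloudFormation
            out[key] = raw
        elif key in LIST_VALUES:
            vals = raw if isinstance(raw, list) else [v.strip() for v in str(raw).split(",")]
            if key.endswith("DHGroupNumbers"):
                vals = [int(v) for v in vals]  # the API takes DH groups as integers
            bad = [v for v in vals if v not in LIST_VALUES[key]]
            if bad:
                raise ValueError(f"{key}: unsupported value(s) {bad}")
            out[key] = [{"Value": v} for v in vals]
        elif key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            val = int(raw)
            if val < lo or (hi is not None and val > hi):
                raise ValueError(f"{key}={val} outside [{lo}, {hi}]")
            out[key] = val
        else:
            raise ValueError(f"unknown tunnel option {key}")
    # the rekey margin may not exceed half the phase 2 lifetime (API default 3600)
    if out.get("RekeyMarginTimeSeconds", 0) > out.get("Phase2LifetimeSeconds", 3600) // 2:
        raise ValueError("RekeyMarginTimeSeconds exceeds half of Phase2LifetimeSeconds")
    return out

def apply_tunnel_options(vpn_connection_id, outside_ip, props, ec2=None):
    """Validate first, then modify one tunnel; pass ec2 to inject a client (or a fake)."""
    options = build_tunnel_options(props)
    if ec2 is None:
        import boto3  # assumption: present in the Lambda runtime or bundled with the CR
        ec2 = boto3.client("ec2")
    return ec2.modify_vpn_tunnel_options(VpnConnectionId=vpn_connection_id,
                                         VpnTunnelOutsideIpAddress=outside_ip, TunnelOptions=options)
```

A Lambda-backed custom resource would call `apply_tunnel_options` once per tunnel outside IP on Create and Update; the reject-before-call behaviour keeps a typo in the template from silently leaving a tunnel on the weaker defaults.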