1

我一直致力于使用 AWS 的 CDK 创建 VPN。我不得不使用 Cloudformation 较低级别的资源,因为似乎还没有任何构造。我相信我的代码设置正确,因为cdk diff没有显示任何错误。但是,运行时cdk deploy出现以下错误:

CREATE_FAILED        | AWS::EC2::ClientVpnEndpoint                 | ClientVpnEndpoint2
Mutual authentication is required but is missing in the request (Service: AmazonEC2; Status Code: 400; Error Code: MissingParameter; Request ID: 5
384a1d9-ff60-4ac4-a1bc-df3a4db9146b; Proxy: null)

这很奇怪......因为我认为我不需要相互身份验证来创建使用相互身份验证的 VPN。如果是这种情况,那么如何让 aws cdk 堆栈在部署时使用相互身份验证?这是我拥有的相关代码:

        client_cert = certificate_manager.Certificate.from_certificate_arn(
            self,
            "ServerCertificate",
            self.cert_arn,
        )
        server_cert = certificate_manager.Certificate.from_certificate_arn(
            self,
            "ClientCertificate",
            self.client_arn,
        )
        log_group = logs.LogGroup(
            self,
            "ClientVpnLogGroup",
            retention=logs.RetentionDays.ONE_MONTH
        )
        log_stream = log_group.add_stream("ClientVpnLogStream")
        endpoint = ec2.CfnClientVpnEndpoint(
            self,
            "ClientVpnEndpoint2",
            description="VPN",
            authentication_options=[{
                "type": "certificate-authentication",
                "mutual_authentication": {
                    "client_root_certificate_chain_arn": client_cert.certificate_arn
                }
            }],
            tag_specifications=[{
                "resourceType": "client-vpn-endpoint",
                "tags": [{
                    "key": "Name",
                    "value": "Swyp VPN CDK created"
                }]
            }],
            client_cidr_block="10.27.0.0/20",
            connection_log_options={
                "enabled": True,
                "cloudwatch_log_group": log_group.log_group_name,
                "cloudwatch_log_stream": log_stream.log_stream_name,
            },
            server_certificate_arn=server_cert.certificate_arn,
            split_tunnel=False,
            vpc_id=vpc.vpc_id,
            dns_servers=["8.8.8.8", "8.8.4.4"],
        )
        dependables = core.ConcreteDependable()
        for i, subnet in enumerate(vpc.isolated_subnets):
            network_asc = ec2.CfnClientVpnTargetNetworkAssociation(
                self,
                "ClientVpnNetworkAssociation-" + str(i),
                client_vpn_endpoint_id=endpoint.ref,
                subnet_id=subnet.subnet_id,
            )
            dependables.add(network_asc)

        auth_rule = ec2.CfnClientVpnAuthorizationRule(
            self,
            "ClientVpnAuthRule",
            client_vpn_endpoint_id=endpoint.ref,
            target_network_cidr="0.0.0.0/0",
            authorize_all_groups=True,
            description="Allow all"
        )

        # add routes for subnets in order to surf internet (useful while splitTunnel is off)
        for i, subnet in enumerate(vpc.isolated_subnets):
            ec2.CfnClientVpnRoute(
                self,
                "CfnClientVpnRoute" + str(i),
                client_vpn_endpoint_id=endpoint.ref,
                destination_cidr_block="0.0.0.0/0",
                description="Route to all",
                target_vpc_subnet_id=subnet.subnet_id,
            ).node.add_dependency(dependables)

也许这很简单,比如需要更新 IAM 策略?总的来说,我对 aws、aws cdk/cloudformation 和 devops 还很陌生。因此,任何见解将不胜感激!

4

0 回答 0