Merge branch 'master' into accraw/1012

.gitignore

@@ -1,4 +1,10 @@
+.DS_Store
+
 scimsession
 *.deploy
 *.bak
 .idea/
+.terraform/
+terraform.tfstate
+terraform.tfstate.backup
+terraform.tfvars

README.md

@@ -18,7 +18,8 @@ The easiest way to deploy the SCIM bridge is with our one-click installations cu
 Advanced deployment are recommended when you have particular requirements for your environment. They are easily customizable and adaptable to your situation.
 - [Kubernetes](/kubernetes)
 - [Docker Compose & Docker Swarm](/docker)
-- [AWS EC2 with Terraform](/aws-terraform)
+- [AWS EC2 with terraform](/aws-terraform) [deprecated]
+- [AWS ECS Fargate with Terraform](/aws-ecsfargate-terraform)
 - [Azure Kubernetes Service](https://support.1password.com/cs/scim-deploy-azure/)
 
 ## Support

aws-ecsfargate-terraform/README.md

@@ -0,0 +1,41 @@
+# Deploying the 1Password SCIM Bridge in AWS ECS with Terraform
+
+This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service Fargate using Terraform. It's just a suggested starting point - you may be using different services for different things, this example uses only AWS products. Please familiarize yourself with [PREPARATION.md](/PREPARATION.md) before beginning.
+
+Prerequisites
+- [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli)
+- AWS credentials configured (either through $HOME/.aws/credentials or environment variable)
+  see: [Terraform AWS authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication)
+- (Optional) DNS Zone in Route 53
+- scimsession file and bearer token ([follow step 1 here](https://support.1password.com/scim/))
+
+1. Copy `terraform.tfvars.template` to `terraform.tfvars`
+
+2. Copy the `scimsession` file in the terraform code directory
+
+3. (Optional) If you use route 53, save the Route53 zone ID in the `terraform.tfvars`
+
+4. Save the full domain name you want to use as domain_name in terraform.tfvars
+
+5. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1
+
+Your terraform.tfvars file should look something like this:
+```
+domain_name = "scim-bridge.yourcompany.com"
+dns_zone_id = "RANDOMLETTERS123"
+```
+Note: If you are not using Route53, you don't need to set the zone id and can remove that line from the tfvars file.
+
+Now run the following commands (Note: If you are not using Route53 the second command is unnecessary):
+```
+terraform init
+terraform apply -target=aws_acm_certificate.scim_bridge_cert
+terraform plan -out=./op-scim.plan
+# Validate what this plan does by reading it
+terraform apply ./op-scim.plan
+```
+If you are using something other than Route53 for your domain name, point your domain to the `loadbalancer-dns-name` that was printed out from your terraform apply.
+
+After a few minutes, if you go to the SCIM Bridge URL you set, you should be able to enter your bearer token to verify that your scim bridge is up and running. Connect to your IdP using step 3 [here](https://support.1password.com/scim/) and go to your 1Password account and check that provisioning is on in Setting -> Provisioning and you should be good to go!
+
+If you want to check out the logs for your scim bridge, in AWS go to Cloudwatch -> Log Groups and you should see the log group that was printed out at the end of your terraform apply. You can then see the scim-bridge and redis container logs. 

aws-ecsfargate-terraform/task-definitions/scim.json

@@ -0,0 +1,58 @@
+[
+    {
+      "name": "scim-bridge",
+      "image": "1password/scim:v1.6.1",
+      "cpu": 128,
+      "memory": 512,
+      "essential": true,
+      "dependsOn": [
+        {
+          "containerName": "redis",
+          "condition": "START"
+        }
+      ],
+      "portMappings": [
+        {
+          "containerPort": 3002,
+          "hostPort": 3002
+        }
+      ],
+      "environment": [
+        { "name": "OP_REDIS_HOST", "value": "localhost" },
+        { "name": "OP_LETSENCRYPT_DOMAIN", "value": "" }
+      ],
+      "secrets": [
+        {"name": "OP_SESSION", "valueFrom": "${secret_arn}"}
+      ],
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": { 
+           "awslogs-group" : "${aws_logs_group}",
+           "awslogs-region": "${region}",
+           "awslogs-stream-prefix": "ecs-scim"
+        }
+      }
+    },
+    {
+      "name": "redis",
+      "image": "redis:latest",
+      "cpu": 128,
+      "memory": 256,
+      "essential": true,
+      "restart": "always",
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": { 
+           "awslogs-group" : "${aws_logs_group}",
+           "awslogs-region": "${region}",
+           "awslogs-stream-prefix": "ecs-redis"
+        }
+      },
+      "portMappings": [
+        {
+          "containerPort": 6379,
+          "hostPort": 6379
+        }
+      ]
+    }
+  ]

aws-ecsfargate-terraform/terraform.tf

@@ -0,0 +1,225 @@
+provider "aws" {
+  version = "~> 2.0"
+  region  = var.aws_region
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnet_ids" "default_vpc_subnets" {
+  vpc_id = data.aws_vpc.default.id
+}
+
+resource "aws_secretsmanager_secret" "scimsession" {
+  name = "scim-bridge-scimsession"
+}
+
+resource "aws_secretsmanager_secret_version" "scimsession_1" {
+  secret_id     = aws_secretsmanager_secret.scimsession.id
+  secret_string = base64encode(file("${path.module}/scimsession"))
+}
+
+resource "aws_cloudwatch_log_group" "scim-bridge" {
+  name_prefix = "scim-bridge-logs"
+}
+
+resource "aws_ecs_cluster" "scim-bridge" {
+  name = "scim-bridge"
+}
+
+resource "aws_ecs_task_definition" "scim-bridge" {
+  family = "scim-bridge"
+  container_definitions = templatefile("task-definitions/scim.json",
+    { secret_arn     = aws_secretsmanager_secret.scimsession.arn,
+      aws_logs_group = aws_cloudwatch_log_group.scim-bridge.name,
+      region         = var.aws_region
+  })
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  memory                   = 512
+  cpu                      = 256
+  execution_role_arn       = aws_iam_role.scim-bridge.arn
+}
+
+resource "aws_iam_role" "scim-bridge" {
+  name               = "scim-bridge-task-role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "scim-bridge" {
+  role       = aws_iam_role.scim-bridge.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+data "aws_iam_policy_document" "scim" {
+  statement {
+    actions = [
+      "secretsmanager:GetSecretValue",
+    ]
+
+    resources = [
+      aws_secretsmanager_secret.scimsession.arn,
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "scim_secret_policy" {
+  name   = "scim_secret_policy"
+  role   = aws_iam_role.scim-bridge.id
+  policy = data.aws_iam_policy_document.scim.json
+}
+
+resource "aws_ecs_service" "scim_bridge_service" {
+  name             = "scim_bridge_service"
+  cluster          = aws_ecs_cluster.scim-bridge.id
+  task_definition  = aws_ecs_task_definition.scim-bridge.arn
+  launch_type      = "FARGATE"
+  platform_version = "1.4.0"
+  desired_count    = 1
+  depends_on       = [aws_lb_listener.listener_https]
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.target_group_http.arn
+    container_name   = aws_ecs_task_definition.scim-bridge.family
+    container_port   = 3002
+  }
+
+  network_configuration {
+    subnets          = data.aws_subnet_ids.default_vpc_subnets.ids
+    assign_public_ip = true
+    security_groups  = [aws_security_group.service_security_group.id]
+  }
+}
+
+resource "aws_alb" "scim-bridge-alb" {
+  name               = "scim-bridge-alb"
+  load_balancer_type = "application"
+  subnets            = data.aws_subnet_ids.default_vpc_subnets.ids
+  security_groups    = [aws_security_group.scim-bridge-sg.id]
+}
+
+# Creating a security group for the load balancer:
+resource "aws_security_group" "scim-bridge-sg" {
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "service_security_group" {
+  ingress {
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+    # Only allowing traffic in from the load balancer security group
+    security_groups = [aws_security_group.scim-bridge-sg.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_lb_target_group" "target_group_http" {
+  name        = "target-group-http"
+  port        = 3002
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = data.aws_vpc.default.id
+  health_check {
+    matcher = "200,301,302"
+    path    = "/"
+  }
+}
+
+resource "aws_lb_listener" "listener_https" {
+  load_balancer_arn = aws_alb.scim-bridge-alb.arn
+  port              = 443
+  protocol          = "HTTPS"
+  certificate_arn   = aws_acm_certificate.scim_bridge_cert.arn
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.target_group_http.arn
+  }
+}
+
+output "cloudwatch-log-group" {
+  description = "Where you can find your scim-bridge logs"
+  value       = aws_cloudwatch_log_group.scim-bridge.name
+}
+
+output "loadbalancer-dns-name" {
+  description = "The Load balancer address to set in your DNS"
+  value       = aws_alb.scim-bridge-alb.dns_name
+}
+
+resource "aws_acm_certificate" "scim_bridge_cert" {
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+/* If you are not using AWS Route 53 and AWS Certificate Manager for your DNS, 
+   comment out below here */
+resource "aws_route53_record" "scim_bridge_cert_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.scim_bridge_cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.route53_zone_id
+}
+
+resource "aws_route53_record" "scim_bridge" {
+  zone_id = var.route53_zone_id
+  name    = var.domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.scim-bridge-alb.dns_name
+    zone_id                = aws_alb.scim-bridge-alb.zone_id
+    evaluate_target_health = true
+  }
+}

aws-ecsfargate-terraform/terraform.tfvars.template

@@ -0,0 +1,4 @@
+aws_region="us-east-1"
+
+domain_name="FILL_ME"
+route53_zone_id="FILL_ME"

aws-ecsfargate-terraform/variables.tf

@@ -0,0 +1,15 @@
+variable "aws_region" {
+  type        = string
+  description = ""
+  default     = "us-east-1"
+}
+
+variable "domain_name" {
+  type        = string
+  description = ""
+}
+
+variable "route53_zone_id" {
+  type        = string
+  description = ""
+}

docker/compose/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '2.2'
 services:
   scim:
-    image: 1password/scim:v1.6.0
+    image: 1password/scim:v1.6.1
     ports:
       - "80:8080"
       - "443:8443"

docker/swarm/docker-compose.yml

@@ -1,7 +1,7 @@
 version: '3.3'
 services:
   scim:
-    image: 1password/scim:v1.6.0
+    image: 1password/scim:v1.6.1
     deploy:
       replicas: 1
       restart_policy:

kubernetes/op-scim-deployment.yaml

@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
       - name: op-scim-bridge
-        image: 1password/scim:v1.6.0
+        image: 1password/scim:v1.6.1
         ports:
         - containerPort: 3002
         volumeMounts: