From a8faad1c8b30128731451ec580e91ba2e5c8b176 Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Mon, 9 Nov 2020 12:06:58 -0400 Subject: [PATCH 01/17] first pass at terraform ecs with fargate setup --- aws-terraform/ecs/README.md | 4 + aws-terraform/ecs/task-definitions/scim.json | 61 ++++++ aws-terraform/ecs/terraform.tf | 184 +++++++++++++++++++ 3 files changed, 249 insertions(+) create mode 100644 aws-terraform/ecs/README.md create mode 100644 aws-terraform/ecs/task-definitions/scim.json create mode 100644 aws-terraform/ecs/terraform.tf diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md new file mode 100644 index 0000000..8cf1f0f --- /dev/null +++ b/aws-terraform/ecs/README.md @@ -0,0 +1,4 @@ +# Deploying the 1Password SCIM Bridge in AWS ECS with Terraform + +This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service using Terraform. + diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-terraform/ecs/task-definitions/scim.json new file mode 100644 index 0000000..13f8355 --- /dev/null +++ b/aws-terraform/ecs/task-definitions/scim.json 
@@ -0,0 +1,61 @@ +[ + { + "name": "scim-bridge", + "image": "1password/scim:v1.6.0", + "cpu": 128, + "memory": 512, + "essential": true, + "dependsOn": [ + { + "containerName": "redis", + "condition": "START" + } + ], + "portMappings": [ + { + "containerPort": 8080, + "hostPort": 8080 + }, + { + "containerPort": 8443, + "hostPort": 8443 + } + ], + "entrypoint": ["/op-scim/op-scim", "--redis-host=redis", "--redis-port=6379"], + "environment": [ + { "name": "OP_PORT", "value": "8080"}, + { "name": "OP_SESSION", "value": "/data/scimsession"}, + { "name": "OP_REDIS_URL", "value": "redis"} + ], + "logConfiguration": { + "logDriver": "awslogs", + "options": { + "awslogs-group" : "/ecs/fargate-task-definition", + "awslogs-region": "us-east-1", + "awslogs-stream-prefix": "ecs-scim" + } + } + }, + { + "name": "redis", + "image": "redis:latest", + "cpu": 128, + "memory": 256, + "essential": true, + "restart": "always", + "logConfiguration": { + "logDriver": "awslogs", + "options": { + "awslogs-group" : "/ecs/fargate-task-definition", + "awslogs-region": "us-east-1", + "awslogs-stream-prefix": "ecs-redis" + } + }, + "portMappings": [ + { + "containerPort": 6379, + "hostPort": 6379 + } + ] + } + ] \ No newline at end of file diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf new file mode 100644 index 0000000..60a9b08 --- /dev/null +++ b/aws-terraform/ecs/terraform.tf 
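Review bot: `"restart": "always"` on the redis container, near the end of the hunk, is not an ECS container-definition parameter (it is a Docker Compose key), so it will be ignored or rejected rather than restart anything; with `"essential": true` ECS already replaces the whole task when the container dies, which is the intended effect. The documented name for the command-override key is `entryPoint`; the Terraform provider may tolerate the lowercase `entrypoint`, but using the documented spelling avoids depending on that. `redis:latest` is an unpinned image in a task that holds live session state; pin a version (ideally a digest) so a redeploy cannot silently pull a different Redis. In `awsvpc` mode every `containerPort` is published on the task ENI, so the 6379 mapping makes Redis reachable from whatever the service security group admits while being unnecessary for same-task traffic; drop it. `dependsOn` with `"condition": "START"` only waits for the Redis process to launch, not to accept connections — a `healthCheck` on the redis container plus `"condition": "HEALTHY"` gives the bridge a ready backend.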
@@ -0,0 +1,184 @@ +provider "aws" { + version = "~> 2.0" + region = "us-east-1" +} + +resource "aws_ecs_cluster" "scim-bridge" { + name = "scim-bridge" +} + +resource "aws_ecs_task_definition" "scim-bridge" { + family = "scim-bridge" + container_definitions = file("task-definitions/scim.json") + #volume { + # name = "data" + # host_path = "/data" + #} + requires_compatibilities = ["FARGATE"] # Stating that we are using ECS Fargate + network_mode = "awsvpc" # Using awsvpc as our network mode as this is required for Fargate + memory = 512 # Specifying the memory our container requires + cpu = 256 # Specifying the CPU our container requires + execution_role_arn = aws_iam_role.ecsTaskExecutionRole-scim-bridge.arn +} + +resource "aws_iam_role" "ecsTaskExecutionRole-scim-bridge" { + name = "ecsTaskExecutionRole-scim-bridge" + assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json +} + +data "aws_iam_policy_document" "assume_role_policy" { + statement { + actions = ["sts:AssumeRole"] + + principals { + type = "Service" + identifiers = ["ecs-tasks.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy-scim-bridge" { + role = aws_iam_role.ecsTaskExecutionRole-scim-bridge.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" +} + +resource "aws_ecs_service" "scim_bridge_service" { + name = "scim_bridge_service" + cluster = aws_ecs_cluster.scim-bridge.id + task_definition = aws_ecs_task_definition.scim-bridge.arn + launch_type = "FARGATE" + desired_count = 1 + + /**load_balancer { + target_group_arn = aws_lb_target_group.target_group_http.arn + container_name = aws_ecs_task_definition.scim-bridge.family + container_port = 8080 # Specifying the container port + }*/ + + load_balancer { + target_group_arn = aws_lb_target_group.target_group_https.arn + container_name = aws_ecs_task_definition.scim-bridge.family + container_port = 8443 # Specifying the container port + } + + 
network_configuration { + subnets = [aws_default_subnet.default_subnet_a.id, aws_default_subnet.default_subnet_b.id, aws_default_subnet.default_subnet_c.id] + assign_public_ip = true # Providing our containers with public IPs + security_groups = [aws_security_group.service_security_group.id] # Setting the security group + } +} + +resource "aws_alb" "scim-bridge-alb" { + name = "scim-bridge-alb" # Naming our load balancer + load_balancer_type = "application" + subnets = [ # Referencing the default subnets + aws_default_subnet.default_subnet_a.id, + aws_default_subnet.default_subnet_b.id, + aws_default_subnet.default_subnet_c.id + ] + # Referencing the security group + security_groups = [aws_security_group.scim-bridge-sg.id] +} + +# Creating a security group for the load balancer: +resource "aws_security_group" "scim-bridge-sg" { + ingress { + from_port = 80 # Allowing traffic in from port 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources + } + + ingress { + from_port = 443 # Allowing traffic in from port 80 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources + } + + egress { + from_port = 0 # Allowing any incoming port + to_port = 0 # Allowing any outgoing port + protocol = "-1" # Allowing any outgoing protocol + cidr_blocks = ["0.0.0.0/0"] # Allowing traffic out to all IP addresses + } +} + +resource "aws_security_group" "service_security_group" { + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + # Only allowing traffic in from the load balancer security group + security_groups = [aws_security_group.scim-bridge-sg.id] + } + + egress { + from_port = 0 # Allowing any incoming port + to_port = 0 # Allowing any outgoing port + protocol = "-1" # Allowing any outgoing protocol + cidr_blocks = ["0.0.0.0/0"] # Allowing traffic out to all IP addresses + } +} + +resource "aws_lb_target_group" "target_group_http" { + name = "target-group-http" + port = 80 + 
protocol = "HTTP" + target_type = "ip" + vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC + health_check { + matcher = "200,301,302" + path = "/" + } +} + +resource "aws_lb_listener" "listener_http" { + load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer + port = "80" + protocol = "HTTP" + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.target_group_http.arn # Referencing our target group + } +} + +resource "aws_lb_target_group" "target_group_https" { + name = "target-group-https" + port = 443 + protocol = "HTTPS" + target_type = "ip" + vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC + health_check { + matcher = "200,301,302" + path = "/" + } +} + +resource "aws_lb_listener" "listener_https" { + load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer + port = "443" + protocol = "HTTPS" + certificate_arn = "arn:aws:acm:us-east-1:729119775555:certificate/7b939514-6eee-496f-97dd-b30a63331db7" + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.target_group_https.arn # Referencing our target group + } +} + +# Providing a reference to our default VPC +resource "aws_default_vpc" "default_vpc" { +} + +# Providing a reference to our default subnets +resource "aws_default_subnet" "default_subnet_a" { + availability_zone = "us-east-1a" +} + +resource "aws_default_subnet" "default_subnet_b" { + availability_zone = "us-east-1b" +} + +resource "aws_default_subnet" "default_subnet_c" { + availability_zone = "us-east-1c" +} \ No newline at end of file From 3addefe2673d5621273897c65749442d4696fd16 Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Tue, 24 Nov 2020 13:56:03 -0400 Subject: [PATCH 02/17] fixed redis reference --- aws-terraform/ecs/task-definitions/scim.json | 8 ++++---- aws-terraform/ecs/terraform.tf | 19 ++++++++----------- 2 files changed, 12 insertions(+), 15 deletions(-) 
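Review bot: `service_security_group` admits every port and protocol (`from_port = 0`, `protocol = "-1"`) from the load balancer security group, although the ALB only ever forwards to the target-group ports; restrict the ingress to those container ports (8080 and 8443, `protocol = "tcp"`) so the task ENI, which in awsvpc mode also exposes Redis on 6379, is not reachable beyond what the listeners need. Both target groups use `health_check { matcher = "200,301,302" path = "/" }`, which counts a redirect as healthy, so a target that only ever redirects keeps passing; prefer a path that the bridge answers with 200 and `matcher = "200"`. `certificate_arn` is a literal ARN carrying an account id and certificate id, which ties the file to one account; it should come from a variable or an `aws_acm_certificate` resource.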
diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-terraform/ecs/task-definitions/scim.json index 13f8355..d9f095c 100644 --- a/aws-terraform/ecs/task-definitions/scim.json +++ b/aws-terraform/ecs/task-definitions/scim.json @@ -21,16 +21,16 @@ "hostPort": 8443 } ], - "entrypoint": ["/op-scim/op-scim", "--redis-host=redis", "--redis-port=6379"], + "entrypoint": ["/op-scim/op-scim", "--redis-host=localhost", "--redis-port=6379"], "environment": [ { "name": "OP_PORT", "value": "8080"}, { "name": "OP_SESSION", "value": "/data/scimsession"}, - { "name": "OP_REDIS_URL", "value": "redis"} + { "name": "OP_REDIS_URL", "value": "localhost"} ], "logConfiguration": { "logDriver": "awslogs", "options": { - "awslogs-group" : "/ecs/fargate-task-definition", + "awslogs-group" : "/ecs/scim-bridge", "awslogs-region": "us-east-1", "awslogs-stream-prefix": "ecs-scim" } @@ -46,7 +46,7 @@ "logConfiguration": { "logDriver": "awslogs", "options": { - "awslogs-group" : "/ecs/fargate-task-definition", + "awslogs-group" : "/ecs/scim-bridge", "awslogs-region": "us-east-1", "awslogs-stream-prefix": "ecs-redis" } diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 60a9b08..b4d3335 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -10,10 +10,6 @@ resource "aws_ecs_cluster" "scim-bridge" { resource "aws_ecs_task_definition" "scim-bridge" { family = "scim-bridge" container_definitions = file("task-definitions/scim.json") - #volume { - # name = "data" - # host_path = "/data" - #} requires_compatibilities = ["FARGATE"] # Stating that we are using ECS Fargate network_mode = "awsvpc" # Using awsvpc as our network mode as this is required for Fargate memory = 512 # Specifying the memory our container requires 
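Review bot: The Redis location is now given twice — `--redis-host=localhost` on the entrypoint and `OP_REDIS_URL=localhost` in `environment` — and nothing in the hunk shows which one op-scim prefers when both are set; keep one so a later edit cannot leave them disagreeing. If `OP_REDIS_URL` is expected to be a full URL, a bare hostname may not parse — confirm against the op-scim documentation before relying on it. The renamed `awslogs-group` `/ecs/scim-bridge` must already exist (or `awslogs-create-group` must be set and the execution role allowed `logs:CreateLogGroup`) or the task fails at launch; declaring it as an `aws_cloudwatch_log_group` resource in terraform.tf keeps the deployment self-contained.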
@@ -48,12 +44,13 @@ resource "aws_ecs_service" "scim_bridge_service" { task_definition = aws_ecs_task_definition.scim-bridge.arn launch_type = "FARGATE" desired_count = 1 + depends_on = [aws_lb_listener.listener_http, aws_lb_listener.listener_https] - /**load_balancer { + load_balancer { target_group_arn = aws_lb_target_group.target_group_http.arn container_name = aws_ecs_task_definition.scim-bridge.family container_port = 8080 # Specifying the container port - }*/ + } load_balancer { target_group_arn = aws_lb_target_group.target_group_https.arn @@ -90,7 +87,7 @@ resource "aws_security_group" "scim-bridge-sg" { } ingress { - from_port = 443 # Allowing traffic in from port 80 + from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources @@ -123,7 +120,7 @@ resource "aws_security_group" "service_security_group" { resource "aws_lb_target_group" "target_group_http" { name = "target-group-http" - port = 80 + port = 8080 protocol = "HTTP" target_type = "ip" vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC @@ -135,7 +132,7 @@ resource "aws_lb_target_group" "target_group_http" { resource "aws_lb_listener" "listener_http" { load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer - port = "80" + port = 80 protocol = "HTTP" default_action { type = "forward" @@ -145,7 +142,7 @@ resource "aws_lb_listener" "listener_http" { resource "aws_lb_target_group" "target_group_https" { name = "target-group-https" - port = 443 + port = 8443 protocol = "HTTPS" target_type = "ip" vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC 
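Review bot: `listener_http` (the `@@ -135` hunk) still forwards port-80 traffic to the container, so a client that reaches the bridge over HTTP sends its SCIM bearer token in cleartext to the ALB; change its `default_action` to `type = "redirect"` with `redirect { port = "443" protocol = "HTTPS" status_code = "HTTP_301" }` and let only `listener_https` forward. `target_group_https` (the `@@ -145` hunk) now targets 8443 with `protocol = "HTTPS"`, which requires the container itself to serve TLS on that port; nothing in the task definition provisions a certificate, so unless the bridge obtains one on its own those health checks will fail. The `@@ -48` hunk re-enables the second `load_balancer` block, so the service now registers with both target groups; if the HTTPS path to the container is not working yet, registering it only makes the service flap.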
@@ -157,7 +154,7 @@ resource "aws_lb_target_group" "target_group_https" { resource "aws_lb_listener" "listener_https" { load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer - port = "443" + port = 443 protocol = "HTTPS" certificate_arn = "arn:aws:acm:us-east-1:729119775555:certificate/7b939514-6eee-496f-97dd-b30a63331db7" default_action { From fe5e6032676909340dc1e2bdcf3df97061304938 Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Thu, 26 Nov 2020 10:18:18 -0400 Subject: [PATCH 03/17] Working but gets a redirect loop --- aws-terraform/ecs/README.md | 2 + aws-terraform/ecs/task-definitions/scim.json | 5 +- aws-terraform/ecs/terraform.tf | 74 +++++++++++++++----- 3 files changed, 61 insertions(+), 20 deletions(-) diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md index 8cf1f0f..beb2a31 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-terraform/ecs/README.md @@ -2,3 +2,5 @@ This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service using Terraform. +terraform apply -target=aws_acm_certificate.scim_bridge_cert +terraform apply \ No newline at end of file diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-terraform/ecs/task-definitions/scim.json index d9f095c..c1d2b34 100644 --- a/aws-terraform/ecs/task-definitions/scim.json +++ b/aws-terraform/ecs/task-definitions/scim.json @@ -19,12 +19,15 @@ { "containerPort": 8443, "hostPort": 8443 + }, + { + "containerPort": 3002, + "hostPort": 3002 } ], "entrypoint": ["/op-scim/op-scim", "--redis-host=localhost", "--redis-port=6379"], "environment": [ { "name": "OP_PORT", "value": "8080"}, - { "name": "OP_SESSION", "value": "/data/scimsession"}, { "name": "OP_REDIS_URL", "value": "localhost"} ], "logConfiguration": { diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index b4d3335..5770777 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf 
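Review bot: Dropping `OP_SESSION` from `environment` in the scim.json hunk leaves the task with no source for the session file — the earlier `/data/scimsession` path had no volume behind it either — so the bridge presumably starts without credentials; supply it from a secret store through ECS `secrets` with `valueFrom` instead of leaving it out. Adding the 3002 mapping while keeping 8080 and 8443 exposes three ports on the task ENI; only the port the target group actually uses should remain.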
@@ -44,7 +44,7 @@ resource "aws_ecs_service" "scim_bridge_service" { task_definition = aws_ecs_task_definition.scim-bridge.arn launch_type = "FARGATE" desired_count = 1 - depends_on = [aws_lb_listener.listener_http, aws_lb_listener.listener_https] + depends_on = [aws_lb_listener.listener_https] load_balancer { target_group_arn = aws_lb_target_group.target_group_http.arn @@ -52,11 +52,11 @@ resource "aws_ecs_service" "scim_bridge_service" { container_port = 8080 # Specifying the container port } - load_balancer { + /*load_balancer { target_group_arn = aws_lb_target_group.target_group_https.arn container_name = aws_ecs_task_definition.scim-bridge.family container_port = 8443 # Specifying the container port - } + }*/ network_configuration { subnets = [aws_default_subnet.default_subnet_a.id, aws_default_subnet.default_subnet_b.id, aws_default_subnet.default_subnet_c.id] @@ -130,17 +130,7 @@ resource "aws_lb_target_group" "target_group_http" { } } -resource "aws_lb_listener" "listener_http" { - load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer - port = 80 - protocol = "HTTP" - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.target_group_http.arn # Referencing our target group - } -} - -resource "aws_lb_target_group" "target_group_https" { +/*resource "aws_lb_target_group" "target_group_https" { name = "target-group-https" port = 8443 protocol = "HTTPS" 
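Review bot: `target_group_https` (the `@@ -130` hunk, whose resource continues in the next hunk) and the second `load_balancer` block are disabled by wrapping them in `/* … */` rather than deleting them, which leaves dead HCL that `terraform fmt`/`validate` never check and that silently drifts from the live resources. Delete them and rely on history, or keep them behind a `count = var.enable_https_backend ? 1 : 0` if the HTTPS-to-container path is meant to come back. `depends_on = [aws_lb_listener.listener_https]` is correct once `listener_http` is gone, but an ECS service with a `load_balancer` block already waits for the listener through the target-group reference, so the explicit dependency can carry a comment saying why it is kept.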
@@ -150,24 +140,32 @@ resource "aws_lb_target_group" "target_group_https" { matcher = "200,301,302" path = "/" } -} - +}*/ resource "aws_lb_listener" "listener_https" { load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer port = 443 protocol = "HTTPS" - certificate_arn = "arn:aws:acm:us-east-1:729119775555:certificate/7b939514-6eee-496f-97dd-b30a63331db7" + certificate_arn = aws_acm_certificate.scim_bridge_cert.arn default_action { type = "forward" - target_group_arn = aws_lb_target_group.target_group_https.arn # Referencing our target group + target_group_arn = aws_lb_target_group.target_group_http.arn # Referencing our target group } } +/*resource "aws_lb_listener" "listener_http" { + load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer + port = 80 + protocol = "HTTP" + default_action { + type = "forward" + target_group_arn = aws_lb_target_group.target_group_http.arn # Referencing our target group + } +}*/ + # Providing a reference to our default VPC resource "aws_default_vpc" "default_vpc" { } -# Providing a reference to our default subnets resource "aws_default_subnet" "default_subnet_a" { availability_zone = "us-east-1a" } 
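Review bot: `listener_https` now terminates TLS at the ALB and forwards to `target_group_http` on plain HTTP, so the bridge sees an `http` request and — judging by the commit subject — answers with a redirect to HTTPS, which the ALB forwards again; the fix belongs at the bridge (confirm in the op-scim documentation whether it honours `X-Forwarded-Proto` or offers a plain-HTTP port meant for use behind a proxy) rather than in the health-check matcher. `certificate_arn = aws_acm_certificate.scim_bridge_cert.arn` references a certificate that is only requested, not validated, in this commit; see the note on the next hunk for the ordering problem that causes.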
@@ -178,4 +176,42 @@ resource "aws_default_subnet" "default_subnet_b" { resource "aws_default_subnet" "default_subnet_c" { availability_zone = "us-east-1c" +} + +resource "aws_acm_certificate" "scim_bridge_cert" { + domain_name = "scim-bridge-amanda.play.agilebits.net" + validation_method = "DNS" + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_route53_record" "scim_bridge_cert_validation" { + for_each = { + for dvo in aws_acm_certificate.scim_bridge_cert.domain_validation_options : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + allow_overwrite = true + name = each.value.name + records = [each.value.record] + ttl = 60 + type = each.value.type + zone_id = "Z3V3UMKDNQGJ7A" +} + +resource "aws_route53_record" "scim_bridge" { + zone_id = "Z3V3UMKDNQGJ7A" + name = "scim-bridge-amanda.play.agilebits.net" + type = "A" + + alias { + name = aws_alb.scim-bridge-alb.dns_name + zone_id = aws_alb.scim-bridge-alb.zone_id + evaluate_target_health = true + } } \ No newline at end of file From 0e65e7e4c24f9575d4f6be1a25a93f384d76bb8c Mon Sep 17 00:00:00 2001 From: Graham L Brown Date: Thu, 10 Dec 2020 09:30:06 -0800 Subject: [PATCH 04/17] Update to v1.6.1 --- docker/compose/docker-compose.yml | 2 +- docker/swarm/docker-compose.yml | 2 +- kubernetes/op-scim-deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/compose/docker-compose.yml b/docker/compose/docker-compose.yml index 7c8f127..a4c9815 100644 --- a/docker/compose/docker-compose.yml +++ b/docker/compose/docker-compose.yml @@ -1,7 +1,7 @@ version: '2.2' services: scim: - image: 1password/scim:v1.6.0 + image: 1password/scim:v1.6.1 ports: - "80:8080" - "443:8443" diff --git a/docker/swarm/docker-compose.yml b/docker/swarm/docker-compose.yml index 3a68e70..5b85373 100644 --- a/docker/swarm/docker-compose.yml +++ b/docker/swarm/docker-compose.yml 
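Review bot: Nothing waits for the certificate to be issued — ACM issues it only after the Route 53 validation record resolves, and attaching a still-pending certificate to the HTTPS listener fails, which is presumably why the README resorts to a two-step `terraform apply -target`. Add an `aws_acm_certificate_validation` resource that depends on the validation records and point the listener at `certificate_arn = aws_acm_certificate_validation.scim_bridge_cert.certificate_arn` so a single apply orders itself. `allow_overwrite = true` on the validation record silently replaces any existing record of that name in the zone; drop it unless the zone is known to carry stale validation CNAMEs. The hosted zone id and personal hostname are literals repeated in two resources; they belong in variables.
```hcl
resource "aws_acm_certificate_validation" "scim_bridge_cert" {
  certificate_arn         = aws_acm_certificate.scim_bridge_cert.arn
  validation_record_fqdns = [for record in aws_route53_record.scim_bridge_cert_validation : record.fqdn]
}

# … unchanged: aws_route53_record.scim_bridge alias record …
```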
@@ -1,7 +1,7 @@ version: '3.3' services: scim: - image: 1password/scim:v1.6.0 + image: 1password/scim:v1.6.1 deploy: replicas: 1 restart_policy: diff --git a/kubernetes/op-scim-deployment.yaml b/kubernetes/op-scim-deployment.yaml index 2fd6c64..8abf21b 100644 --- a/kubernetes/op-scim-deployment.yaml +++ b/kubernetes/op-scim-deployment.yaml @@ -14,7 +14,7 @@ spec: spec: containers: - name: op-scim-bridge - image: 1password/scim:v1.6.0 + image: 1password/scim:v1.6.1 command: ["/op-scim/op-scim"] ports: - containerPort: 3002 From 5f3324bbc1a83e9c194195c65bf169b6e8bf94eb Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Thu, 10 Dec 2020 17:07:10 -0400 Subject: [PATCH 05/17] switched to 3002 and trying to get scimsession pre-installed --- aws-terraform/ecs/task-definitions/scim.json | 17 +++++------- aws-terraform/ecs/terraform.tf | 28 ++++++++++++++++++-- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-terraform/ecs/task-definitions/scim.json index c1d2b34..fe27f1a 100644 --- a/aws-terraform/ecs/task-definitions/scim.json +++ b/aws-terraform/ecs/task-definitions/scim.json @@ -1,7 +1,7 @@ [ { "name": "scim-bridge", - "image": "1password/scim:v1.6.0", + "image": "1password/scim:v1.6.1", "cpu": 128, "memory": 512, "essential": true, @@ -12,14 +12,6 @@ } ], "portMappings": [ - { - "containerPort": 8080, - "hostPort": 8080 - }, - { - "containerPort": 8443, - "hostPort": 8443 - }, { "containerPort": 3002, "hostPort": 3002 
@@ -27,8 +19,11 @@ ], "entrypoint": ["/op-scim/op-scim", "--redis-host=localhost", "--redis-port=6379"], "environment": [ - { "name": "OP_PORT", "value": "8080"}, - { "name": "OP_REDIS_URL", "value": "localhost"} + { "name": "OP_REDIS_URL", "value": "localhost" }, + { "name": "OP_LETSENCRYPT_DOMAIN", "value": "" } + ], + "secrets": [ + {"name": "OP_SESSION", "valueFrom": "arn:aws:secretsmanager:us-east-1:729119775555:secret:amanda/scim-bridge/scimsession-ukalr5"} ], "logConfiguration": { "logDriver": "awslogs", diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 5770777..8795cee 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -38,6 +38,30 @@ resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy-scim-brid policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } +resource "aws_iam_role_policy" "scim_secret_policy" { + name = "scim_secret_policy" + role = aws_iam_role.ecsTaskExecutionRole-scim-bridge.id + + policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "ssm:GetParameters" + ], + "Resource": [ + "arn:aws:secretsmanager:us-east-1:729119775555:secret:amanda/scim-bridge/scimsession-ukalr5", + "arn:aws:ssm:us-east-1:729119775555:parameter/*" + ] + } + ] + } + EOF +} + resource "aws_ecs_service" "scim_bridge_service" { name = "scim_bridge_service" cluster = aws_ecs_cluster.scim-bridge.id @@ -49,7 +73,7 @@ resource "aws_ecs_service" "scim_bridge_service" { load_balancer { target_group_arn = aws_lb_target_group.target_group_http.arn container_name = aws_ecs_task_definition.scim-bridge.family - container_port = 8080 # Specifying the container port + container_port = 3002 # Specifying the container port } /*load_balancer { 
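Review bot: `scim_secret_policy` grants `ssm:GetParameters` on `parameter/*` for the whole account although the task definition references only the one Secrets Manager secret; drop the SSM action and resource so the execution role is scoped to what `secrets` actually reads. If that secret is encrypted with a customer-managed KMS key, the execution role also needs `kms:Decrypt` on that key, which this policy does not grant and which only surfaces as a task launch failure. The `valueFrom` ARN in scim.json and the same ARN in this policy carry an account id and a personal secret path; feed both from one variable so they cannot drift apart. `OP_LETSENCRYPT_DOMAIN` is set to an empty string — if an empty value is meant to disable the feature, a comment in the task definition's `environment` entry should say so, since the JSON cannot carry one otherwise.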
@@ -120,7 +144,7 @@ resource "aws_security_group" "service_security_group" { resource "aws_lb_target_group" "target_group_http" { name = "target-group-http" - port = 8080 + port = 3002 protocol = "HTTP" target_type = "ip" vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC From acf98583fe6ab16c302fbc24cb9a601cb4b2e6aa Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Tue, 15 Dec 2020 20:39:59 -0400 Subject: [PATCH 06/17] working now, starting to cleanup with variables --- .gitignore | 3 ++ aws-terraform/ecs/task-definitions/scim.json | 4 +- aws-terraform/ecs/terraform.tf | 50 +++++--------------- aws-terraform/ecs/terraform.tfvars | 4 ++ aws-terraform/ecs/variables.tf | 33 +++++++++++++ 5 files changed, 53 insertions(+), 41 deletions(-) create mode 100644 aws-terraform/ecs/terraform.tfvars create mode 100644 aws-terraform/ecs/variables.tf diff --git a/.gitignore b/.gitignore index 4f2675a..428afbd 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,6 @@ scim.env *.deploy *.bak .idea/ +.terraform/ +terraform.tfstate +terraform.tfstate.backup \ No newline at end of file diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-terraform/ecs/task-definitions/scim.json index fe27f1a..5f94211 100644 --- a/aws-terraform/ecs/task-definitions/scim.json +++ b/aws-terraform/ecs/task-definitions/scim.json @@ -17,13 +17,13 @@ "hostPort": 3002 } ], - "entrypoint": ["/op-scim/op-scim", "--redis-host=localhost", "--redis-port=6379"], + "entrypoint": ["/op-scim/op-scim", "--redis-host=localhost"], "environment": [ { "name": "OP_REDIS_URL", "value": "localhost" }, { "name": "OP_LETSENCRYPT_DOMAIN", "value": "" } ], "secrets": [ - {"name": "OP_SESSION", "valueFrom": "arn:aws:secretsmanager:us-east-1:729119775555:secret:amanda/scim-bridge/scimsession-ukalr5"} + {"name": "OP_SESSION", "valueFrom": "arn:aws:secretsmanager:us-east-1:729119775555:secret:ecs/scim-bridge/amanda-HF09CT"} ], "logConfiguration": { "logDriver": "awslogs", 
diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 8795cee..1ac528a 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -1,6 +1,6 @@ provider "aws" { version = "~> 2.0" - region = "us-east-1" + region = var.region } resource "aws_ecs_cluster" "scim-bridge" { @@ -49,12 +49,10 @@ resource "aws_iam_role_policy" "scim_secret_policy" { { "Effect": "Allow", "Action": [ - "secretsmanager:GetSecretValue", - "ssm:GetParameters" + "secretsmanager:GetSecretValue" ], "Resource": [ - "arn:aws:secretsmanager:us-east-1:729119775555:secret:amanda/scim-bridge/scimsession-ukalr5", - "arn:aws:ssm:us-east-1:729119775555:parameter/*" + "${var.secret_arn}" ] } ] @@ -67,6 +65,7 @@ resource "aws_ecs_service" "scim_bridge_service" { cluster = aws_ecs_cluster.scim-bridge.id task_definition = aws_ecs_task_definition.scim-bridge.arn launch_type = "FARGATE" + platform_version = "1.4.0" desired_count = 1 depends_on = [aws_lb_listener.listener_https] @@ -76,12 +75,6 @@ resource "aws_ecs_service" "scim_bridge_service" { container_port = 3002 # Specifying the container port } - /*load_balancer { - target_group_arn = aws_lb_target_group.target_group_https.arn - container_name = aws_ecs_task_definition.scim-bridge.family - container_port = 8443 # Specifying the container port - }*/ - network_configuration { subnets = [aws_default_subnet.default_subnet_a.id, aws_default_subnet.default_subnet_b.id, aws_default_subnet.default_subnet_c.id] assign_public_ip = true # Providing our containers with public IPs 
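Review bot: The execution-role policy is hand-written JSON in a heredoc with `"${var.secret_arn}"` interpolated into it, while the assume-role policy earlier in the same file uses `data "aws_iam_policy_document"`; express `scim_secret_policy` the same way (the `aws_iam_role_policy` header is outside this hunk), which validates the document at plan time and avoids a quoting problem if a variable value ever contains a `"`. `platform_version = "1.4.0"` is a reasonable pin for a Fargate service using `secrets`, but it deserves a one-line comment naming the feature it is pinned for so the next maintainer does not bump it blindly.
```hcl
data "aws_iam_policy_document" "scim_secret_policy" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [var.secret_arn]
  }
}

resource "aws_iam_role_policy" "scim_secret_policy" {
  name   = "scim_secret_policy"
  role   = aws_iam_role.ecsTaskExecutionRole-scim-bridge.id
  policy = data.aws_iam_policy_document.scim_secret_policy.json
}
```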
@@ -154,17 +147,6 @@ resource "aws_lb_target_group" "target_group_http" { } } -/*resource "aws_lb_target_group" "target_group_https" { - name = "target-group-https" - port = 8443 - protocol = "HTTPS" - target_type = "ip" - vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC - health_check { - matcher = "200,301,302" - path = "/" - } -}*/ resource "aws_lb_listener" "listener_https" { load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer port = 443 @@ -176,34 +158,24 @@ resource "aws_lb_listener" "listener_https" { } } -/*resource "aws_lb_listener" "listener_http" { - load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer - port = 80 - protocol = "HTTP" - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.target_group_http.arn # Referencing our target group - } -}*/ - # Providing a reference to our default VPC resource "aws_default_vpc" "default_vpc" { } resource "aws_default_subnet" "default_subnet_a" { - availability_zone = "us-east-1a" + availability_zone = "${var.region}a" } resource "aws_default_subnet" "default_subnet_b" { - availability_zone = "us-east-1b" + availability_zone = "${var.region}b" } resource "aws_default_subnet" "default_subnet_c" { - availability_zone = "us-east-1c" + availability_zone = "${var.region}c" } resource "aws_acm_certificate" "scim_bridge_cert" { - domain_name = "scim-bridge-amanda.play.agilebits.net" + domain_name = var.domain_name validation_method = "DNS" lifecycle { @@ -225,12 +197,12 @@ resource "aws_route53_record" "scim_bridge_cert_validation" { records = [each.value.record] ttl = 60 type = each.value.type - zone_id = "Z3V3UMKDNQGJ7A" + zone_id = var.dns_zone_id } resource "aws_route53_record" "scim_bridge" { - zone_id = "Z3V3UMKDNQGJ7A" - name = "scim-bridge-amanda.play.agilebits.net" + zone_id = var.dns_zone_id + name = var.domain_name type = "A" alias { 
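Review bot: `availability_zone = "${var.region}a"` (and `b`, `c`) in the `@@ -176` hunk assumes every region exposes zones named a, b and c; several regions do not have a `c` zone and some accounts are not opted into every zone, so `terraform apply` fails there with an invalid-AZ error as soon as `var.region` is changed from the default. Add `data "aws_availability_zones" "available" { state = "available" }` and set each `aws_default_subnet` from `data.aws_availability_zones.available.names[0]`, `[1]`, `[2]` instead of string-building from the region name.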
diff --git a/aws-terraform/ecs/terraform.tfvars b/aws-terraform/ecs/terraform.tfvars new file mode 100644 index 0000000..12e9aed --- /dev/null +++ b/aws-terraform/ecs/terraform.tfvars @@ -0,0 +1,4 @@ +domain_name = "scim-bridge-amanda.play.agilebits.net" +region = "us-east-1" +dns_zone_id = "Z3V3UMKDNQGJ7A" +secret_arn = "arn:aws:secretsmanager:us-east-1:729119775555:secret:ecs/scim-bridge/amanda-HF09CT" \ No newline at end of file diff --git a/aws-terraform/ecs/variables.tf b/aws-terraform/ecs/variables.tf new file mode 100644 index 0000000..eaf2ae3 --- /dev/null +++ b/aws-terraform/ecs/variables.tf @@ -0,0 +1,33 @@ +variable "region" { + type = string + description = "" + default = "us-east-1" +} + +variable "prefix" { + type = string + description = "" + default = "scim-bridge" +} + +variable "secret_arn" { + type = string + description = "" +} + +variable "domain_name" { + type = string + description = "" +} + +variable "dns_zone_id" { + type = string + description = "" + default = "Z3V3UMKDNQGJ7A" +} + +variable "aws_logs_group" { + type = string + description = "" + default = "/ecs/scim-bridge" +} \ No newline at end of file From 5263ec36a81990e853b2ea179262495fbbe0496d Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Tue, 15 Dec 2020 21:01:17 -0400 Subject: [PATCH 07/17] added a few details in the README and variable stuff --- .gitignore | 3 ++- aws-terraform/ecs/README.md | 19 +++++++++++++++++++ aws-terraform/ecs/task-definitions/scim.json | 10 +++++----- aws-terraform/ecs/terraform.tf | 6 +++++- aws-terraform/ecs/terraform.tfvars | 1 - aws-terraform/ecs/variables.tf | 6 ------ 6 files changed, 31 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index 428afbd..652affb 100644 --- a/.gitignore +++ b/.gitignore @@ -5,4 +5,5 @@ scim.env .idea/ .terraform/ terraform.tfstate -terraform.tfstate.backup \ No newline at end of file +terraform.tfstate.backup +terraform.tfvars \ No newline at end of file 
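Review bot: Every variable in variables.tf has `description = ""`, which documents nothing in `terraform plan` output; give each one a sentence — for `secret_arn`, that it is the Secrets Manager ARN holding the base64url-encoded scimsession, as the README describes. `dns_zone_id` defaults to a specific hosted zone id that belongs to one account, so a user who omits it silently targets the wrong zone; remove the default and keep it required like `domain_name`. `prefix` is declared but the visible hunks do not show it used anywhere — verify or drop it. The committed `terraform.tfvars` in the same commit carries the real zone id and account-scoped secret ARN; ship a `terraform.tfvars.example` with placeholders instead.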
diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md index beb2a31..58cf031 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-terraform/ecs/README.md @@ -2,5 +2,24 @@ This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service using Terraform. +Prerequisites +- DNS Zone +- scimsession file and bearer token + +1. base64url encode your scimsession file and upload it to AWS Secret Manager. Take the arn and save it in terraform.tfvars with the name secret_arn. + +2. Create or choose the zone you want to use and grab the zone id and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. + +3. Create the AWS Log Group in CloudWatch where you would like the logs to go. Save the name in terraform.tfvars as aws_logs_group. + +4. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. + +Your terraform.tfvars file should look something like this: +domain_name = "scim-bridge.yourcompany.com" +dns_zone_id = "RANDOMLETTERS123" +secret_arn = "arn:aws:secretsmanager:::secret:-BLAH" +aws_logs_group = "/ecs/scim-bridge" + +Now run the following commands: terraform apply -target=aws_acm_certificate.scim_bridge_cert terraform apply \ No newline at end of file diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-terraform/ecs/task-definitions/scim.json index 5f94211..426bd5f 100644 --- a/aws-terraform/ecs/task-definitions/scim.json +++ b/aws-terraform/ecs/task-definitions/scim.json 
@@ -23,13 +23,13 @@ { "name": "OP_LETSENCRYPT_DOMAIN", "value": "" } ], "secrets": [ - {"name": "OP_SESSION", "valueFrom": "arn:aws:secretsmanager:us-east-1:729119775555:secret:ecs/scim-bridge/amanda-HF09CT"} + {"name": "OP_SESSION", "valueFrom": "${secret_arn}"} ], "logConfiguration": { "logDriver": "awslogs", "options": { - "awslogs-group" : "/ecs/scim-bridge", - "awslogs-region": "us-east-1", + "awslogs-group" : "${aws_logs_group}", + "awslogs-region": "${region}", "awslogs-stream-prefix": "ecs-scim" } } @@ -44,8 +44,8 @@ "logConfiguration": { "logDriver": "awslogs", "options": { - "awslogs-group" : "/ecs/scim-bridge", - "awslogs-region": "us-east-1", + "awslogs-group" : "${aws_logs_group}", + "awslogs-region": "${region}", "awslogs-stream-prefix": "ecs-redis" } }, diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 1ac528a..9b3d42a 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -9,7 +9,11 @@ resource "aws_ecs_cluster" "scim-bridge" { resource "aws_ecs_task_definition" "scim-bridge" { family = "scim-bridge" - container_definitions = file("task-definitions/scim.json") + container_definitions = templatefile("task-definitions/scim.json", + { secret_arn = var.secret_arn, + aws_logs_group = var.aws_logs_group, + region = var.region + }) requires_compatibilities = ["FARGATE"] # Stating that we are using ECS Fargate network_mode = "awsvpc" # Using awsvpc as our network mode as this is required for Fargate memory = 512 # Specifying the memory our container requires diff --git a/aws-terraform/ecs/terraform.tfvars b/aws-terraform/ecs/terraform.tfvars index 12e9aed..68d5441 100644 --- a/aws-terraform/ecs/terraform.tfvars +++ b/aws-terraform/ecs/terraform.tfvars @@ -1,4 +1,3 @@ domain_name = "scim-bridge-amanda.play.agilebits.net" -region = "us-east-1" dns_zone_id = "Z3V3UMKDNQGJ7A" secret_arn = "arn:aws:secretsmanager:us-east-1:729119775555:secret:ecs/scim-bridge/amanda-HF09CT" \ No newline at end of file 
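Review bot: `templatefile("task-definitions/scim.json", …)` resolves the path relative to the working directory rather than the module, so the apply fails when run from any other directory; use `templatefile("${path.module}/task-definitions/scim.json", { … })`. Because the JSON file is now a template, any literal `${` or `%{` added to it later must be escaped as `$${` or `%%{`; a one-line comment above the call noting that would spare the next editor a confusing parse error. The resource block continues outside the hunk.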
diff --git a/aws-terraform/ecs/variables.tf b/aws-terraform/ecs/variables.tf index eaf2ae3..4771e65 100644 --- a/aws-terraform/ecs/variables.tf +++ b/aws-terraform/ecs/variables.tf @@ -4,11 +4,6 @@ variable "region" { default = "us-east-1" } -variable "prefix" { - type = string - description = "" - default = "scim-bridge" -} variable "secret_arn" { type = string @@ -23,7 +18,6 @@ variable "domain_name" { variable "dns_zone_id" { type = string description = "" - default = "Z3V3UMKDNQGJ7A" } variable "aws_logs_group" { From 2b20a6900e49a5f3477fccd7f3fbd5aa106a15ab Mon Sep 17 00:00:00 2001 From: accraw <73299418+accraw@users.noreply.github.com> Date: Wed, 16 Dec 2020 09:22:33 -0400 Subject: [PATCH 08/17] Delete terraform.tfvars --- aws-terraform/ecs/terraform.tfvars | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 aws-terraform/ecs/terraform.tfvars diff --git a/aws-terraform/ecs/terraform.tfvars b/aws-terraform/ecs/terraform.tfvars deleted file mode 100644 index 68d5441..0000000 --- a/aws-terraform/ecs/terraform.tfvars +++ /dev/null @@ -1,3 +0,0 @@ -domain_name = "scim-bridge-amanda.play.agilebits.net" -dns_zone_id = "Z3V3UMKDNQGJ7A" -secret_arn = "arn:aws:secretsmanager:us-east-1:729119775555:secret:ecs/scim-bridge/amanda-HF09CT" \ No newline at end of file From 41bce7b59adad12b314e30d0782af4083eb7e221 Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Wed, 16 Dec 2020 11:23:29 -0400 Subject: [PATCH 09/17] Updated README and removed some comments --- aws-terraform/ecs/README.md | 26 ++++++++++++++------ aws-terraform/ecs/terraform.tf | 45 +++++++++++++++++----------------- 2 files changed, 40 insertions(+), 31 deletions(-) diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md index 58cf031..1f4c7df 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-terraform/ecs/README.md 
@@ -1,25 +1,35 @@ # Deploying the 1Password SCIM Bridge in AWS ECS with Terraform -This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service using Terraform. +This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service Fargate using Terraform. It's just a suggested starting point - you may be using different services for different things, this example uses only AWS products. Please familiarize yourself with [Preparation.md](../../Preparation.md) before beginning. Prerequisites -- DNS Zone -- scimsession file and bearer token +- [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and [aws-cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured +- DNS Zone in Route 53 +- scimsession file and bearer token ([follow step 1 here](https://support.1password.com/scim/)) +- an empty file `terraform.tfvars` in this directory -1. base64url encode your scimsession file and upload it to AWS Secret Manager. Take the arn and save it in terraform.tfvars with the name secret_arn. +1. Base64url encode your scimsession file (a command one could use on a mac is `cat /local/path/to/scimsession | base64 | tr -d "\n"`) and upload it to AWS Secret Manager. Take the arn and save it in terraform.tfvars with the name secret_arn. (Some details about this can be found [here](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/)) -2. Create or choose the zone you want to use and grab the zone id and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. +2. Create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. -3. 
Create the AWS Log Group in CloudWatch where you would like the logs to go. Save the name in terraform.tfvars as aws_logs_group. +3. Create the [AWS Log Group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in CloudWatch where you would like the logs to go. Save the name in terraform.tfvars as aws_logs_group. 4. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. -Your terraform.tfvars file should look something like this: +Your terraform.tfvars file should look something like this: +``` domain_name = "scim-bridge.yourcompany.com" dns_zone_id = "RANDOMLETTERS123" secret_arn = "arn:aws:secretsmanager:::secret:-BLAH" aws_logs_group = "/ecs/scim-bridge" +``` Now run the following commands: +``` +terraform init terraform apply -target=aws_acm_certificate.scim_bridge_cert -terraform apply \ No newline at end of file +terraform plan -out=./op-scim.plan +terraform apply ./op-scim.plan +``` + +After a few minutes, if you go to the SCIM Bridge URL you set, you should be able to enter your bearer token to verify that your scim bridge is up and running. Connect to your IdP using step 3 [here](https://support.1password.com/scim/) and go to your 1Password account and check that provisioning is on in Setting -> Provisioning and you should be good to go! \ No newline at end of file diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 9b3d42a..6067389 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf 
@@ -14,10 +14,10 @@ resource "aws_ecs_task_definition" "scim-bridge" { aws_logs_group = var.aws_logs_group, region = var.region }) - requires_compatibilities = ["FARGATE"] # Stating that we are using ECS Fargate - network_mode = "awsvpc" # Using awsvpc as our network mode as this is required for Fargate - memory = 512 # Specifying the memory our container requires - cpu = 256 # Specifying the CPU our container requires + requires_compatibilities = ["FARGATE"] + network_mode = "awsvpc" + memory = 512 + cpu = 256 execution_role_arn = aws_iam_role.ecsTaskExecutionRole-scim-bridge.arn } 
@@ -76,49 +76,48 @@ resource "aws_ecs_service" "scim_bridge_service" { load_balancer { target_group_arn = aws_lb_target_group.target_group_http.arn container_name = aws_ecs_task_definition.scim-bridge.family - container_port = 3002 # Specifying the container port + container_port = 3002 } network_configuration { subnets = [aws_default_subnet.default_subnet_a.id, aws_default_subnet.default_subnet_b.id, aws_default_subnet.default_subnet_c.id] - assign_public_ip = true # Providing our containers with public IPs - security_groups = [aws_security_group.service_security_group.id] # Setting the security group + assign_public_ip = true + security_groups = [aws_security_group.service_security_group.id] } } resource "aws_alb" "scim-bridge-alb" { - name = "scim-bridge-alb" # Naming our load balancer + name = "scim-bridge-alb" load_balancer_type = "application" - subnets = [ # Referencing the default subnets + subnets = [ aws_default_subnet.default_subnet_a.id, aws_default_subnet.default_subnet_b.id, aws_default_subnet.default_subnet_c.id ] - # Referencing the security group security_groups = [aws_security_group.scim-bridge-sg.id] } # Creating a security group for the load balancer: resource "aws_security_group" "scim-bridge-sg" { ingress { - from_port = 80 # Allowing traffic in from port 80 + from_port = 80 to_port = 80 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources + cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 443 to_port = 443 protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources + cidr_blocks = ["0.0.0.0/0"] } egress { - from_port = 0 # Allowing any incoming port - to_port = 0 # Allowing any outgoing port - protocol = "-1" # Allowing any outgoing protocol - cidr_blocks = ["0.0.0.0/0"] # Allowing traffic out to all IP addresses + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } } 
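Review bot: The load-balancer security group `scim-bridge-sg` admits port 80 from `0.0.0.0/0`, yet the only listener visible in this file's diff is `listener_https` on 443; unless an HTTP listener (for a redirect to HTTPS) exists outside these hunks, remove the port-80 ingress block so the ALB exposes nothing it does not serve. The service also sets `assign_public_ip = true`, which gives each Fargate task its own public address; `service_security_group`'s ingress is outside this hunk, so confirm it admits port 3002 only via `security_groups = [aws_security_group.scim-bridge-sg.id]` rather than a CIDR, so the task is reachable only through the ALB. Stripping the `# Allowing traffic in from all sources` comments is fine, but a short why-comment on the rules that remain wide open is worth keeping.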
@@ -132,10 +131,10 @@ resource "aws_security_group" "service_security_group" { } egress { - from_port = 0 # Allowing any incoming port - to_port = 0 # Allowing any outgoing port - protocol = "-1" # Allowing any outgoing protocol - cidr_blocks = ["0.0.0.0/0"] # Allowing traffic out to all IP addresses + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } } @@ -152,13 +151,13 @@ resource "aws_lb_target_group" "target_group_http" { } resource "aws_lb_listener" "listener_https" { - load_balancer_arn = aws_alb.scim-bridge-alb.arn # Referencing our load balancer + load_balancer_arn = aws_alb.scim-bridge-alb.arn port = 443 protocol = "HTTPS" certificate_arn = aws_acm_certificate.scim_bridge_cert.arn default_action { type = "forward" - target_group_arn = aws_lb_target_group.target_group_http.arn # Referencing our target group + target_group_arn = aws_lb_target_group.target_group_http.arn } } From 58b8748dd03666842f774d28075b79e0e914e160 Mon Sep 17 00:00:00 2001 From: Pierre-Alexandre St-Jean Date: Thu, 17 Dec 2020 09:57:38 -0500 Subject: [PATCH 10/17] SECRETS AND MODIFICATIONS --- .gitignore | 4 +- aws-terraform/ecs/terraform.tf | 92 +++++++++++++++++----------------- aws-terraform/ecs/variables.tf | 6 --- 3 files changed, 48 insertions(+), 54 deletions(-) diff --git a/.gitignore b/.gitignore index 652affb..535ab06 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +.DS_Store + scimsession scim.env *.deploy @@ -6,4 +8,4 @@ scim.env .terraform/ terraform.tfstate terraform.tfstate.backup -terraform.tfvars \ No newline at end of file +terraform.tfvars diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 6067389..78d68cd 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf 
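Review bot: `listener_https` sets no `ssl_policy`, so the ALB falls back to the default policy, which still negotiates TLS 1.0 and 1.1; pin it explicitly, e.g. `ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01"`, since this listener fronts a bearer-token-authenticated provisioning endpoint. The target group (outside this hunk) forwards to port 3002 over plain HTTP, which is acceptable inside the VPC but deserves a comment on the listener stating that TLS terminates at the ALB.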
@@ -3,6 +3,23 @@ provider "aws" { region = var.region } +data "aws_vpc" "default" { + default = true +} + +data "aws_subnet_ids" "default_vpc_subnets" { + vpc_id = data.aws_vpc.default.id +} + +resource "aws_secretsmanager_secret" "scimsession" { + name = "scim-bridge-scimsession" +} + +resource "aws_secretsmanager_secret_version" "scimsession_1" { + secret_id = aws_secretsmanager_secret.scimsession.id + secret_string = base64encode(file("${path.module}/scimsession")) +} + resource "aws_ecs_cluster" "scim-bridge" { name = "scim-bridge" } @@ -10,7 +27,7 @@ resource "aws_ecs_cluster" "scim-bridge" { resource "aws_ecs_task_definition" "scim-bridge" { family = "scim-bridge" container_definitions = templatefile("task-definitions/scim.json", - { secret_arn = var.secret_arn, + { secret_arn = aws_secretsmanager_secret.scimsession.arn, aws_logs_group = var.aws_logs_group, region = var.region }) @@ -18,11 +35,11 @@ resource "aws_ecs_task_definition" "scim-bridge" { network_mode = "awsvpc" memory = 512 cpu = 256 - execution_role_arn = aws_iam_role.ecsTaskExecutionRole-scim-bridge.arn + execution_role_arn = aws_iam_role.scim-bridge.arn } -resource "aws_iam_role" "ecsTaskExecutionRole-scim-bridge" { - name = "ecsTaskExecutionRole-scim-bridge" +resource "aws_iam_role" "scim-bridge" { + name = "scim-bridge-task-role" assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json } 
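Review bot: `secret_string = base64encode(file("${path.module}/scimsession"))` writes the scimsession contents, merely base64-encoded, into Terraform state in plaintext, so the state file is now as sensitive as the credential itself; .gitignore already excludes the local `terraform.tfstate`, but any remote backend must be encrypted and access-restricted, and that caveat belongs in a comment on the resource. `aws_secretsmanager_secret` uses a fixed `name`; after `terraform destroy` Secrets Manager keeps that name reserved for the default 30-day recovery window, so a re-apply fails until it expires — set `recovery_window_in_days` explicitly (0 for a throwaway example) or document the wait.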
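Review bot: The role renamed to `scim-bridge-task-role` is bound as `execution_role_arn`, i.e. the role the ECS agent uses to pull the image, ship logs and inject the secret — not a task role the container assumes, and no `task_role_arn` appears in these hunks, which is the right least-privilege default for a container that needs no AWS API access. The name invites confusion with `task_role_arn`; consider `name = "scim-bridge-execution-role"` plus a comment on the resource saying that no task role is granted on purpose.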
@@ -37,31 +54,27 @@ data "aws_iam_policy_document" "assume_role_policy" { } } -resource "aws_iam_role_policy_attachment" "ecsTaskExecutionRole_policy-scim-bridge" { - role = aws_iam_role.ecsTaskExecutionRole-scim-bridge.name +resource "aws_iam_role_policy_attachment" "scim-bridge" { + role = aws_iam_role.scim-bridge.name policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" } +data "aws_iam_policy_document" "scim" { + statement { + actions = [ + "secretsmanager:GetSecretValue", + ] + + resources = [ + aws_secretsmanager_secret.scimsession.arn, + ] + } +} + resource "aws_iam_role_policy" "scim_secret_policy" { name = "scim_secret_policy" - role = aws_iam_role.ecsTaskExecutionRole-scim-bridge.id - - policy = <<-EOF - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": [ - "${var.secret_arn}" - ] - } - ] - } - EOF + role = aws_iam_role.scim-bridge.id + policy = data.aws_iam_policy_document.scim.json } resource "aws_ecs_service" "scim_bridge_service" { @@ -80,7 +93,7 @@ resource "aws_ecs_service" "scim_bridge_service" { } network_configuration { - subnets = [aws_default_subnet.default_subnet_a.id, aws_default_subnet.default_subnet_b.id, aws_default_subnet.default_subnet_c.id] + subnets = data.aws_subnet_ids.default_vpc_subnets.ids assign_public_ip = true security_groups = [aws_security_group.service_security_group.id] } @@ -89,11 +102,7 @@ resource "aws_ecs_service" "scim_bridge_service" { resource "aws_alb" "scim-bridge-alb" { name = "scim-bridge-alb" load_balancer_type = "application" - subnets = [ - aws_default_subnet.default_subnet_a.id, - aws_default_subnet.default_subnet_b.id, - aws_default_subnet.default_subnet_c.id - ] + subnets = data.aws_subnet_ids.default_vpc_subnets.ids security_groups = [aws_security_group.scim-bridge-sg.id] } 
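Review bot: Scoping `secretsmanager:GetSecretValue` to `aws_secretsmanager_secret.scimsession.arn` through `data.aws_iam_policy_document.scim` is the right shape, and a clear improvement over the heredoc; one caveat to record in a comment on the statement is that if the secret is ever placed under a customer-managed KMS key the execution role also needs `kms:Decrypt` on that key, otherwise secret injection fails at task start. The two later hunks on this line switch both the service and the ALB to `data.aws_subnet_ids.default_vpc_subnets.ids`, i.e. every subnet of the default VPC, which are all public; acceptable for a sample, but it deserves a comment, since tasks with `assign_public_ip = true` in public subnets rely entirely on the service security group for isolation.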
@@ -143,7 +152,7 @@ resource "aws_lb_target_group" "target_group_http" { port = 3002 protocol = "HTTP" target_type = "ip" - vpc_id = aws_default_vpc.default_vpc.id # Referencing the default VPC + vpc_id = data.aws_vpc.default.id health_check { matcher = "200,301,302" path = "/" @@ -161,22 +170,6 @@ resource "aws_lb_listener" "listener_https" { } } -# Providing a reference to our default VPC -resource "aws_default_vpc" "default_vpc" { -} - -resource "aws_default_subnet" "default_subnet_a" { - availability_zone = "${var.region}a" -} - -resource "aws_default_subnet" "default_subnet_b" { - availability_zone = "${var.region}b" -} - -resource "aws_default_subnet" "default_subnet_c" { - availability_zone = "${var.region}c" -} - resource "aws_acm_certificate" "scim_bridge_cert" { domain_name = var.domain_name validation_method = "DNS" @@ -213,4 +206,9 @@ resource "aws_route53_record" "scim_bridge" { zone_id = aws_alb.scim-bridge-alb.zone_id evaluate_target_health = true } +} + +output "loadbalancer-dns-name" { + description = "The Load balancer address to set in your DNS" + value = aws_alb.scim-bridge-alb.dns_name } \ No newline at end of file diff --git a/aws-terraform/ecs/variables.tf b/aws-terraform/ecs/variables.tf index 4771e65..64bd365 100644 --- a/aws-terraform/ecs/variables.tf +++ b/aws-terraform/ecs/variables.tf @@ -4,12 +4,6 @@ variable "region" { default = "us-east-1" } - -variable "secret_arn" { - type = string - description = "" -} - variable "domain_name" { type = string description = "" From 8f4f71c0b1c419a0f4479432d1ee878cb579c87d Mon Sep 17 00:00:00 2001 From: Pierre-Alexandre St-Jean Date: Thu, 17 Dec 2020 09:57:47 -0500 Subject: [PATCH 11/17] terraform fmt --- aws-terraform/ecs/terraform.tf | 40 +++++++++++++++++----------------- aws-terraform/ecs/variables.tf | 20 ++++++++--------- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 78d68cd..c75c511 100644 
--- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -5,7 +5,7 @@ provider "aws" { data "aws_vpc" "default" { default = true -} +} data "aws_subnet_ids" "default_vpc_subnets" { vpc_id = data.aws_vpc.default.id @@ -25,12 +25,12 @@ resource "aws_ecs_cluster" "scim-bridge" { } resource "aws_ecs_task_definition" "scim-bridge" { - family = "scim-bridge" - container_definitions = templatefile("task-definitions/scim.json", - { secret_arn = aws_secretsmanager_secret.scimsession.arn, - aws_logs_group = var.aws_logs_group, - region = var.region - }) + family = "scim-bridge" + container_definitions = templatefile("task-definitions/scim.json", + { secret_arn = aws_secretsmanager_secret.scimsession.arn, + aws_logs_group = var.aws_logs_group, + region = var.region + }) requires_compatibilities = ["FARGATE"] network_mode = "awsvpc" memory = 512 @@ -72,22 +72,22 @@ data "aws_iam_policy_document" "scim" { } resource "aws_iam_role_policy" "scim_secret_policy" { - name = "scim_secret_policy" - role = aws_iam_role.scim-bridge.id + name = "scim_secret_policy" + role = aws_iam_role.scim-bridge.id policy = data.aws_iam_policy_document.scim.json } resource "aws_ecs_service" "scim_bridge_service" { - name = "scim_bridge_service" - cluster = aws_ecs_cluster.scim-bridge.id - task_definition = aws_ecs_task_definition.scim-bridge.arn - launch_type = "FARGATE" + name = "scim_bridge_service" + cluster = aws_ecs_cluster.scim-bridge.id + task_definition = aws_ecs_task_definition.scim-bridge.arn + launch_type = "FARGATE" platform_version = "1.4.0" - desired_count = 1 - depends_on = [aws_lb_listener.listener_https] + desired_count = 1 + depends_on = [aws_lb_listener.listener_https] load_balancer { - target_group_arn = aws_lb_target_group.target_group_http.arn + target_group_arn = aws_lb_target_group.target_group_http.arn container_name = aws_ecs_task_definition.scim-bridge.family container_port = 3002 } 
@@ -102,8 +102,8 @@ resource "aws_ecs_service" "scim_bridge_service" { resource "aws_alb" "scim-bridge-alb" { name = "scim-bridge-alb" load_balancer_type = "application" - subnets = data.aws_subnet_ids.default_vpc_subnets.ids - security_groups = [aws_security_group.scim-bridge-sg.id] + subnets = data.aws_subnet_ids.default_vpc_subnets.ids + security_groups = [aws_security_group.scim-bridge-sg.id] } # Creating a security group for the load balancer: @@ -155,7 +155,7 @@ resource "aws_lb_target_group" "target_group_http" { vpc_id = data.aws_vpc.default.id health_check { matcher = "200,301,302" - path = "/" + path = "/" } } @@ -210,5 +210,5 @@ resource "aws_route53_record" "scim_bridge" { output "loadbalancer-dns-name" { description = "The Load balancer address to set in your DNS" - value = aws_alb.scim-bridge-alb.dns_name + value = aws_alb.scim-bridge-alb.dns_name } \ No newline at end of file diff --git a/aws-terraform/ecs/variables.tf b/aws-terraform/ecs/variables.tf index 64bd365..67e7fd0 100644 --- a/aws-terraform/ecs/variables.tf +++ b/aws-terraform/ecs/variables.tf @@ -1,21 +1,21 @@ variable "region" { - type = string - description = "" - default = "us-east-1" + type = string + description = "" + default = "us-east-1" } variable "domain_name" { - type = string - description = "" + type = string + description = "" } variable "dns_zone_id" { - type = string - description = "" + type = string + description = "" } variable "aws_logs_group" { - type = string - description = "" - default = "/ecs/scim-bridge" + type = string + description = "" + default = "/ecs/scim-bridge" } \ No newline at end of file From ab6b75944ac76263dfa7a07e7d6fe439fad110d6 Mon Sep 17 00:00:00 2001 From: Pierre-Alexandre St-Jean Date: Thu, 17 Dec 2020 10:10:42 -0500 Subject: [PATCH 12/17] logs --- aws-terraform/ecs/README.md | 9 +++------ aws-terraform/ecs/terraform.tf | 11 ++++++++++- aws-terraform/ecs/variables.tf | 6 ------ 3 files changed, 13 insertions(+), 13 deletions(-) 
diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md index 1f4c7df..f49175c 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-terraform/ecs/README.md @@ -8,20 +8,16 @@ Prerequisites - scimsession file and bearer token ([follow step 1 here](https://support.1password.com/scim/)) - an empty file `terraform.tfvars` in this directory -1. Base64url encode your scimsession file (a command one could use on a mac is `cat /local/path/to/scimsession | base64 | tr -d "\n"`) and upload it to AWS Secret Manager. Take the arn and save it in terraform.tfvars with the name secret_arn. (Some details about this can be found [here](https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/)) +1. Have the scimsession file available in the same directory has the terraform code 2. Create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. -3. Create the [AWS Log Group](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html) in CloudWatch where you would like the logs to go. Save the name in terraform.tfvars as aws_logs_group. - -4. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. +3. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. Your terraform.tfvars file should look something like this: ``` domain_name = "scim-bridge.yourcompany.com" dns_zone_id = "RANDOMLETTERS123" -secret_arn = "arn:aws:secretsmanager:::secret:-BLAH" -aws_logs_group = "/ecs/scim-bridge" ``` Now run the following commands: 
@@ -29,6 +25,7 @@ Now run the following commands: terraform init terraform apply -target=aws_acm_certificate.scim_bridge_cert terraform plan -out=./op-scim.plan +# Validate what this plan does by reading it terraform apply ./op-scim.plan ``` diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index c75c511..1175029 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -20,6 +20,10 @@ resource "aws_secretsmanager_secret_version" "scimsession_1" { secret_string = base64encode(file("${path.module}/scimsession")) } +resource "aws_cloudwatch_log_group" "scim-bridge" { + name_prefix = "scim-bridge-logs" +} + resource "aws_ecs_cluster" "scim-bridge" { name = "scim-bridge" } @@ -28,7 +32,7 @@ resource "aws_ecs_task_definition" "scim-bridge" { family = "scim-bridge" container_definitions = templatefile("task-definitions/scim.json", { secret_arn = aws_secretsmanager_secret.scimsession.arn, - aws_logs_group = var.aws_logs_group, + aws_logs_group = aws_cloudwatch_log_group.scim-bridge.name, region = var.region }) requires_compatibilities = ["FARGATE"] @@ -211,4 +215,9 @@ resource "aws_route53_record" "scim_bridge" { output "loadbalancer-dns-name" { description = "The Load balancer address to set in your DNS" value = aws_alb.scim-bridge-alb.dns_name +} + +output "cloudwatch-log-group" { + description = "Where you can find your scim-bridge logs" + value = aws_cloudwatch_log_group.scim-bridge.name } \ No newline at end of file diff --git a/aws-terraform/ecs/variables.tf b/aws-terraform/ecs/variables.tf index 67e7fd0..6f06527 100644 --- a/aws-terraform/ecs/variables.tf +++ b/aws-terraform/ecs/variables.tf @@ -12,10 +12,4 @@ variable "domain_name" { variable "dns_zone_id" { type = string description = "" -} - -variable "aws_logs_group" { - type = string - description = "" - default = "/ecs/scim-bridge" } \ No newline at end of file From 66fc029b55b11fb98fbebe06fcf5012a074bb4aa Mon Sep 17 00:00:00 2001 
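Review bot: `aws_cloudwatch_log_group.scim-bridge` sets no `retention_in_days`, so the group defaults to never expiring; SCIM bridge and redis logs can carry identity data about provisioned users, so set an explicit retention, e.g. `retention_in_days = 30`, with a comment saying why. `name_prefix` produces a random-suffixed group name, which is why the new `cloudwatch-log-group` output is needed; that is fine, but note that each destroy/re-apply creates a fresh group rather than reusing the old one.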
From: Pierre-Alexandre St-Jean Date: Thu, 17 Dec 2020 10:34:28 -0500 Subject: [PATCH 13/17] tfvarstemplate --- aws-terraform/ecs/README.md | 9 +++++---- aws-terraform/ecs/terraform.tf | 8 ++++---- aws-terraform/ecs/terraform.tfvars.template | 4 ++++ aws-terraform/ecs/variables.tf | 4 ++-- 4 files changed, 15 insertions(+), 10 deletions(-) create mode 100644 aws-terraform/ecs/terraform.tfvars.template diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md index f49175c..a964561 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-terraform/ecs/README.md @@ -6,13 +6,14 @@ Prerequisites - [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and [aws-cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured - DNS Zone in Route 53 - scimsession file and bearer token ([follow step 1 here](https://support.1password.com/scim/)) -- an empty file `terraform.tfvars` in this directory -1. Have the scimsession file available in the same directory has the terraform code +1. Copy `terraform.tfvars.template` to `terraform.tfvars` -2. Create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. +2. Have the scimsession file available in the same directory has the terraform code -3. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. +3. Create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. + +4. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. Your terraform.tfvars file should look something like this: ``` 
diff --git a/aws-terraform/ecs/terraform.tf b/aws-terraform/ecs/terraform.tf index 1175029..d983299 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-terraform/ecs/terraform.tf @@ -1,6 +1,6 @@ provider "aws" { version = "~> 2.0" - region = var.region + region = var.aws_region } data "aws_vpc" "default" { @@ -33,7 +33,7 @@ resource "aws_ecs_task_definition" "scim-bridge" { container_definitions = templatefile("task-definitions/scim.json", { secret_arn = aws_secretsmanager_secret.scimsession.arn, aws_logs_group = aws_cloudwatch_log_group.scim-bridge.name, - region = var.region + region = var.aws_region }) requires_compatibilities = ["FARGATE"] network_mode = "awsvpc" @@ -197,11 +197,11 @@ resource "aws_route53_record" "scim_bridge_cert_validation" { records = [each.value.record] ttl = 60 type = each.value.type - zone_id = var.dns_zone_id + zone_id = var.route53_zone_id } resource "aws_route53_record" "scim_bridge" { - zone_id = var.dns_zone_id + zone_id = var.route53_zone_id name = var.domain_name type = "A" diff --git a/aws-terraform/ecs/terraform.tfvars.template b/aws-terraform/ecs/terraform.tfvars.template new file mode 100644 index 0000000..ece6ad4 --- /dev/null +++ b/aws-terraform/ecs/terraform.tfvars.template @@ -0,0 +1,4 @@ +aws_region="us-east-1" + +domain_name="FILL_ME" +route53_zone_id="FILL_ME" \ No newline at end of file diff --git a/aws-terraform/ecs/variables.tf b/aws-terraform/ecs/variables.tf index 6f06527..aefd0aa 100644 --- a/aws-terraform/ecs/variables.tf +++ b/aws-terraform/ecs/variables.tf @@ -1,4 +1,4 @@ -variable "region" { +variable "aws_region" { type = string description = "" default = "us-east-1" @@ -9,7 +9,7 @@ variable "domain_name" { description = "" } -variable "dns_zone_id" { +variable "route53_zone_id" { type = string description = "" } \ No newline at end of file From 7849d69922edfd166b3f1b3ff2a1d0bd688a8f22 Mon Sep 17 00:00:00 2001 
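Review bot: `dns_zone_id` is renamed to `route53_zone_id` in variables.tf and terraform.tf, but the README in this same commit still instructs saving the value as `dns_zone_id` and its example block keeps `dns_zone_id = "RANDOMLETTERS123"`; a user following it gets an undeclared-variable warning and is then prompted for `route53_zone_id`. Update the README text and example to `route53_zone_id = "RANDOMLETTERS123"` to match `terraform.tfvars.template`. Both renamed variables still carry `description = ""`; fill them, e.g. `description = "AWS region the cluster, ALB and log group are created in"` and `description = "Route 53 hosted zone ID used for the ACM validation and bridge A records"`.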
From: accraw <73299418+accraw@users.noreply.github.com> Date: Mon, 21 Dec 2020 09:26:05 -0400 Subject: [PATCH 14/17] Apply suggestions from code review Co-authored-by: Pierre-Alexandre St-Jean --- aws-terraform/ecs/README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/aws-terraform/ecs/README.md b/aws-terraform/ecs/README.md index a964561..6933d82 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-terraform/ecs/README.md @@ -3,8 +3,10 @@ This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service Fargate using Terraform. It's just a suggested starting point - you may be using different services for different things, this example uses only AWS products. Please familiarize yourself with [Preparation.md](../../Preparation.md) before beginning. Prerequisites -- [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) and [aws-cli](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured -- DNS Zone in Route 53 +- [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) +- AWS credentials configured (either through $HOME/.aws/credentials or environment variable) + see: [Terraform AWS authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication) +- (Optional) DNS Zone in Route 53 - scimsession file and bearer token ([follow step 1 here](https://support.1password.com/scim/)) 1. Copy `terraform.tfvars.template` to `terraform.tfvars` 
@@ -30,4 +32,4 @@ terraform plan -out=./op-scim.plan terraform apply ./op-scim.plan ``` -After a few minutes, if you go to the SCIM Bridge URL you set, you should be able to enter your bearer token to verify that your scim bridge is up and running. Connect to your IdP using step 3 [here](https://support.1password.com/scim/) and go to your 1Password account and check that provisioning is on in Setting -> Provisioning and you should be good to go! \ No newline at end of file +After a few minutes, if you go to the SCIM Bridge URL you set, you should be able to enter your bearer token to verify that your scim bridge is up and running. Connect to your IdP using step 3 [here](https://support.1password.com/scim/) and go to your 1Password account and check that provisioning is on in Setting -> Provisioning and you should be good to go! From d71abc9763f146b34c376a2727db7a7a9ac76a20 Mon Sep 17 00:00:00 2001 From: Amanda Crawley Date: Mon, 21 Dec 2020 11:10:38 -0400 Subject: [PATCH 15/17] Updated the README, added some comments, cleaned up for final review --- README.md | 3 ++- .../README.md | 12 +++++++--- .../task-definitions/scim.json | 3 +-- .../terraform.tf | 22 ++++++++++--------- .../terraform.tfvars.template | 0 .../variables.tf | 0 6 files changed, 24 insertions(+), 16 deletions(-) rename {aws-terraform/ecs => aws-ecsfargate-terraform}/README.md (65%) rename {aws-terraform/ecs => aws-ecsfargate-terraform}/task-definitions/scim.json (91%) rename {aws-terraform/ecs => aws-ecsfargate-terraform}/terraform.tf (98%) rename {aws-terraform/ecs => aws-ecsfargate-terraform}/terraform.tfvars.template (100%) rename {aws-terraform/ecs => aws-ecsfargate-terraform}/variables.tf (100%) diff --git a/README.md b/README.md index c2b00f9..dd84a26 100644 --- a/README.md +++ b/README.md 
@@ -18,7 +18,8 @@ The easiest way to deploy the SCIM bridge is with our one-click installations cu Advanced deployment are recommended when you have particular requirements for your environment. They are easily customizable and adaptable to your situation. - [Kubernetes](/kubernetes) - [Docker Compose & Docker Swarm](/docker) -- [AWS EC2 with terraform](/aws-terraform) +- [AWS EC2 with terraform](/aws-terraform) [deprecated] +- [AWS ECS Fargate with Terraform](/aws-ecsfargate-terraform) - [Azure Kubernetes Service](https://support.1password.com/cs/scim-deploy-azure/) ## Support diff --git a/aws-terraform/ecs/README.md b/aws-ecsfargate-terraform/README.md similarity index 65% rename from aws-terraform/ecs/README.md rename to aws-ecsfargate-terraform/README.md index 6933d82..303586a 100644 --- a/aws-terraform/ecs/README.md +++ b/aws-ecsfargate-terraform/README.md 
@@ -13,17 +13,20 @@ Prerequisites 2. Have the scimsession file available in the same directory has the terraform code -3. Create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. Save the full domain name you want to use as domain_name in terraform.tfvars. +3. If you are using Route53, create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. -4. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. +4. Save the full domain name you want to use as domain_name in terraform.tfvars. + +5. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. Your terraform.tfvars file should look something like this: ``` domain_name = "scim-bridge.yourcompany.com" dns_zone_id = "RANDOMLETTERS123" ``` +Note: If you are not using Route53, you don't need to set the zone id and can remove that line from the tfvars file. -Now run the following commands: +Now run the following commands (Note: If you are not using Route53 the second command is unnecessary): ``` terraform init terraform apply -target=aws_acm_certificate.scim_bridge_cert 
@@ -31,5 +34,8 @@ terraform plan -out=./op-scim.plan # Validate what this plan does by reading it terraform apply ./op-scim.plan ``` +If you are using something other than Route53 for your domain name, point your domain to the `loadbalancer-dns-name` that was printed out from your terraform apply. After a few minutes, if you go to the SCIM Bridge URL you set, you should be able to enter your bearer token to verify that your scim bridge is up and running. Connect to your IdP using step 3 [here](https://support.1password.com/scim/) and go to your 1Password account and check that provisioning is on in Setting -> Provisioning and you should be good to go! + +If you want to check out the logs for your scim bridge, in AWS go to Cloudwatch -> Log Groups and you should see the log group that was printed out at the end of your terraform apply. You can then see the scim-bridge and redis container logs. \ No newline at end of file diff --git a/aws-terraform/ecs/task-definitions/scim.json b/aws-ecsfargate-terraform/task-definitions/scim.json similarity index 91% rename from aws-terraform/ecs/task-definitions/scim.json rename to aws-ecsfargate-terraform/task-definitions/scim.json index 426bd5f..50c0a40 100644 --- a/aws-terraform/ecs/task-definitions/scim.json +++ b/aws-ecsfargate-terraform/task-definitions/scim.json @@ -17,9 +17,8 @@ "hostPort": 3002 } ], - "entrypoint": ["/op-scim/op-scim", "--redis-host=localhost"], "environment": [ - { "name": "OP_REDIS_URL", "value": "localhost" }, + { "name": "OP_REDIS_HOST", "value": "localhost" }, { "name": "OP_LETSENCRYPT_DOMAIN", "value": "" } ], "secrets": [ diff --git a/aws-terraform/ecs/terraform.tf b/aws-ecsfargate-terraform/terraform.tf similarity index 98% rename from aws-terraform/ecs/terraform.tf rename to aws-ecsfargate-terraform/terraform.tf index d983299..e150683 100644 --- a/aws-terraform/ecs/terraform.tf +++ b/aws-ecsfargate-terraform/terraform.tf 
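Review bot: Removing the `entrypoint` override means the Redis address now comes only from the renamed `OP_REDIS_HOST` variable, so if the image's default command does not read that name (the previous key was `OP_REDIS_URL`) the bridge would silently fall back to its built-in Redis default rather than fail loudly; worth confirming against the image version this task definition pins before merging. The value `localhost` works only because both containers run in the same task, and Fargate's awsvpc networking gives the containers of one task a shared network namespace — that assumption is recorded nowhere and would break if the Redis sidecar were ever split into its own service, so a sentence in the README is warranted. The context line setting `OP_LETSENCRYPT_DOMAIN` to `""` presumably means TLS is terminated at the load balancer and the bridge listens in plaintext on `3002` inside the VPC; if so, the task's security group should admit only the load balancer on that port, which this hunk cannot show.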
@@ -174,6 +174,16 @@ resource "aws_lb_listener" "listener_https" { } } +output "cloudwatch-log-group" { + description = "Where you can find your scim-bridge logs" + value = aws_cloudwatch_log_group.scim-bridge.name +} + +output "loadbalancer-dns-name" { + description = "The Load balancer address to set in your DNS" + value = aws_alb.scim-bridge-alb.dns_name +} + resource "aws_acm_certificate" "scim_bridge_cert" { domain_name = var.domain_name validation_method = "DNS" @@ -183,6 +193,8 @@ resource "aws_acm_certificate" "scim_bridge_cert" { } } +/* If you are not using AWS Route 53 and AWS Certificate Manager for your DNS, + comment out below here */ resource "aws_route53_record" "scim_bridge_cert_validation" { for_each = { for dvo in aws_acm_certificate.scim_bridge_cert.domain_validation_options : dvo.domain_name => { @@ -210,14 +222,4 @@ resource "aws_route53_record" "scim_bridge" { zone_id = aws_alb.scim-bridge-alb.zone_id evaluate_target_health = true } -} - -output "loadbalancer-dns-name" { - description = "The Load balancer address to set in your DNS" - value = aws_alb.scim-bridge-alb.dns_name -} - -output "cloudwatch-log-group" { - description = "Where you can find your scim-bridge logs" - value = aws_cloudwatch_log_group.scim-bridge.name } \ No newline at end of file diff --git a/aws-terraform/ecs/terraform.tfvars.template b/aws-ecsfargate-terraform/terraform.tfvars.template similarity index 100% rename from aws-terraform/ecs/terraform.tfvars.template rename to aws-ecsfargate-terraform/terraform.tfvars.template diff --git a/aws-terraform/ecs/variables.tf b/aws-ecsfargate-terraform/variables.tf similarity index 100% rename from aws-terraform/ecs/variables.tf rename to aws-ecsfargate-terraform/variables.tf From bae43060dcb56ab8e951514f19b58bab8747aedd Mon Sep 17 00:00:00 2001 
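Review bot: The comment added before `aws_route53_record.scim_bridge_cert_validation` tells users to hand-comment out the Route 53 resources, but `aws_acm_certificate.scim_bridge_cert` keeps `validation_method = "DNS"`, so without those records the certificate stays pending until the validation CNAMEs are published in the external DNS — a step neither this comment nor the README hunk earlier in this patch mentions, and the HTTPS listener would presumably not come up on an unvalidated certificate. Instead of a manual edit, the resources can be gated on the variable the README already asks for: `for_each = { for dvo in aws_acm_certificate.scim_bridge_cert.domain_validation_options : dvo.domain_name => { ... } if var.dns_zone_id != "" }` here, and `count = var.dns_zone_id != "" ? 1 : 0` on `aws_route53_record.scim_bridge` (whose opening lines lie outside the third hunk), with the variable defaulting to `""` in `variables.tf`, which this patch only renames. Whichever route is taken, the comment should say where the `domain_validation_options` values must be published when Route 53 is not used. The two output blocks the first hunk moves up are unchanged; the last hunk shows the file still ends without a trailing newline.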
From: Amanda Crawley Date: Mon, 21 Dec 2020 11:14:39 -0400 Subject: [PATCH 16/17] small README update --- aws-ecsfargate-terraform/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/aws-ecsfargate-terraform/README.md b/aws-ecsfargate-terraform/README.md index 303586a..1706e34 100644 --- a/aws-ecsfargate-terraform/README.md +++ b/aws-ecsfargate-terraform/README.md @@ -11,13 +11,13 @@ Prerequisites 1. Copy `terraform.tfvars.template` to `terraform.tfvars` -2. Have the scimsession file available in the same directory has the terraform code +2. Copy the `scimsession` file in the terraform code directory -3. If you are using Route53, create or choose the zone you want to use and grab the Hosted zone ID and save it as dns_zone_id in terraform.tfvars. +3. (Optional) If you use route 53, save the Route53 zone ID in the `terraform.tfvars` -4. Save the full domain name you want to use as domain_name in terraform.tfvars. +4. Save the full domain name you want to use as domain_name in terraform.tfvars -5. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1. +5. Create a region entry in terraform.tfvars for what region you're deploying in. You can omit this if you are using us-east-1 Your terraform.tfvars file should look something like this: ``` From 79aceb1d152a76be8dcb14ec69384c6fb5d8cf40 Mon Sep 17 00:00:00 2001 From: Bud Bach Date: Wed, 30 Dec 2020 17:22:40 -0600 Subject: [PATCH 17/17] Fix link to PREPARATION.md --- aws-ecsfargate-terraform/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aws-ecsfargate-terraform/README.md b/aws-ecsfargate-terraform/README.md index 1706e34..eb5a1e5 100644 --- a/aws-ecsfargate-terraform/README.md +++ b/aws-ecsfargate-terraform/README.md 
@@ -1,6 +1,6 @@ # Deploying the 1Password SCIM Bridge in AWS ECS with Terraform -This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service Fargate using Terraform. It's just a suggested starting point - you may be using different services for different things, this example uses only AWS products. Please familiarize yourself with [Preparation.md](../../Preparation.md) before beginning. +This document describes deploying the 1Password SCIM bridge to your Amazon Web Service Elastic Container Service Fargate using Terraform. It's just a suggested starting point - you may be using different services for different things, this example uses only AWS products. Please familiarize yourself with [PREPARATION.md](/PREPARATION.md) before beginning. Prerequisites - [terraform](https://learn.hashicorp.com/tutorials/terraform/install-cli) @@ -38,4 +38,4 @@ If you are using something other than Route53 for your domain name, point your d After a few minutes, if you go to the SCIM Bridge URL you set, you should be able to enter your bearer token to verify that your scim bridge is up and running. Connect to your IdP using step 3 [here](https://support.1password.com/scim/) and go to your 1Password account and check that provisioning is on in Setting -> Provisioning and you should be good to go! -If you want to check out the logs for your scim bridge, in AWS go to Cloudwatch -> Log Groups and you should see the log group that was printed out at the end of your terraform apply. You can then see the scim-bridge and redis container logs. \ No newline at end of file +If you want to check out the logs for your scim bridge, in AWS go to Cloudwatch -> Log Groups and you should see the log group that was printed out at the end of your terraform apply. You can then see the scim-bridge and redis container logs.