Fix authentication action. Don't use map variable for authenticatio…
…n action (#29)

* Fix authentication action. Don't use `map` variable for authentication action

* Fix authentication action. Don't use `map` variable for authentication action
aknysh authored Apr 19, 2019
1 parent 91c88be commit b639891
Showing 8 changed files with 212 additions and 115 deletions.
71 changes: 44 additions & 27 deletions README.md
Expand Up @@ -42,6 +42,11 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are

## Usage


**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-ecs-web-app/releases).


Module usage examples:

- [without authentication](examples/without_authentication) - complete example without authentication
Expand All @@ -51,31 +56,32 @@ Module usage examples:

```
module "default-backend-web-app" {
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
name = "appname"
namespace = "eg"
stage = "testing"
vpc_id = "${module.vpc.vpc_id}"
listener_arns = "${module.alb.listener_arns}"
listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_paths = ["/*"]
codepipeline_enabled = "false"
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
namespace = "eg"
stage = "testing"
name = "appname"
vpc_id = "${module.vpc.vpc_id}"
alb_ingress_unauthenticated_listener_arns = "${module.alb.listener_arns}"
alb_ingress_unauthenticated_listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_unauthenticated_paths = ["/*"]
codepipeline_enabled = "false"
environment = [
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
}
```

Expand All @@ -100,11 +106,15 @@ Available targets:
|------|-------------|:----:|:-----:|:-----:|
| alb_arn_suffix | ARN suffix of the ALB for the Target Group | string | `` | no |
| alb_ingress_authenticated_hosts | Authenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns_count | The number of authenticated ARNs in `alb_ingress_authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_ingress_healthcheck_path | The path of the healthcheck which the ALB checks | string | `/` | no |
| alb_ingress_listener_authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_unauthenticated_priority` since a listener can't have multiple rules with the same priority | string | `300` | no |
| alb_ingress_listener_unauthenticated_priority | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_authenticated_priority` since a listener can't have multiple rules with the same priority | string | `1000` | no |
| alb_ingress_unauthenticated_hosts | Unauthenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns | A list of unauthenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns_count | The number of unauthenticated ARNs in `alb_ingress_unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_unauthenticated_paths | Unauthenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_name | Name of the ALB for the Target Group | string | `` | no |
| alb_target_group_alarms_3xx_threshold | The maximum number of 3XX HTTPCodes in a given period for ECS Service | string | `25` | no |
Expand All @@ -119,7 +129,16 @@ Available targets:
| alb_target_group_alarms_response_time_threshold | The maximum ALB Target Group response time | string | `0.5` | no |
| alb_target_group_arn | Pass target group down to module | string | `` | no |
| attributes | List of attributes to add to label | list | `<list>` | no |
| authentication_action | Authentication action to be placed in front of all other ALB listener actions to authenticate users with Cognito or OIDC. Required when `alb_ingress_authenticated_hosts` or `alb_ingress_authenticated_paths` are provided | map | `<map>` | no |
| authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
| authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string | `` | no |
| authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | string | `` | no |
| authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string | `` | no |
| authentication_oidc_client_id | OIDC Client ID | string | `` | no |
| authentication_oidc_client_secret | OIDC Client Secret | string | `` | no |
| authentication_oidc_issuer | OIDC Issuer | string | `` | no |
| authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
| authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |
| authentication_type | Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE` | string | `NONE` | no |
| autoscaling_dimension | Dimension to autoscale on (valid options: cpu, memory) | string | `memory` | no |
| autoscaling_enabled | A boolean to enable/disable Autoscaling policy for ECS Service | string | `false` | no |
| autoscaling_max_capacity | Maximum number of running instances of a Service | string | `2` | no |
Expand Down Expand Up @@ -174,8 +193,6 @@ Available targets:
| healthcheck | A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | map | `<map>` | no |
| host_port | The port number to bind container_port to on the host | string | `` | no |
| launch_type | The ECS launch type (valid options: FARGATE or EC2) | string | `FARGATE` | no |
| listener_arns | List of ALB Listener ARNs for the ECS service | list | - | yes |
| listener_arns_count | Number of elements in list of ALB Listener ARNs for the ECS service | string | - | yes |
| name | Name (unique identifier for app or service) | string | - | yes |
| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
| poll_source_changes | Periodically check the location of your source content and run the pipeline if changes are detected | string | `false` | no |
49 changes: 25 additions & 24 deletions README.yaml
Expand Up @@ -79,31 +79,32 @@ usage: |-
```
module "default-backend-web-app" {
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
name = "appname"
namespace = "eg"
stage = "testing"
vpc_id = "${module.vpc.vpc_id}"
listener_arns = "${module.alb.listener_arns}"
listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_paths = ["/*"]
codepipeline_enabled = "false"
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
namespace = "eg"
stage = "testing"
name = "appname"
vpc_id = "${module.vpc.vpc_id}"
alb_ingress_unauthenticated_listener_arns = "${module.alb.listener_arns}"
alb_ingress_unauthenticated_listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_unauthenticated_paths = ["/*"]
codepipeline_enabled = "false"
environment = [
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
}
```
17 changes: 14 additions & 3 deletions docs/terraform.md
Expand Up @@ -4,11 +4,15 @@
|------|-------------|:----:|:-----:|:-----:|
| alb_arn_suffix | ARN suffix of the ALB for the Target Group | string | `` | no |
| alb_ingress_authenticated_hosts | Authenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns_count | The number of authenticated ARNs in `alb_ingress_authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_ingress_healthcheck_path | The path of the healthcheck which the ALB checks | string | `/` | no |
| alb_ingress_listener_authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_unauthenticated_priority` since a listener can't have multiple rules with the same priority | string | `300` | no |
| alb_ingress_listener_unauthenticated_priority | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_authenticated_priority` since a listener can't have multiple rules with the same priority | string | `1000` | no |
| alb_ingress_unauthenticated_hosts | Unauthenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns | A list of unauthenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns_count | The number of unauthenticated ARNs in `alb_ingress_unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_unauthenticated_paths | Unauthenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_name | Name of the ALB for the Target Group | string | `` | no |
| alb_target_group_alarms_3xx_threshold | The maximum number of 3XX HTTPCodes in a given period for ECS Service | string | `25` | no |
Expand All @@ -23,7 +27,16 @@
| alb_target_group_alarms_response_time_threshold | The maximum ALB Target Group response time | string | `0.5` | no |
| alb_target_group_arn | Pass target group down to module | string | `` | no |
| attributes | List of attributes to add to label | list | `<list>` | no |
| authentication_action | Authentication action to be placed in front of all other ALB listener actions to authenticate users with Cognito or OIDC. Required when `alb_ingress_authenticated_hosts` or `alb_ingress_authenticated_paths` are provided | map | `<map>` | no |
| authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
| authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string | `` | no |
| authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | string | `` | no |
| authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string | `` | no |
| authentication_oidc_client_id | OIDC Client ID | string | `` | no |
| authentication_oidc_client_secret | OIDC Client Secret | string | `` | no |
| authentication_oidc_issuer | OIDC Issuer | string | `` | no |
| authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
| authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |
| authentication_type | Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE` | string | `NONE` | no |
| autoscaling_dimension | Dimension to autoscale on (valid options: cpu, memory) | string | `memory` | no |
| autoscaling_enabled | A boolean to enable/disable Autoscaling policy for ECS Service | string | `false` | no |
| autoscaling_max_capacity | Maximum number of running instances of a Service | string | `2` | no |
Expand Down Expand Up @@ -78,8 +91,6 @@
| healthcheck | A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | map | `<map>` | no |
| host_port | The port number to bind container_port to on the host | string | `` | no |
| launch_type | The ECS launch type (valid options: FARGATE or EC2) | string | `FARGATE` | no |
| listener_arns | List of ALB Listener ARNs for the ECS service | list | - | yes |
| listener_arns_count | Number of elements in list of ALB Listener ARNs for the ECS service | string | - | yes |
| name | Name (unique identifier for app or service) | string | - | yes |
| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
| poll_source_changes | Periodically check the location of your source content and run the pipeline if changes are detected | string | `false` | no |
18 changes: 6 additions & 12 deletions examples/with_cognito_authentication/main.tf
Expand Up @@ -130,8 +130,8 @@ module "web_app" {
alb_ingress_healthcheck_path = "/"

# NOTE: Cognito and OIDC authentication only supported on HTTPS endpoints; here we provide `https_listener_arn` from ALB
listener_arns = ["${module.alb.https_listener_arn}"]
listener_arns_count = 1
alb_ingress_authenticated_listener_arns = ["${module.alb.https_listener_arn}"]
alb_ingress_authenticated_listener_arns_count = 1

# Unauthenticated paths (with higher priority than the authenticated paths)
alb_ingress_unauthenticated_paths = ["/events"]
Expand All @@ -141,14 +141,8 @@ module "web_app" {
alb_ingress_authenticated_paths = ["/*"]
alb_ingress_listener_authenticated_priority = "100"

# https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html
authentication_action = {
type = "authenticate-cognito"

authenticate_cognito = [{
user_pool_arn = "${var.cognito_user_pool_arn}"
user_pool_client_id = "${var.cognito_user_pool_client_id}"
user_pool_domain = "${var.cognito_user_pool_domain}"
}]
}
authentication_type = "COGNITO"
authentication_cognito_user_pool_arn = "${var.cognito_user_pool_arn}"
authentication_cognito_user_pool_client_id = "${var.cognito_user_pool_client_id}"
authentication_cognito_user_pool_domain = "${var.cognito_user_pool_domain}"
}
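Review bot: Within the visible lines of this example only `alb_ingress_authenticated_listener_arns` / `_count` are populated, yet the unchanged context still declares `alb_ingress_unauthenticated_paths = ["/events"]`; the README tables in this same commit document a separate `alb_ingress_unauthenticated_listener_arns` / `alb_ingress_unauthenticated_listener_arns_count` pair with empty defaults, so unless those are set in the collapsed lines between the two hunks, the unauthenticated `/events` rule may presumably have no listener to attach to. Worth confirming against the module, and if the omission is deliberate, saying so in a comment next to the `/events` line. The same observation applies to examples/with_google_oidc_authentication/main.tf, which has the identical structure. The enclosing `module "web_app"` block starts above the first hunk, so the collapsed region cannot be checked from here.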
27 changes: 9 additions & 18 deletions examples/with_google_oidc_authentication/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -130,8 +130,8 @@ module "web_app" {
alb_ingress_healthcheck_path = "/"

# NOTE: Cognito and OIDC authentication only supported on HTTPS endpoints; here we provide `https_listener_arn` from ALB
listener_arns = ["${module.alb.https_listener_arn}"]
listener_arns_count = 1
alb_ingress_authenticated_listener_arns = ["${module.alb.https_listener_arn}"]
alb_ingress_authenticated_listener_arns_count = 1

# Unauthenticated paths (with higher priority than the authenticated paths)
alb_ingress_unauthenticated_paths = ["/events"]
Expand All @@ -141,20 +141,11 @@ module "web_app" {
alb_ingress_authenticated_paths = ["/*"]
alb_ingress_listener_authenticated_priority = "100"

# https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html
authentication_action = {
type = "authenticate-oidc"

authenticate_oidc = [{
# Use this URL to create a Google OAuth 2.0 Client and obtain the Client ID and Client Secret: https://console.developers.google.com/apis/credentials
client_id = "${var.google_oidc_client_id}"
client_secret = "${var.google_oidc_client_secret}"

# Use this URL to get Google Auth endpoints: https://accounts.google.com/.well-known/openid-configuration
issuer = "https://accounts.google.com"
authorization_endpoint = "https://accounts.google.com/o/oauth2/v2/auth"
token_endpoint = "https://oauth2.googleapis.com/token"
user_info_endpoint = "https://openidconnect.googleapis.com/v1/userinfo"
}]
}
authentication_type = "OIDC"
authentication_oidc_client_id = "${var.google_oidc_client_id}"
authentication_oidc_client_secret = "${var.google_oidc_client_secret}"
authentication_oidc_issuer = "https://accounts.google.com"
authentication_oidc_authorization_endpoint = "https://accounts.google.com/o/oauth2/v2/auth"
authentication_oidc_token_endpoint = "https://oauth2.googleapis.com/token"
authentication_oidc_user_info_endpoint = "https://openidconnect.googleapis.com/v1/userinfo"
}
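Review bot: The rewrite drops the two comments that explained where the hard-coded Google values come from, so `authentication_oidc_issuer`, `authentication_oidc_authorization_endpoint`, `authentication_oidc_token_endpoint` and `authentication_oidc_user_info_endpoint` now read as magic strings; suggest restoring them, above `authentication_oidc_client_id`: `# Create the Google OAuth 2.0 Client (Client ID and Client Secret) at https://console.developers.google.com/apis/credentials` and above `authentication_oidc_issuer`: `# Endpoints taken from https://accounts.google.com/.well-known/openid-configuration`. `authentication_oidc_client_secret` is passed as a plain string variable; however the module consumes it, the value will be recorded in Terraform state, so a one-line comment that state for this example should be stored encrypted and access-restricted would help readers (the variables file is not visible here, so this is inferred). The enclosing `module "web_app"` block starts above the first hunk.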
4 changes: 2 additions & 2 deletions examples/without_authentication/main.tf
Expand Up @@ -130,8 +130,8 @@ module "web_app" {
alb_ingress_healthcheck_path = "/"

# Without authentication, both HTTP and HTTPS endpoints are supported
listener_arns = ["${module.alb.listener_arns}"]
listener_arns_count = 2
alb_ingress_unauthenticated_listener_arns = ["${module.alb.listener_arns}"]
alb_ingress_unauthenticated_listener_arns_count = 2

# All paths are unauthenticated
alb_ingress_unauthenticated_paths = ["/*"]