Fix authentication action. Don't use map variable for authentication action #29

Merged
merged 2 commits into from
Apr 19, 2019
71 changes: 44 additions & 27 deletions README.md
Expand Up @@ -42,6 +42,11 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are

## Usage


**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-ecs-web-app/releases).


Module usage examples:

- [without authentication](examples/without_authentication) - complete example without authentication
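Review bot: the pinning advice added in this hunk is contradicted by the usage example that follows it in the same file, which still reads `source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"`; switch the example to a release tag so readers who copy it get the behaviour the note asks for. A tag such as `?ref=tags/x.y.z` is also still a mutable git ref, so for a supply-chain-grade pin the note could mention that referencing a commit SHA is the only immutable option.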
Expand All @@ -51,31 +56,32 @@ Module usage examples:

```
module "default-backend-web-app" {
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
name = "appname"
namespace = "eg"
stage = "testing"
vpc_id = "${module.vpc.vpc_id}"
listener_arns = "${module.alb.listener_arns}"
listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_paths = ["/*"]
codepipeline_enabled = "false"
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
namespace = "eg"
stage = "testing"
name = "appname"
vpc_id = "${module.vpc.vpc_id}"
alb_ingress_unauthenticated_listener_arns = "${module.alb.listener_arns}"
alb_ingress_unauthenticated_listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_unauthenticated_paths = ["/*"]
codepipeline_enabled = "false"

environment = [
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
}
```
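Review bot: `alb_ingress_unauthenticated_listener_arns_count = "1"` does not obviously match the list passed in `alb_ingress_unauthenticated_listener_arns = "${module.alb.listener_arns}"`; the same ALB output is consumed in `examples/without_authentication/main.tf` with a count of `2` (HTTP and HTTPS listeners). The count exists only because Terraform cannot compute `count` from the list, so a value smaller than the list length creates rules for the first N listeners and silently skips the rest; make the README block and the example under `examples/` agree. Separately, `COOKIE = "cookiemonster"` is set as a plaintext container environment variable, which anyone allowed to call `ecs:DescribeTaskDefinition` can read, so the example should not leave the impression that this is where real secrets go.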

Expand All @@ -100,11 +106,15 @@ Available targets:
|------|-------------|:----:|:-----:|:-----:|
| alb_arn_suffix | ARN suffix of the ALB for the Target Group | string | `` | no |
| alb_ingress_authenticated_hosts | Authenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns_count | The number of authenticated ARNs in `alb_ingress_authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_ingress_healthcheck_path | The path of the healthcheck which the ALB checks | string | `/` | no |
| alb_ingress_listener_authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_unauthenticated_priority` since a listener can't have multiple rules with the same priority | string | `300` | no |
| alb_ingress_listener_unauthenticated_priority | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_authenticated_priority` since a listener can't have multiple rules with the same priority | string | `1000` | no |
| alb_ingress_unauthenticated_hosts | Unauthenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns | A list of unauthenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns_count | The number of unauthenticated ARNs in `alb_ingress_unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_unauthenticated_paths | Unauthenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_name | Name of the ALB for the Target Group | string | `` | no |
| alb_target_group_alarms_3xx_threshold | The maximum number of 3XX HTTPCodes in a given period for ECS Service | string | `25` | no |
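Review bot: the new priority defaults (`300` for authenticated rules, `1000` for unauthenticated) mean that where an authenticated and an unauthenticated pattern overlap, the authenticated rule is evaluated first and wins, which fails closed; that is the right default, but the table should say so, because the examples under `examples/` invert it (authenticated `/*` at priority `100` with unauthenticated `/events` ahead of it), and in that arrangement every request matching the unauthenticated pattern bypasses authentication entirely. Suggest adding to both priority rows: "If a request matches both an authenticated and an unauthenticated rule, the rule with the lower priority number is applied; keep unauthenticated patterns as narrow as possible when they are given the lower number."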
Expand All @@ -119,7 +129,16 @@ Available targets:
| alb_target_group_alarms_response_time_threshold | The maximum ALB Target Group response time | string | `0.5` | no |
| alb_target_group_arn | Pass target group down to module | string | `` | no |
| attributes | List of attributes to add to label | list | `<list>` | no |
| authentication_action | Authentication action to be placed in front of all other ALB listener actions to authenticate users with Cognito or OIDC. Required when `alb_ingress_authenticated_hosts` or `alb_ingress_authenticated_paths` are provided | map | `<map>` | no |
| authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
| authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string | `` | no |
| authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | string | `` | no |
| authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string | `` | no |
| authentication_oidc_client_id | OIDC Client ID | string | `` | no |
| authentication_oidc_client_secret | OIDC Client Secret | string | `` | no |
| authentication_oidc_issuer | OIDC Issuer | string | `` | no |
| authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
| authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |
| authentication_type | Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE` | string | `NONE` | no |
| autoscaling_dimension | Dimension to autoscale on (valid options: cpu, memory) | string | `memory` | no |
| autoscaling_enabled | A boolean to enable/disable Autoscaling policy for ECS Service | string | `false` | no |
| autoscaling_max_capacity | Maximum number of running instances of a Service | string | `2` | no |
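Review bot: the removed `authentication_action` row carried the constraint "Required when `alb_ingress_authenticated_hosts` or `alb_ingress_authenticated_paths` are provided", and none of the nine replacement rows restores it; with `authentication_type` defaulting to `NONE`, a caller who sets authenticated paths but forgets the type will, depending on how the module branches, either get a plan error or get listener rules with no authenticate action in front of them. Put the constraint back on `authentication_type` ("must be `COGNITO` or `OIDC` when authenticated hosts or paths are set") and, if the module does not already fail the plan in that case, make it do so rather than silently emitting a forward-only rule.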
Expand Down Expand Up @@ -174,8 +193,6 @@ Available targets:
| healthcheck | A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | map | `<map>` | no |
| host_port | The port number to bind container_port to on the host | string | `` | no |
| launch_type | The ECS launch type (valid options: FARGATE or EC2) | string | `FARGATE` | no |
| listener_arns | List of ALB Listener ARNs for the ECS service | list | - | yes |
| listener_arns_count | Number of elements in list of ALB Listener ARNs for the ECS service | string | - | yes |
| name | Name (unique identifier for app or service) | string | - | yes |
| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
| poll_source_changes | Periodically check the location of your source content and run the pipeline if changes are detected | string | `false` | no |
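Review bot: `listener_arns` and `listener_arns_count` were the module's only required listener inputs, so dropping them is a breaking change for every existing caller, which is exactly why the new IMPORTANT note about pinning to a release tag matters; call the rename out in the release notes and consider keeping the old names for one release as deprecated aliases. After this change no listener input is required at all: a call that sets neither `alb_ingress_authenticated_listener_arns` nor `alb_ingress_unauthenticated_listener_arns` plans cleanly and produces a service with no listener rules, so document that at least one of the two must be non-empty.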
49 changes: 25 additions & 24 deletions README.yaml
Expand Up @@ -79,31 +79,32 @@ usage: |-

```
module "default-backend-web-app" {
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
name = "appname"
namespace = "eg"
stage = "testing"
vpc_id = "${module.vpc.vpc_id}"
listener_arns = "${module.alb.listener_arns}"
listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_paths = ["/*"]
codepipeline_enabled = "false"
source = "git::https://github.com/cloudposse/terraform-aws-ecs-web-app.git?ref=master"
namespace = "eg"
stage = "testing"
name = "appname"
vpc_id = "${module.vpc.vpc_id}"
alb_ingress_unauthenticated_listener_arns = "${module.alb.listener_arns}"
alb_ingress_unauthenticated_listener_arns_count = "1"
aws_logs_region = "us-west-2"
ecs_cluster_arn = "${aws_ecs_cluster.default.arn}"
ecs_cluster_name = "${aws_ecs_cluster.default.name}"
ecs_security_group_ids = ["${module.vpc.vpc_default_security_group_id}"]
ecs_private_subnet_ids = ["${module.subnets.private_subnet_ids}"]
alb_ingress_healthcheck_path = "/healthz"
alb_ingress_unauthenticated_paths = ["/*"]
codepipeline_enabled = "false"

environment = [
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
{
name = "COOKIE"
value = "cookiemonster"
},
{
name = "PORT"
value = "80"
}
]
}
```
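Review bot: the `usage:` key indicates README.md is rendered from this file, so the fixes belong here rather than in README.md alone: `source` still pins `?ref=master` despite the new IMPORTANT note telling readers not to, and `alb_ingress_unauthenticated_listener_arns_count = "1"` disagrees with the `2` used for the same `module.alb.listener_arns` output in `examples/without_authentication/main.tf`. Correct the values here so the regenerated README.md picks them up.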

17 changes: 14 additions & 3 deletions docs/terraform.md
Expand Up @@ -4,11 +4,15 @@
|------|-------------|:----:|:-----:|:-----:|
| alb_arn_suffix | ARN suffix of the ALB for the Target Group | string | `` | no |
| alb_ingress_authenticated_hosts | Authenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns | A list of authenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_authenticated_listener_arns_count | The number of authenticated ARNs in `alb_ingress_authenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_authenticated_paths | Authenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_ingress_healthcheck_path | The path of the healthcheck which the ALB checks | string | `/` | no |
| alb_ingress_listener_authenticated_priority | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_unauthenticated_priority` since a listener can't have multiple rules with the same priority | string | `300` | no |
| alb_ingress_listener_unauthenticated_priority | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `alb_ingress_listener_authenticated_priority` since a listener can't have multiple rules with the same priority | string | `1000` | no |
| alb_ingress_unauthenticated_hosts | Unauthenticated hosts to match in Hosts header | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns | A list of unauthenticated ALB listener ARNs to attach ALB listener rules to | list | `<list>` | no |
| alb_ingress_unauthenticated_listener_arns_count | The number of unauthenticated ARNs in `alb_ingress_unauthenticated_listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed | string | `0` | no |
| alb_ingress_unauthenticated_paths | Unauthenticated path pattern to match (a maximum of 1 can be defined) | list | `<list>` | no |
| alb_name | Name of the ALB for the Target Group | string | `` | no |
| alb_target_group_alarms_3xx_threshold | The maximum number of 3XX HTTPCodes in a given period for ECS Service | string | `25` | no |
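Review bot: both new `_count` inputs default to `0`, and the module needs them because Terraform cannot compute `count` from the list; the consequence, which the descriptions should spell out, is that supplying `alb_ingress_authenticated_listener_arns` while leaving its count at `0` plans cleanly, attaches no listener rule, and the service silently never receives traffic. Suggest wording such as "Must equal the number of elements in `alb_ingress_authenticated_listener_arns`; a value of `0` creates no rules", and the same for the unauthenticated pair.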
Expand All @@ -23,7 +27,16 @@
| alb_target_group_alarms_response_time_threshold | The maximum ALB Target Group response time | string | `0.5` | no |
| alb_target_group_arn | Pass target group down to module | string | `` | no |
| attributes | List of attributes to add to label | list | `<list>` | no |
| authentication_action | Authentication action to be placed in front of all other ALB listener actions to authenticate users with Cognito or OIDC. Required when `alb_ingress_authenticated_hosts` or `alb_ingress_authenticated_paths` are provided | map | `<map>` | no |
| authentication_cognito_user_pool_arn | Cognito User Pool ARN | string | `` | no |
| authentication_cognito_user_pool_client_id | Cognito User Pool Client ID | string | `` | no |
| authentication_cognito_user_pool_domain | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | string | `` | no |
| authentication_oidc_authorization_endpoint | OIDC Authorization Endpoint | string | `` | no |
| authentication_oidc_client_id | OIDC Client ID | string | `` | no |
| authentication_oidc_client_secret | OIDC Client Secret | string | `` | no |
| authentication_oidc_issuer | OIDC Issuer | string | `` | no |
| authentication_oidc_token_endpoint | OIDC Token Endpoint | string | `` | no |
| authentication_oidc_user_info_endpoint | OIDC User Info Endpoint | string | `` | no |
| authentication_type | Authentication type. Supported values are `COGNITO`, `OIDC`, `NONE` | string | `NONE` | no |
| autoscaling_dimension | Dimension to autoscale on (valid options: cpu, memory) | string | `memory` | no |
| autoscaling_enabled | A boolean to enable/disable Autoscaling policy for ECS Service | string | `false` | no |
| autoscaling_max_capacity | Maximum number of running instances of a Service | string | `2` | no |
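Review bot: `authentication_oidc_client_secret` is an ordinary string input, so its value appears in `terraform plan` output and is stored in plaintext in the state file; the row should say so and recommend supplying it from a secret store at apply time and encrypting the state backend. Relatedly, `authentication_type` lists `COGNITO`, `OIDC` and `NONE` as the supported values but nothing visible validates them; if a typo such as `oidc` falls through to the `NONE` branch, authentication is removed without an error, so the module should reject unknown values explicitly.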
Expand Down Expand Up @@ -78,8 +91,6 @@
| healthcheck | A map containing command (string), interval (duration in seconds), retries (1-10, number of times to retry before marking container unhealthy, and startPeriod (0-300, optional grace period to wait, in seconds, before failed healthchecks count toward retries) | map | `<map>` | no |
| host_port | The port number to bind container_port to on the host | string | `` | no |
| launch_type | The ECS launch type (valid options: FARGATE or EC2) | string | `FARGATE` | no |
| listener_arns | List of ALB Listener ARNs for the ECS service | list | - | yes |
| listener_arns_count | Number of elements in list of ALB Listener ARNs for the ECS service | string | - | yes |
| name | Name (unique identifier for app or service) | string | - | yes |
| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
| poll_source_changes | Periodically check the location of your source content and run the pipeline if changes are detected | string | `false` | no |
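Review bot: removing the two required rows `listener_arns` and `listener_arns_count` leaves this table with no required listener input, so the docs should state that at least one of `alb_ingress_authenticated_listener_arns` or `alb_ingress_unauthenticated_listener_arns` (with its matching `_count`) must be non-empty, otherwise the module creates a service that nothing routes to. The rename itself is breaking for every caller pinned to an earlier version and deserves a line in the release notes.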
18 changes: 6 additions & 12 deletions examples/with_cognito_authentication/main.tf
Expand Up @@ -130,8 +130,8 @@ module "web_app" {
alb_ingress_healthcheck_path = "/"

# NOTE: Cognito and OIDC authentication only supported on HTTPS endpoints; here we provide `https_listener_arn` from ALB
listener_arns = ["${module.alb.https_listener_arn}"]
listener_arns_count = 1
alb_ingress_authenticated_listener_arns = ["${module.alb.https_listener_arn}"]
alb_ingress_authenticated_listener_arns_count = 1

# Unauthenticated paths (with higher priority than the authenticated paths)
alb_ingress_unauthenticated_paths = ["/events"]
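Review bot: this example sets `alb_ingress_authenticated_listener_arns` but never `alb_ingress_unauthenticated_listener_arns`, whose default is empty with a count of `0`; given that the unauthenticated listener list is what the unauthenticated rules attach to, the `alb_ingress_unauthenticated_paths = ["/events"]` rule would never be created and `/events` would end up behind Cognito like everything else. Either pass `module.alb.https_listener_arn` to both lists with both counts set to `1`, or, if the module attaches unauthenticated rules to the authenticated listeners as well, say so in the variable description. The NOTE comment is correct that Cognito and OIDC actions only work on HTTPS listeners.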
Expand All @@ -141,14 +141,8 @@ module "web_app" {
alb_ingress_authenticated_paths = ["/*"]
alb_ingress_listener_authenticated_priority = "100"

# https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html
authentication_action = {
type = "authenticate-cognito"

authenticate_cognito = [{
user_pool_arn = "${var.cognito_user_pool_arn}"
user_pool_client_id = "${var.cognito_user_pool_client_id}"
user_pool_domain = "${var.cognito_user_pool_domain}"
}]
}
authentication_type = "COGNITO"
authentication_cognito_user_pool_arn = "${var.cognito_user_pool_arn}"
authentication_cognito_user_pool_client_id = "${var.cognito_user_pool_client_id}"
authentication_cognito_user_pool_domain = "${var.cognito_user_pool_domain}"
}
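Review bot: the flattened inputs cover the three required `authenticate_cognito` fields, but the removed map could also carry the optional ALB listener-rule settings (`on_unauthenticated_request`, `scope`, `session_cookie_name`, `session_timeout`, `authentication_request_extra_params`); since no replacement variables exist for those, the module must now hardcode them, and the values it uses, in particular `on_unauthenticated_request`, which decides whether an unauthenticated client is redirected to the login page, denied, or allowed through, should be stated in the variable docs. A comment in the example would also help: the Cognito app client referenced by `cognito_user_pool_client_id` must have `https://<alb hostname>/oauth2/idpresponse` registered as a callback URL, or the redirect back from Cognito fails.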
27 changes: 9 additions & 18 deletions examples/with_google_oidc_authentication/main.tf
Expand Up @@ -130,8 +130,8 @@ module "web_app" {
alb_ingress_healthcheck_path = "/"

# NOTE: Cognito and OIDC authentication only supported on HTTPS endpoints; here we provide `https_listener_arn` from ALB
listener_arns = ["${module.alb.https_listener_arn}"]
listener_arns_count = 1
alb_ingress_authenticated_listener_arns = ["${module.alb.https_listener_arn}"]
alb_ingress_authenticated_listener_arns_count = 1

# Unauthenticated paths (with higher priority than the authenticated paths)
alb_ingress_unauthenticated_paths = ["/events"]
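Review bot: as in the Cognito example, only `alb_ingress_authenticated_listener_arns` is populated here while `alb_ingress_unauthenticated_paths = ["/events"]` relies on the unauthenticated listener list, which is left at its empty default with count `0`; unless the module also attaches unauthenticated rules to the authenticated listeners, the `/events` rule is never created. Pass `module.alb.https_listener_arn` to `alb_ingress_unauthenticated_listener_arns` with `alb_ingress_unauthenticated_listener_arns_count = 1` as well.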
Expand All @@ -141,20 +141,11 @@ module "web_app" {
alb_ingress_authenticated_paths = ["/*"]
alb_ingress_listener_authenticated_priority = "100"

# https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html
authentication_action = {
type = "authenticate-oidc"

authenticate_oidc = [{
# Use this URL to create a Google OAuth 2.0 Client and obtain the Client ID and Client Secret: https://console.developers.google.com/apis/credentials
client_id = "${var.google_oidc_client_id}"
client_secret = "${var.google_oidc_client_secret}"

# Use this URL to get Google Auth endpoints: https://accounts.google.com/.well-known/openid-configuration
issuer = "https://accounts.google.com"
authorization_endpoint = "https://accounts.google.com/o/oauth2/v2/auth"
token_endpoint = "https://oauth2.googleapis.com/token"
user_info_endpoint = "https://openidconnect.googleapis.com/v1/userinfo"
}]
}
authentication_type = "OIDC"
authentication_oidc_client_id = "${var.google_oidc_client_id}"
authentication_oidc_client_secret = "${var.google_oidc_client_secret}"
authentication_oidc_issuer = "https://accounts.google.com"
authentication_oidc_authorization_endpoint = "https://accounts.google.com/o/oauth2/v2/auth"
authentication_oidc_token_endpoint = "https://oauth2.googleapis.com/token"
authentication_oidc_user_info_endpoint = "https://openidconnect.googleapis.com/v1/userinfo"
}
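Review bot: with `authentication_oidc_issuer = "https://accounts.google.com"` the ALB authenticates any Google account that completes the OAuth flow; it performs authentication only, not authorization, so unless the Google OAuth client is restricted to your organization's domain, the application behind the ALB must itself check the identity claims (`email`, `hd`) in the `x-amzn-oidc-data` JWT the ALB forwards, and the example should say so. Two useful comments were also dropped in this rewrite: the pointer to https://console.developers.google.com/apis/credentials for creating the client, and the pointer to https://accounts.google.com/.well-known/openid-configuration, against which the four hardcoded endpoints can be verified; restore both. Finally, `google_oidc_client_secret` flows into Terraform state in plaintext, so keep it out of committed tfvars.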
4 changes: 2 additions & 2 deletions examples/without_authentication/main.tf
Expand Up @@ -130,8 +130,8 @@ module "web_app" {
alb_ingress_healthcheck_path = "/"

# Without authentication, both HTTP and HTTPS endpoints are supported
listener_arns = ["${module.alb.listener_arns}"]
listener_arns_count = 2
alb_ingress_unauthenticated_listener_arns = ["${module.alb.listener_arns}"]
alb_ingress_unauthenticated_listener_arns_count = 2

# All paths are unauthenticated
alb_ingress_unauthenticated_paths = ["/*"]
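Review bot: `alb_ingress_unauthenticated_listener_arns_count = 2` hardcodes the assumption that `module.alb.listener_arns` contains exactly the HTTP and HTTPS listeners, while the README usage block passes the same output with a count of `"1"`, so one of the two is wrong for any given ALB configuration; make them agree and state the assumption in the comment. Since this example deliberately serves `/*` on the plain-HTTP listener as well, a sentence noting that production deployments should redirect HTTP to HTTPS rather than serving the app over both would be worthwhile.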