aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production-ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0
3.53k stars, 417 forks

Add load balancer configuration: security groups, auth #1982

Open sharepointoscar opened 3 years ago

sharepointoscar commented 3 years ago

Scenario

I provision a new environment via copilot. This provisions a Load Balancer as usual. However, I want to be able to customize the LB either at provisioning time, or after provisioning it. In this scenario, we want to configure OIDC to authenticate users.

us3r5pac3 commented 3 years ago

The customer use case would be to offload single sign-on using OpenID Connect on the Application Load Balancer: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

us3r5pac3 commented 3 years ago

I think we'd need:

  1. the authenticate-oidc and redirect action types for listener rules
  2. the fields that enable AuthenticateOidcActionConfig

h5aaimtron commented 3 years ago

Bumping this request since it is for UCLA and Oscar was requesting on our behalf at the time. We're focused on making copilot a major tool within our toolbox for AWS migration; however, there are still gaps where we must manually update resources (this being one). As you know, once we update, we lose the level of management copilot-generated stacks afford us.

Lou1415926 commented 3 years ago

The request makes a lot of sense. Thank you @us3r5pac3 and @h5aaimtron for the customer use cases and for clarifying the need!

sekamaneka commented 2 years ago

any updates on this?

Lou1415926 commented 2 years ago

Apologies - this integration isn't on our short-term sprint board yet. In the meantime, I wonder if it's possible to create a ListenerRule with OIDC configured using addons?

Resources:
  OIDCListenerRule: # Logical ID added so the template is valid CloudFormation; any name works.
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: authenticate-oidc
          Order: 1
          AuthenticateOidcConfig:
            Issuer: # The issuer URL.
            AuthorizationEndpoint: # Your authorization endpoint.
            TokenEndpoint: # Your token endpoint (required by CloudFormation).
            UserInfoEndpoint: # Your user-info endpoint (required by CloudFormation).
            ClientId: # Your client-id.
            ClientSecret: # Your client-secret.
        - Type: forward
          Order: 2
          TargetGroupArn: # Your target group ARN.
      Conditions: # Your rule conditions, e.g. the path being "/authenticate".
        - Field: path-pattern
          PathPatternConfig:
            Values:
              - "/authenticate"
      ListenerArn: # The listener ARN.
      Priority: # An integer; lower values are evaluated first.

You can take advantage of the customized Parameters section in addons to attach the addon listener rule to the ALB listener. For example, you can create addons/addons.parameters.yml and write

Parameters:
  ListenerARN: !GetAtt EnvControllerAction.HTTPListenerArn

and then refer to it in your addon template by !Ref ListenerARN.

sekamaneka commented 2 years ago

This is how I did it, but I still would prefer a native solution that also sets up Cognito, for example. Either way, we will probably go another way. Thanks for the quick response.

afgallo commented 2 years ago

This only works if we can bump up the priority of the OIDC integration to 1, which is already taken by Copilot. How can this be achieved via the add-on @Lou1415926?

iamhopaul123 commented 2 years ago

Hello @afgallo. Right now I can't think of any possible way to do that using addons as far as the priority goes. Maybe it is possible to set the path in the manifest to something that never matches and configure the real path pattern in the addons rule?

If you can use a script, we have a customer successfully using Copilot to set OIDC up here.
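Once authentication is offloaded to the ALB as discussed in this thread, the service behind it only ever sees the result as request headers: `x-amzn-oidc-data` (a JWT signed by the load balancer with ES256), plus the unsigned `x-amzn-oidc-identity` and `x-amzn-oidc-accesstoken`. Anything that can reach the task directly can set those headers, so the service must restrict ingress to the load balancer and verify the signature before trusting the identity. The following is an added example, not code from this thread or from the Copilot project, written in Go as Copilot's own language. It pins the algorithm, checks the `signer` claim against the expected load balancer ARN, enforces `exp` (assumed here to be unix seconds) and verifies the raw r||s signature. `KeyLookup`, `MintTestToken` and the ARN are assumptions introduced for the example: the lookup stands in for fetching the PEM key from `https://public-keys.auth.elb.<region>.amazonaws.com/<kid>`, and `MintTestToken` is a constructed stand-in for the load balancer so the check can be exercised offline.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// albHeader is the JOSE header of x-amzn-oidc-data; the ALB carries signer and
// exp (assumed here to be unix seconds) in the header rather than the payload.
type albHeader struct {
	Alg    string `json:"alg"`
	Kid    string `json:"kid"`
	Signer string `json:"signer"`
	Exp    int64  `json:"exp"`
}

// KeyLookup resolves a kid to the ALB's ES256 public key; production code fetches
// https://public-keys.auth.elb.<region>.amazonaws.com/<kid> (PEM) and caches it.
type KeyLookup func(kid string) (*ecdsa.PublicKey, error)

// b64 also accepts the padded segments the ALB emits, which strict JWT decoders reject.
func b64(s string) ([]byte, error) {
	s = strings.NewReplacer("+", "-", "/", "_").Replace(strings.TrimRight(s, "="))
	return base64.RawURLEncoding.DecodeString(s)
}

// VerifyALBToken returns the user claims only if alg, signer ARN, expiry and the
// ES256 signature all pass; use these, never the unsigned x-amzn-oidc-identity header.
func VerifyALBToken(token, expectedSignerARN string, lookup KeyLookup, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr albHeader
	if raw, err := b64(parts[0]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, err
	}
	switch { // pin the algorithm, the issuing load balancer and the lifetime
	case hdr.Alg != "ES256":
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	case hdr.Signer != expectedSignerARN:
		return nil, fmt.Errorf("unexpected signer %q", hdr.Signer)
	case hdr.Exp == 0 || !now.Before(time.Unix(hdr.Exp, 0)):
		return nil, errors.New("token expired or exp missing")
	}
	pub, err := lookup(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	claims := map[string]any{}
	if raw, err := b64(parts[1]); err != nil {
		return nil, err
	} else if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// MintTestToken is a constructed stand-in for the ALB so the check can run offline.
func MintTestToken(priv *ecdsa.PrivateKey, kid, signer string, exp time.Time, claims map[string]any) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(albHeader{Alg: "ES256", Kid: kid, Signer: signer, Exp: exp.Unix()})
	body, _ := json.Marshal(claims)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32]) // fixed width keeps a short r or s aligned
	s.FillBytes(sig[32:])
	return signingInput + "." + enc(sig), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	arn := "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/demo/abc123" // hypothetical ARN
	tok, _ := MintTestToken(priv, "kid-1", arn, time.Now().Add(2*time.Minute), map[string]any{"sub": "user-1"})
	fmt.Println(VerifyALBToken(tok, arn, func(string) (*ecdsa.PublicKey, error) { return &priv.PublicKey, nil }, time.Now()))
}
```

The signer check matters as much as the signature: every ALB in a region signs with keys served from the same public endpoint, so a token minted by someone else's load balancer would otherwise verify. Pair this with a task security group that only admits traffic from the load balancer's security group, since the check protects nothing if requests can bypass the ALB.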