From c7097b76df52bea80d77287bccb1157b0aaee475 Mon Sep 17 00:00:00 2001
From: Michael Kania
Date: Tue, 26 May 2020 17:22:57 -0700
Subject: [PATCH 1/4] Refactor support for cognito
---
 README.md | 1 +
 main.tf | 18 +++++++++++-------
 variables.tf | 6 ++++++
 3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index f75d669c..87b72c82 100644
--- a/README.md
+++ b/README.md
@@ -156,6 +156,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | acm\_certificate\_domain\_name | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in `route53_zone_name` | `string` | `""` | no |
+| alb\_authenticate\_cognito | Map of AWS Cognito authentication parameters to protect ALB (eg, using SAML). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-cognito-action | `any` | `{}` | no |
 | alb\_authenticate\_oidc | Map of Authenticate OIDC parameters to protect ALB (eg, using Auth0). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-oidc-action | `any` | `{}` | no |
 | alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | `list(string)` |
[
"0.0.0.0/0"
]
| no |
 | alb\_log\_bucket\_name | S3 bucket (externally created) for storing load balancer access logs. Required if alb\_logging\_enabled is true. | `string` | `""` | no |
diff --git a/main.tf b/main.tf
index 9874c10b..c09f4920 100644
--- a/main.tf
+++ b/main.tf
@@ -23,6 +23,9 @@ locals {
 secret_webhook_key = local.has_secrets ? var.atlantis_gitlab_user_token != "" ? "ATLANTIS_GITLAB_WEBHOOK_SECRET" : var.atlantis_github_user_token != "" ? "ATLANTIS_GH_WEBHOOK_SECRET" : "ATLANTIS_BITBUCKET_WEBHOOK_SECRET" : "unknown_secret_webhook_key"
+ # determine if the alb has authentication enabled, otherwise forward the traffic unauthenticated
+ alb_authenication_method = length(keys(var.alb_authenticate_oidc)) > 0 ? "authenticate-oidc" : length(keys(var.alb_authenticate_cognito)) > 0 ? "authenticate-cognito" : "forward"
+
 # Container definitions
 container_definitions = var.custom_container_definitions == "" ? var.atlantis_bitbucket_user_token != "" ? module.container_definition_bitbucket.json : module.container_definition_github_gitlab.json : var.custom_container_definitions
@@ -178,7 +181,7 @@ module "vpc" {
 ###################
 module "alb" {
 source = "terraform-aws-modules/alb/aws"
- version = "v5.5.0"
+ version = "v5.6.0"
 name = var.name
 internal = var.internal
@@ -195,12 +198,13 @@ module "alb" {
 https_listeners = [
 {
- target_group_index = 0
- port = 443
- protocol = "HTTPS"
- certificate_arn = var.certificate_arn == "" ? module.acm.this_acm_certificate_arn : var.certificate_arn
- action_type = length(keys(var.alb_authenticate_oidc)) > 0 ? "authenticate-oidc" : "forward"
- authenticate_oidc = var.alb_authenticate_oidc
+ target_group_index = 0
+ port = 443
+ protocol = "HTTPS"
+ certificate_arn = var.certificate_arn == "" ? module.acm.this_acm_certificate_arn : var.certificate_arn
+ action_type = local.alb_authenication_method
+ authenticate_oidc = var.alb_authenticate_oidc
+ authenticate_cognito = var.alb_authenticate_cognito
 },
 ]
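Review bot: The new local in the `locals` hunk is spelled `alb_authenication_method` (missing a `t`), and because the https_listeners hunk further down is its only consumer, renaming it to `alb_authentication_method` in both places is cheap now and awkward later. The comment above it should also spell out the precedence the nested conditional encodes, since an operator who fills in both maps gets OIDC with Cognito silently ignored, and one who fills in neither gets a `forward` action with no authentication at all: `# ALB default action: OIDC if set, else Cognito if set, else plain forward (no authentication).` and `# Both maps set is not rejected; OIDC wins and the Cognito map is ignored.` The locals block starts and ends outside this hunk.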
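Review bot: In the https_listeners hunk both `authenticate_oidc` and `authenticate_cognito` are handed to the ALB module unconditionally, while `action_type` selects only one of them; whether the pinned module v5.6.0 renders just the action named by `action_type` or a default action for every non-empty map cannot be seen from this hunk, and the listener's security posture should not rest on that. Confirm that behaviour in the module, or gate each map so only the selected one is non-empty before it reaches the listener. The key names the Cognito map must carry are not documented in this commit's code; the AWS provider's `authenticate_cognito` block uses `user_pool_arn`, `user_pool_client_id` and `user_pool_domain`, whereas the README example added later in this series uses `cognito_user_pool_client_id` and `cognito_user_pool_domain`, so one of the two should be checked against the module before merge. The `module "alb"` block starts and ends outside this hunk.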
diff --git a/variables.tf b/variables.tf
index 0e9b9e9c..ba1a971d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -96,6 +96,12 @@ variable "alb_authenticate_oidc" {
 default = {}
 }
+variable "alb_authenticate_cognito" {
+ description = "Map of AWS Cognito authentication parameters to protect ALB (eg, using SAML). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-cognito-action"
+ type = any
+ default = {}
+}
+
 variable "allow_unauthenticated_access" {
 description = "Whether to create ALB listener rule to allow unauthenticated access for certain CIDR blocks (eg. allow GitHub webhooks to bypass OIDC authentication)"
 type = bool
From 2e21a51389022c9478e72b084de8ea438a4546e8 Mon Sep 17 00:00:00 2001
From: Michael Kania
Date: Tue, 26 May 2020 18:58:06 -0700
Subject: [PATCH 2/4] update readme with cognito details
---
 README.md | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 87b72c82..47763fed 100644
--- a/README.md
+++ b/README.md
@@ -101,11 +101,13 @@ Make sure that both private and public subnets were created in the same set of a
 If all provided subnets are public (no NAT gateway) then `ecs_service_assign_public_ip` should be set to `true`.
-### Secure Atlantis with ALB Built-in Authentication and Auth0
+### Secure Atlantis with ALB Built-in Authentication
+
+#### Open ID Connect (OIDC)
 You can use service like [Auth0](https://www.auth0.com) to secure access to Atlantis and require authentication on ALB. To enable this, you need to create Auth0 application and provide correct arguments to Atlantis module. Make sure to update application hostname, client id and client secret:
-```
+```hcl
 alb_authenticate_oidc = {
 issuer = "https://youruser.eu.auth0.com/"
 token_endpoint = "https://youruser.eu.auth0.com/oauth/token"
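Review bot: The description of `allow_unauthenticated_access`, visible as context just below the new variable, still says `(eg. allow GitHub webhooks to bypass OIDC authentication)`; with Cognito now a second way to protect the listener, that bypass applies to either method and the text should say so, e.g. `(eg. allow GitHub webhooks to bypass ALB authentication, whether OIDC or Cognito)`. The new `alb_authenticate_cognito` description could also list the keys the map must contain rather than only linking the provider docs, with the names confirmed against the pinned alb module: `Map of AWS Cognito authentication parameters to protect ALB (eg, using SAML); requires user_pool_arn, user_pool_client_id and user_pool_domain.` Keeping `type = any` matches `alb_authenticate_oidc`, but it means a wrongly shaped value is only caught when main.tf calls `keys()` on it rather than at variable validation. The variable file continues outside the hunk.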
@@ -119,9 +121,26 @@ alb_authenticate_oidc = {
 Read more in [this post](https://medium.com/@sandrinodm/securing-your-applications-with-aws-alb-built-in-authentication-and-auth0-310ad84c8595).
-If you are using GitHub, you may allow it to trigger webhooks without authentication on ALB:
+#### AWS Cognito
+
+The AWS Cognito service allows you to define SAML providers (e.g., GSuite). The Atlantis ALB can then be configured to require SAML authentication. To enable this, specify the following arguments containing attributes for your Cognito configuration.
+
+```hcl
+alb_authenticate_cognito = {
+ user_pool_arn = "arn:aws:cognito-idp:us-west-2:1234567890:userpool/us-west-2_aBcDeFG"
+ cognito_user_pool_client_id = "clientid123"
+ cognito_user_pool_domain = "sso.your-corp.com"
+}
 ```
+
+Read more in [this post](https://medium.com/@alsmola/alb-authentication-with-g-suite-saml-using-cognito-858e35564dc8) and a helpful [SAML Cognito Terraform module](https://github.com/alloy-commons/alloy-open-source/tree/master/terraform-modules/gsuite-saml-cognito).
+
+#### Allow GitHub Webhooks Unauthenticated Access
+
+If you are using one of the authentication methods above along with commercial GitHub, you'll need to allow unauthenticated access to GitHub's Webhook static IPs:
+
+```hcl
 allow_unauthenticated_access = true
 allow_github_webhooks = true
 ```
From e116d1ccac38a38794ca78e68c94a8f3d4f18344 Mon Sep 17 00:00:00 2001
From: Michael Kania
Date: Tue, 26 May 2020 19:10:15 -0700
Subject: [PATCH 3/4] fix openid name
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 47763fed..c20ea59f 100644
--- a/README.md
+++ b/README.md
@@ -103,7 +103,7 @@ If all provided subnets are public (no NAT gateway) then `ecs_service_assign_pub
 ### Secure Atlantis with ALB Built-in Authentication
-#### Open ID Connect (OIDC)
+#### OpenID Connect (OIDC)
 You can use service like [Auth0](https://www.auth0.com) to secure access to Atlantis and require authentication on ALB. To enable this, you need to create Auth0 application and provide correct arguments to Atlantis module. Make sure to update application hostname, client id and client secret:
From 4ad9abb66ebf126416e3f9453f95a880430d1639 Mon Sep 17 00:00:00 2001
From: Michael Kania
Date: Wed, 27 May 2020 08:48:39 -0700
Subject: [PATCH 4/4] Update README based on feedback
---
 README.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index c20ea59f..4ba40d31 100644
--- a/README.md
+++ b/README.md
@@ -122,9 +122,13 @@ alb_authenticate_oidc = {
 Read more in [this post](https://medium.com/@sandrinodm/securing-your-applications-with-aws-alb-built-in-authentication-and-auth0-310ad84c8595).
-#### AWS Cognito
+#### AWS Cognito with SAML
-The AWS Cognito service allows you to define SAML providers (e.g., GSuite). The Atlantis ALB can then be configured to require SAML authentication. To enable this, specify the following arguments containing attributes for your Cognito configuration.
+The AWS Cognito service allows you to define SAML applications tied to an identity provider (e.g., GSuite). The Atlantis ALB can then be configured to require an authenticated user managed by your identity provider.
+
+To configure AWS Cognito connecting to a GSuite SAML application, you can use the [gsuite-saml-cognito](https://github.com/alloy-commons/alloy-open-source/tree/master/terraform-modules/gsuite-saml-cognito#example-usage) Terraform module.
+
+To enable Cognito authentication on the Atlantis ALB, specify the following arguments containing attributes from your Cognito configuration.
 ```hcl
 alb_authenticate_cognito = {
@@ -134,11 +138,9 @@ alb_authenticate_cognito = {
 }
 ```
-Read more in [this post](https://medium.com/@alsmola/alb-authentication-with-g-suite-saml-using-cognito-858e35564dc8) and a helpful [SAML Cognito Terraform module](https://github.com/alloy-commons/alloy-open-source/tree/master/terraform-modules/gsuite-saml-cognito).
-
 #### Allow GitHub Webhooks Unauthenticated Access
-If you are using one of the authentication methods above along with commercial GitHub, you'll need to allow unauthenticated access to GitHub's Webhook static IPs:
+If you are using one of the authentication methods above along with managed GitHub (not self-hosted enterprise version), you'll need to allow unauthenticated access to GitHub's Webhook static IPs:
 ```hcl
 allow_unauthenticated_access = true