copilot-cli

Add load balancer configuration: security groups, auth

Open sharepointoscar opened this issue 4 years ago • 9 comments

Scenario

I provision a new environment via copilot. This provisions a Load Balancer as usual. However, I want to be able to customize the LB either at provisioning time, or after provisioning it. In this scenario, we want to configure OIDC to authenticate users.

sharepointoscar, Feb 26 '21 20:02

The customer use case would be to offload single sign-on using OpenID Connect on the Application Load Balancer: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

us3r5pac3, Aug 05 '21 19:08

I think we'd need:

  1. the authenticate-oidc and redirect action types for listener rules
  2. the fields that enable AuthenticateOidcActionConfig

us3r5pac3, Aug 05 '21 20:08

Bumping this request since it is for UCLA and Oscar was requesting on our behalf at the time. We're focused on making copilot a major tool within our toolbox for AWS migration; however, there are still gaps where we must manually update resources (this being one). As you know, once we update, we lose the level of management copilot-generated stacks afford us.

h5aaimtron, Aug 05 '21 20:08

The request makes a lot of sense. Thank you @us3r5pac3 and @h5aaimtron for the customer use cases and for clarifying the need!

Lou1415926, Aug 05 '21 23:08

any updates on this?

sekamaneka, Feb 22 '22 09:02

Apologies - this integration isn't on our short-term sprint board yet. In the meantime, I wonder if it's possible to create a ListenerRule with OIDC configured using addons?

Parameters:
  App:
    Type: String  # App, Env and Name are the parameters Copilot requires in every addon template.
  Env:
    Type: String
  Name:
    Type: String
  ListenerARN:
    Type: String  # Supplied from addons/addons.parameters.yml (see below).

Resources:
  OIDCListenerRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: authenticate-oidc
          AuthenticateOidcConfig:
            AuthorizationEndpoint: # Your endpoint.
            TokenEndpoint: # Your token endpoint (required).
            UserInfoEndpoint: # Your user info endpoint (required).
            ClientId: # Your client-id.
            ClientSecret: # Your client-secret; prefer a '{{resolve:secretsmanager:...}}' dynamic reference over a literal in the template.
            Issuer: # The issuer.
          Order: 1
        - Type: forward
          TargetGroupArn: # Your target group ARN.
          Order: 2
      Conditions:
        - Field: path-pattern
          Values:
            - # Your rule conditions, e.g. path being "/authenticate".
      ListenerArn: !Ref ListenerARN
      Priority: # Integer, unique on the listener; lower numbers are evaluated first.

You can take advantage of the customized Parameters section in addons to attach the addon listener rule to the ALB listener. For example, you can create addons/addons.parameters.yml and write

Parameters:
  ListenerARN: !GetAtt EnvControllerAction.HTTPListenerArn

and then refer to it in your addon template by !Ref ListenerARN.

Lou1415926, Feb 22 '22 19:02

This is how I did it, but I still would prefer a native solution that also sets up Cognito, for example. Either way we will probably go another way... thanks for the quick response

sekamaneka, Feb 23 '22 09:02

This only works if we can bump up the priority of the OIDC integration to 1, which is already taken by Copilot. How can this be achieved via the add-on, @Lou1415926?

afgallo, May 17 '22 11:05

Hello @afgallo. Right now I can't think of any possible way to do that using addons as far as the priority is concerned. Maybe it is possible to set the path in the manifest to something that never matches and configure the real path pattern in the addons rule?

If you can use a script, we have a customer successfully using Copilot to set the OIDC up here.

iamhopaul123, May 18 '22 19:08
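The last two comments turn on how an Application Load Balancer evaluates listener rules: non-default rules are tried in ascending priority order and the first full match wins, so a Copilot-generated forward rule at priority 1 on `/*` serves every request before an addon authenticate-oidc rule at priority 2 is ever consulted. The script below is an added example, not code from this thread or from Copilot: it simulates that evaluation over two constructed rule sets shaped like `aws elbv2 describe-rules` output, once as deployed and once with the placeholder-path workaround floated above. The rule data, the probe paths and the placeholder pattern name are assumptions made for illustration.

```python
"""Simulate ALB listener-rule evaluation to see whether an addon OIDC rule is
reached ahead of the forward rule Copilot already created on the listener.

ALB semantics modelled here: non-default rules are evaluated in ascending
priority order, the first rule whose conditions all match wins, and the
default rule applies when nothing matches. A path-pattern value is matched
case-sensitively, with '*' for zero or more characters and '?' for exactly one.
"""
import re
from typing import Any, Dict, List

Rule = Dict[str, Any]

# Constructed sample (not real describe-rules output): Copilot's forward rule
# at priority 1 on '/*', the addon's authenticate-oidc rule at priority 2, and
# the listener default.
AS_DEPLOYED: List[Rule] = [
    {"Priority": "1",
     "Conditions": [{"Field": "path-pattern", "Values": ["/*"]}],
     "Actions": [{"Type": "forward"}]},
    {"Priority": "2",
     "Conditions": [{"Field": "path-pattern", "Values": ["/*"]}],
     "Actions": [{"Type": "authenticate-oidc"}, {"Type": "forward"}]},
    {"Priority": "default", "Conditions": [],
     "Actions": [{"Type": "fixed-response"}]},
]

# Same listener after the workaround from the thread: the manifest path is
# pointed at a placeholder no real request uses (the name is assumed), so
# Copilot's priority-1 rule never matches and the addon rule carries the real
# pattern.
WITH_WORKAROUND: List[Rule] = [
    {"Priority": "1",
     "Conditions": [{"Field": "path-pattern",
                     "Values": ["/copilot-placeholder-never-routed/*"]}],
     "Actions": [{"Type": "forward"}]},
    AS_DEPLOYED[1],
    AS_DEPLOYED[2],
]

AUTH_ACTIONS = {"authenticate-oidc", "authenticate-cognito"}


def path_pattern_matches(pattern: str, path: str) -> bool:
    """Translate an ALB path-pattern glob into an anchored regex and match it."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, path) is not None


def rule_matches(rule: Rule, path: str) -> bool:
    """Every condition must match; within a condition any value may match.
    Only path-pattern conditions are modelled; any other field makes the rule
    non-matching so the simulation is explicit about what it does not cover."""
    for cond in rule["Conditions"]:
        if cond["Field"] != "path-pattern":
            return False
        if not any(path_pattern_matches(v, path) for v in cond["Values"]):
            return False
    return True


def winning_rule(rules: List[Rule], path: str) -> Rule:
    """Return the rule the ALB would apply to a request for `path`."""
    ordered = sorted((r for r in rules if r["Priority"] != "default"),
                     key=lambda r: int(r["Priority"]))
    for rule in ordered:
        if rule_matches(rule, path):
            return rule
    return next(r for r in rules if r["Priority"] == "default")


def auth_enforced(rules: List[Rule], path: str) -> bool:
    """True when the winning rule's action chain contains an authenticate action."""
    return any(a["Type"] in AUTH_ACTIONS
               for a in winning_rule(rules, path)["Actions"])


def find_bypasses(rules: List[Rule], paths: List[str]) -> Dict[str, str]:
    """Map each probe path that reaches the service unauthenticated to the
    priority of the rule that let it through."""
    return {p: winning_rule(rules, p)["Priority"]
            for p in paths if not auth_enforced(rules, p)}


if __name__ == "__main__":
    probes = ["/", "/authenticate", "/api/orders"]
    for label, rules in (("as deployed", AS_DEPLOYED),
                         ("with workaround", WITH_WORKAROUND)):
        print(f"{label}: unauthenticated paths -> {find_bypasses(rules, probes)}")
```

Two things the simulation makes visible. First, with both rules on `/*`, every probe is answered by priority 1 and the OIDC rule is dead configuration, which is exactly the problem raised above. Second, the workaround does not close the placeholder path itself: a request to `/copilot-placeholder-never-routed/anything` still matches Copilot's rule and is forwarded without authentication, so the service behind the target group must not treat that prefix as a real route, and the check should be re-run whenever Copilot regenerates the listener rules.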