@markusl
Last active March 11, 2021 07:18
AWS ALB Azure AD OIDC Provider

Example AWS CDK (TypeScript) code for adding an Azure AD OIDC provider to an AWS Application Load Balancer listener.

AWS documentation https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

You can configure an Application Load Balancer to securely authenticate users as they access your applications. This enables you to offload the work of authenticating users to your load balancer so that your applications can focus on their business logic.

See also

import * as cdk from '@aws-cdk/core';
import * as acm from '@aws-cdk/aws-certificatemanager';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
import * as route53 from '@aws-cdk/aws-route53';
import * as targets from '@aws-cdk/aws-route53-targets';

// The gist uses these values without defining them; they are passed in as props here.
interface OidcAlbProps {
  stack: cdk.Stack;
  env: string;                                   // prefix for construct ids
  vpc: ec2.IVpc;
  zoneAttrs: route53.HostedZoneAttributes;       // hostedZoneId + zoneName
  recordName: string;                            // DNS name for the ALB alias record
  service: elbv2.IApplicationLoadBalancerTarget; // e.g. an ECS service
  healthCheck: elbv2.HealthCheck;
  CLIENT_ID: string;                             // Azure AD application (client) id
}

const exampleAddOidcProviderInAlb = (props: OidcAlbProps) => {
  const { stack, env, vpc, zoneAttrs, recordName, service, healthCheck, CLIENT_ID } = props;

  const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, `${env}-Alb`, {
    vpc,
    internetFacing: true,
  });
  const zone = route53.HostedZone.fromHostedZoneAttributes(stack, 'HostedZone', zoneAttrs);
  const record = new route53.ARecord(stack, 'ARecord', {
    zone,
    target: route53.RecordTarget.fromAlias(new targets.LoadBalancerTarget(loadBalancer)),
    recordName,
  });
  // DNS-validated wildcard certificate for the HTTPS listener
  const cert = new acm.Certificate(stack, 'WildcardCertificate', {
    domainName: `*.${zoneAttrs.zoneName}`,
    validation: acm.CertificateValidation.fromDns(zone),
  });
  // Redirect from HTTP to HTTPS
  loadBalancer.addListener('listener-http', {
    port: 80,
    defaultAction: elbv2.ListenerAction.redirect({
      protocol: 'HTTPS',
      port: '443',
    }),
  });
  const sg = new ec2.SecurityGroup(stack, 'sg', { vpc, });
  // Allow AWS OIDC provider access - https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/
  // (the ALB must also reach the IdP outbound on 443; allowAllOutbound is the CDK default)
  sg.addIngressRule(ec2.Peer.anyIpv4(), ec2.Port.tcp(443));
  loadBalancer.addSecurityGroup(sg);
  // The default action only applies when none of the rules below matches
  const httpsListener = loadBalancer.addListener('listener-https', {
    port: 443,
    defaultAction: elbv2.ListenerAction.fixedResponse(503),
    certificates: [cert],
  });
  // Priority 20: catch-all, forwarded to the service WITHOUT authentication
  const target = httpsListener.addTargets('target-https', {
    priority: 20,
    conditions: [elbv2.ListenerCondition.pathPatterns(['/*'])],
    targets: [service],
    port: 80,
    healthCheck,
  });
  // Priority 10: only /auth/* goes through the Azure AD OIDC flow. Requests without a
  // valid session cookie are redirected to the authorization endpoint (the default
  // onUnauthenticatedRequest behaviour); after login they are forwarded to `target`.
  httpsListener.addAction('DefaultAction', {
    priority: 10,
    conditions: [elbv2.ListenerCondition.pathPatterns(['/auth/*'])],
    action: elbv2.ListenerAction.authenticateOidc({
      authorizationEndpoint: 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize',
      clientId: CLIENT_ID,
      clientSecret: cdk.SecretValue.secretsManager(`AZURE-AD_CLIENT_SECRET`),
      issuer: 'https://login.microsoftonline.com/<TENANT_ID>/v2.0',
      tokenEndpoint: 'https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token',
      userInfoEndpoint: 'https://graph.microsoft.com/oidc/userinfo',
      next: elbv2.ListenerAction.forward([target]),
    }),
  });
  // Priority 50: never reached as written, because the '/*' rule at priority 20
  // already matches every path, including /unauth*
  httpsListener.addTargets('target-https-unauth', {
    priority: 50,
    conditions: [elbv2.ListenerCondition.pathPatterns(['/unauth*'])],
    targets: [service],
    port: 80,
    healthCheck,
  });
};
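The listener rules above are evaluated by the ALB in priority order (lowest value first), and the first matching rule decides whether a request goes through the OIDC action or straight to the service. The following is an added example, not part of the gist: a small, offline model of that rule evaluation (ALB path-pattern semantics: `*` matches zero or more characters, `?` exactly one, case-sensitive, query string excluded) loaded with a constructed copy of the gist's three rules. It makes visible which paths actually require login and that the priority-50 rule is shadowed by the `/*` catch-all.

```typescript
// Added example: a model of ALB listener-rule selection for the rules in the gist.
// It does not call AWS; the rule list below is constructed to mirror the gist.

interface ListenerRule {
  name: string;
  priority: number;        // the ALB evaluates the lowest priority value first
  pathPatterns: string[];  // the rule matches when any one pattern matches
  requiresAuth: boolean;   // true when the rule's action is authenticateOidc
}

// ALB path-pattern semantics: '*' matches zero or more characters, '?' matches
// exactly one character, matching is case-sensitive and covers the path only.
export function patternToRegex(pattern: string): RegExp {
  let out = '';
  for (const ch of pattern) {
    if (ch === '*') out += '.*';
    else if (ch === '?') out += '.';
    else out += ch.replace(/[.+^${}()|[\]\\\/]/, '\\$&');
  }
  return new RegExp(`^${out}$`);
}

// Returns the first rule (by priority) whose patterns match the request path,
// or undefined when the listener's default action (a fixed 503 in the gist) applies.
export function matchRule(rules: ListenerRule[], rawPath: string): ListenerRule | undefined {
  const path = rawPath.split('?')[0]; // the query string is not part of the match
  const sorted = [...rules].sort((a, b) => a.priority - b.priority);
  for (const rule of sorted) {
    if (rule.pathPatterns.some((p) => patternToRegex(p).test(path))) return rule;
  }
  return undefined;
}

// Constructed to mirror the three addAction/addTargets calls in the gist.
export const gistRules: ListenerRule[] = [
  { name: 'DefaultAction',       priority: 10, pathPatterns: ['/auth/*'],  requiresAuth: true },
  { name: 'target-https',        priority: 20, pathPatterns: ['/*'],       requiresAuth: false },
  { name: 'target-https-unauth', priority: 50, pathPatterns: ['/unauth*'], requiresAuth: false },
];

// True when a request for `path` would be sent through the OIDC flow.
export function requiresOidc(path: string, rules: ListenerRule[] = gistRules): boolean {
  const rule = matchRule(rules, path);
  return rule !== undefined && rule.requiresAuth;
}

// A rule is dead when a catch-all pattern ('*' or '/*') sits at a lower priority
// value, because every request it could match is claimed before it is reached.
export function deadRules(rules: ListenerRule[]): string[] {
  const sorted = [...rules].sort((a, b) => a.priority - b.priority);
  const dead: string[] = [];
  for (let i = 0; i < sorted.length; i++) {
    const earlierCatchAll = sorted
      .slice(0, i)
      .some((r) => r.pathPatterns.some((p) => p === '*' || p === '/*'));
    if (earlierCatchAll) dead.push(sorted[i].name);
  }
  return dead;
}

// Stand-alone run: prints which of a few constructed paths are protected.
for (const p of ['/auth/profile', '/auth', '/dashboard', '/unauth/page', '/Auth/profile']) {
  console.log(p, requiresOidc(p) ? 'OIDC' : 'no auth', '->', matchRule(gistRules, p)?.name ?? 'default 503');
}
console.log('dead rules:', deadRules(gistRules));
```

With the gist's rules, only paths starting with the literal `/auth/` are protected; `/dashboard`, `/unauth/page` and even `/Auth/profile` reach the service with no login because the `/*` rule at priority 20 claims them, and the priority-50 rule never fires. If the intent is "everything except `/unauth*` requires login", the `authenticateOidc` action should carry the catch-all pattern and the unauthenticated exception should sit at a lower priority value than it.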