@zpapez
Last active May 25, 2021 17:07
CloudFormation Template to create AWS Application Load Balancer with OKTA Authentication
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Template to create OKTA auth application load balancer.
Parameters:
  CertificateArn:
    Type: String
    Description: ARN of certificate to use on HTTPS listener
  authorizationEndpoint:
    Type: String
    Description: Okta account endpoint
    Default: https://dev-12345.okta.com/oauth2/default/v1/authorize
  clientId:
    Type: String
    Description: client ID for application in Okta account
  clientSecret:
    Type: String
    Description: client secret for application in Okta account
    NoEcho: true  # keep the secret out of describe-stacks output and the console
  issuer:
    Type: String
    Description: issuer of Okta account
    Default: https://dev-12345.okta.com/oauth2/default
  tokenEndpoint:
    Type: String
    Description: token endpoint of Okta account
    Default: https://dev-12345.okta.com/oauth2/default/v1/token
  userInfoEndpoint:
    Type: String
    Description: user info endpoint of Okta account
    Default: https://dev-12345.okta.com/oauth2/default/v1/userinfo
  ELBSGId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Id of the security group for the ELB.
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Id of the subnet for App Load Balancer.
  SubnetIdB:
    Type: AWS::EC2::Subnet::Id
    Description: Id of the second subnet for App Load Balancer.
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Id of the VPC for target groups
  Instance1:
    Type: String
    Description: Id of instance 1 in the target group
  Instance2:
    Type: String
    Description: Id of instance 2 in the target group
  TargetTransportPort:
    Type: String
    Description: Port where target group communicates with its instances
Resources:
  AuthAppLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Name: "okta-auth-alb"
      Scheme: internet-facing
      Subnets:
        - !Ref SubnetId
        - !Ref SubnetIdB
      SecurityGroups:
        - !Ref ELBSGId
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        # Every request that matches no higher-priority rule must first complete
        # the Okta OIDC login; only then is it forwarded to the target group.
        - Order: 1
          Type: authenticate-oidc
          AuthenticateOidcConfig:
            AuthorizationEndpoint: !Ref authorizationEndpoint
            ClientId: !Ref clientId
            ClientSecret: !Ref clientSecret
            Issuer: !Ref issuer
            OnUnauthenticatedRequest: authenticate
            Scope: openid profile
            SessionCookieName: AWSELBAuthSessionCookie
            SessionTimeout: 604800  # seconds; 7 days, the ALB maximum
            TokenEndpoint: !Ref tokenEndpoint
            UserInfoEndpoint: !Ref userInfoEndpoint
        - Order: 2
          Type: forward
          TargetGroupArn: !Ref AuthTargetGroup
      LoadBalancerArn: !Ref AuthAppLB
      Port: 443
      Protocol: HTTPS
  # Priority 1 rule: /status/200 is forwarded without authentication so that
  # external monitors can reach it. The ALB's own health checks go straight to
  # the targets and do not pass through listener rules, so they do not need it.
  HealthCheckAllowRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref AuthTargetGroup
      Conditions:
        - Field: path-pattern
          Values: [ "/status/200" ]
      ListenerArn: !Ref HttpsListener
      Priority: 1
  HttpPlainListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: 443
            StatusCode: HTTP_301
      LoadBalancerArn: !Ref AuthAppLB
      Port: 80
      Protocol: HTTP
  AuthTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: "okta-auth-target-group"
      HealthCheckIntervalSeconds: 30
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 2
      Port: !Ref TargetTransportPort
      Protocol: HTTP
      HealthCheckPath: /status/200
      VpcId: !Ref VpcId
      TargetType: instance
      # The instances' security group should admit TargetTransportPort only from
      # ELBSGId; a client that reaches an instance directly skips the OIDC action
      # and can supply its own x-amzn-oidc-* headers.
      Targets:
        - Id: !Ref Instance1
        - Id: !Ref Instance2
Outputs:
  AppLoadBalancerUrl:
    Description: The URL of the App Load Balancer
    Value: !GetAtt AuthAppLB.DNSName
```