Gist zpapez/5b28d3429cdd2113b4b99854c5bd10f6, last active May 25, 2021 17:07
CloudFormation Template to create AWS Application Load Balancer with OKTA Authentication
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Template to create OKTA auth application load balancer.
Parameters:
  CertificateArn:
    Type: String
    Description: ARN of certificate to use on HTTPS listener
  authorizationEndpoint:
    Type: String
    Description: Okta account endpoint
    Default: https://dev-12345.okta.com/oauth2/default/v1/authorize
  clientId:
    Type: String
    Description: client ID for application in Okta account
  clientSecret:
    Type: String
    # NoEcho keeps the secret out of the console and of DescribeStacks output
    NoEcho: true
    Description: client secret for application in Okta account
  issuer:
    Type: String
    Description: issuer of Okta account
    Default: https://dev-12345.okta.com/oauth2/default
  tokenEndpoint:
    Type: String
    Description: token endpoint of Okta account
    Default: https://dev-12345.okta.com/oauth2/default/v1/token
  userInfoEndpoint:
    Type: String
    Description: user info endpoint of Okta account
    Default: https://dev-12345.okta.com/oauth2/default/v1/userinfo
  ELBSGId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Id of the security group for the ELB.
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Id of the subnet for App Load Balancer.
  SubnetIdB:
    Type: AWS::EC2::Subnet::Id
    Description: Id of the second subnet for App Load Balancer.
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Id of the VPC for target groups
  Instance1:
    Type: String
    Description: Id of instance 1 in the target group
  Instance2:
    Type: String
    Description: Id of instance 2 in the target group
  TargetTransportPort:
    Type: String
    Description: Port where target group communicates with its instances
Resources:
  AuthAppLB:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Name: "okta-auth-alb"
      Scheme: internet-facing
      Subnets:
        - !Ref SubnetId
        - !Ref SubnetIdB
      SecurityGroups:
        - !Ref ELBSGId
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        # Order 1: the ALB runs the OIDC authorization-code flow against Okta
        # before any request reaches the targets. The resulting session is
        # kept in the named cookie for SessionTimeout seconds (7 days).
        - Order: 1
          Type: authenticate-oidc
          AuthenticateOidcConfig:
            AuthorizationEndpoint: !Ref authorizationEndpoint
            ClientId: !Ref clientId
            ClientSecret: !Ref clientSecret
            Issuer: !Ref issuer
            OnUnauthenticatedRequest: authenticate
            Scope: openid profile
            SessionCookieName: AWSELBAuthSessionCookie
            SessionTimeout: 604800
            TokenEndpoint: !Ref tokenEndpoint
            UserInfoEndpoint: !Ref userInfoEndpoint
        # Order 2: only requests that passed authentication are forwarded.
        - Order: 2
          Type: forward
          TargetGroupArn: !Ref AuthTargetGroup
      LoadBalancerArn: !Ref AuthAppLB
      Port: 443
      Protocol: HTTPS
  # Listener rules are evaluated before the default actions, so this rule
  # forwards /status/200 to the targets without Okta authentication.
  HealthCheckAllowRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      Actions:
        - Type: forward
          TargetGroupArn: !Ref AuthTargetGroup
      Conditions:
        - Field: path-pattern
          Values: ["/status/200"]
      ListenerArn: !Ref HttpsListener
      Priority: 1
  # Plain HTTP is never served; every request is redirected to the HTTPS listener.
  HttpPlainListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: 443
            StatusCode: HTTP_301
      LoadBalancerArn: !Ref AuthAppLB
      Port: 80
      Protocol: HTTP
  AuthTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Name: "okta-auth-target-group"
      HealthCheckIntervalSeconds: 30
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 2
      Port: !Ref TargetTransportPort
      Protocol: HTTP
      HealthCheckPath: /status/200
      VpcId: !Ref VpcId
      TargetType: instance
      Targets:
        - Id: !Ref Instance1
        - Id: !Ref Instance2
Outputs:
  AppLoadBalancerUrl:
    Description: The URL of the App Load Balancer
    Value: !GetAtt AuthAppLB.DNSName
```
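The security property this template relies on is that the `authenticate-oidc` default action sits in front of the `forward` action, that the plain-HTTP listener only redirects, and that the one listener rule which skips authentication (`HealthCheckAllowRule`, evaluated before the default actions because rules take precedence) is limited to `/status/200`. Any later edit that adds a broader rule, or flips `OnUnauthenticatedRequest` to `allow`, silently opens an unauthenticated path to the targets. The following Python script is an added example, not part of the gist: it checks those invariants offline against a template in the JSON form that `aws cloudformation get-template` returns (where `!Ref` appears as `{"Ref": ...}`). `TEMPLATE` is a constructed excerpt mirroring the gist's secret parameter, listeners and rule; `ALLOWED_UNAUTH_PATHS` encodes the assumption that `/status/200` is the only path the operator meant to exempt, and `weakened_variant` is a constructed misconfiguration used to show what a finding looks like.

```python
"""Offline check of the OIDC-auth invariants of an ALB CloudFormation template.
Walks the JSON form that `aws cloudformation get-template` returns (a !Ref
appears there as {"Ref": ...}) and reports every way a request could reach
the targets without passing the authenticate-oidc action."""
import copy

# Constructed excerpt mirroring the gist's secret parameter, listeners and rule.
TEMPLATE = {
    "Parameters": {"clientSecret": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "HttpsListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {"Port": 443, "Protocol": "HTTPS", "DefaultActions": [
                {"Order": 1, "Type": "authenticate-oidc", "AuthenticateOidcConfig": {
                    "Issuer": {"Ref": "issuer"}, "Scope": "openid profile",
                    "OnUnauthenticatedRequest": "authenticate", "SessionTimeout": 604800}},
                {"Order": 2, "Type": "forward", "TargetGroupArn": {"Ref": "AuthTargetGroup"}},
            ]},
        },
        "HealthCheckAllowRule": {
            "Type": "AWS::ElasticLoadBalancingV2::ListenerRule",
            "Properties": {"Priority": 1, "ListenerArn": {"Ref": "HttpsListener"},
                           "Conditions": [{"Field": "path-pattern", "Values": ["/status/200"]}],
                           "Actions": [{"Type": "forward",
                                        "TargetGroupArn": {"Ref": "AuthTargetGroup"}}]},
        },
        "HttpPlainListener": {
            "Type": "AWS::ElasticLoadBalancingV2::Listener",
            "Properties": {"Port": 80, "Protocol": "HTTP", "DefaultActions": [
                {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": 443,
                                                        "StatusCode": "HTTP_301"}}]},
        },
    },
}

# Assumption: the only path the operator deliberately exempted from authentication.
ALLOWED_UNAUTH_PATHS = frozenset({"/status/200"})


def resources_of_type(template, rtype):
    """Map logical id -> Properties for every resource of the given type."""
    return {name: res.get("Properties", {})
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == rtype}


def check_template(template, allowed_unauth_paths=ALLOWED_UNAUTH_PATHS):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []
    # 1. Secret-bearing parameters must not be echoed back by the API or console.
    for name, param in template.get("Parameters", {}).items():
        if "secret" in name.lower() and not param.get("NoEcho"):
            findings.append(f"{name}: secret parameter without NoEcho")
    for name, props in resources_of_type(
            template, "AWS::ElasticLoadBalancingV2::Listener").items():
        actions = sorted(props.get("DefaultActions", []), key=lambda a: a.get("Order", 0))
        if props.get("Protocol") == "HTTP":
            # 2. A plaintext listener may do nothing but redirect to HTTPS.
            if not (len(actions) == 1 and actions[0].get("Type") == "redirect" and
                    actions[0].get("RedirectConfig", {}).get("Protocol") == "HTTPS"):
                findings.append(f"{name}: HTTP listener must only redirect to HTTPS")
            continue
        # 3. The HTTPS listener authenticates first and, for requests without a
        #    valid session, sends them to the IdP instead of passing them through.
        if not actions or actions[0].get("Type") != "authenticate-oidc":
            findings.append(f"{name}: first default action is not authenticate-oidc")
            continue
        cfg = actions[0].get("AuthenticateOidcConfig", {})
        mode = cfg.get("OnUnauthenticatedRequest", "authenticate")  # ALB default value
        if mode != "authenticate":
            findings.append(f"{name}: OnUnauthenticatedRequest is {mode!r}")
    # 4. Rules are evaluated before the default actions, so a rule that forwards
    #    without its own authenticate-oidc action is an unauthenticated path.
    for name, props in resources_of_type(
            template, "AWS::ElasticLoadBalancingV2::ListenerRule").items():
        if any(a.get("Type") == "authenticate-oidc" for a in props.get("Actions", [])):
            continue
        paths = {v for c in props.get("Conditions", [])
                 if c.get("Field") == "path-pattern" for v in c.get("Values", [])}
        unexpected = paths - set(allowed_unauth_paths)
        if not paths or unexpected:
            findings.append(f"{name}: unauthenticated forward for "
                            f"{sorted(unexpected) or 'all requests'}")
    return findings


def weakened_variant():
    """Constructed misconfiguration: pass-through auth plus a wildcard bypass rule."""
    bad = copy.deepcopy(TEMPLATE)
    oidc = bad["Resources"]["HttpsListener"]["Properties"]["DefaultActions"][0]
    oidc["AuthenticateOidcConfig"]["OnUnauthenticatedRequest"] = "allow"
    rule = bad["Resources"]["HealthCheckAllowRule"]["Properties"]
    rule["Conditions"][0]["Values"] = ["/status/*"]
    return bad
```

Run `check_template(TEMPLATE)` against the gist's configuration and it returns an empty list; run it against `weakened_variant()` and it reports both the `allow` pass-through mode on `HttpsListener` and the `/status/*` rule that would forward far more than the status endpoint without Okta. Wiring such a check into the pipeline that deploys the stack catches these regressions before the listener goes live.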