From 236455fc453c9465b809817f4fb455c85eaee4e4 Mon Sep 17 00:00:00 2001 From: "Jens L." Date: Tue, 21 Jan 2025 14:48:11 +0100 Subject: [PATCH] lifecycle: move AWS CFN generation to lifecycle and fix CI (#12743) * fix missing min_healthy_percent which was causing an error on stdout...sigh Signed-off-by: Jens Langhammer * disable version reporting (replaces deleting BootstrapVersion) Signed-off-by: Jens Langhammer * dont generate bootstrap thing Signed-off-by: Jens Langhammer * aaand remove fix_template Signed-off-by: Jens Langhammer * always set CI to false so errors are sent to stderr Signed-off-by: Jens Langhammer * move aws stuff to lifecycle Signed-off-by: Jens Langhammer * fix missing package-lock Signed-off-by: Jens Langhammer * fix package Signed-off-by: Jens Langhammer * cleanup website structure Signed-off-by: Jens Langhammer --------- 
Signed-off-by: Jens Langhammer --- .bumpversion.cfg | 2 +- .github/dependabot.yml | 10 + .github/workflows/ci-aws-cfn.yml | 6 +- .github/workflows/release-publish.yml | 4 +- CODEOWNERS | 1 + Makefile | 8 +- lifecycle/aws/.gitignore | 111 + .../install => lifecycle}/aws/app.py | 11 +- .../install => lifecycle}/aws/cdk.json | 0 lifecycle/aws/package-lock.json | 141 ++ lifecycle/aws/package.json | 16 + .../install => lifecycle}/aws/template.yaml | 1930 ++++++++--------- website/.prettierignore | 2 - .../install/{aws/index.md => aws.md} | 2 +- .../install-config/install/aws/.gitignore | 1 - .../install/aws/fix_template.py | 11 - website/docs/releases/2024/v2024.12.md | 2 +- website/package-lock.json | 31 - website/package.json | 2 - website/sidebars.js | 2 +- 20 files changed, 1266 insertions(+), 1027 deletions(-) create mode 100644 lifecycle/aws/.gitignore rename {website/docs/install-config/install => lifecycle}/aws/app.py (98%) rename {website/docs/install-config/install => lifecycle}/aws/cdk.json (100%) create mode 100644 lifecycle/aws/package-lock.json create mode 100644 lifecycle/aws/package.json rename {website/docs/install-config/install => lifecycle}/aws/template.yaml (61%) rename website/docs/install-config/install/{aws/index.md => aws.md} (94%) delete mode 100644 website/docs/install-config/install/aws/.gitignore delete mode 100755 website/docs/install-config/install/aws/fix_template.py diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 812b8a26b3..cfafbc73fa 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -31,4 +31,4 @@ optional_value = final [bumpversion:file:web/src/common/constants.ts] -[bumpversion:file:website/docs/install-config/install/aws/template.yaml] +[bumpversion:file:lifecycle/aws/template.yaml] diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 69ab86a2b7..e5c4474d3d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -82,6 +82,16 @@ updates: docusaurus: patterns: - "@docusaurus/*" + - package-ecosystem: npm + directory: "/lifecycle/aws" + schedule: + interval: daily + time: "04:00" + open-pull-requests-limit: 10 + commit-message: + prefix: "lifecycle/aws:" + labels: + - dependencies - package-ecosystem: pip directory: "/" schedule: diff --git a/.github/workflows/ci-aws-cfn.yml b/.github/workflows/ci-aws-cfn.yml index 7aef43a720..f4b808080c 100644 --- a/.github/workflows/ci-aws-cfn.yml +++ b/.github/workflows/ci-aws-cfn.yml @@ -25,10 +25,10 @@ jobs: uses: ./.github/actions/setup - uses: actions/setup-node@v4 with: - node-version-file: website/package.json + node-version-file: lifecycle/aws/package.json cache: "npm" - cache-dependency-path: website/package-lock.json - - working-directory: website/ + cache-dependency-path: lifecycle/aws/package-lock.json + - working-directory: lifecycle/aws/ run: | npm ci - name: Check changes have been applied diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml index f93f340168..f4f3bd0f83 100644 --- a/.github/workflows/release-publish.yml +++ b/.github/workflows/release-publish.yml @@ -188,8 +188,8 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Upload template run: | - aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml - aws s3 cp --acl=public-read website/docs/install-config/install/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml + aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.${{ github.ref }}.yaml + aws s3 cp --acl=public-read lifecycle/aws/template.yaml s3://authentik-cloudformation-templates/authentik.ecs.latest.yaml test-release: needs: - build-server diff --git a/CODEOWNERS b/CODEOWNERS index 4182560dd6..d538e8fec0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
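Review bot: In the `Upload template` step of `release-publish.yml`, `${{ github.ref }}` is expanded into the `run:` script text before the shell parses it, so the ref name is treated as part of the command rather than as data. Add `env:` with `REF: ${{ github.ref }}` to the step and use `"s3://authentik-cloudformation-templates/authentik.ecs.${REF}.yaml"`, quoted, in the first `aws s3 cp` line. The workflow trigger is outside this hunk, so who can influence the ref cannot be judged from here; anyone able to create tags or releases can. Both objects are written with `--acl=public-read` and `authentik.ecs.latest.yaml` is overwritten in place, so whatever `lifecycle/aws/template.yaml` contains at release time is what users deploy. The `jobs:` block starts and continues outside the hunk.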
@@ -15,6 +15,7 @@ go.mod @goauthentik/backend go.sum @goauthentik/backend # Infrastructure .github/ @goauthentik/infrastructure +lifecycle/aws/ @goauthentik/infrastructure Dockerfile @goauthentik/infrastructure *Dockerfile @goauthentik/infrastructure .dockerignore @goauthentik/infrastructure diff --git a/Makefile b/Makefile index ab45437e7c..33a4adab9d 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ PWD = $(shell pwd) UID = $(shell id -u) GID = $(shell id -g) NPM_VERSION = $(shell python -m scripts.npm_version) -PY_SOURCES = authentik tests scripts lifecycle .github website/docs/install-config/install/aws +PY_SOURCES = authentik tests scripts lifecycle .github DOCKER_IMAGE ?= "authentik:test" GEN_API_TS = "gen-ts-api" @@ -78,6 +78,9 @@ migrate: ## Run the Authentik Django server's migrations i18n-extract: core-i18n-extract web-i18n-extract ## Extract strings that require translation into files to send to a translation service +aws-cfn: + cd lifecycle/aws && npm run aws-cfn + core-i18n-extract: ak makemessages \ --add-location file \ @@ -252,9 +255,6 @@ website-build: website-watch: ## Build and watch the documentation website, updating automatically cd website && npm run watch -aws-cfn: - cd website && npm run aws-cfn - ######################### ## Docker ######################### diff --git a/lifecycle/aws/.gitignore b/lifecycle/aws/.gitignore new file mode 100644 index 0000000000..8c2df94de2 --- /dev/null +++ b/lifecycle/aws/.gitignore 
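Review bot: The relocated `aws-cfn` target in the `@@ -78,6 +78,9 @@` Makefile hunk has no `## ` description, unlike `migrate` and `i18n-extract` in the same hunk. It will presumably be missing from any help output built from those comments; the help target is not in view. Suggest `aws-cfn: ## Regenerate lifecycle/aws/template.yaml from lifecycle/aws/app.py (run npm ci in lifecycle/aws first)`. The prerequisite matters because `cdk` is only a devDependency of the new `lifecycle/aws/package.json` and the target does not install it. The regenerated file is also the one the release workflow publishes, which the description or a nearby comment could state.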
@@ -0,0 +1,111 @@ + +# Created by https://www.gitignore.io/api/node +# Edit at https://www.gitignore.io/?templates=node + +### Node ### +# Logs +logs +*.log +npm-debug.log* +yarn-debug.log* +yarn-error.log* +lerna-debug.log* + +# Diagnostic reports (https://nodejs.org/api/report.html) +report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json + +# Runtime data +pids +*.pid +*.seed +*.pid.lock + +# Directory for instrumented libs generated by jscoverage/JSCover +lib-cov + +# Coverage directory used by tools like istanbul +coverage +*.lcov + +# nyc test coverage +.nyc_output + +# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) +.grunt + +# Bower dependency directory (https://bower.io/) +bower_components + +# node-waf configuration +.lock-wscript + +# Compiled binary addons (https://nodejs.org/api/addons.html) +build/Release + +# Dependency directories +node_modules/ +jspm_packages/ + +# TypeScript v1 declaration files +typings/ + +# TypeScript cache +*.tsbuildinfo + +# Optional npm cache directory +.npm + +# Optional eslint cache +.eslintcache + +# Optional REPL history +.node_repl_history + +# Output of 'npm pack' +*.tgz + +# Yarn Integrity file +.yarn-integrity + +# dotenv environment variables file +.env +.env.test + +# parcel-bundler cache (https://parceljs.org/) +.cache + +# next.js build output +.next + +# nuxt.js build output +.nuxt +dist + +# Uncomment the public line if your project uses Gatsby +# https://nextjs.org/blog/next-9-1#public-directory-support +# https://create-react-app.dev/docs/using-the-public-folder/#docsNav +# public + +# Storybook build outputs +.out +.storybook-out + +# vuepress build output +.vuepress/dist + +# Serverless directories +.serverless/ + +# FuseBox cache +.fusebox/ + +# DynamoDB Local files +.dynamodb/ + +# Temporary folders +tmp/ +temp/ + +# End of https://www.gitignore.io/api/node + +cdk.out 
diff --git a/website/docs/install-config/install/aws/app.py b/lifecycle/aws/app.py similarity index 98% rename from website/docs/install-config/install/aws/app.py rename to lifecycle/aws/app.py index 59ae18916c..6f67e5c0b4 100755 --- a/website/docs/install-config/install/aws/app.py +++ b/lifecycle/aws/app.py @@ -6,6 +6,7 @@ from aws_cdk import ( App, CfnOutput, CfnParameter, + DefaultStackSynthesizer, Duration, RemovalPolicy, Stack, @@ -38,7 +39,7 @@ from authentik import __version__ class AuthentikStack(Stack): def __init__(self, scope: Construct, id: str, **kwargs): - super().__init__(scope, id, *kwargs) + super().__init__(scope, id, **kwargs) ### Inputs @@ -327,6 +328,7 @@ class AuthentikStack(Stack): security_groups=[authentik_security_group], vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS), enable_execute_command=True, + min_healthy_percent=50, ) worker_task = ecs.FargateTaskDefinition( @@ -376,6 +378,7 @@ class AuthentikStack(Stack): security_groups=[authentik_security_group], vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS), enable_execute_command=True, + min_healthy_percent=50, ) # Load balancer @@ -417,5 +420,9 @@ class AuthentikStack(Stack): app = App() -AuthentikStack(app, "AuthentikStack") +AuthentikStack( + app, + "AuthentikStack", + synthesizer=DefaultStackSynthesizer(generate_bootstrap_version_rule=False), +) app.synth() diff --git a/website/docs/install-config/install/aws/cdk.json b/lifecycle/aws/cdk.json similarity index 100% rename from website/docs/install-config/install/aws/cdk.json rename to lifecycle/aws/cdk.json diff --git a/lifecycle/aws/package-lock.json b/lifecycle/aws/package-lock.json new file mode 100644 index 0000000000..6374f3fcc9 --- /dev/null +++ b/lifecycle/aws/package-lock.json 
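Review bot: `min_healthy_percent=50` is added as a bare literal with no comment, on the server service in the `@@ -327,6 +328,7 @@` hunk and again on the worker service in the `@@ -376,6 +378,7 @@` hunk. A reader cannot tell whether 50 was chosen for availability or only to silence the CDK message the commit description mentions. During a deployment ECS may stop tasks until only this share of the desired count is healthy, so with the template's default desired count of 2 a single authentik server task can end up serving all logins. Suggest a comment above each argument such as `# Set explicitly (CDK warns when unset); 50 lets a rolling deploy continue with one of two tasks serving`, or exposing the value as a `CfnParameter` like the desired counts. Both service constructor calls begin outside their hunks.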
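Review bot: The new `synthesizer=DefaultStackSynthesizer(generate_bootstrap_version_rule=False)` argument in the `@@ -417,5 +420,9 @@` hunk has no comment saying why the bootstrap version rule is switched off. Presumably `template.yaml` is distributed as a standalone CloudFormation template and so must not depend on a CDK bootstrap stack in the deploying account. If that is the intent, record it above the call, e.g. `# template.yaml is deployed directly via CloudFormation without cdk bootstrap, so omit the bootstrap version rule`. The comment should also note that this replaces the deleted `fix_template.py` post-processing step, so neither is reintroduced later.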
@@ -0,0 +1,141 @@ +{ + "name": "@goauthentik/lifecycle-aws", + "version": "0.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "@goauthentik/lifecycle-aws", + "version": "0.0.0", + "license": "MIT", + "devDependencies": { + "aws-cdk": "^2.176.0", + "cross-env": "^7.0.3" + }, + "engines": { + "node": ">=20" + } + }, + "node_modules/aws-cdk": { + "version": "2.176.0", + "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.176.0.tgz", + "integrity": "sha512-yRjIXzK2ddznwuSjasWAViYBtBSQbEu6GHlylaC3GHsIUPhrK3KguqIuhdlxjMeiQ1Fvok8REDLCReZJdrSLLg==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "cdk": "bin/cdk" + }, + "engines": { + "node": ">= 14.15.0" + }, + "optionalDependencies": { + "fsevents": "2.3.2" + } + }, + "node_modules/cross-env": { + "version": "7.0.3", + "resolved": "https://registry.npmjs.org/cross-env/-/cross-env-7.0.3.tgz", + "integrity": "sha512-+/HKd6EgcQCJGh2PSjZuUitQBQynKor4wrFbRg4DtAgS1aWO+gU52xpH7M9ScGgXSYmAVS9bIJ8EzuaGw0oNAw==", + "dev": true, + "license": "MIT", + "dependencies": { + "cross-spawn": "^7.0.1" + }, + "bin": { + "cross-env": "src/bin/cross-env.js", + "cross-env-shell": "src/bin/cross-env-shell.js" + }, + "engines": { + "node": ">=10.14", + "npm": ">=6", + "yarn": ">=1" + } + }, + "node_modules/cross-spawn": { + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", + "dev": true, + "license": "MIT", + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/fsevents": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", + "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", + "dev": true, + "hasInstallScript": true, + "license": 
"MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "dev": true, + "license": "ISC" + }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "dev": true, + "license": "MIT", + "dependencies": { + "shebang-regex": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "dev": true, + "license": "ISC", + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + } + } +} diff --git a/lifecycle/aws/package.json b/lifecycle/aws/package.json new file mode 100644 index 0000000000..d387b436b3 --- /dev/null +++ b/lifecycle/aws/package.json 
@@ -0,0 +1,16 @@
+{
+ "name": "@goauthentik/lifecycle-aws",
+ "version": "0.0.0",
+ "private": true,
+ "license": "MIT",
+ "scripts": {
+ "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
+ },
+ "engines": {
+ "node": ">=20"
+ },
+ "devDependencies": {
+ "aws-cdk": "^2.176.0",
+ "cross-env": "^7.0.3"
+ }
+}
diff --git a/website/docs/install-config/install/aws/template.yaml b/lifecycle/aws/template.yaml
similarity index 61%
rename from website/docs/install-config/install/aws/template.yaml
rename to lifecycle/aws/template.yaml
index d7d2718020..8a291b58aa 100644
--- a/website/docs/install-config/install/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
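Review bot: The `aws-cfn` script in `lifecycle/aws/package.json` redirects stdout straight into the tracked file with `cdk synth --version-reporting=false > template.yaml`. The shell truncates `template.yaml` before synthesis starts, so a failed run leaves it empty, and anything else printed to stdout ends up in the template. That file is what the release workflow uploads with `--acl=public-read`, so write to a temporary name and rename on success: `"aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml.tmp && mv template.yaml.tmp template.yaml"`. This assumes a POSIX shell and would need adjusting if contributors run it on Windows. `CI=false` is also unexplained, and since JSON cannot hold a comment, the reason given in the commit description (errors go to stderr) should be recorded beside the `aws-cfn` Makefile target or in a README under `lifecycle/aws`.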
@@ -1,191 +1,457 @@ -Conditions: {} -Outputs: - LoadBalancerDNS: - Value: - Fn::GetAtt: - - AuthentikALB992EAB01 - - DNSName Parameters: - AuthentikImage: - Default: ghcr.io/goauthentik/server - Description: authentik Docker image - Type: String - AuthentikServerCPU: - Default: 512 - Description: authentik server CPU units (1024 = 1 vCPU) - Type: Number - AuthentikServerDesiredCount: - Default: 2 - Description: Desired number of authentik server tasks - MinValue: 1 - Type: Number - AuthentikServerMemory: - Default: 1024 - Description: authentik server memory in MiB - Type: Number - AuthentikVersion: - Default: 2024.12.2 - Description: authentik Docker image tag - Type: String - AuthentikWorkerCPU: - Default: 512 - Description: authentik worker CPU units (1024 = 1 vCPU) - Type: Number - AuthentikWorkerDesiredCount: - Default: 2 - Description: Desired number of authentik worker tasks - MinValue: 1 - Type: Number - AuthentikWorkerMemory: - Default: 1024 - Description: authentik worker memory in MiB - Type: Number - CertificateARN: - Description: ACM certificate ARN for HTTPS access - Type: String DBInstanceType: + Type: String Default: m5.large Description: RDS PostgreSQL instance type (without the leading db.) + DBVersion: Type: String + Default: "17.1" + Description: RDS PostgreSQL version DBStorage: + Type: Number Default: 10 Description: RDS PostgreSQL storage size in GB MinValue: 10 - Type: Number - DBVersion: - Default: '17.1' - Description: RDS PostgreSQL version - Type: String RedisInstanceType: + Type: String Default: cache.t4g.medium Description: ElastiCache Redis instance type (with the leading cache.) 
- Type: String RedisVersion: - Default: '7.1' - Description: ElastiCache Redis version Type: String + Default: "7.1" + Description: ElastiCache Redis version + AuthentikImage: + Type: String + Default: ghcr.io/goauthentik/server + Description: authentik Docker image + AuthentikVersion: + Type: String + Default: 2024.12.2 + Description: authentik Docker image tag + AuthentikServerCPU: + Type: Number + Default: 512 + Description: authentik server CPU units (1024 = 1 vCPU) + AuthentikServerMemory: + Type: Number + Default: 1024 + Description: authentik server memory in MiB + AuthentikServerDesiredCount: + Type: Number + Default: 2 + Description: Desired number of authentik server tasks + MinValue: 1 + AuthentikWorkerCPU: + Type: Number + Default: 512 + Description: authentik worker CPU units (1024 = 1 vCPU) + AuthentikWorkerMemory: + Type: Number + Default: 1024 + Description: authentik worker memory in MiB + AuthentikWorkerDesiredCount: + Type: Number + Default: 2 + Description: Desired number of authentik worker tasks + MinValue: 1 + CertificateARN: + Type: String + Description: ACM certificate ARN for HTTPS access Resources: - AuthentikALB992EAB01: + AuthentikVpcA1ABE6C2: + Type: AWS::EC2::VPC + Properties: + CidrBlock: 10.0.0.0/16 + EnableDnsHostnames: true + EnableDnsSupport: true + InstanceTenancy: default + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/Resource + AuthentikVpcPublicSubnet1Subnet0C75862A: + Type: AWS::EC2::Subnet + Properties: + AvailabilityZone: + Fn::Select: + - 0 + - Fn::GetAZs: "" + CidrBlock: 10.0.0.0/18 + MapPublicIpOnLaunch: true + Tags: + - Key: aws-cdk:subnet-name + Value: Public + - Key: aws-cdk:subnet-type + Value: Public + - Key: Name + Value: AuthentikStack/AuthentikVpc/PublicSubnet1 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/Subnet + AuthentikVpcPublicSubnet1RouteTable142C1454: + Type: 
AWS::EC2::RouteTable + Properties: + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc/PublicSubnet1 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTable + AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: + Ref: AuthentikVpcPublicSubnet1RouteTable142C1454 + SubnetId: + Ref: AuthentikVpcPublicSubnet1Subnet0C75862A + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTableAssociation + AuthentikVpcPublicSubnet1DefaultRoute90C4189A: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: + Ref: AuthentikVpcIGW53CE5190 + RouteTableId: + Ref: AuthentikVpcPublicSubnet1RouteTable142C1454 DependsOn: - - AuthentikVpcPublicSubnet1DefaultRoute90C4189A - - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C - - AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA - - AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26 + - AuthentikVpcVPCGW65A49376 Metadata: - aws:cdk:path: AuthentikStack/AuthentikALB/Resource + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/DefaultRoute + AuthentikVpcPublicSubnet1EIP2A4626A0: + Type: AWS::EC2::EIP Properties: - LoadBalancerAttributes: - - Key: deletion_protection.enabled - Value: 'false' - Scheme: internet-facing - SecurityGroups: - - Fn::GetAtt: - - AuthentikALBSecurityGroup2B18FEEF - - GroupId - Subnets: - - Ref: AuthentikVpcPublicSubnet1Subnet0C75862A - - Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B - Type: application - Type: AWS::ElasticLoadBalancingV2::LoadBalancer - AuthentikALBAuthentikHttpListener6825393B: + Domain: vpc + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc/PublicSubnet1 Metadata: - aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpListener/Resource + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/EIP + AuthentikVpcPublicSubnet1NATGatewayEBF2B25B: + Type: AWS::EC2::NatGateway Properties: - 
DefaultActions: - - RedirectConfig: - Protocol: HTTPS - StatusCode: HTTP_301 - Type: redirect - LoadBalancerArn: - Ref: AuthentikALB992EAB01 - Port: 80 - Protocol: HTTP - Type: AWS::ElasticLoadBalancingV2::Listener - AuthentikALBAuthentikHttpsListener34A9BF12: + AllocationId: + Fn::GetAtt: + - AuthentikVpcPublicSubnet1EIP2A4626A0 + - AllocationId + SubnetId: + Ref: AuthentikVpcPublicSubnet1Subnet0C75862A + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc/PublicSubnet1 + DependsOn: + - AuthentikVpcPublicSubnet1DefaultRoute90C4189A + - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C Metadata: - aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/Resource + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/NATGateway + AuthentikVpcPublicSubnet2Subnet4DFAFA5B: + Type: AWS::EC2::Subnet Properties: - Certificates: - - CertificateArn: - Ref: CertificateARN - DefaultActions: - - TargetGroupArn: - Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 - Type: forward - LoadBalancerArn: - Ref: AuthentikALB992EAB01 - Port: 443 - Protocol: HTTPS - Type: AWS::ElasticLoadBalancingV2::Listener - AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/AuthentikServerTargetGroup/Resource - Properties: - HealthCheckPath: /-/health/live/ - Matcher: - HttpCode: '200' - Port: 9000 - Protocol: HTTP - TargetGroupAttributes: - - Key: stickiness.enabled - Value: 'false' - TargetType: ip + AvailabilityZone: + Fn::Select: + - 1 + - Fn::GetAZs: "" + CidrBlock: 10.0.64.0/18 + MapPublicIpOnLaunch: true + Tags: + - Key: aws-cdk:subnet-name + Value: Public + - Key: aws-cdk:subnet-type + Value: Public + - Key: Name + Value: AuthentikStack/AuthentikVpc/PublicSubnet2 VpcId: Ref: AuthentikVpcA1ABE6C2 - Type: AWS::ElasticLoadBalancingV2::TargetGroup - AuthentikALBSecurityGroup2B18FEEF: Metadata: - aws:cdk:path: 
AuthentikStack/AuthentikALB/SecurityGroup/Resource + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/Subnet + AuthentikVpcPublicSubnet2RouteTableF486229B: + Type: AWS::EC2::RouteTable Properties: - GroupDescription: Automatically created Security Group for ELB AuthentikStackAuthentikALB07C6B2CD - SecurityGroupIngress: - - CidrIp: 0.0.0.0/0 - Description: Allow from anyone on port 80 - FromPort: 80 - IpProtocol: tcp - ToPort: 80 - - CidrIp: 0.0.0.0/0 - Description: Allow from anyone on port 443 - FromPort: 443 - IpProtocol: tcp - ToPort: 443 + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc/PublicSubnet2 VpcId: Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTable + AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: + Ref: AuthentikVpcPublicSubnet2RouteTableF486229B + SubnetId: + Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTableAssociation + AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + GatewayId: + Ref: AuthentikVpcIGW53CE5190 + RouteTableId: + Ref: AuthentikVpcPublicSubnet2RouteTableF486229B + DependsOn: + - AuthentikVpcVPCGW65A49376 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/DefaultRoute + AuthentikVpcPrivateSubnet1Subnet6748EEA3: + Type: AWS::EC2::Subnet + Properties: + AvailabilityZone: + Fn::Select: + - 0 + - Fn::GetAZs: "" + CidrBlock: 10.0.128.0/18 + MapPublicIpOnLaunch: false + Tags: + - Key: aws-cdk:subnet-name + Value: Private + - Key: aws-cdk:subnet-type + Value: Private + - Key: Name + Value: AuthentikStack/AuthentikVpc/PrivateSubnet1 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/Subnet + AuthentikVpcPrivateSubnet1RouteTable865DCC15: + Type: AWS::EC2::RouteTable + 
Properties: + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc/PrivateSubnet1 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTable + AuthentikVpcPrivateSubnet1RouteTableAssociationBBA42BB3: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: + Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15 + SubnetId: + Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTableAssociation + AuthentikVpcPrivateSubnet1DefaultRouteE7E61D7D: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: + Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B + RouteTableId: + Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/DefaultRoute + AuthentikVpcPrivateSubnet2Subnet6B8E7123: + Type: AWS::EC2::Subnet + Properties: + AvailabilityZone: + Fn::Select: + - 1 + - Fn::GetAZs: "" + CidrBlock: 10.0.192.0/18 + MapPublicIpOnLaunch: false + Tags: + - Key: aws-cdk:subnet-name + Value: Private + - Key: aws-cdk:subnet-type + Value: Private + - Key: Name + Value: AuthentikStack/AuthentikVpc/PrivateSubnet2 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/Subnet + AuthentikVpcPrivateSubnet2RouteTable472C2F26: + Type: AWS::EC2::RouteTable + Properties: + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc/PrivateSubnet2 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTable + AuthentikVpcPrivateSubnet2RouteTableAssociation0276EED3: + Type: AWS::EC2::SubnetRouteTableAssociation + Properties: + RouteTableId: + Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26 + SubnetId: + Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTableAssociation + 
AuthentikVpcPrivateSubnet2DefaultRouteB93D7A74: + Type: AWS::EC2::Route + Properties: + DestinationCidrBlock: 0.0.0.0/0 + NatGatewayId: + Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B + RouteTableId: + Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/DefaultRoute + AuthentikVpcIGW53CE5190: + Type: AWS::EC2::InternetGateway + Properties: + Tags: + - Key: Name + Value: AuthentikStack/AuthentikVpc + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/IGW + AuthentikVpcVPCGW65A49376: + Type: AWS::EC2::VPCGatewayAttachment + Properties: + InternetGatewayId: + Ref: AuthentikVpcIGW53CE5190 + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikVpc/VPCGW + DatabaseSG2A23C222: Type: AWS::EC2::SecurityGroup - AuthentikALBSecurityGrouptoAuthentikStackAuthentikSG23C19B2890000F200B23: + Properties: + GroupDescription: Security Group for authentik RDS PostgreSQL + SecurityGroupEgress: + - CidrIp: 0.0.0.0/0 + Description: Allow all outbound traffic by default + IpProtocol: "-1" + VpcId: + Ref: AuthentikVpcA1ABE6C2 Metadata: - aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/to AuthentikStackAuthentikSG23C19B28:9000 + aws:cdk:path: AuthentikStack/DatabaseSG/Resource + DatabaseSGfromAuthentikStackAuthentikSG23C19B28543226D9B076: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: Allow authentik to connect to RDS PostgreSQL + FromPort: 5432 + GroupId: + Fn::GetAtt: + - DatabaseSG2A23C222 + - GroupId + IpProtocol: tcp + SourceSecurityGroupId: + Fn::GetAtt: + - AuthentikSG3040E46F + - GroupId + ToPort: 5432 + Metadata: + aws:cdk:path: AuthentikStack/DatabaseSG/from AuthentikStackAuthentikSG23C19B28:5432 + RedisSGEA80AC17: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Security Group for authentik ElastiCache Redis + SecurityGroupEgress: + - CidrIp: 0.0.0.0/0 + Description: Allow all outbound traffic by default + IpProtocol: "-1" + 
VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/RedisSG/Resource + RedisSGfromAuthentikStackAuthentikSG23C19B2863790C4BCCDE: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: Allow authentik to connect to ElastiCache Redis + FromPort: 6379 + GroupId: + Fn::GetAtt: + - RedisSGEA80AC17 + - GroupId + IpProtocol: tcp + SourceSecurityGroupId: + Fn::GetAtt: + - AuthentikSG3040E46F + - GroupId + ToPort: 6379 + Metadata: + aws:cdk:path: AuthentikStack/RedisSG/from AuthentikStackAuthentikSG23C19B28:6379 + AuthentikSG3040E46F: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Security Group for authentik services + SecurityGroupEgress: + - CidrIp: 0.0.0.0/0 + Description: Allow all outbound traffic by default + IpProtocol: "-1" + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikSG/Resource + AuthentikSGfromAuthentikStackAuthentikALBSecurityGroup46E4D829900045771B43: + Type: AWS::EC2::SecurityGroupIngress Properties: Description: Load balancer to target - DestinationSecurityGroupId: - Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId FromPort: 9000 GroupId: Fn::GetAtt: - - AuthentikALBSecurityGroup2B18FEEF - - GroupId + - AuthentikSG3040E46F + - GroupId IpProtocol: tcp + SourceSecurityGroupId: + Fn::GetAtt: + - AuthentikALBSecurityGroup2B18FEEF + - GroupId ToPort: 9000 - Type: AWS::EC2::SecurityGroupEgress - AuthentikCluster54E596EF: Metadata: - aws:cdk:path: AuthentikStack/AuthentikCluster/Resource - Type: AWS::ECS::Cluster + aws:cdk:path: AuthentikStack/AuthentikSG/from AuthentikStackAuthentikALBSecurityGroup46E4D829:9000 + DBPassword67313E91: + Type: AWS::SecretsManager::Secret + Properties: + GenerateSecretString: + ExcludeCharacters: '"@/\' + GenerateStringKey: password + PasswordLength: 64 + SecretStringTemplate: '{"username": "authentik"}' + UpdateReplacePolicy: Delete + DeletionPolicy: Delete + Metadata: + aws:cdk:path: AuthentikStack/DBPassword/Resource + 
DBPasswordAttachmentAC350077: + Type: AWS::SecretsManager::SecretTargetAttachment + Properties: + SecretId: + Ref: DBPassword67313E91 + TargetId: + Ref: AuthentikDB6710DB92 + TargetType: AWS::RDS::DBInstance + Metadata: + aws:cdk:path: AuthentikStack/DBPassword/Attachment/Resource + AuthentikSecretKeyAC972960: + Type: AWS::SecretsManager::Secret + Properties: + GenerateSecretString: + ExcludeCharacters: '"@/\' + PasswordLength: 64 + UpdateReplacePolicy: Delete + DeletionPolicy: Delete + Metadata: + aws:cdk:path: AuthentikStack/AuthentikSecretKey/Resource + AuthentikDBSubnetGroup03A9E1C9: + Type: AWS::RDS::DBSubnetGroup + Properties: + DBSubnetGroupDescription: Subnet group for AuthentikDB database + SubnetIds: + - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDB/SubnetGroup/Default AuthentikDB6710DB92: - DeletionPolicy: Snapshot - Metadata: - aws:cdk:path: AuthentikStack/AuthentikDB/Resource + Type: AWS::RDS::DBInstance Properties: AllocatedStorage: Ref: DBStorage CopyTagsToSnapshot: true DBInstanceClass: Fn::Join: - - '' - - - db. - - Ref: DBInstanceType + - "" + - - db. + - Ref: DBInstanceType DBName: authentik DBSubnetGroupName: Ref: AuthentikDBSubnetGroup03A9E1C9 
@@ -194,124 +460,38 @@ Resources: Ref: DBVersion MasterUserPassword: Fn::Join: - - '' - - - '{{resolve:secretsmanager:' - - Ref: DBPassword67313E91 - - :SecretString:password::}} + - "" + - - "{{resolve:secretsmanager:" + - Ref: DBPassword67313E91 + - :SecretString:password::}} MasterUsername: Fn::Join: - - '' - - - '{{resolve:secretsmanager:' - - Ref: DBPassword67313E91 - - :SecretString:username::}} + - "" + - - "{{resolve:secretsmanager:" + - Ref: DBPassword67313E91 + - :SecretString:username::}} MultiAZ: true PubliclyAccessible: false StorageType: gp2 VPCSecurityGroups: - - Fn::GetAtt: - - DatabaseSG2A23C222 - - GroupId - Type: AWS::RDS::DBInstance + - Fn::GetAtt: + - DatabaseSG2A23C222 + - GroupId UpdateReplacePolicy: Snapshot - AuthentikDBSubnetGroup03A9E1C9: + DeletionPolicy: Snapshot Metadata: - aws:cdk:path: AuthentikStack/AuthentikDB/SubnetGroup/Default + aws:cdk:path: AuthentikStack/AuthentikDB/Resource + AuthentikRedisSubnetGroup: + Type: AWS::ElastiCache::SubnetGroup Properties: - DBSubnetGroupDescription: Subnet group for AuthentikDB database + Description: Subnet group for authentik ElastiCache Redis SubnetIds: - - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 - Type: AWS::RDS::DBSubnetGroup - AuthentikMediaEFS4AB06689: - DeletionPolicy: Retain + - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 Metadata: - aws:cdk:path: AuthentikStack/AuthentikMediaEFS/Resource - Properties: - Encrypted: true - FileSystemTags: - - Key: Name - Value: AuthentikStack/AuthentikMediaEFS - PerformanceMode: generalPurpose - ThroughputMode: bursting - Type: AWS::EFS::FileSystem - UpdateReplacePolicy: Retain - AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint/Resource - Properties: - AccessPointTags: - - Key: Name - Value: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint - 
FileSystemId: - Ref: AuthentikMediaEFS4AB06689 - PosixUser: - Gid: '1000' - Uid: '1000' - RootDirectory: - CreationInfo: - OwnerGid: '1000' - OwnerUid: '1000' - Permissions: '755' - Path: /media - Type: AWS::EFS::AccessPoint - AuthentikMediaEFSEfsMountTarget1D3A264C1: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget1 - Properties: - FileSystemId: - Ref: AuthentikMediaEFS4AB06689 - SecurityGroups: - - Fn::GetAtt: - - AuthentikMediaEFSSecurityGroup1840BA29 - - GroupId - SubnetId: - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - Type: AWS::EFS::MountTarget - AuthentikMediaEFSEfsMountTarget224E8D525: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget2 - Properties: - FileSystemId: - Ref: AuthentikMediaEFS4AB06689 - SecurityGroups: - - Fn::GetAtt: - - AuthentikMediaEFSSecurityGroup1840BA29 - - GroupId - SubnetId: - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 - Type: AWS::EFS::MountTarget - AuthentikMediaEFSSecurityGroup1840BA29: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/Resource - Properties: - GroupDescription: Security group for authentik media EFS - SecurityGroupEgress: - - CidrIp: 0.0.0.0/0 - Description: Allow all outbound traffic by default - IpProtocol: '-1' - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::SecurityGroup - AuthentikMediaEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B28204954496494: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049 - Properties: - Description: from AuthentikStackAuthentikSG23C19B28:2049 - FromPort: 2049 - GroupId: - Fn::GetAtt: - - AuthentikMediaEFSSecurityGroup1840BA29 - - GroupId - IpProtocol: tcp - SourceSecurityGroupId: - Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId - ToPort: 2049 - Type: AWS::EC2::SecurityGroupIngress + aws:cdk:path: AuthentikStack/AuthentikRedisSubnetGroup AuthentikRedis: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikRedis + Type: 
AWS::ElastiCache::ReplicationGroup Properties: AutomaticFailoverEnabled: true CacheNodeType: 
@@ -324,66 +504,283 @@ Resources: NumCacheClusters: 2 ReplicationGroupDescription: Redis cluster for authentik SecurityGroupIds: - - Fn::GetAtt: - - RedisSGEA80AC17 - - GroupId - Type: AWS::ElastiCache::ReplicationGroup - AuthentikRedisSubnetGroup: + - Fn::GetAtt: + - RedisSGEA80AC17 + - GroupId Metadata: - aws:cdk:path: AuthentikStack/AuthentikRedisSubnetGroup + aws:cdk:path: AuthentikStack/AuthentikRedis + AuthentikMediaEFSSecurityGroup1840BA29: + Type: AWS::EC2::SecurityGroup Properties: - Description: Subnet group for authentik ElastiCache Redis - SubnetIds: - - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 - Type: AWS::ElastiCache::SubnetGroup - AuthentikSG3040E46F: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikSG/Resource - Properties: - GroupDescription: Security Group for authentik services + GroupDescription: Security group for authentik media EFS SecurityGroupEgress: - - CidrIp: 0.0.0.0/0 - Description: Allow all outbound traffic by default - IpProtocol: '-1' + - CidrIp: 0.0.0.0/0 + Description: Allow all outbound traffic by default + IpProtocol: "-1" VpcId: Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::SecurityGroup - AuthentikSGfromAuthentikStackAuthentikALBSecurityGroup46E4D829900045771B43: Metadata: - aws:cdk:path: AuthentikStack/AuthentikSG/from AuthentikStackAuthentikALBSecurityGroup46E4D829:9000 + aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/Resource + AuthentikMediaEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B28204954496494: + Type: AWS::EC2::SecurityGroupIngress Properties: - Description: Load balancer to target - FromPort: 9000 + Description: from AuthentikStackAuthentikSG23C19B28:2049 + FromPort: 2049 GroupId: Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId + - AuthentikMediaEFSSecurityGroup1840BA29 + - GroupId IpProtocol: tcp SourceSecurityGroupId: Fn::GetAtt: - - AuthentikALBSecurityGroup2B18FEEF - - GroupId - ToPort: 9000 - Type: AWS::EC2::SecurityGroupIngress - 
AuthentikSecretKeyAC972960: - DeletionPolicy: Delete + - AuthentikSG3040E46F + - GroupId + ToPort: 2049 Metadata: - aws:cdk:path: AuthentikStack/AuthentikSecretKey/Resource + aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049 + AuthentikMediaEFS4AB06689: + Type: AWS::EFS::FileSystem Properties: - GenerateSecretString: - ExcludeCharacters: '"@/\' - PasswordLength: 64 - Type: AWS::SecretsManager::Secret - UpdateReplacePolicy: Delete - AuthentikServerService9C845914: - DependsOn: - - AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 - - AuthentikALBAuthentikHttpsListener34A9BF12 - - AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F - - AuthentikServerTaskTaskRole5BB06A73 + Encrypted: true + FileSystemTags: + - Key: Name + Value: AuthentikStack/AuthentikMediaEFS + PerformanceMode: generalPurpose + ThroughputMode: bursting + UpdateReplacePolicy: Retain + DeletionPolicy: Retain Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerService/Service + aws:cdk:path: AuthentikStack/AuthentikMediaEFS/Resource + AuthentikMediaEFSEfsMountTarget1D3A264C1: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: + Ref: AuthentikMediaEFS4AB06689 + SecurityGroups: + - Fn::GetAtt: + - AuthentikMediaEFSSecurityGroup1840BA29 + - GroupId + SubnetId: + Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget1 + AuthentikMediaEFSEfsMountTarget224E8D525: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: + Ref: AuthentikMediaEFS4AB06689 + SecurityGroups: + - Fn::GetAtt: + - AuthentikMediaEFSSecurityGroup1840BA29 + - GroupId + SubnetId: + Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget2 + AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7: + Type: AWS::EFS::AccessPoint + Properties: + AccessPointTags: + - Key: Name + Value: 
AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint + FileSystemId: + Ref: AuthentikMediaEFS4AB06689 + PosixUser: + Gid: "1000" + Uid: "1000" + RootDirectory: + CreationInfo: + OwnerGid: "1000" + OwnerUid: "1000" + Permissions: "755" + Path: /media + Metadata: + aws:cdk:path: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint/Resource + AuthentikCluster54E596EF: + Type: AWS::ECS::Cluster + Metadata: + aws:cdk:path: AuthentikStack/AuthentikCluster/Resource + AuthentikServerTaskTaskRole5BB06A73: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Version: "2012-10-17" + Metadata: + aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/Resource + AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F: + Type: AWS::IAM::Policy + Properties: + PolicyDocument: + Statement: + - Action: + - ssmmessages:CreateControlChannel + - ssmmessages:CreateDataChannel + - ssmmessages:OpenControlChannel + - ssmmessages:OpenDataChannel + Effect: Allow + Resource: "*" + - Action: logs:DescribeLogGroups + Effect: Allow + Resource: "*" + - Action: + - logs:CreateLogStream + - logs:DescribeLogStreams + - logs:PutLogEvents + Effect: Allow + Resource: "*" + Version: "2012-10-17" + PolicyName: AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F + Roles: + - Ref: AuthentikServerTaskTaskRole5BB06A73 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/DefaultPolicy/Resource + AuthentikServerTaskD2D47AE0: + Type: AWS::ECS::TaskDefinition + Properties: + ContainerDefinitions: + - Command: + - server + Environment: + - Name: AUTHENTIK_POSTGRESQL__HOST + Value: + Fn::GetAtt: + - AuthentikDB6710DB92 + - Endpoint.Address + - Name: AUTHENTIK_POSTGRESQL__USER + Value: authentik + - Name: AUTHENTIK_REDIS__HOST + Value: + Fn::GetAtt: + - AuthentikRedis + - PrimaryEndPoint.Address + Essential: true + HealthCheck: + Command: + - CMD + - ak + - healthcheck + 
Interval: 30 + Retries: 3 + StartPeriod: 60 + Timeout: 30 + Image: + Fn::Join: + - "" + - - Ref: AuthentikImage + - ":" + - Ref: AuthentikVersion + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: + Ref: AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881 + awslogs-stream-prefix: authentik-server + awslogs-region: + Ref: AWS::Region + MountPoints: + - ContainerPath: /media + ReadOnly: false + SourceVolume: media + Name: AuthentikServerContainer + PortMappings: + - ContainerPort: 9000 + Protocol: tcp + RestartPolicy: + Enabled: true + Secrets: + - Name: AUTHENTIK_POSTGRESQL__PASSWORD + ValueFrom: + Fn::Join: + - "" + - - Ref: DBPassword67313E91 + - ":password::" + - Name: AUTHENTIK_SECRET_KEY + ValueFrom: + Ref: AuthentikSecretKeyAC972960 + Cpu: + Ref: AuthentikServerCPU + ExecutionRoleArn: + Fn::GetAtt: + - AuthentikServerTaskExecutionRole053E3BF5 + - Arn + Family: AuthentikStackAuthentikServerTask23085F62 + Memory: + Ref: AuthentikServerMemory + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + TaskRoleArn: + Fn::GetAtt: + - AuthentikServerTaskTaskRole5BB06A73 + - Arn + Volumes: + - EFSVolumeConfiguration: + AuthorizationConfig: + AccessPointId: + Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7 + IAM: ENABLED + FilesystemId: + Ref: AuthentikMediaEFS4AB06689 + TransitEncryption: ENABLED + Name: media + Metadata: + aws:cdk:path: AuthentikStack/AuthentikServerTask/Resource + AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881: + Type: AWS::Logs::LogGroup + UpdateReplacePolicy: Retain + DeletionPolicy: Retain + Metadata: + aws:cdk:path: AuthentikStack/AuthentikServerTask/AuthentikServerContainer/LogGroup/Resource + AuthentikServerTaskExecutionRole053E3BF5: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Version: "2012-10-17" + Metadata: + aws:cdk:path: 
AuthentikStack/AuthentikServerTask/ExecutionRole/Resource + AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030: + Type: AWS::IAM::Policy + Properties: + PolicyDocument: + Statement: + - Action: + - logs:CreateLogStream + - logs:PutLogEvents + Effect: Allow + Resource: + Fn::GetAtt: + - AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881 + - Arn + - Action: + - secretsmanager:GetSecretValue + - secretsmanager:DescribeSecret + Effect: Allow + Resource: + Ref: DBPassword67313E91 + - Action: + - secretsmanager:GetSecretValue + - secretsmanager:DescribeSecret + Effect: Allow + Resource: + Ref: AuthentikSecretKeyAC972960 + Version: "2012-10-17" + PolicyName: AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030 + Roles: + - Ref: AuthentikServerTaskExecutionRole053E3BF5 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/DefaultPolicy/Resource + AuthentikServerService9C845914: + Type: AWS::ECS::Service Properties: Cluster: Ref: AuthentikCluster54E596EF 
@@ -401,463 +798,207 @@ Resources: HealthCheckGracePeriodSeconds: 60 LaunchType: FARGATE LoadBalancers: - - ContainerName: AuthentikServerContainer - ContainerPort: 9000 - TargetGroupArn: - Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 + - ContainerName: AuthentikServerContainer + ContainerPort: 9000 + TargetGroupArn: + Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 NetworkConfiguration: AwsvpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: - - Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId + - Fn::GetAtt: + - AuthentikSG3040E46F + - GroupId Subnets: - - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 + - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 TaskDefinition: Ref: AuthentikServerTaskD2D47AE0 - Type: AWS::ECS::Service - AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881: - DeletionPolicy: Retain + DependsOn: + - AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 + - AuthentikALBAuthentikHttpsListener34A9BF12 + - AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F + - AuthentikServerTaskTaskRole5BB06A73 Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerTask/AuthentikServerContainer/LogGroup/Resource - Type: AWS::Logs::LogGroup - UpdateReplacePolicy: Retain - AuthentikServerTaskD2D47AE0: + aws:cdk:path: AuthentikStack/AuthentikServerService/Service + AuthentikWorkerTaskTaskRole87C41589: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Version: "2012-10-17" Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerTask/Resource + aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/Resource + AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D: + Type: AWS::IAM::Policy + Properties: + PolicyDocument: + Statement: + - Action: + - 
ssmmessages:CreateControlChannel + - ssmmessages:CreateDataChannel + - ssmmessages:OpenControlChannel + - ssmmessages:OpenDataChannel + Effect: Allow + Resource: "*" + - Action: logs:DescribeLogGroups + Effect: Allow + Resource: "*" + - Action: + - logs:CreateLogStream + - logs:DescribeLogStreams + - logs:PutLogEvents + Effect: Allow + Resource: "*" + Version: "2012-10-17" + PolicyName: AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D + Roles: + - Ref: AuthentikWorkerTaskTaskRole87C41589 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/DefaultPolicy/Resource + AuthentikWorkerTaskF8F277C5: + Type: AWS::ECS::TaskDefinition Properties: ContainerDefinitions: - - Command: - - server - Environment: - - Name: AUTHENTIK_POSTGRESQL__HOST - Value: - Fn::GetAtt: - - AuthentikDB6710DB92 - - Endpoint.Address - - Name: AUTHENTIK_POSTGRESQL__USER - Value: authentik - - Name: AUTHENTIK_REDIS__HOST - Value: - Fn::GetAtt: - - AuthentikRedis - - PrimaryEndPoint.Address - Essential: true - HealthCheck: - Command: - - CMD - - ak - - healthcheck - Interval: 30 - Retries: 3 - StartPeriod: 60 - Timeout: 30 - Image: - Fn::Join: - - '' - - - Ref: AuthentikImage - - ':' - - Ref: AuthentikVersion - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: - Ref: AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881 - awslogs-region: - Ref: AWS::Region - awslogs-stream-prefix: authentik-server - MountPoints: - - ContainerPath: /media - ReadOnly: false - SourceVolume: media - Name: AuthentikServerContainer - PortMappings: - - ContainerPort: 9000 - Protocol: tcp - RestartPolicy: - Enabled: true - Secrets: - - Name: AUTHENTIK_POSTGRESQL__PASSWORD - ValueFrom: + - Command: + - worker + Environment: + - Name: AUTHENTIK_POSTGRESQL__HOST + Value: + Fn::GetAtt: + - AuthentikDB6710DB92 + - Endpoint.Address + - Name: AUTHENTIK_POSTGRESQL__USER + Value: authentik + - Name: AUTHENTIK_REDIS__HOST + Value: + Fn::GetAtt: + - AuthentikRedis + - PrimaryEndPoint.Address + 
Essential: true + HealthCheck: + Command: + - CMD + - ak + - healthcheck + Interval: 30 + Retries: 3 + StartPeriod: 60 + Timeout: 30 + Image: Fn::Join: - - '' - - - Ref: DBPassword67313E91 - - ':password::' - - Name: AUTHENTIK_SECRET_KEY - ValueFrom: - Ref: AuthentikSecretKeyAC972960 + - "" + - - Ref: AuthentikImage + - ":" + - Ref: AuthentikVersion + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: + Ref: AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC + awslogs-stream-prefix: authentik-worker + awslogs-region: + Ref: AWS::Region + MountPoints: + - ContainerPath: /media + ReadOnly: false + SourceVolume: media + Name: AuthentikWorkerContainer + RestartPolicy: + Enabled: true + Secrets: + - Name: AUTHENTIK_POSTGRESQL__PASSWORD + ValueFrom: + Fn::Join: + - "" + - - Ref: DBPassword67313E91 + - ":password::" + - Name: AUTHENTIK_SECRET_KEY + ValueFrom: + Ref: AuthentikSecretKeyAC972960 Cpu: - Ref: AuthentikServerCPU + Ref: AuthentikWorkerCPU ExecutionRoleArn: Fn::GetAtt: - - AuthentikServerTaskExecutionRole053E3BF5 - - Arn - Family: AuthentikStackAuthentikServerTask23085F62 + - AuthentikWorkerTaskExecutionRole2E56865A + - Arn + Family: AuthentikStackAuthentikWorkerTask6C7D4E77 Memory: - Ref: AuthentikServerMemory + Ref: AuthentikWorkerMemory NetworkMode: awsvpc RequiresCompatibilities: - - FARGATE + - FARGATE TaskRoleArn: Fn::GetAtt: - - AuthentikServerTaskTaskRole5BB06A73 - - Arn + - AuthentikWorkerTaskTaskRole87C41589 + - Arn Volumes: - - EFSVolumeConfiguration: - AuthorizationConfig: - AccessPointId: - Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7 - IAM: ENABLED - FilesystemId: - Ref: AuthentikMediaEFS4AB06689 - TransitEncryption: ENABLED - Name: media - Type: AWS::ECS::TaskDefinition - AuthentikServerTaskExecutionRole053E3BF5: + - EFSVolumeConfiguration: + AuthorizationConfig: + AccessPointId: + Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7 + IAM: ENABLED + FilesystemId: + Ref: AuthentikMediaEFS4AB06689 + 
TransitEncryption: ENABLED + Name: media Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/Resource + aws:cdk:path: AuthentikStack/AuthentikWorkerTask/Resource + AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC: + Type: AWS::Logs::LogGroup + UpdateReplacePolicy: Retain + DeletionPolicy: Retain + Metadata: + aws:cdk:path: AuthentikStack/AuthentikWorkerTask/AuthentikWorkerContainer/LogGroup/Resource + AuthentikWorkerTaskExecutionRole2E56865A: + Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - - Action: sts:AssumeRole - Effect: Allow - Principal: - Service: ecs-tasks.amazonaws.com - Version: '2012-10-17' - Type: AWS::IAM::Role - AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030: + - Action: sts:AssumeRole + Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Version: "2012-10-17" Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/DefaultPolicy/Resource + aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/Resource + AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8: + Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - - Action: - - logs:CreateLogStream - - logs:PutLogEvents - Effect: Allow - Resource: - Fn::GetAtt: - - AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881 - - Arn - - Action: - - secretsmanager:GetSecretValue - - secretsmanager:DescribeSecret - Effect: Allow - Resource: - Ref: DBPassword67313E91 - - Action: - - secretsmanager:GetSecretValue - - secretsmanager:DescribeSecret - Effect: Allow - Resource: - Ref: AuthentikSecretKeyAC972960 - Version: '2012-10-17' - PolicyName: AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030 + - Action: + - logs:CreateLogStream + - logs:PutLogEvents + Effect: Allow + Resource: + Fn::GetAtt: + - AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC + - Arn + - Action: + - secretsmanager:GetSecretValue + - secretsmanager:DescribeSecret + Effect: Allow + Resource: + Ref: 
DBPassword67313E91 + - Action: + - secretsmanager:GetSecretValue + - secretsmanager:DescribeSecret + Effect: Allow + Resource: + Ref: AuthentikSecretKeyAC972960 + Version: "2012-10-17" + PolicyName: AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8 Roles: - - Ref: AuthentikServerTaskExecutionRole053E3BF5 - Type: AWS::IAM::Policy - AuthentikServerTaskTaskRole5BB06A73: + - Ref: AuthentikWorkerTaskExecutionRole2E56865A Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/Resource - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: sts:AssumeRole - Effect: Allow - Principal: - Service: ecs-tasks.amazonaws.com - Version: '2012-10-17' - Type: AWS::IAM::Role - AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/DefaultPolicy/Resource - Properties: - PolicyDocument: - Statement: - - Action: - - ssmmessages:CreateControlChannel - - ssmmessages:CreateDataChannel - - ssmmessages:OpenControlChannel - - ssmmessages:OpenDataChannel - Effect: Allow - Resource: '*' - - Action: logs:DescribeLogGroups - Effect: Allow - Resource: '*' - - Action: - - logs:CreateLogStream - - logs:DescribeLogStreams - - logs:PutLogEvents - Effect: Allow - Resource: '*' - Version: '2012-10-17' - PolicyName: AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F - Roles: - - Ref: AuthentikServerTaskTaskRole5BB06A73 - Type: AWS::IAM::Policy - AuthentikVpcA1ABE6C2: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/Resource - Properties: - CidrBlock: 10.0.0.0/16 - EnableDnsHostnames: true - EnableDnsSupport: true - InstanceTenancy: default - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc - Type: AWS::EC2::VPC - AuthentikVpcIGW53CE5190: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/IGW - Properties: - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc - Type: AWS::EC2::InternetGateway - AuthentikVpcPrivateSubnet1DefaultRouteE7E61D7D: - Metadata: - aws:cdk:path: 
AuthentikStack/AuthentikVpc/PrivateSubnet1/DefaultRoute - Properties: - DestinationCidrBlock: 0.0.0.0/0 - NatGatewayId: - Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B - RouteTableId: - Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15 - Type: AWS::EC2::Route - AuthentikVpcPrivateSubnet1RouteTable865DCC15: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTable - Properties: - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc/PrivateSubnet1 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::RouteTable - AuthentikVpcPrivateSubnet1RouteTableAssociationBBA42BB3: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTableAssociation - Properties: - RouteTableId: - Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15 - SubnetId: - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - Type: AWS::EC2::SubnetRouteTableAssociation - AuthentikVpcPrivateSubnet1Subnet6748EEA3: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/Subnet - Properties: - AvailabilityZone: - Fn::Select: - - 0 - - Fn::GetAZs: '' - CidrBlock: 10.0.128.0/18 - MapPublicIpOnLaunch: false - Tags: - - Key: aws-cdk:subnet-name - Value: Private - - Key: aws-cdk:subnet-type - Value: Private - - Key: Name - Value: AuthentikStack/AuthentikVpc/PrivateSubnet1 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::Subnet - AuthentikVpcPrivateSubnet2DefaultRouteB93D7A74: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/DefaultRoute - Properties: - DestinationCidrBlock: 0.0.0.0/0 - NatGatewayId: - Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B - RouteTableId: - Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26 - Type: AWS::EC2::Route - AuthentikVpcPrivateSubnet2RouteTable472C2F26: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTable - Properties: - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc/PrivateSubnet2 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::RouteTable - 
AuthentikVpcPrivateSubnet2RouteTableAssociation0276EED3: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTableAssociation - Properties: - RouteTableId: - Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26 - SubnetId: - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 - Type: AWS::EC2::SubnetRouteTableAssociation - AuthentikVpcPrivateSubnet2Subnet6B8E7123: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/Subnet - Properties: - AvailabilityZone: - Fn::Select: - - 1 - - Fn::GetAZs: '' - CidrBlock: 10.0.192.0/18 - MapPublicIpOnLaunch: false - Tags: - - Key: aws-cdk:subnet-name - Value: Private - - Key: aws-cdk:subnet-type - Value: Private - - Key: Name - Value: AuthentikStack/AuthentikVpc/PrivateSubnet2 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::Subnet - AuthentikVpcPublicSubnet1DefaultRoute90C4189A: - DependsOn: - - AuthentikVpcVPCGW65A49376 - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/DefaultRoute - Properties: - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: - Ref: AuthentikVpcIGW53CE5190 - RouteTableId: - Ref: AuthentikVpcPublicSubnet1RouteTable142C1454 - Type: AWS::EC2::Route - AuthentikVpcPublicSubnet1EIP2A4626A0: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/EIP - Properties: - Domain: vpc - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc/PublicSubnet1 - Type: AWS::EC2::EIP - AuthentikVpcPublicSubnet1NATGatewayEBF2B25B: - DependsOn: - - AuthentikVpcPublicSubnet1DefaultRoute90C4189A - - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/NATGateway - Properties: - AllocationId: - Fn::GetAtt: - - AuthentikVpcPublicSubnet1EIP2A4626A0 - - AllocationId - SubnetId: - Ref: AuthentikVpcPublicSubnet1Subnet0C75862A - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc/PublicSubnet1 - Type: AWS::EC2::NatGateway - AuthentikVpcPublicSubnet1RouteTable142C1454: - Metadata: - aws:cdk:path: 
AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTable - Properties: - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc/PublicSubnet1 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::RouteTable - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTableAssociation - Properties: - RouteTableId: - Ref: AuthentikVpcPublicSubnet1RouteTable142C1454 - SubnetId: - Ref: AuthentikVpcPublicSubnet1Subnet0C75862A - Type: AWS::EC2::SubnetRouteTableAssociation - AuthentikVpcPublicSubnet1Subnet0C75862A: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/Subnet - Properties: - AvailabilityZone: - Fn::Select: - - 0 - - Fn::GetAZs: '' - CidrBlock: 10.0.0.0/18 - MapPublicIpOnLaunch: true - Tags: - - Key: aws-cdk:subnet-name - Value: Public - - Key: aws-cdk:subnet-type - Value: Public - - Key: Name - Value: AuthentikStack/AuthentikVpc/PublicSubnet1 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::Subnet - AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA: - DependsOn: - - AuthentikVpcVPCGW65A49376 - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/DefaultRoute - Properties: - DestinationCidrBlock: 0.0.0.0/0 - GatewayId: - Ref: AuthentikVpcIGW53CE5190 - RouteTableId: - Ref: AuthentikVpcPublicSubnet2RouteTableF486229B - Type: AWS::EC2::Route - AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTableAssociation - Properties: - RouteTableId: - Ref: AuthentikVpcPublicSubnet2RouteTableF486229B - SubnetId: - Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B - Type: AWS::EC2::SubnetRouteTableAssociation - AuthentikVpcPublicSubnet2RouteTableF486229B: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTable - Properties: - Tags: - - Key: Name - Value: AuthentikStack/AuthentikVpc/PublicSubnet2 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::RouteTable - 
AuthentikVpcPublicSubnet2Subnet4DFAFA5B: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/Subnet - Properties: - AvailabilityZone: - Fn::Select: - - 1 - - Fn::GetAZs: '' - CidrBlock: 10.0.64.0/18 - MapPublicIpOnLaunch: true - Tags: - - Key: aws-cdk:subnet-name - Value: Public - - Key: aws-cdk:subnet-type - Value: Public - - Key: Name - Value: AuthentikStack/AuthentikVpc/PublicSubnet2 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::Subnet - AuthentikVpcVPCGW65A49376: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikVpc/VPCGW - Properties: - InternetGatewayId: - Ref: AuthentikVpcIGW53CE5190 - VpcId: - Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::VPCGatewayAttachment + aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/DefaultPolicy/Resource AuthentikWorkerService629E37E2: - DependsOn: - - AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D - - AuthentikWorkerTaskTaskRole87C41589 - Metadata: - aws:cdk:path: AuthentikStack/AuthentikWorkerService/Service + Type: AWS::ECS::Service Properties: Cluster: Ref: AuthentikCluster54E596EF 
@@ -877,268 +1018,127 @@ Resources: AwsvpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: - - Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId + - Fn::GetAtt: + - AuthentikSG3040E46F + - GroupId Subnets: - - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 + - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 TaskDefinition: Ref: AuthentikWorkerTaskF8F277C5 - Type: AWS::ECS::Service - AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC: - DeletionPolicy: Retain + DependsOn: + - AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D + - AuthentikWorkerTaskTaskRole87C41589 Metadata: - aws:cdk:path: AuthentikStack/AuthentikWorkerTask/AuthentikWorkerContainer/LogGroup/Resource - Type: AWS::Logs::LogGroup - UpdateReplacePolicy: Retain - AuthentikWorkerTaskExecutionRole2E56865A: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/Resource + aws:cdk:path: AuthentikStack/AuthentikWorkerService/Service + AuthentikALB992EAB01: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: - AssumeRolePolicyDocument: - Statement: - - Action: sts:AssumeRole - Effect: Allow - Principal: - Service: ecs-tasks.amazonaws.com - Version: '2012-10-17' - Type: AWS::IAM::Role - AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8: + LoadBalancerAttributes: + - Key: deletion_protection.enabled + Value: "false" + Scheme: internet-facing + SecurityGroups: + - Fn::GetAtt: + - AuthentikALBSecurityGroup2B18FEEF + - GroupId + Subnets: + - Ref: AuthentikVpcPublicSubnet1Subnet0C75862A + - Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B + Type: application + DependsOn: + - AuthentikVpcPublicSubnet1DefaultRoute90C4189A + - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C + - AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA + - AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26 Metadata: - aws:cdk:path: 
AuthentikStack/AuthentikWorkerTask/ExecutionRole/DefaultPolicy/Resource + aws:cdk:path: AuthentikStack/AuthentikALB/Resource + AuthentikALBSecurityGroup2B18FEEF: + Type: AWS::EC2::SecurityGroup Properties: - PolicyDocument: - Statement: - - Action: - - logs:CreateLogStream - - logs:PutLogEvents - Effect: Allow - Resource: - Fn::GetAtt: - - AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC - - Arn - - Action: - - secretsmanager:GetSecretValue - - secretsmanager:DescribeSecret - Effect: Allow - Resource: - Ref: DBPassword67313E91 - - Action: - - secretsmanager:GetSecretValue - - secretsmanager:DescribeSecret - Effect: Allow - Resource: - Ref: AuthentikSecretKeyAC972960 - Version: '2012-10-17' - PolicyName: AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8 - Roles: - - Ref: AuthentikWorkerTaskExecutionRole2E56865A - Type: AWS::IAM::Policy - AuthentikWorkerTaskF8F277C5: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikWorkerTask/Resource - Properties: - ContainerDefinitions: - - Command: - - worker - Environment: - - Name: AUTHENTIK_POSTGRESQL__HOST - Value: - Fn::GetAtt: - - AuthentikDB6710DB92 - - Endpoint.Address - - Name: AUTHENTIK_POSTGRESQL__USER - Value: authentik - - Name: AUTHENTIK_REDIS__HOST - Value: - Fn::GetAtt: - - AuthentikRedis - - PrimaryEndPoint.Address - Essential: true - HealthCheck: - Command: - - CMD - - ak - - healthcheck - Interval: 30 - Retries: 3 - StartPeriod: 60 - Timeout: 30 - Image: - Fn::Join: - - '' - - - Ref: AuthentikImage - - ':' - - Ref: AuthentikVersion - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: - Ref: AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC - awslogs-region: - Ref: AWS::Region - awslogs-stream-prefix: authentik-worker - MountPoints: - - ContainerPath: /media - ReadOnly: false - SourceVolume: media - Name: AuthentikWorkerContainer - RestartPolicy: - Enabled: true - Secrets: - - Name: AUTHENTIK_POSTGRESQL__PASSWORD - ValueFrom: - Fn::Join: - - '' - - - Ref: 
DBPassword67313E91 - - ':password::' - - Name: AUTHENTIK_SECRET_KEY - ValueFrom: - Ref: AuthentikSecretKeyAC972960 - Cpu: - Ref: AuthentikWorkerCPU - ExecutionRoleArn: - Fn::GetAtt: - - AuthentikWorkerTaskExecutionRole2E56865A - - Arn - Family: AuthentikStackAuthentikWorkerTask6C7D4E77 - Memory: - Ref: AuthentikWorkerMemory - NetworkMode: awsvpc - RequiresCompatibilities: - - FARGATE - TaskRoleArn: - Fn::GetAtt: - - AuthentikWorkerTaskTaskRole87C41589 - - Arn - Volumes: - - EFSVolumeConfiguration: - AuthorizationConfig: - AccessPointId: - Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7 - IAM: ENABLED - FilesystemId: - Ref: AuthentikMediaEFS4AB06689 - TransitEncryption: ENABLED - Name: media - Type: AWS::ECS::TaskDefinition - AuthentikWorkerTaskTaskRole87C41589: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/Resource - Properties: - AssumeRolePolicyDocument: - Statement: - - Action: sts:AssumeRole - Effect: Allow - Principal: - Service: ecs-tasks.amazonaws.com - Version: '2012-10-17' - Type: AWS::IAM::Role - AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D: - Metadata: - aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/DefaultPolicy/Resource - Properties: - PolicyDocument: - Statement: - - Action: - - ssmmessages:CreateControlChannel - - ssmmessages:CreateDataChannel - - ssmmessages:OpenControlChannel - - ssmmessages:OpenDataChannel - Effect: Allow - Resource: '*' - - Action: logs:DescribeLogGroups - Effect: Allow - Resource: '*' - - Action: - - logs:CreateLogStream - - logs:DescribeLogStreams - - logs:PutLogEvents - Effect: Allow - Resource: '*' - Version: '2012-10-17' - PolicyName: AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D - Roles: - - Ref: AuthentikWorkerTaskTaskRole87C41589 - Type: AWS::IAM::Policy - DBPassword67313E91: - DeletionPolicy: Delete - Metadata: - aws:cdk:path: AuthentikStack/DBPassword/Resource - Properties: - GenerateSecretString: - ExcludeCharacters: '"@/\' - GenerateStringKey: password - 
PasswordLength: 64 - SecretStringTemplate: '{"username": "authentik"}' - Type: AWS::SecretsManager::Secret - UpdateReplacePolicy: Delete - DBPasswordAttachmentAC350077: - Metadata: - aws:cdk:path: AuthentikStack/DBPassword/Attachment/Resource - Properties: - SecretId: - Ref: DBPassword67313E91 - TargetId: - Ref: AuthentikDB6710DB92 - TargetType: AWS::RDS::DBInstance - Type: AWS::SecretsManager::SecretTargetAttachment - DatabaseSG2A23C222: - Metadata: - aws:cdk:path: AuthentikStack/DatabaseSG/Resource - Properties: - GroupDescription: Security Group for authentik RDS PostgreSQL - SecurityGroupEgress: - - CidrIp: 0.0.0.0/0 - Description: Allow all outbound traffic by default - IpProtocol: '-1' + GroupDescription: Automatically created Security Group for ELB AuthentikStackAuthentikALB07C6B2CD + SecurityGroupIngress: + - CidrIp: 0.0.0.0/0 + Description: Allow from anyone on port 80 + FromPort: 80 + IpProtocol: tcp + ToPort: 80 + - CidrIp: 0.0.0.0/0 + Description: Allow from anyone on port 443 + FromPort: 443 + IpProtocol: tcp + ToPort: 443 VpcId: Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::SecurityGroup - DatabaseSGfromAuthentikStackAuthentikSG23C19B28543226D9B076: Metadata: - aws:cdk:path: AuthentikStack/DatabaseSG/from AuthentikStackAuthentikSG23C19B28:5432 + aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/Resource + AuthentikALBSecurityGrouptoAuthentikStackAuthentikSG23C19B2890000F200B23: + Type: AWS::EC2::SecurityGroupEgress Properties: - Description: Allow authentik to connect to RDS PostgreSQL - FromPort: 5432 + Description: Load balancer to target + DestinationSecurityGroupId: + Fn::GetAtt: + - AuthentikSG3040E46F + - GroupId + FromPort: 9000 GroupId: Fn::GetAtt: - - DatabaseSG2A23C222 - - GroupId + - AuthentikALBSecurityGroup2B18FEEF + - GroupId IpProtocol: tcp - SourceSecurityGroupId: - Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId - ToPort: 5432 - Type: AWS::EC2::SecurityGroupIngress - RedisSGEA80AC17: + ToPort: 9000 Metadata: - aws:cdk:path: 
AuthentikStack/RedisSG/Resource + aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/to AuthentikStackAuthentikSG23C19B28:9000 + AuthentikALBAuthentikHttpListener6825393B: + Type: AWS::ElasticLoadBalancingV2::Listener Properties: - GroupDescription: Security Group for authentik ElastiCache Redis - SecurityGroupEgress: - - CidrIp: 0.0.0.0/0 - Description: Allow all outbound traffic by default - IpProtocol: '-1' + DefaultActions: + - RedirectConfig: + Protocol: HTTPS + StatusCode: HTTP_301 + Type: redirect + LoadBalancerArn: + Ref: AuthentikALB992EAB01 + Port: 80 + Protocol: HTTP + Metadata: + aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpListener/Resource + AuthentikALBAuthentikHttpsListener34A9BF12: + Type: AWS::ElasticLoadBalancingV2::Listener + Properties: + Certificates: + - CertificateArn: + Ref: CertificateARN + DefaultActions: + - TargetGroupArn: + Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 + Type: forward + LoadBalancerArn: + Ref: AuthentikALB992EAB01 + Port: 443 + Protocol: HTTPS + Metadata: + aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/Resource + AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479: + Type: AWS::ElasticLoadBalancingV2::TargetGroup + Properties: + HealthCheckPath: /-/health/live/ + Matcher: + HttpCode: "200" + Port: 9000 + Protocol: HTTP + TargetGroupAttributes: + - Key: stickiness.enabled + Value: "false" + TargetType: ip VpcId: Ref: AuthentikVpcA1ABE6C2 - Type: AWS::EC2::SecurityGroup - RedisSGfromAuthentikStackAuthentikSG23C19B2863790C4BCCDE: Metadata: - aws:cdk:path: AuthentikStack/RedisSG/from AuthentikStackAuthentikSG23C19B28:6379 - Properties: - Description: Allow authentik to connect to ElastiCache Redis - FromPort: 6379 - GroupId: - Fn::GetAtt: - - RedisSGEA80AC17 - - GroupId - IpProtocol: tcp - SourceSecurityGroupId: - Fn::GetAtt: - - AuthentikSG3040E46F - - GroupId - ToPort: 6379 - Type: AWS::EC2::SecurityGroupIngress + aws:cdk:path: 
AuthentikStack/AuthentikALB/AuthentikHttpsListener/AuthentikServerTargetGroup/Resource +Outputs: + LoadBalancerDNS: + Value: + Fn::GetAtt: + - AuthentikALB992EAB01 + - DNSName + diff --git a/website/.prettierignore b/website/.prettierignore index b23d455463..4b64495ddc 100644 --- a/website/.prettierignore +++ b/website/.prettierignore @@ -5,5 +5,3 @@ coverage node_modules help static -docs/install-config/install/aws/template.yaml -docs/install-config/install/aws/cdk.out diff --git a/website/docs/install-config/install/aws/index.md b/website/docs/install-config/install/aws.md similarity index 94% rename from website/docs/install-config/install/aws/index.md rename to website/docs/install-config/install/aws.md index 48c949adff..fca6ade314 100644 --- a/website/docs/install-config/install/aws/index.md +++ b/website/docs/install-config/install/aws.md @@ -31,4 +31,4 @@ The stack will output the endpoint of the ALB that to which you can point your D ### Further customization -If you require further customization, we recommend you install authentik via [Docker Compose](../docker-compose.mdx) or [Kubernetes](../kubernetes.md). +If you require further customization, we recommend you install authentik via [Docker Compose](./docker-compose.mdx) or [Kubernetes](./kubernetes.md). diff --git a/website/docs/install-config/install/aws/.gitignore b/website/docs/install-config/install/aws/.gitignore deleted file mode 100644 index b5b74b15f3..0000000000 --- a/website/docs/install-config/install/aws/.gitignore +++ /dev/null @@ -1 +0,0 @@ -cdk.out diff --git a/website/docs/install-config/install/aws/fix_template.py b/website/docs/install-config/install/aws/fix_template.py deleted file mode 100755 index fcdbc565ab..0000000000 --- a/website/docs/install-config/install/aws/fix_template.py +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/usr/bin/env python3 - -import yaml - -with open("template.yaml") as file: - template = yaml.safe_load(file) - del template["Conditions"]["CDKMetadataAvailable"] - del template["Parameters"]["BootstrapVersion"] - del template["Resources"]["CDKMetadata"] -with open("template.yaml", "w") as file: - yaml.dump(template, file) diff --git a/website/docs/releases/2024/v2024.12.md b/website/docs/releases/2024/v2024.12.md index 7861a005d9..5766f83003 100644 --- a/website/docs/releases/2024/v2024.12.md +++ b/website/docs/releases/2024/v2024.12.md @@ -42,7 +42,7 @@ slug: "/releases/2024.12" - **CloudFormation** Preview - Deploy authentik in your own AWS environment with one click using our new [AWS CloudFormation template](../../install-config/install/aws/index.md). + Deploy authentik in your own AWS environment with one click using our new [AWS CloudFormation template](../../install-config/install/aws.md). - **OAuth2 provider federation** diff --git a/website/package-lock.json b/website/package-lock.json index ee11d390d5..05c388e3e5 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -35,7 +35,6 @@ "@docusaurus/tsconfig": "^3.7.0", "@docusaurus/types": "^3.3.2", "@types/react": "^18.3.13", - "aws-cdk": "^2.176.0", "cross-env": "^7.0.3", "prettier": "3.4.2", "typescript": "~5.7.3", 
@@ -5714,36 +5713,6 @@ "url": "https://github.com/sponsors/ljharb" } }, - "node_modules/aws-cdk": { - "version": "2.176.0", - "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.176.0.tgz", - "integrity": "sha512-yRjIXzK2ddznwuSjasWAViYBtBSQbEu6GHlylaC3GHsIUPhrK3KguqIuhdlxjMeiQ1Fvok8REDLCReZJdrSLLg==", - "dev": true, - "bin": { - "cdk": "bin/cdk" - }, - "engines": { - "node": ">= 14.15.0" - }, - "optionalDependencies": { - "fsevents": "2.3.2" - } - }, - "node_modules/aws-cdk/node_modules/fsevents": { - "version": "2.3.2", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz", - "integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==", - "dev": true, - "hasInstallScript": true, - "license": "MIT", - "optional": true, - "os": [ - "darwin" - ], - "engines": { - "node": "^8.16.0 || ^10.6.0 || >=11.0.0" - } - }, "node_modules/babel-loader": { "version": "9.2.1", "resolved": "https://registry.npmjs.org/babel-loader/-/babel-loader-9.2.1.tgz", diff --git a/website/package.json b/website/package.json index 7e63a1b45e..ed865d0346 100644 --- a/website/package.json +++ b/website/package.json @@ -4,7 +4,6 @@ "private": true, "license": "MIT", "scripts": { - "aws-cfn": "cd docs/install-config/install/aws && cdk synth > template.yaml && ./fix_template.py", "build": "cp ../docker-compose.yml static/docker-compose.yml && cp ../schema.yml static/schema.yaml && docusaurus gen-api-docs all && cross-env NODE_OPTIONS='--max_old_space_size=65536' docusaurus build", "build-bundled": "cp ../schema.yml static/schema.yaml && docusaurus gen-api-docs all && cross-env NODE_OPTIONS='--max_old_space_size=65536' docusaurus build", "deploy": "docusaurus deploy", @@ -56,7 +55,6 @@ "@docusaurus/tsconfig": "^3.7.0", "@docusaurus/types": "^3.3.2", "@types/react": "^18.3.13", - "aws-cdk": "^2.176.0", "cross-env": "^7.0.3", "prettier": "3.4.2", "typescript": "~5.7.3", 
diff --git a/website/sidebars.js b/website/sidebars.js
index ac3f041aad..cb0598d7f4 100644
--- a/website/sidebars.js
+++ b/website/sidebars.js
@@ -98,7 +98,7 @@ export default {
 items: [
 "install-config/install/docker-compose",
 "install-config/install/kubernetes",
- "install-config/install/aws/index",
+ "install-config/install/aws",
 ],
 },
 {