Conditions: {} Outputs: LoadBalancerDNS: Value: Fn::GetAtt: - AuthentikALB992EAB01 - DNSName Parameters: AuthentikImage: Default: ghcr.io/goauthentik/server Description: authentik Docker image Type: String AuthentikServerCPU: Default: 512 Description: authentik server CPU units (1024 = 1 vCPU) Type: Number AuthentikServerDesiredCount: Default: 2 Description: Desired number of authentik server tasks MinValue: 1 Type: Number AuthentikServerMemory: Default: 1024 Description: authentik server memory in MiB Type: Number AuthentikVersion: Default: 2024.10.4 Description: authentik Docker image tag Type: String AuthentikWorkerCPU: Default: 512 Description: authentik worker CPU units (1024 = 1 vCPU) Type: Number AuthentikWorkerDesiredCount: Default: 2 Description: Desired number of authentik worker tasks MinValue: 1 Type: Number AuthentikWorkerMemory: Default: 1024 Description: authentik worker memory in MiB Type: Number CertificateARN: Description: ACM certificate ARN for HTTPS access Type: String DBInstanceType: Default: m5.large Description: RDS PostgreSQL instance type (without the leading db.) Type: String DBStorage: Default: 10 Description: RDS PostgreSQL storage size in GB MinValue: 10 Type: Number DBVersion: Default: '17.1' Description: RDS PostgreSQL version Type: String RedisInstanceType: Default: cache.t4g.medium Description: ElastiCache Redis instance type (with the leading cache.) Type: String RedisVersion: Default: '7.1' Description: ElastiCache Redis version Type: String Resources: AuthentikALB992EAB01: DependsOn: - AuthentikVpcPublicSubnet1DefaultRoute90C4189A - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C - AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA - AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26 Metadata: aws:cdk:path: AuthentikStack/AuthentikALB/Resource Properties: LoadBalancerAttributes: - Key: deletion_protection.enabled Value: 'false' Scheme: internet-facing SecurityGroups: - Fn::GetAtt: - AuthentikALBSecurityGroup2B18FEEF - GroupId Subnets: - Ref: AuthentikVpcPublicSubnet1Subnet0C75862A - Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B Type: application Type: AWS::ElasticLoadBalancingV2::LoadBalancer AuthentikALBAuthentikHttpListener6825393B: Metadata: aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpListener/Resource Properties: DefaultActions: - RedirectConfig: Protocol: HTTPS StatusCode: HTTP_301 Type: redirect LoadBalancerArn: Ref: AuthentikALB992EAB01 Port: 80 Protocol: HTTP Type: AWS::ElasticLoadBalancingV2::Listener AuthentikALBAuthentikHttpsListener34A9BF12: Metadata: aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/Resource Properties: Certificates: - CertificateArn: Ref: CertificateARN DefaultActions: - TargetGroupArn: Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 Type: forward LoadBalancerArn: Ref: AuthentikALB992EAB01 Port: 443 Protocol: HTTPS Type: AWS::ElasticLoadBalancingV2::Listener AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479: Metadata: aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/AuthentikServerTargetGroup/Resource Properties: HealthCheckPath: /-/health/live/ Matcher: HttpCode: '200' Port: 9000 Protocol: HTTP TargetGroupAttributes: - Key: stickiness.enabled Value: 'false' TargetType: ip VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::ElasticLoadBalancingV2::TargetGroup AuthentikALBSecurityGroup2B18FEEF: Metadata: aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/Resource Properties: GroupDescription: Automatically created Security Group for ELB AuthentikStackAuthentikALB07C6B2CD SecurityGroupIngress: - CidrIp: 0.0.0.0/0 Description: Allow from anyone on port 80 FromPort: 80 IpProtocol: tcp ToPort: 80 - CidrIp: 0.0.0.0/0 Description: Allow from anyone on port 443 FromPort: 443 IpProtocol: tcp ToPort: 443 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::SecurityGroup AuthentikALBSecurityGrouptoAuthentikStackAuthentikSG23C19B2890000F200B23: Metadata: aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/to AuthentikStackAuthentikSG23C19B28:9000 Properties: Description: Load balancer to target DestinationSecurityGroupId: Fn::GetAtt: - AuthentikSG3040E46F - GroupId FromPort: 9000 GroupId: Fn::GetAtt: - AuthentikALBSecurityGroup2B18FEEF - GroupId IpProtocol: tcp ToPort: 9000 Type: AWS::EC2::SecurityGroupEgress AuthentikCluster54E596EF: Metadata: aws:cdk:path: AuthentikStack/AuthentikCluster/Resource Type: AWS::ECS::Cluster AuthentikDB6710DB92: DeletionPolicy: Snapshot Metadata: aws:cdk:path: AuthentikStack/AuthentikDB/Resource Properties: AllocatedStorage: Ref: DBStorage CopyTagsToSnapshot: true DBInstanceClass: Fn::Join: - '' - - db. - Ref: DBInstanceType DBName: authentik DBSubnetGroupName: Ref: AuthentikDBSubnetGroup03A9E1C9 Engine: postgres EngineVersion: Ref: DBVersion MasterUserPassword: Fn::Join: - '' - - '{{resolve:secretsmanager:' - Ref: DBPassword67313E91 - :SecretString:password::}} MasterUsername: Fn::Join: - '' - - '{{resolve:secretsmanager:' - Ref: DBPassword67313E91 - :SecretString:username::}} MultiAZ: true PubliclyAccessible: false StorageType: gp2 VPCSecurityGroups: - Fn::GetAtt: - DatabaseSG2A23C222 - GroupId Type: AWS::RDS::DBInstance UpdateReplacePolicy: Snapshot AuthentikDBSubnetGroup03A9E1C9: Metadata: aws:cdk:path: AuthentikStack/AuthentikDB/SubnetGroup/Default Properties: DBSubnetGroupDescription: Subnet group for AuthentikDB database SubnetIds: - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 Type: AWS::RDS::DBSubnetGroup AuthentikMediaEFS4AB06689: DeletionPolicy: Retain Metadata: aws:cdk:path: AuthentikStack/AuthentikMediaEFS/Resource Properties: Encrypted: true FileSystemTags: - Key: Name Value: AuthentikStack/AuthentikMediaEFS PerformanceMode: generalPurpose ThroughputMode: bursting Type: AWS::EFS::FileSystem UpdateReplacePolicy: Retain AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7: Metadata: aws:cdk:path: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint/Resource Properties: AccessPointTags: - Key: Name Value: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint FileSystemId: Ref: AuthentikMediaEFS4AB06689 PosixUser: Gid: '1000' Uid: '1000' RootDirectory: CreationInfo: OwnerGid: '1000' OwnerUid: '1000' Permissions: '755' Path: /media Type: AWS::EFS::AccessPoint AuthentikMediaEFSEfsMountTarget1D3A264C1: Metadata: aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget1 Properties: FileSystemId: Ref: AuthentikMediaEFS4AB06689 SecurityGroups: - Fn::GetAtt: - AuthentikMediaEFSSecurityGroup1840BA29 - GroupId SubnetId: Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 Type: AWS::EFS::MountTarget AuthentikMediaEFSEfsMountTarget224E8D525: Metadata: aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget2 Properties: FileSystemId: Ref: AuthentikMediaEFS4AB06689 SecurityGroups: - Fn::GetAtt: - AuthentikMediaEFSSecurityGroup1840BA29 - GroupId SubnetId: Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 Type: AWS::EFS::MountTarget AuthentikMediaEFSSecurityGroup1840BA29: Metadata: aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/Resource Properties: GroupDescription: Security group for authentik media EFS SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: '-1' VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::SecurityGroup AuthentikMediaEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B28204954496494: Metadata: aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049 Properties: Description: from AuthentikStackAuthentikSG23C19B28:2049 FromPort: 2049 GroupId: Fn::GetAtt: - AuthentikMediaEFSSecurityGroup1840BA29 - GroupId IpProtocol: tcp SourceSecurityGroupId: Fn::GetAtt: - AuthentikSG3040E46F - GroupId ToPort: 2049 Type: AWS::EC2::SecurityGroupIngress AuthentikRedis: Metadata: aws:cdk:path: AuthentikStack/AuthentikRedis Properties: AutomaticFailoverEnabled: true CacheNodeType: Ref: RedisInstanceType CacheSubnetGroupName: Ref: AuthentikRedisSubnetGroup Engine: redis EngineVersion: Ref: RedisVersion NumCacheClusters: 2 ReplicationGroupDescription: Redis cluster for authentik SecurityGroupIds: - Fn::GetAtt: - RedisSGEA80AC17 - GroupId Type: AWS::ElastiCache::ReplicationGroup AuthentikRedisSubnetGroup: Metadata: aws:cdk:path: AuthentikStack/AuthentikRedisSubnetGroup Properties: Description: Subnet group for authentik ElastiCache Redis SubnetIds: - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 Type: AWS::ElastiCache::SubnetGroup AuthentikSG3040E46F: Metadata: aws:cdk:path: AuthentikStack/AuthentikSG/Resource Properties: GroupDescription: Security Group for authentik services SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: '-1' VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::SecurityGroup AuthentikSGfromAuthentikStackAuthentikALBSecurityGroup46E4D829900045771B43: Metadata: aws:cdk:path: AuthentikStack/AuthentikSG/from AuthentikStackAuthentikALBSecurityGroup46E4D829:9000 Properties: Description: Load balancer to target FromPort: 9000 GroupId: Fn::GetAtt: - AuthentikSG3040E46F - GroupId IpProtocol: tcp SourceSecurityGroupId: Fn::GetAtt: - AuthentikALBSecurityGroup2B18FEEF - GroupId ToPort: 9000 Type: AWS::EC2::SecurityGroupIngress AuthentikSecretKeyAC972960: DeletionPolicy: Delete Metadata: aws:cdk:path: AuthentikStack/AuthentikSecretKey/Resource Properties: GenerateSecretString: ExcludeCharacters: '"@/\' PasswordLength: 64 Type: AWS::SecretsManager::Secret UpdateReplacePolicy: Delete AuthentikServerService9C845914: DependsOn: - AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 - AuthentikALBAuthentikHttpsListener34A9BF12 - AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F - AuthentikServerTaskTaskRole5BB06A73 Metadata: aws:cdk:path: AuthentikStack/AuthentikServerService/Service Properties: Cluster: Ref: AuthentikCluster54E596EF DeploymentConfiguration: Alarms: AlarmNames: [] Enable: false Rollback: false MaximumPercent: 200 MinimumHealthyPercent: 50 DesiredCount: Ref: AuthentikServerDesiredCount EnableECSManagedTags: false EnableExecuteCommand: true HealthCheckGracePeriodSeconds: 60 LaunchType: FARGATE LoadBalancers: - ContainerName: AuthentikServerContainer ContainerPort: 9000 TargetGroupArn: Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479 NetworkConfiguration: AwsvpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: - Fn::GetAtt: - AuthentikSG3040E46F - GroupId Subnets: - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 TaskDefinition: Ref: AuthentikServerTaskD2D47AE0 Type: AWS::ECS::Service AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881: DeletionPolicy: Retain Metadata: aws:cdk:path: AuthentikStack/AuthentikServerTask/AuthentikServerContainer/LogGroup/Resource Type: AWS::Logs::LogGroup UpdateReplacePolicy: Retain AuthentikServerTaskD2D47AE0: Metadata: aws:cdk:path: AuthentikStack/AuthentikServerTask/Resource Properties: ContainerDefinitions: - Command: - server Environment: - Name: AUTHENTIK_POSTGRESQL__HOST Value: Fn::GetAtt: - AuthentikDB6710DB92 - Endpoint.Address - Name: AUTHENTIK_POSTGRESQL__USER Value: authentik - Name: AUTHENTIK_REDIS__HOST Value: Fn::GetAtt: - AuthentikRedis - PrimaryEndPoint.Address Essential: true HealthCheck: Command: - CMD - ak - healthcheck Interval: 30 Retries: 3 StartPeriod: 60 Timeout: 30 Image: Fn::Join: - '' - - Ref: AuthentikImage - ':' - Ref: AuthentikVersion LogConfiguration: LogDriver: awslogs Options: awslogs-group: Ref: AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881 awslogs-region: Ref: AWS::Region awslogs-stream-prefix: authentik-server MountPoints: - ContainerPath: /media ReadOnly: false SourceVolume: media Name: AuthentikServerContainer PortMappings: - ContainerPort: 9000 Protocol: tcp RestartPolicy: Enabled: true Secrets: - Name: AUTHENTIK_POSTGRESQL__PASSWORD ValueFrom: Fn::Join: - '' - - Ref: DBPassword67313E91 - ':password::' - Name: AUTHENTIK_SECRET_KEY ValueFrom: Ref: AuthentikSecretKeyAC972960 Cpu: Ref: AuthentikServerCPU ExecutionRoleArn: Fn::GetAtt: - AuthentikServerTaskExecutionRole053E3BF5 - Arn Family: AuthentikStackAuthentikServerTask23085F62 Memory: Ref: AuthentikServerMemory NetworkMode: awsvpc RequiresCompatibilities: - FARGATE TaskRoleArn: Fn::GetAtt: - AuthentikServerTaskTaskRole5BB06A73 - Arn Volumes: - EFSVolumeConfiguration: AuthorizationConfig: AccessPointId: Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7 IAM: ENABLED FilesystemId: Ref: AuthentikMediaEFS4AB06689 TransitEncryption: ENABLED Name: media Type: AWS::ECS::TaskDefinition AuthentikServerTaskExecutionRole053E3BF5: Metadata: aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/Resource Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030: Metadata: aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/DefaultPolicy/Resource Properties: PolicyDocument: Statement: - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: Fn::GetAtt: - AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881 - Arn - Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Effect: Allow Resource: Ref: DBPassword67313E91 - Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Effect: Allow Resource: Ref: AuthentikSecretKeyAC972960 Version: '2012-10-17' PolicyName: AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030 Roles: - Ref: AuthentikServerTaskExecutionRole053E3BF5 Type: AWS::IAM::Policy AuthentikServerTaskTaskRole5BB06A73: Metadata: aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/Resource Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F: Metadata: aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/DefaultPolicy/Resource Properties: PolicyDocument: Statement: - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel Effect: Allow Resource: '*' - Action: logs:DescribeLogGroups Effect: Allow Resource: '*' - Action: - logs:CreateLogStream - logs:DescribeLogStreams - logs:PutLogEvents Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F Roles: - Ref: AuthentikServerTaskTaskRole5BB06A73 Type: AWS::IAM::Policy AuthentikVpcA1ABE6C2: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/Resource Properties: CidrBlock: 10.0.0.0/16 EnableDnsHostnames: true EnableDnsSupport: true InstanceTenancy: default Tags: - Key: Name Value: AuthentikStack/AuthentikVpc Type: AWS::EC2::VPC AuthentikVpcIGW53CE5190: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/IGW Properties: Tags: - Key: Name Value: AuthentikStack/AuthentikVpc Type: AWS::EC2::InternetGateway AuthentikVpcPrivateSubnet1DefaultRouteE7E61D7D: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/DefaultRoute Properties: DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B RouteTableId: Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15 Type: AWS::EC2::Route AuthentikVpcPrivateSubnet1RouteTable865DCC15: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTable Properties: Tags: - Key: Name Value: AuthentikStack/AuthentikVpc/PrivateSubnet1 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::RouteTable AuthentikVpcPrivateSubnet1RouteTableAssociationBBA42BB3: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTableAssociation Properties: RouteTableId: Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15 SubnetId: Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 Type: AWS::EC2::SubnetRouteTableAssociation AuthentikVpcPrivateSubnet1Subnet6748EEA3: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/Subnet Properties: AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: '' CidrBlock: 10.0.128.0/18 MapPublicIpOnLaunch: false Tags: - Key: aws-cdk:subnet-name Value: Private - Key: aws-cdk:subnet-type Value: Private - Key: Name Value: AuthentikStack/AuthentikVpc/PrivateSubnet1 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::Subnet AuthentikVpcPrivateSubnet2DefaultRouteB93D7A74: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/DefaultRoute Properties: DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B RouteTableId: Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26 Type: AWS::EC2::Route AuthentikVpcPrivateSubnet2RouteTable472C2F26: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTable Properties: Tags: - Key: Name Value: AuthentikStack/AuthentikVpc/PrivateSubnet2 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::RouteTable AuthentikVpcPrivateSubnet2RouteTableAssociation0276EED3: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTableAssociation Properties: RouteTableId: Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26 SubnetId: Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 Type: AWS::EC2::SubnetRouteTableAssociation AuthentikVpcPrivateSubnet2Subnet6B8E7123: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/Subnet Properties: AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: '' CidrBlock: 10.0.192.0/18 MapPublicIpOnLaunch: false Tags: - Key: aws-cdk:subnet-name Value: Private - Key: aws-cdk:subnet-type Value: Private - Key: Name Value: AuthentikStack/AuthentikVpc/PrivateSubnet2 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::Subnet AuthentikVpcPublicSubnet1DefaultRoute90C4189A: DependsOn: - AuthentikVpcVPCGW65A49376 Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/DefaultRoute Properties: DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: AuthentikVpcIGW53CE5190 RouteTableId: Ref: AuthentikVpcPublicSubnet1RouteTable142C1454 Type: AWS::EC2::Route AuthentikVpcPublicSubnet1EIP2A4626A0: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/EIP Properties: Domain: vpc Tags: - Key: Name Value: AuthentikStack/AuthentikVpc/PublicSubnet1 Type: AWS::EC2::EIP AuthentikVpcPublicSubnet1NATGatewayEBF2B25B: DependsOn: - AuthentikVpcPublicSubnet1DefaultRoute90C4189A - AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/NATGateway Properties: AllocationId: Fn::GetAtt: - AuthentikVpcPublicSubnet1EIP2A4626A0 - AllocationId SubnetId: Ref: AuthentikVpcPublicSubnet1Subnet0C75862A Tags: - Key: Name Value: AuthentikStack/AuthentikVpc/PublicSubnet1 Type: AWS::EC2::NatGateway AuthentikVpcPublicSubnet1RouteTable142C1454: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTable Properties: Tags: - Key: Name Value: AuthentikStack/AuthentikVpc/PublicSubnet1 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::RouteTable AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTableAssociation Properties: RouteTableId: Ref: AuthentikVpcPublicSubnet1RouteTable142C1454 SubnetId: Ref: AuthentikVpcPublicSubnet1Subnet0C75862A Type: AWS::EC2::SubnetRouteTableAssociation AuthentikVpcPublicSubnet1Subnet0C75862A: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/Subnet Properties: AvailabilityZone: Fn::Select: - 0 - Fn::GetAZs: '' CidrBlock: 10.0.0.0/18 MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: Public - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: AuthentikStack/AuthentikVpc/PublicSubnet1 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::Subnet AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA: DependsOn: - AuthentikVpcVPCGW65A49376 Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/DefaultRoute Properties: DestinationCidrBlock: 0.0.0.0/0 GatewayId: Ref: AuthentikVpcIGW53CE5190 RouteTableId: Ref: AuthentikVpcPublicSubnet2RouteTableF486229B Type: AWS::EC2::Route AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTableAssociation Properties: RouteTableId: Ref: AuthentikVpcPublicSubnet2RouteTableF486229B SubnetId: Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B Type: AWS::EC2::SubnetRouteTableAssociation AuthentikVpcPublicSubnet2RouteTableF486229B: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTable Properties: Tags: - Key: Name Value: AuthentikStack/AuthentikVpc/PublicSubnet2 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::RouteTable AuthentikVpcPublicSubnet2Subnet4DFAFA5B: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/Subnet Properties: AvailabilityZone: Fn::Select: - 1 - Fn::GetAZs: '' CidrBlock: 10.0.64.0/18 MapPublicIpOnLaunch: true Tags: - Key: aws-cdk:subnet-name Value: Public - Key: aws-cdk:subnet-type Value: Public - Key: Name Value: AuthentikStack/AuthentikVpc/PublicSubnet2 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::Subnet AuthentikVpcVPCGW65A49376: Metadata: aws:cdk:path: AuthentikStack/AuthentikVpc/VPCGW Properties: InternetGatewayId: Ref: AuthentikVpcIGW53CE5190 VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::VPCGatewayAttachment AuthentikWorkerService629E37E2: DependsOn: - AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D - AuthentikWorkerTaskTaskRole87C41589 Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerService/Service Properties: Cluster: Ref: AuthentikCluster54E596EF DeploymentConfiguration: Alarms: AlarmNames: [] Enable: false Rollback: false MaximumPercent: 200 MinimumHealthyPercent: 50 DesiredCount: Ref: AuthentikWorkerDesiredCount EnableECSManagedTags: false EnableExecuteCommand: true LaunchType: FARGATE NetworkConfiguration: AwsvpcConfiguration: AssignPublicIp: DISABLED SecurityGroups: - Fn::GetAtt: - AuthentikSG3040E46F - GroupId Subnets: - Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 - Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123 TaskDefinition: Ref: AuthentikWorkerTaskF8F277C5 Type: AWS::ECS::Service AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC: DeletionPolicy: Retain Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerTask/AuthentikWorkerContainer/LogGroup/Resource Type: AWS::Logs::LogGroup UpdateReplacePolicy: Retain AuthentikWorkerTaskExecutionRole2E56865A: Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/Resource Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8: Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/DefaultPolicy/Resource Properties: PolicyDocument: Statement: - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: Fn::GetAtt: - AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC - Arn - Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Effect: Allow Resource: Ref: DBPassword67313E91 - Action: - secretsmanager:GetSecretValue - secretsmanager:DescribeSecret Effect: Allow Resource: Ref: AuthentikSecretKeyAC972960 Version: '2012-10-17' PolicyName: AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8 Roles: - Ref: AuthentikWorkerTaskExecutionRole2E56865A Type: AWS::IAM::Policy AuthentikWorkerTaskF8F277C5: Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerTask/Resource Properties: ContainerDefinitions: - Command: - worker Environment: - Name: AUTHENTIK_POSTGRESQL__HOST Value: Fn::GetAtt: - AuthentikDB6710DB92 - Endpoint.Address - Name: AUTHENTIK_POSTGRESQL__USER Value: authentik - Name: AUTHENTIK_REDIS__HOST Value: Fn::GetAtt: - AuthentikRedis - PrimaryEndPoint.Address Essential: true HealthCheck: Command: - CMD - ak - healthcheck Interval: 30 Retries: 3 StartPeriod: 60 Timeout: 30 Image: Fn::Join: - '' - - Ref: AuthentikImage - ':' - Ref: AuthentikVersion LogConfiguration: LogDriver: awslogs Options: awslogs-group: Ref: AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC awslogs-region: Ref: AWS::Region awslogs-stream-prefix: authentik-worker MountPoints: - ContainerPath: /media ReadOnly: false SourceVolume: media Name: AuthentikWorkerContainer RestartPolicy: Enabled: true Secrets: - Name: AUTHENTIK_POSTGRESQL__PASSWORD ValueFrom: Fn::Join: - '' - - Ref: DBPassword67313E91 - ':password::' - Name: AUTHENTIK_SECRET_KEY ValueFrom: Ref: AuthentikSecretKeyAC972960 Cpu: Ref: AuthentikWorkerCPU ExecutionRoleArn: Fn::GetAtt: - AuthentikWorkerTaskExecutionRole2E56865A - Arn Family: AuthentikStackAuthentikWorkerTask6C7D4E77 Memory: Ref: AuthentikWorkerMemory NetworkMode: awsvpc RequiresCompatibilities: - FARGATE TaskRoleArn: Fn::GetAtt: - AuthentikWorkerTaskTaskRole87C41589 - Arn Volumes: - EFSVolumeConfiguration: AuthorizationConfig: AccessPointId: Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7 IAM: ENABLED FilesystemId: Ref: AuthentikMediaEFS4AB06689 TransitEncryption: ENABLED Name: media Type: AWS::ECS::TaskDefinition AuthentikWorkerTaskTaskRole87C41589: Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/Resource Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: ecs-tasks.amazonaws.com Version: '2012-10-17' Type: AWS::IAM::Role AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D: Metadata: aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/DefaultPolicy/Resource Properties: PolicyDocument: Statement: - Action: - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel Effect: Allow Resource: '*' - Action: logs:DescribeLogGroups Effect: Allow Resource: '*' - Action: - logs:CreateLogStream - logs:DescribeLogStreams - logs:PutLogEvents Effect: Allow Resource: '*' Version: '2012-10-17' PolicyName: AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D Roles: - Ref: AuthentikWorkerTaskTaskRole87C41589 Type: AWS::IAM::Policy DBPassword67313E91: DeletionPolicy: Delete Metadata: aws:cdk:path: AuthentikStack/DBPassword/Resource Properties: GenerateSecretString: ExcludeCharacters: '"@/\' GenerateStringKey: password PasswordLength: 64 SecretStringTemplate: '{"username": "authentik"}' Type: AWS::SecretsManager::Secret UpdateReplacePolicy: Delete DBPasswordAttachmentAC350077: Metadata: aws:cdk:path: AuthentikStack/DBPassword/Attachment/Resource Properties: SecretId: Ref: DBPassword67313E91 TargetId: Ref: AuthentikDB6710DB92 TargetType: AWS::RDS::DBInstance Type: AWS::SecretsManager::SecretTargetAttachment DatabaseSG2A23C222: Metadata: aws:cdk:path: AuthentikStack/DatabaseSG/Resource Properties: GroupDescription: Security Group for authentik RDS PostgreSQL SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: '-1' VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::SecurityGroup DatabaseSGfromAuthentikStackAuthentikSG23C19B28543226D9B076: Metadata: aws:cdk:path: AuthentikStack/DatabaseSG/from AuthentikStackAuthentikSG23C19B28:5432 Properties: Description: Allow authentik to connect to RDS PostgreSQL FromPort: 5432 GroupId: Fn::GetAtt: - DatabaseSG2A23C222 - GroupId IpProtocol: tcp SourceSecurityGroupId: Fn::GetAtt: - AuthentikSG3040E46F - GroupId ToPort: 5432 Type: AWS::EC2::SecurityGroupIngress RedisSGEA80AC17: Metadata: aws:cdk:path: AuthentikStack/RedisSG/Resource Properties: GroupDescription: Security Group for authentik ElastiCache Redis SecurityGroupEgress: - CidrIp: 0.0.0.0/0 Description: Allow all outbound traffic by default IpProtocol: '-1' VpcId: Ref: AuthentikVpcA1ABE6C2 Type: AWS::EC2::SecurityGroup RedisSGfromAuthentikStackAuthentikSG23C19B2863790C4BCCDE: Metadata: aws:cdk:path: AuthentikStack/RedisSG/from AuthentikStackAuthentikSG23C19B28:6379 Properties: Description: Allow authentik to connect to ElastiCache Redis FromPort: 6379 GroupId: Fn::GetAtt: - RedisSGEA80AC17 - GroupId IpProtocol: tcp SourceSecurityGroupId: Fn::GetAtt: - AuthentikSG3040E46F - GroupId ToPort: 6379 Type: AWS::EC2::SecurityGroupIngress