habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2c13f061493c359361b18fbace9b231e77f32a7
authentik/lifecycle/aws/template.yaml
Jens L. bcfd6fefa7 release: 2025.2.3 (#13705) 
* release: 2025.2.3

* fix uv lock not being bumped

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-03-28 17:08:57 +01:00

1145 lines
36 KiB
YAML
Raw Blame History

Parameters:
DBInstanceType:
Type: String
Default: m5.large
Description: RDS PostgreSQL instance type (without the leading db.)
DBVersion:
Type: String
Default: "17.1"
Description: RDS PostgreSQL version
DBStorage:
Type: Number
Default: 10
Description: RDS PostgreSQL storage size in GB
MinValue: 10
RedisInstanceType:
Type: String
Default: cache.t4g.medium
Description: ElastiCache Redis instance type (with the leading cache.)
RedisVersion:
Type: String
Default: "7.1"
Description: ElastiCache Redis version
AuthentikImage:
Type: String
Default: ghcr.io/goauthentik/server
Description: authentik Docker image
AuthentikVersion:
Type: String
Default: 2025.2.3
Description: authentik Docker image tag
AuthentikServerCPU:
Type: Number
Default: 512
Description: authentik server CPU units (1024 = 1 vCPU)
AuthentikServerMemory:
Type: Number
Default: 1024
Description: authentik server memory in MiB
AuthentikServerDesiredCount:
Type: Number
Default: 2
Description: Desired number of authentik server tasks
MinValue: 1
AuthentikWorkerCPU:
Type: Number
Default: 512
Description: authentik worker CPU units (1024 = 1 vCPU)
AuthentikWorkerMemory:
Type: Number
Default: 1024
Description: authentik worker memory in MiB
AuthentikWorkerDesiredCount:
Type: Number
Default: 2
Description: Desired number of authentik worker tasks
MinValue: 1
CertificateARN:
Type: String
Description: ACM certificate ARN for HTTPS access
Resources:
AuthentikVpcA1ABE6C2:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
InstanceTenancy: default
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/Resource
AuthentikVpcPublicSubnet1Subnet0C75862A:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
CidrBlock: 10.0.0.0/18
MapPublicIpOnLaunch: true
Tags:
- Key: aws-cdk:subnet-name
Value: Public
- Key: aws-cdk:subnet-type
Value: Public
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/Subnet
AuthentikVpcPublicSubnet1RouteTable142C1454:
Type: AWS::EC2::RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTable
AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPublicSubnet1RouteTable142C1454
SubnetId:
Ref: AuthentikVpcPublicSubnet1Subnet0C75862A
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTableAssociation
AuthentikVpcPublicSubnet1DefaultRoute90C4189A:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: AuthentikVpcIGW53CE5190
RouteTableId:
Ref: AuthentikVpcPublicSubnet1RouteTable142C1454
DependsOn:
- AuthentikVpcVPCGW65A49376
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/DefaultRoute
AuthentikVpcPublicSubnet1EIP2A4626A0:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/EIP
AuthentikVpcPublicSubnet1NATGatewayEBF2B25B:
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- AuthentikVpcPublicSubnet1EIP2A4626A0
- AllocationId
SubnetId:
Ref: AuthentikVpcPublicSubnet1Subnet0C75862A
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
DependsOn:
- AuthentikVpcPublicSubnet1DefaultRoute90C4189A
- AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/NATGateway
AuthentikVpcPublicSubnet2Subnet4DFAFA5B:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
CidrBlock: 10.0.64.0/18
MapPublicIpOnLaunch: true
Tags:
- Key: aws-cdk:subnet-name
Value: Public
- Key: aws-cdk:subnet-type
Value: Public
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/Subnet
AuthentikVpcPublicSubnet2RouteTableF486229B:
Type: AWS::EC2::RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTable
AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPublicSubnet2RouteTableF486229B
SubnetId:
Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTableAssociation
AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: AuthentikVpcIGW53CE5190
RouteTableId:
Ref: AuthentikVpcPublicSubnet2RouteTableF486229B
DependsOn:
- AuthentikVpcVPCGW65A49376
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/DefaultRoute
AuthentikVpcPrivateSubnet1Subnet6748EEA3:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ""
CidrBlock: 10.0.128.0/18
MapPublicIpOnLaunch: false
Tags:
- Key: aws-cdk:subnet-name
Value: Private
- Key: aws-cdk:subnet-type
Value: Private
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/Subnet
AuthentikVpcPrivateSubnet1RouteTable865DCC15:
Type: AWS::EC2::RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTable
AuthentikVpcPrivateSubnet1RouteTableAssociationBBA42BB3:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15
SubnetId:
Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTableAssociation
AuthentikVpcPrivateSubnet1DefaultRouteE7E61D7D:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B
RouteTableId:
Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/DefaultRoute
AuthentikVpcPrivateSubnet2Subnet6B8E7123:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ""
CidrBlock: 10.0.192.0/18
MapPublicIpOnLaunch: false
Tags:
- Key: aws-cdk:subnet-name
Value: Private
- Key: aws-cdk:subnet-type
Value: Private
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/Subnet
AuthentikVpcPrivateSubnet2RouteTable472C2F26:
Type: AWS::EC2::RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTable
AuthentikVpcPrivateSubnet2RouteTableAssociation0276EED3:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26
SubnetId:
Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTableAssociation
AuthentikVpcPrivateSubnet2DefaultRouteB93D7A74:
Type: AWS::EC2::Route
Properties:
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B
RouteTableId:
Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/DefaultRoute
AuthentikVpcIGW53CE5190:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/IGW
AuthentikVpcVPCGW65A49376:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
InternetGatewayId:
Ref: AuthentikVpcIGW53CE5190
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/VPCGW
DatabaseSG2A23C222:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for authentik RDS PostgreSQL
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/DatabaseSG/Resource
DatabaseSGfromAuthentikStackAuthentikSG23C19B28543226D9B076:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Allow authentik to connect to RDS PostgreSQL
FromPort: 5432
GroupId:
Fn::GetAtt:
- DatabaseSG2A23C222
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
ToPort: 5432
Metadata:
aws:cdk:path: AuthentikStack/DatabaseSG/from AuthentikStackAuthentikSG23C19B28:5432
RedisSGEA80AC17:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for authentik ElastiCache Redis
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/RedisSG/Resource
RedisSGfromAuthentikStackAuthentikSG23C19B2863790C4BCCDE:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Allow authentik to connect to ElastiCache Redis
FromPort: 6379
GroupId:
Fn::GetAtt:
- RedisSGEA80AC17
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
ToPort: 6379
Metadata:
aws:cdk:path: AuthentikStack/RedisSG/from AuthentikStackAuthentikSG23C19B28:6379
AuthentikSG3040E46F:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security Group for authentik services
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikSG/Resource
AuthentikSGfromAuthentikStackAuthentikALBSecurityGroup46E4D829900045771B43:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: Load balancer to target
FromPort: 9000
GroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikALBSecurityGroup2B18FEEF
- GroupId
ToPort: 9000
Metadata:
aws:cdk:path: AuthentikStack/AuthentikSG/from AuthentikStackAuthentikALBSecurityGroup46E4D829:9000
DBPassword67313E91:
Type: AWS::SecretsManager::Secret
Properties:
GenerateSecretString:
ExcludeCharacters: '"@/\'
GenerateStringKey: password
PasswordLength: 64
SecretStringTemplate: '{"username": "authentik"}'
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: AuthentikStack/DBPassword/Resource
DBPasswordAttachmentAC350077:
Type: AWS::SecretsManager::SecretTargetAttachment
Properties:
SecretId:
Ref: DBPassword67313E91
TargetId:
Ref: AuthentikDB6710DB92
TargetType: AWS::RDS::DBInstance
Metadata:
aws:cdk:path: AuthentikStack/DBPassword/Attachment/Resource
AuthentikSecretKeyAC972960:
Type: AWS::SecretsManager::Secret
Properties:
GenerateSecretString:
ExcludeCharacters: '"@/\'
PasswordLength: 64
UpdateReplacePolicy: Delete
DeletionPolicy: Delete
Metadata:
aws:cdk:path: AuthentikStack/AuthentikSecretKey/Resource
AuthentikDBSubnetGroup03A9E1C9:
Type: AWS::RDS::DBSubnetGroup
Properties:
DBSubnetGroupDescription: Subnet group for AuthentikDB database
SubnetIds:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Metadata:
aws:cdk:path: AuthentikStack/AuthentikDB/SubnetGroup/Default
AuthentikDB6710DB92:
Type: AWS::RDS::DBInstance
Properties:
AllocatedStorage:
Ref: DBStorage
CopyTagsToSnapshot: true
DBInstanceClass:
Fn::Join:
- ""
- - db.
- Ref: DBInstanceType
DBName: authentik
DBSubnetGroupName:
Ref: AuthentikDBSubnetGroup03A9E1C9
Engine: postgres
EngineVersion:
Ref: DBVersion
MasterUserPassword:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:"
- Ref: DBPassword67313E91
- :SecretString:password::}}
MasterUsername:
Fn::Join:
- ""
- - "{{resolve:secretsmanager:"
- Ref: DBPassword67313E91
- :SecretString:username::}}
MultiAZ: true
PubliclyAccessible: false
StorageType: gp2
VPCSecurityGroups:
- Fn::GetAtt:
- DatabaseSG2A23C222
- GroupId
UpdateReplacePolicy: Snapshot
DeletionPolicy: Snapshot
Metadata:
aws:cdk:path: AuthentikStack/AuthentikDB/Resource
AuthentikRedisSubnetGroup:
Type: AWS::ElastiCache::SubnetGroup
Properties:
Description: Subnet group for authentik ElastiCache Redis
SubnetIds:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Metadata:
aws:cdk:path: AuthentikStack/AuthentikRedisSubnetGroup
AuthentikRedis:
Type: AWS::ElastiCache::ReplicationGroup
Properties:
AutomaticFailoverEnabled: true
CacheNodeType:
Ref: RedisInstanceType
CacheSubnetGroupName:
Ref: AuthentikRedisSubnetGroup
Engine: redis
EngineVersion:
Ref: RedisVersion
NumCacheClusters: 2
ReplicationGroupDescription: Redis cluster for authentik
SecurityGroupIds:
- Fn::GetAtt:
- RedisSGEA80AC17
- GroupId
Metadata:
aws:cdk:path: AuthentikStack/AuthentikRedis
AuthentikMediaEFSSecurityGroup1840BA29:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Security group for authentik media EFS
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: "-1"
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/Resource
AuthentikMediaEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B28204954496494:
Type: AWS::EC2::SecurityGroupIngress
Properties:
Description: from AuthentikStackAuthentikSG23C19B28:2049
FromPort: 2049
GroupId:
Fn::GetAtt:
- AuthentikMediaEFSSecurityGroup1840BA29
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
ToPort: 2049
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049
AuthentikMediaEFS4AB06689:
Type: AWS::EFS::FileSystem
Properties:
Encrypted: true
FileSystemTags:
- Key: Name
Value: AuthentikStack/AuthentikMediaEFS
PerformanceMode: generalPurpose
ThroughputMode: bursting
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/Resource
AuthentikMediaEFSEfsMountTarget1D3A264C1:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: AuthentikMediaEFS4AB06689
SecurityGroups:
- Fn::GetAtt:
- AuthentikMediaEFSSecurityGroup1840BA29
- GroupId
SubnetId:
Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget1
AuthentikMediaEFSEfsMountTarget224E8D525:
Type: AWS::EFS::MountTarget
Properties:
FileSystemId:
Ref: AuthentikMediaEFS4AB06689
SecurityGroups:
- Fn::GetAtt:
- AuthentikMediaEFSSecurityGroup1840BA29
- GroupId
SubnetId:
Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget2
AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7:
Type: AWS::EFS::AccessPoint
Properties:
AccessPointTags:
- Key: Name
Value: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint
FileSystemId:
Ref: AuthentikMediaEFS4AB06689
PosixUser:
Gid: "1000"
Uid: "1000"
RootDirectory:
CreationInfo:
OwnerGid: "1000"
OwnerUid: "1000"
Permissions: "755"
Path: /media
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint/Resource
AuthentikCluster54E596EF:
Type: AWS::ECS::Cluster
Metadata:
aws:cdk:path: AuthentikStack/AuthentikCluster/Resource
AuthentikServerTaskTaskRole5BB06A73:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: "2012-10-17"
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/Resource
AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- ssmmessages:CreateControlChannel
- ssmmessages:CreateDataChannel
- ssmmessages:OpenControlChannel
- ssmmessages:OpenDataChannel
Effect: Allow
Resource: "*"
- Action: logs:DescribeLogGroups
Effect: Allow
Resource: "*"
- Action:
- logs:CreateLogStream
- logs:DescribeLogStreams
- logs:PutLogEvents
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F
Roles:
- Ref: AuthentikServerTaskTaskRole5BB06A73
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/DefaultPolicy/Resource
AuthentikServerTaskD2D47AE0:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
- Command:
- server
Environment:
- Name: AUTHENTIK_POSTGRESQL__HOST
Value:
Fn::GetAtt:
- AuthentikDB6710DB92
- Endpoint.Address
- Name: AUTHENTIK_POSTGRESQL__USER
Value: authentik
- Name: AUTHENTIK_REDIS__HOST
Value:
Fn::GetAtt:
- AuthentikRedis
- PrimaryEndPoint.Address
Essential: true
HealthCheck:
Command:
- CMD
- ak
- healthcheck
Interval: 30
Retries: 3
StartPeriod: 60
Timeout: 30
Image:
Fn::Join:
- ""
- - Ref: AuthentikImage
- ":"
- Ref: AuthentikVersion
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group:
Ref: AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881
awslogs-stream-prefix: authentik-server
awslogs-region:
Ref: AWS::Region
MountPoints:
- ContainerPath: /media
ReadOnly: false
SourceVolume: media
Name: AuthentikServerContainer
PortMappings:
- ContainerPort: 9000
Protocol: tcp
RestartPolicy:
Enabled: true
Secrets:
- Name: AUTHENTIK_POSTGRESQL__PASSWORD
ValueFrom:
Fn::Join:
- ""
- - Ref: DBPassword67313E91
- ":password::"
- Name: AUTHENTIK_SECRET_KEY
ValueFrom:
Ref: AuthentikSecretKeyAC972960
Cpu:
Ref: AuthentikServerCPU
ExecutionRoleArn:
Fn::GetAtt:
- AuthentikServerTaskExecutionRole053E3BF5
- Arn
Family: AuthentikStackAuthentikServerTask23085F62
Memory:
Ref: AuthentikServerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn:
Fn::GetAtt:
- AuthentikServerTaskTaskRole5BB06A73
- Arn
Volumes:
- EFSVolumeConfiguration:
AuthorizationConfig:
AccessPointId:
Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7
IAM: ENABLED
FilesystemId:
Ref: AuthentikMediaEFS4AB06689
TransitEncryption: ENABLED
Name: media
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/Resource
AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881:
Type: AWS::Logs::LogGroup
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/AuthentikServerContainer/LogGroup/Resource
AuthentikServerTaskExecutionRole053E3BF5:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: "2012-10-17"
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/Resource
AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
Fn::GetAtt:
- AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881
- Arn
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: DBPassword67313E91
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: AuthentikSecretKeyAC972960
Version: "2012-10-17"
PolicyName: AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030
Roles:
- Ref: AuthentikServerTaskExecutionRole053E3BF5
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/DefaultPolicy/Resource
AuthentikServerService9C845914:
Type: AWS::ECS::Service
Properties:
Cluster:
Ref: AuthentikCluster54E596EF
DeploymentConfiguration:
Alarms:
AlarmNames: []
Enable: false
Rollback: false
MaximumPercent: 200
MinimumHealthyPercent: 50
DesiredCount:
Ref: AuthentikServerDesiredCount
EnableECSManagedTags: false
EnableExecuteCommand: true
HealthCheckGracePeriodSeconds: 60
LaunchType: FARGATE
LoadBalancers:
- ContainerName: AuthentikServerContainer
ContainerPort: 9000
TargetGroupArn:
Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
SecurityGroups:
- Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
Subnets:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
TaskDefinition:
Ref: AuthentikServerTaskD2D47AE0
DependsOn:
- AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479
- AuthentikALBAuthentikHttpsListener34A9BF12
- AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F
- AuthentikServerTaskTaskRole5BB06A73
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerService/Service
AuthentikWorkerTaskTaskRole87C41589:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: "2012-10-17"
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/Resource
AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- ssmmessages:CreateControlChannel
- ssmmessages:CreateDataChannel
- ssmmessages:OpenControlChannel
- ssmmessages:OpenDataChannel
Effect: Allow
Resource: "*"
- Action: logs:DescribeLogGroups
Effect: Allow
Resource: "*"
- Action:
- logs:CreateLogStream
- logs:DescribeLogStreams
- logs:PutLogEvents
Effect: Allow
Resource: "*"
Version: "2012-10-17"
PolicyName: AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D
Roles:
- Ref: AuthentikWorkerTaskTaskRole87C41589
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/DefaultPolicy/Resource
AuthentikWorkerTaskF8F277C5:
Type: AWS::ECS::TaskDefinition
Properties:
ContainerDefinitions:
- Command:
- worker
Environment:
- Name: AUTHENTIK_POSTGRESQL__HOST
Value:
Fn::GetAtt:
- AuthentikDB6710DB92
- Endpoint.Address
- Name: AUTHENTIK_POSTGRESQL__USER
Value: authentik
- Name: AUTHENTIK_REDIS__HOST
Value:
Fn::GetAtt:
- AuthentikRedis
- PrimaryEndPoint.Address
Essential: true
HealthCheck:
Command:
- CMD
- ak
- healthcheck
Interval: 30
Retries: 3
StartPeriod: 60
Timeout: 30
Image:
Fn::Join:
- ""
- - Ref: AuthentikImage
- ":"
- Ref: AuthentikVersion
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group:
Ref: AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC
awslogs-stream-prefix: authentik-worker
awslogs-region:
Ref: AWS::Region
MountPoints:
- ContainerPath: /media
ReadOnly: false
SourceVolume: media
Name: AuthentikWorkerContainer
RestartPolicy:
Enabled: true
Secrets:
- Name: AUTHENTIK_POSTGRESQL__PASSWORD
ValueFrom:
Fn::Join:
- ""
- - Ref: DBPassword67313E91
- ":password::"
- Name: AUTHENTIK_SECRET_KEY
ValueFrom:
Ref: AuthentikSecretKeyAC972960
Cpu:
Ref: AuthentikWorkerCPU
ExecutionRoleArn:
Fn::GetAtt:
- AuthentikWorkerTaskExecutionRole2E56865A
- Arn
Family: AuthentikStackAuthentikWorkerTask6C7D4E77
Memory:
Ref: AuthentikWorkerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn:
Fn::GetAtt:
- AuthentikWorkerTaskTaskRole87C41589
- Arn
Volumes:
- EFSVolumeConfiguration:
AuthorizationConfig:
AccessPointId:
Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7
IAM: ENABLED
FilesystemId:
Ref: AuthentikMediaEFS4AB06689
TransitEncryption: ENABLED
Name: media
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/Resource
AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC:
Type: AWS::Logs::LogGroup
UpdateReplacePolicy: Retain
DeletionPolicy: Retain
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/AuthentikWorkerContainer/LogGroup/Resource
AuthentikWorkerTaskExecutionRole2E56865A:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: "2012-10-17"
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/Resource
AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8:
Type: AWS::IAM::Policy
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
Fn::GetAtt:
- AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC
- Arn
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: DBPassword67313E91
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: AuthentikSecretKeyAC972960
Version: "2012-10-17"
PolicyName: AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8
Roles:
- Ref: AuthentikWorkerTaskExecutionRole2E56865A
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/DefaultPolicy/Resource
AuthentikWorkerService629E37E2:
Type: AWS::ECS::Service
Properties:
Cluster:
Ref: AuthentikCluster54E596EF
DeploymentConfiguration:
Alarms:
AlarmNames: []
Enable: false
Rollback: false
MaximumPercent: 200
MinimumHealthyPercent: 50
DesiredCount:
Ref: AuthentikWorkerDesiredCount
EnableECSManagedTags: false
EnableExecuteCommand: true
LaunchType: FARGATE
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
SecurityGroups:
- Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
Subnets:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
TaskDefinition:
Ref: AuthentikWorkerTaskF8F277C5
DependsOn:
- AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D
- AuthentikWorkerTaskTaskRole87C41589
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerService/Service
AuthentikALB992EAB01:
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
Properties:
LoadBalancerAttributes:
- Key: deletion_protection.enabled
Value: "false"
Scheme: internet-facing
SecurityGroups:
- Fn::GetAtt:
- AuthentikALBSecurityGroup2B18FEEF
- GroupId
Subnets:
- Ref: AuthentikVpcPublicSubnet1Subnet0C75862A
- Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B
Type: application
DependsOn:
- AuthentikVpcPublicSubnet1DefaultRoute90C4189A
- AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C
- AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA
- AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/Resource
AuthentikALBSecurityGroup2B18FEEF:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Automatically created Security Group for ELB AuthentikStackAuthentikALB07C6B2CD
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
Description: Allow from anyone on port 80
FromPort: 80
IpProtocol: tcp
ToPort: 80
- CidrIp: 0.0.0.0/0
Description: Allow from anyone on port 443
FromPort: 443
IpProtocol: tcp
ToPort: 443
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/Resource
AuthentikALBSecurityGrouptoAuthentikStackAuthentikSG23C19B2890000F200B23:
Type: AWS::EC2::SecurityGroupEgress
Properties:
Description: Load balancer to target
DestinationSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
FromPort: 9000
GroupId:
Fn::GetAtt:
- AuthentikALBSecurityGroup2B18FEEF
- GroupId
IpProtocol: tcp
ToPort: 9000
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/to AuthentikStackAuthentikSG23C19B28:9000
AuthentikALBAuthentikHttpListener6825393B:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
DefaultActions:
- RedirectConfig:
Protocol: HTTPS
StatusCode: HTTP_301
Type: redirect
LoadBalancerArn:
Ref: AuthentikALB992EAB01
Port: 80
Protocol: HTTP
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpListener/Resource
AuthentikALBAuthentikHttpsListener34A9BF12:
Type: AWS::ElasticLoadBalancingV2::Listener
Properties:
Certificates:
- CertificateArn:
Ref: CertificateARN
DefaultActions:
- TargetGroupArn:
Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479
Type: forward
LoadBalancerArn:
Ref: AuthentikALB992EAB01
Port: 443
Protocol: HTTPS
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/Resource
AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
HealthCheckPath: /-/health/live/
Matcher:
HttpCode: "200"
Port: 9000
Protocol: HTTP
TargetGroupAttributes:
- Key: stickiness.enabled
Value: "false"
TargetType: ip
VpcId:
Ref: AuthentikVpcA1ABE6C2
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/AuthentikServerTargetGroup/Resource
Outputs:
LoadBalancerDNS:
Value:
Fn::GetAtt:
- AuthentikALB992EAB01
- DNSName
Reference in New Issue View Git Blame Copy Permalink