habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cd05c0ec19251c3d28f079a96d0ddc8b3a734f44
authentik/website/docs/install-config/install/aws/template.yaml
Jens L. 6c0d462410 release: 2024.12.2 (#12615)
2025-01-09 20:38:27 +01:00

1145 lines
35 KiB
YAML
Raw Blame History

Conditions: {}
Outputs:
LoadBalancerDNS:
Value:
Fn::GetAtt:
- AuthentikALB992EAB01
- DNSName
Parameters:
AuthentikImage:
Default: ghcr.io/goauthentik/server
Description: authentik Docker image
Type: String
AuthentikServerCPU:
Default: 512
Description: authentik server CPU units (1024 = 1 vCPU)
Type: Number
AuthentikServerDesiredCount:
Default: 2
Description: Desired number of authentik server tasks
MinValue: 1
Type: Number
AuthentikServerMemory:
Default: 1024
Description: authentik server memory in MiB
Type: Number
AuthentikVersion:
Default: 2024.12.2
Description: authentik Docker image tag
Type: String
AuthentikWorkerCPU:
Default: 512
Description: authentik worker CPU units (1024 = 1 vCPU)
Type: Number
AuthentikWorkerDesiredCount:
Default: 2
Description: Desired number of authentik worker tasks
MinValue: 1
Type: Number
AuthentikWorkerMemory:
Default: 1024
Description: authentik worker memory in MiB
Type: Number
CertificateARN:
Description: ACM certificate ARN for HTTPS access
Type: String
DBInstanceType:
Default: m5.large
Description: RDS PostgreSQL instance type (without the leading db.)
Type: String
DBStorage:
Default: 10
Description: RDS PostgreSQL storage size in GB
MinValue: 10
Type: Number
DBVersion:
Default: '17.1'
Description: RDS PostgreSQL version
Type: String
RedisInstanceType:
Default: cache.t4g.medium
Description: ElastiCache Redis instance type (with the leading cache.)
Type: String
RedisVersion:
Default: '7.1'
Description: ElastiCache Redis version
Type: String
Resources:
AuthentikALB992EAB01:
DependsOn:
- AuthentikVpcPublicSubnet1DefaultRoute90C4189A
- AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C
- AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA
- AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/Resource
Properties:
LoadBalancerAttributes:
- Key: deletion_protection.enabled
Value: 'false'
Scheme: internet-facing
SecurityGroups:
- Fn::GetAtt:
- AuthentikALBSecurityGroup2B18FEEF
- GroupId
Subnets:
- Ref: AuthentikVpcPublicSubnet1Subnet0C75862A
- Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B
Type: application
Type: AWS::ElasticLoadBalancingV2::LoadBalancer
AuthentikALBAuthentikHttpListener6825393B:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpListener/Resource
Properties:
DefaultActions:
- RedirectConfig:
Protocol: HTTPS
StatusCode: HTTP_301
Type: redirect
LoadBalancerArn:
Ref: AuthentikALB992EAB01
Port: 80
Protocol: HTTP
Type: AWS::ElasticLoadBalancingV2::Listener
AuthentikALBAuthentikHttpsListener34A9BF12:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/Resource
Properties:
Certificates:
- CertificateArn:
Ref: CertificateARN
DefaultActions:
- TargetGroupArn:
Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479
Type: forward
LoadBalancerArn:
Ref: AuthentikALB992EAB01
Port: 443
Protocol: HTTPS
Type: AWS::ElasticLoadBalancingV2::Listener
AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/AuthentikHttpsListener/AuthentikServerTargetGroup/Resource
Properties:
HealthCheckPath: /-/health/live/
Matcher:
HttpCode: '200'
Port: 9000
Protocol: HTTP
TargetGroupAttributes:
- Key: stickiness.enabled
Value: 'false'
TargetType: ip
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::ElasticLoadBalancingV2::TargetGroup
AuthentikALBSecurityGroup2B18FEEF:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/Resource
Properties:
GroupDescription: Automatically created Security Group for ELB AuthentikStackAuthentikALB07C6B2CD
SecurityGroupIngress:
- CidrIp: 0.0.0.0/0
Description: Allow from anyone on port 80
FromPort: 80
IpProtocol: tcp
ToPort: 80
- CidrIp: 0.0.0.0/0
Description: Allow from anyone on port 443
FromPort: 443
IpProtocol: tcp
ToPort: 443
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::SecurityGroup
AuthentikALBSecurityGrouptoAuthentikStackAuthentikSG23C19B2890000F200B23:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikALB/SecurityGroup/to AuthentikStackAuthentikSG23C19B28:9000
Properties:
Description: Load balancer to target
DestinationSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
FromPort: 9000
GroupId:
Fn::GetAtt:
- AuthentikALBSecurityGroup2B18FEEF
- GroupId
IpProtocol: tcp
ToPort: 9000
Type: AWS::EC2::SecurityGroupEgress
AuthentikCluster54E596EF:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikCluster/Resource
Type: AWS::ECS::Cluster
AuthentikDB6710DB92:
DeletionPolicy: Snapshot
Metadata:
aws:cdk:path: AuthentikStack/AuthentikDB/Resource
Properties:
AllocatedStorage:
Ref: DBStorage
CopyTagsToSnapshot: true
DBInstanceClass:
Fn::Join:
- ''
- - db.
- Ref: DBInstanceType
DBName: authentik
DBSubnetGroupName:
Ref: AuthentikDBSubnetGroup03A9E1C9
Engine: postgres
EngineVersion:
Ref: DBVersion
MasterUserPassword:
Fn::Join:
- ''
- - '{{resolve:secretsmanager:'
- Ref: DBPassword67313E91
- :SecretString:password::}}
MasterUsername:
Fn::Join:
- ''
- - '{{resolve:secretsmanager:'
- Ref: DBPassword67313E91
- :SecretString:username::}}
MultiAZ: true
PubliclyAccessible: false
StorageType: gp2
VPCSecurityGroups:
- Fn::GetAtt:
- DatabaseSG2A23C222
- GroupId
Type: AWS::RDS::DBInstance
UpdateReplacePolicy: Snapshot
AuthentikDBSubnetGroup03A9E1C9:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikDB/SubnetGroup/Default
Properties:
DBSubnetGroupDescription: Subnet group for AuthentikDB database
SubnetIds:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Type: AWS::RDS::DBSubnetGroup
AuthentikMediaEFS4AB06689:
DeletionPolicy: Retain
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/Resource
Properties:
Encrypted: true
FileSystemTags:
- Key: Name
Value: AuthentikStack/AuthentikMediaEFS
PerformanceMode: generalPurpose
ThroughputMode: bursting
Type: AWS::EFS::FileSystem
UpdateReplacePolicy: Retain
AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint/Resource
Properties:
AccessPointTags:
- Key: Name
Value: AuthentikStack/AuthentikMediaEFS/AuthentikMediaAccessPoint
FileSystemId:
Ref: AuthentikMediaEFS4AB06689
PosixUser:
Gid: '1000'
Uid: '1000'
RootDirectory:
CreationInfo:
OwnerGid: '1000'
OwnerUid: '1000'
Permissions: '755'
Path: /media
Type: AWS::EFS::AccessPoint
AuthentikMediaEFSEfsMountTarget1D3A264C1:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget1
Properties:
FileSystemId:
Ref: AuthentikMediaEFS4AB06689
SecurityGroups:
- Fn::GetAtt:
- AuthentikMediaEFSSecurityGroup1840BA29
- GroupId
SubnetId:
Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
Type: AWS::EFS::MountTarget
AuthentikMediaEFSEfsMountTarget224E8D525:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFS/EfsMountTarget2
Properties:
FileSystemId:
Ref: AuthentikMediaEFS4AB06689
SecurityGroups:
- Fn::GetAtt:
- AuthentikMediaEFSSecurityGroup1840BA29
- GroupId
SubnetId:
Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Type: AWS::EFS::MountTarget
AuthentikMediaEFSSecurityGroup1840BA29:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/Resource
Properties:
GroupDescription: Security group for authentik media EFS
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: '-1'
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::SecurityGroup
AuthentikMediaEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B28204954496494:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikMediaEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049
Properties:
Description: from AuthentikStackAuthentikSG23C19B28:2049
FromPort: 2049
GroupId:
Fn::GetAtt:
- AuthentikMediaEFSSecurityGroup1840BA29
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
ToPort: 2049
Type: AWS::EC2::SecurityGroupIngress
AuthentikRedis:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikRedis
Properties:
AutomaticFailoverEnabled: true
CacheNodeType:
Ref: RedisInstanceType
CacheSubnetGroupName:
Ref: AuthentikRedisSubnetGroup
Engine: redis
EngineVersion:
Ref: RedisVersion
NumCacheClusters: 2
ReplicationGroupDescription: Redis cluster for authentik
SecurityGroupIds:
- Fn::GetAtt:
- RedisSGEA80AC17
- GroupId
Type: AWS::ElastiCache::ReplicationGroup
AuthentikRedisSubnetGroup:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikRedisSubnetGroup
Properties:
Description: Subnet group for authentik ElastiCache Redis
SubnetIds:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Type: AWS::ElastiCache::SubnetGroup
AuthentikSG3040E46F:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikSG/Resource
Properties:
GroupDescription: Security Group for authentik services
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: '-1'
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::SecurityGroup
AuthentikSGfromAuthentikStackAuthentikALBSecurityGroup46E4D829900045771B43:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikSG/from AuthentikStackAuthentikALBSecurityGroup46E4D829:9000
Properties:
Description: Load balancer to target
FromPort: 9000
GroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikALBSecurityGroup2B18FEEF
- GroupId
ToPort: 9000
Type: AWS::EC2::SecurityGroupIngress
AuthentikSecretKeyAC972960:
DeletionPolicy: Delete
Metadata:
aws:cdk:path: AuthentikStack/AuthentikSecretKey/Resource
Properties:
GenerateSecretString:
ExcludeCharacters: '"@/\'
PasswordLength: 64
Type: AWS::SecretsManager::Secret
UpdateReplacePolicy: Delete
AuthentikServerService9C845914:
DependsOn:
- AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479
- AuthentikALBAuthentikHttpsListener34A9BF12
- AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F
- AuthentikServerTaskTaskRole5BB06A73
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerService/Service
Properties:
Cluster:
Ref: AuthentikCluster54E596EF
DeploymentConfiguration:
Alarms:
AlarmNames: []
Enable: false
Rollback: false
MaximumPercent: 200
MinimumHealthyPercent: 50
DesiredCount:
Ref: AuthentikServerDesiredCount
EnableECSManagedTags: false
EnableExecuteCommand: true
HealthCheckGracePeriodSeconds: 60
LaunchType: FARGATE
LoadBalancers:
- ContainerName: AuthentikServerContainer
ContainerPort: 9000
TargetGroupArn:
Ref: AuthentikALBAuthentikHttpsListenerAuthentikServerTargetGroup345C3479
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
SecurityGroups:
- Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
Subnets:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
TaskDefinition:
Ref: AuthentikServerTaskD2D47AE0
Type: AWS::ECS::Service
AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881:
DeletionPolicy: Retain
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/AuthentikServerContainer/LogGroup/Resource
Type: AWS::Logs::LogGroup
UpdateReplacePolicy: Retain
AuthentikServerTaskD2D47AE0:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/Resource
Properties:
ContainerDefinitions:
- Command:
- server
Environment:
- Name: AUTHENTIK_POSTGRESQL__HOST
Value:
Fn::GetAtt:
- AuthentikDB6710DB92
- Endpoint.Address
- Name: AUTHENTIK_POSTGRESQL__USER
Value: authentik
- Name: AUTHENTIK_REDIS__HOST
Value:
Fn::GetAtt:
- AuthentikRedis
- PrimaryEndPoint.Address
Essential: true
HealthCheck:
Command:
- CMD
- ak
- healthcheck
Interval: 30
Retries: 3
StartPeriod: 60
Timeout: 30
Image:
Fn::Join:
- ''
- - Ref: AuthentikImage
- ':'
- Ref: AuthentikVersion
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group:
Ref: AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881
awslogs-region:
Ref: AWS::Region
awslogs-stream-prefix: authentik-server
MountPoints:
- ContainerPath: /media
ReadOnly: false
SourceVolume: media
Name: AuthentikServerContainer
PortMappings:
- ContainerPort: 9000
Protocol: tcp
RestartPolicy:
Enabled: true
Secrets:
- Name: AUTHENTIK_POSTGRESQL__PASSWORD
ValueFrom:
Fn::Join:
- ''
- - Ref: DBPassword67313E91
- ':password::'
- Name: AUTHENTIK_SECRET_KEY
ValueFrom:
Ref: AuthentikSecretKeyAC972960
Cpu:
Ref: AuthentikServerCPU
ExecutionRoleArn:
Fn::GetAtt:
- AuthentikServerTaskExecutionRole053E3BF5
- Arn
Family: AuthentikStackAuthentikServerTask23085F62
Memory:
Ref: AuthentikServerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn:
Fn::GetAtt:
- AuthentikServerTaskTaskRole5BB06A73
- Arn
Volumes:
- EFSVolumeConfiguration:
AuthorizationConfig:
AccessPointId:
Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7
IAM: ENABLED
FilesystemId:
Ref: AuthentikMediaEFS4AB06689
TransitEncryption: ENABLED
Name: media
Type: AWS::ECS::TaskDefinition
AuthentikServerTaskExecutionRole053E3BF5:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/Resource
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: '2012-10-17'
Type: AWS::IAM::Role
AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/ExecutionRole/DefaultPolicy/Resource
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
Fn::GetAtt:
- AuthentikServerTaskAuthentikServerContainerLogGroup7E3C6881
- Arn
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: DBPassword67313E91
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: AuthentikSecretKeyAC972960
Version: '2012-10-17'
PolicyName: AuthentikServerTaskExecutionRoleDefaultPolicy5AE74030
Roles:
- Ref: AuthentikServerTaskExecutionRole053E3BF5
Type: AWS::IAM::Policy
AuthentikServerTaskTaskRole5BB06A73:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/Resource
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: '2012-10-17'
Type: AWS::IAM::Role
AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikServerTask/TaskRole/DefaultPolicy/Resource
Properties:
PolicyDocument:
Statement:
- Action:
- ssmmessages:CreateControlChannel
- ssmmessages:CreateDataChannel
- ssmmessages:OpenControlChannel
- ssmmessages:OpenDataChannel
Effect: Allow
Resource: '*'
- Action: logs:DescribeLogGroups
Effect: Allow
Resource: '*'
- Action:
- logs:CreateLogStream
- logs:DescribeLogStreams
- logs:PutLogEvents
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: AuthentikServerTaskTaskRoleDefaultPolicy4C2F360F
Roles:
- Ref: AuthentikServerTaskTaskRole5BB06A73
Type: AWS::IAM::Policy
AuthentikVpcA1ABE6C2:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/Resource
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
InstanceTenancy: default
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc
Type: AWS::EC2::VPC
AuthentikVpcIGW53CE5190:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/IGW
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc
Type: AWS::EC2::InternetGateway
AuthentikVpcPrivateSubnet1DefaultRouteE7E61D7D:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/DefaultRoute
Properties:
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B
RouteTableId:
Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15
Type: AWS::EC2::Route
AuthentikVpcPrivateSubnet1RouteTable865DCC15:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::RouteTable
AuthentikVpcPrivateSubnet1RouteTableAssociationBBA42BB3:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/RouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPrivateSubnet1RouteTable865DCC15
SubnetId:
Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
Type: AWS::EC2::SubnetRouteTableAssociation
AuthentikVpcPrivateSubnet1Subnet6748EEA3:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet1/Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ''
CidrBlock: 10.0.128.0/18
MapPublicIpOnLaunch: false
Tags:
- Key: aws-cdk:subnet-name
Value: Private
- Key: aws-cdk:subnet-type
Value: Private
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::Subnet
AuthentikVpcPrivateSubnet2DefaultRouteB93D7A74:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/DefaultRoute
Properties:
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: AuthentikVpcPublicSubnet1NATGatewayEBF2B25B
RouteTableId:
Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26
Type: AWS::EC2::Route
AuthentikVpcPrivateSubnet2RouteTable472C2F26:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::RouteTable
AuthentikVpcPrivateSubnet2RouteTableAssociation0276EED3:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/RouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPrivateSubnet2RouteTable472C2F26
SubnetId:
Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
Type: AWS::EC2::SubnetRouteTableAssociation
AuthentikVpcPrivateSubnet2Subnet6B8E7123:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PrivateSubnet2/Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ''
CidrBlock: 10.0.192.0/18
MapPublicIpOnLaunch: false
Tags:
- Key: aws-cdk:subnet-name
Value: Private
- Key: aws-cdk:subnet-type
Value: Private
- Key: Name
Value: AuthentikStack/AuthentikVpc/PrivateSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::Subnet
AuthentikVpcPublicSubnet1DefaultRoute90C4189A:
DependsOn:
- AuthentikVpcVPCGW65A49376
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/DefaultRoute
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: AuthentikVpcIGW53CE5190
RouteTableId:
Ref: AuthentikVpcPublicSubnet1RouteTable142C1454
Type: AWS::EC2::Route
AuthentikVpcPublicSubnet1EIP2A4626A0:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/EIP
Properties:
Domain: vpc
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
Type: AWS::EC2::EIP
AuthentikVpcPublicSubnet1NATGatewayEBF2B25B:
DependsOn:
- AuthentikVpcPublicSubnet1DefaultRoute90C4189A
- AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/NATGateway
Properties:
AllocationId:
Fn::GetAtt:
- AuthentikVpcPublicSubnet1EIP2A4626A0
- AllocationId
SubnetId:
Ref: AuthentikVpcPublicSubnet1Subnet0C75862A
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
Type: AWS::EC2::NatGateway
AuthentikVpcPublicSubnet1RouteTable142C1454:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::RouteTable
AuthentikVpcPublicSubnet1RouteTableAssociation33E57E0C:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/RouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPublicSubnet1RouteTable142C1454
SubnetId:
Ref: AuthentikVpcPublicSubnet1Subnet0C75862A
Type: AWS::EC2::SubnetRouteTableAssociation
AuthentikVpcPublicSubnet1Subnet0C75862A:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet1/Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 0
- Fn::GetAZs: ''
CidrBlock: 10.0.0.0/18
MapPublicIpOnLaunch: true
Tags:
- Key: aws-cdk:subnet-name
Value: Public
- Key: aws-cdk:subnet-type
Value: Public
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet1
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::Subnet
AuthentikVpcPublicSubnet2DefaultRoute2E9B0EBA:
DependsOn:
- AuthentikVpcVPCGW65A49376
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/DefaultRoute
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: AuthentikVpcIGW53CE5190
RouteTableId:
Ref: AuthentikVpcPublicSubnet2RouteTableF486229B
Type: AWS::EC2::Route
AuthentikVpcPublicSubnet2RouteTableAssociationDA2BDD26:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTableAssociation
Properties:
RouteTableId:
Ref: AuthentikVpcPublicSubnet2RouteTableF486229B
SubnetId:
Ref: AuthentikVpcPublicSubnet2Subnet4DFAFA5B
Type: AWS::EC2::SubnetRouteTableAssociation
AuthentikVpcPublicSubnet2RouteTableF486229B:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/RouteTable
Properties:
Tags:
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::RouteTable
AuthentikVpcPublicSubnet2Subnet4DFAFA5B:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/PublicSubnet2/Subnet
Properties:
AvailabilityZone:
Fn::Select:
- 1
- Fn::GetAZs: ''
CidrBlock: 10.0.64.0/18
MapPublicIpOnLaunch: true
Tags:
- Key: aws-cdk:subnet-name
Value: Public
- Key: aws-cdk:subnet-type
Value: Public
- Key: Name
Value: AuthentikStack/AuthentikVpc/PublicSubnet2
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::Subnet
AuthentikVpcVPCGW65A49376:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikVpc/VPCGW
Properties:
InternetGatewayId:
Ref: AuthentikVpcIGW53CE5190
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::VPCGatewayAttachment
AuthentikWorkerService629E37E2:
DependsOn:
- AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D
- AuthentikWorkerTaskTaskRole87C41589
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerService/Service
Properties:
Cluster:
Ref: AuthentikCluster54E596EF
DeploymentConfiguration:
Alarms:
AlarmNames: []
Enable: false
Rollback: false
MaximumPercent: 200
MinimumHealthyPercent: 50
DesiredCount:
Ref: AuthentikWorkerDesiredCount
EnableECSManagedTags: false
EnableExecuteCommand: true
LaunchType: FARGATE
NetworkConfiguration:
AwsvpcConfiguration:
AssignPublicIp: DISABLED
SecurityGroups:
- Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
Subnets:
- Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
- Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
TaskDefinition:
Ref: AuthentikWorkerTaskF8F277C5
Type: AWS::ECS::Service
AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC:
DeletionPolicy: Retain
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/AuthentikWorkerContainer/LogGroup/Resource
Type: AWS::Logs::LogGroup
UpdateReplacePolicy: Retain
AuthentikWorkerTaskExecutionRole2E56865A:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/Resource
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: '2012-10-17'
Type: AWS::IAM::Role
AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/ExecutionRole/DefaultPolicy/Resource
Properties:
PolicyDocument:
Statement:
- Action:
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource:
Fn::GetAtt:
- AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC
- Arn
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: DBPassword67313E91
- Action:
- secretsmanager:GetSecretValue
- secretsmanager:DescribeSecret
Effect: Allow
Resource:
Ref: AuthentikSecretKeyAC972960
Version: '2012-10-17'
PolicyName: AuthentikWorkerTaskExecutionRoleDefaultPolicyB028D6C8
Roles:
- Ref: AuthentikWorkerTaskExecutionRole2E56865A
Type: AWS::IAM::Policy
AuthentikWorkerTaskF8F277C5:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/Resource
Properties:
ContainerDefinitions:
- Command:
- worker
Environment:
- Name: AUTHENTIK_POSTGRESQL__HOST
Value:
Fn::GetAtt:
- AuthentikDB6710DB92
- Endpoint.Address
- Name: AUTHENTIK_POSTGRESQL__USER
Value: authentik
- Name: AUTHENTIK_REDIS__HOST
Value:
Fn::GetAtt:
- AuthentikRedis
- PrimaryEndPoint.Address
Essential: true
HealthCheck:
Command:
- CMD
- ak
- healthcheck
Interval: 30
Retries: 3
StartPeriod: 60
Timeout: 30
Image:
Fn::Join:
- ''
- - Ref: AuthentikImage
- ':'
- Ref: AuthentikVersion
LogConfiguration:
LogDriver: awslogs
Options:
awslogs-group:
Ref: AuthentikWorkerTaskAuthentikWorkerContainerLogGroupC05B4DFC
awslogs-region:
Ref: AWS::Region
awslogs-stream-prefix: authentik-worker
MountPoints:
- ContainerPath: /media
ReadOnly: false
SourceVolume: media
Name: AuthentikWorkerContainer
RestartPolicy:
Enabled: true
Secrets:
- Name: AUTHENTIK_POSTGRESQL__PASSWORD
ValueFrom:
Fn::Join:
- ''
- - Ref: DBPassword67313E91
- ':password::'
- Name: AUTHENTIK_SECRET_KEY
ValueFrom:
Ref: AuthentikSecretKeyAC972960
Cpu:
Ref: AuthentikWorkerCPU
ExecutionRoleArn:
Fn::GetAtt:
- AuthentikWorkerTaskExecutionRole2E56865A
- Arn
Family: AuthentikStackAuthentikWorkerTask6C7D4E77
Memory:
Ref: AuthentikWorkerMemory
NetworkMode: awsvpc
RequiresCompatibilities:
- FARGATE
TaskRoleArn:
Fn::GetAtt:
- AuthentikWorkerTaskTaskRole87C41589
- Arn
Volumes:
- EFSVolumeConfiguration:
AuthorizationConfig:
AccessPointId:
Ref: AuthentikMediaEFSAuthentikMediaAccessPointA60D3CC7
IAM: ENABLED
FilesystemId:
Ref: AuthentikMediaEFS4AB06689
TransitEncryption: ENABLED
Name: media
Type: AWS::ECS::TaskDefinition
AuthentikWorkerTaskTaskRole87C41589:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/Resource
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Version: '2012-10-17'
Type: AWS::IAM::Role
AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D:
Metadata:
aws:cdk:path: AuthentikStack/AuthentikWorkerTask/TaskRole/DefaultPolicy/Resource
Properties:
PolicyDocument:
Statement:
- Action:
- ssmmessages:CreateControlChannel
- ssmmessages:CreateDataChannel
- ssmmessages:OpenControlChannel
- ssmmessages:OpenDataChannel
Effect: Allow
Resource: '*'
- Action: logs:DescribeLogGroups
Effect: Allow
Resource: '*'
- Action:
- logs:CreateLogStream
- logs:DescribeLogStreams
- logs:PutLogEvents
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName: AuthentikWorkerTaskTaskRoleDefaultPolicy4E74B62D
Roles:
- Ref: AuthentikWorkerTaskTaskRole87C41589
Type: AWS::IAM::Policy
DBPassword67313E91:
DeletionPolicy: Delete
Metadata:
aws:cdk:path: AuthentikStack/DBPassword/Resource
Properties:
GenerateSecretString:
ExcludeCharacters: '"@/\'
GenerateStringKey: password
PasswordLength: 64
SecretStringTemplate: '{"username": "authentik"}'
Type: AWS::SecretsManager::Secret
UpdateReplacePolicy: Delete
DBPasswordAttachmentAC350077:
Metadata:
aws:cdk:path: AuthentikStack/DBPassword/Attachment/Resource
Properties:
SecretId:
Ref: DBPassword67313E91
TargetId:
Ref: AuthentikDB6710DB92
TargetType: AWS::RDS::DBInstance
Type: AWS::SecretsManager::SecretTargetAttachment
DatabaseSG2A23C222:
Metadata:
aws:cdk:path: AuthentikStack/DatabaseSG/Resource
Properties:
GroupDescription: Security Group for authentik RDS PostgreSQL
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: '-1'
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::SecurityGroup
DatabaseSGfromAuthentikStackAuthentikSG23C19B28543226D9B076:
Metadata:
aws:cdk:path: AuthentikStack/DatabaseSG/from AuthentikStackAuthentikSG23C19B28:5432
Properties:
Description: Allow authentik to connect to RDS PostgreSQL
FromPort: 5432
GroupId:
Fn::GetAtt:
- DatabaseSG2A23C222
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
ToPort: 5432
Type: AWS::EC2::SecurityGroupIngress
RedisSGEA80AC17:
Metadata:
aws:cdk:path: AuthentikStack/RedisSG/Resource
Properties:
GroupDescription: Security Group for authentik ElastiCache Redis
SecurityGroupEgress:
- CidrIp: 0.0.0.0/0
Description: Allow all outbound traffic by default
IpProtocol: '-1'
VpcId:
Ref: AuthentikVpcA1ABE6C2
Type: AWS::EC2::SecurityGroup
RedisSGfromAuthentikStackAuthentikSG23C19B2863790C4BCCDE:
Metadata:
aws:cdk:path: AuthentikStack/RedisSG/from AuthentikStackAuthentikSG23C19B28:6379
Properties:
Description: Allow authentik to connect to ElastiCache Redis
FromPort: 6379
GroupId:
Fn::GetAtt:
- RedisSGEA80AC17
- GroupId
IpProtocol: tcp
SourceSecurityGroupId:
Fn::GetAtt:
- AuthentikSG3040E46F
- GroupId
ToPort: 6379
Type: AWS::EC2::SecurityGroupIngress
Reference in New Issue View Git Blame Copy Permalink