Skip to content

cloudentity/aws-authorizer-cdk

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
docs/images
docs/images
 
 
pkg/stacks
pkg/stacks
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
cdk.go
cdk.go
 
 
cdk.json
cdk.json
 
 
cdk_test.go
cdk_test.go
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

Cloudentity AWS Authorizer CDK

This project provides CDK deployment for Cloudentity AWS Authorizer.

Disclaimer

This repository is currently in early access stage.

Architecture

Architecture diagram

Cloudentity AWS Authorizer consists of several components.

  1. The authorizer lambda function
  • It's responsible for validating policies assigned to the APIs in AWS API Gateway.
  • It's connecting to EFS to fetch stored configuration data from Cloudentity.
  1. The sync lambda function
  • It's fetching configuration from Cloudentity and stores it in EFS (the same File System used by the Authorizer lambda).
  • Scans AWS API Gateway APIs and sends them to Cloudentity so it's possible to assign policies to APIs.
  • Optionally, creates the Authorizer and connects it to all resources in selected APIs. (not recommended in prod environment)
  1. Trigger mechanism

To make sure the state of configuration stored in EFS is synced with Cloudentity, we're triggering sync lambda with a given interval.

3.1. EventBridge event

  • We're creating an EventBridge rule scheduled to run every 1 minute.

  • This rule triggers an AWS State Function.

    3.2. AWS State Function

  • We're creating an AWS State function which pushes multiple delayed SQS messages Those messages are later responsible for triggering the sync function in intervals shorter than 1 minute.

    3.3. SQS Queue

  • We're creating an AWS SQS Queue

  • It has a Dead Letter Queue created as well

  1. Simplified trigger mechanism

If there's no need to synchronize the state of configuration more often than every 1 minute, we've added a simplified synchronization trigger option. If you configure ReloadInterval prop to a value equal or greater to 1 minute, this mechanism is going to be used. Note: Sync will happen every minute.

4.1. EventBridge event

  • We're creating an EventBridge rule scheduled to run every 1 minute.
  • This rule triggers the sync lambda directly.

Prerequisites

  • CDK
  • Go

Set env variables

Make sure you have required env variables set in the .env file

ACP_CLIENT_ID=xxxxx
ACP_CLIENT_SECRET=xxxx
ACP_ISSUER_URL=xxxx

If you're using SSO set

AWS_PROFILE=xxx

You can also set

CDK_DEPLOY_ACCOUNT=XXX
CDK_DEPLOY_REGION=XXX

if you don't set those variables, CDK_DEFAULT_ACCOUNT and CDK_DEPLOY_REGION are going to be used.

Deploy

Run make bootstrap to bootstrap a new environment (only one-time per environment). Run make deploy to deploy the stack using authorizer from S3. Run make deploy-local-files to deploy the stack using authorizer from local .zip files.

Local lambda packages (without S3)

If you have lambda .zip packages locally, set

LOCAL_LAMBDAS_DIR=xxxxx

to the directory where your lambdas .zip files are.

IaC

By default, authorizer will get deployed with automatic authorizer creation. It will scan all APIs and attach an authorizer to all methods in all APIs.

This is not recommended for production environments, or any environments managed using IaC tools. To disable this behaviour, set the context parameter -c manuallyCreateAuthorizer=true.

This will disable automated authorizer creation.

Demo API

If you want to deply a demo API connected to the authorizer, pass -c deployDemo=true context param to cdk.

You can also use a helper make target make deploy-with-demo-api

About

AWS Authorizer CDK

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

8 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages