Terraform code to configure ALB listener rules with OIDC authentication with one app per route
# Existing ALB listener that the two rules below are attached to (the listener
# itself, including its default action, is managed outside this file).
variable "aws_lb_listener_arn" {
  description = "ARN of the ALB listener to include rules into"
  type = "string"
}
# Base URL of the Okta authorization server. It is used verbatim as the OIDC
# `issuer` and has "/v1/authorize", "/v1/token" and "/v1/userinfo" appended for
# the endpoints, so it must carry no trailing slash and must match the `iss`
# value the server puts in its tokens.
variable "okta_auth_server_base_url" {
  description = "Base URL of Okta's authorization server"
  type = "string"
}
# Single target group that both authenticated routes forward to.
variable "aws_lb_target_group_arn" {
  description = "ARN of the target group to forward requests to"
  type = "string"
}
# Map keyed by route name ("app-1", "app-2") to the Okta OIDC client ID for
# that application; each rule below looks up its own key.
variable "okta_client_id" {
  description = "Client IDs for the Okta OIDC applications"
  type = "map"
}
# Map keyed by route name to the matching Okta client secret. The value is
# written into the listener rule, so it ends up in plan output and in the
# Terraform state; keep state storage and its access restricted accordingly.
variable "okta_client_secret" {
  description = "Client secrets for the Okta OIDC applications"
  type = "map"
}
# Listener rule for the first application: requests whose path matches are
# first authenticated against Okta (authenticate-oidc), then forwarded to the
# shared target group. Action order matters: the forward action only runs
# after the OIDC action has accepted the request.
resource "aws_lb_listener_rule" "app-1" {
  listener_arn = "${var.aws_lb_listener_arn}"
  # Lower numbers are evaluated first; the gap to "12" leaves room for inserts.
  priority = "10"
  condition {
    path_pattern {
      # NOTE(review): "/app-1" has no wildcard, so only that exact path is
      # covered by this rule; sub-paths such as "/app-1/..." fall through to
      # other rules or the listener's default action (not shown here) —
      # confirm that is intended, or use a "/app-1/*" pattern as well.
      values = ["/app-1"]
    }
  }
  action {
    type = "authenticate-oidc"
    authenticate_oidc {
      authorization_endpoint = "${var.okta_auth_server_base_url}/v1/authorize"
      client_id = "${var.okta_client_id["app-1"]}"
      client_secret = "${var.okta_client_secret["app-1"]}"
      # Must equal the `iss` claim in the ID token, hence the bare base URL.
      issuer = "${var.okta_auth_server_base_url}"
      token_endpoint = "${var.okta_auth_server_base_url}/v1/token"
      user_info_endpoint = "${var.okta_auth_server_base_url}/v1/userinfo"
      # Unauthenticated browsers are redirected to Okta rather than denied.
      on_unauthenticated_request = "authenticate"
      # offline_access asks Okta for a refresh token in addition to the
      # identity scopes.
      scope = "openid profile offline_access"
      # session_timeout and session_cookie_name are left at the provider
      # defaults; per AWS docs the default session lifetime is 7 days —
      # consider setting a shorter value explicitly.
    }
  }
  action {
    type = "forward"
    target_group_arn = "${var.aws_lb_target_group_arn}"
  }
}
# Listener rule for the second application; identical to "app-1" except for
# the path, priority and the map key used for the Okta client credentials.
resource "aws_lb_listener_rule" "app-2" {
  listener_arn = "${var.aws_lb_listener_arn}"
  # Evaluated after the "app-1" rule (priority "10").
  priority = "12"
  condition {
    path_pattern {
      # NOTE(review): exact-path match only; "/app-2/..." sub-paths are not
      # protected by this rule — confirm, or add a "/app-2/*" pattern.
      values = ["/app-2"]
    }
  }
  action {
    type = "authenticate-oidc"
    authenticate_oidc {
      authorization_endpoint = "${var.okta_auth_server_base_url}/v1/authorize"
      client_id = "${var.okta_client_id["app-2"]}"
      client_secret = "${var.okta_client_secret["app-2"]}"
      # Must equal the `iss` claim in the ID token, hence the bare base URL.
      issuer = "${var.okta_auth_server_base_url}"
      token_endpoint = "${var.okta_auth_server_base_url}/v1/token"
      user_info_endpoint = "${var.okta_auth_server_base_url}/v1/userinfo"
      # Unauthenticated browsers are redirected to Okta rather than denied.
      on_unauthenticated_request = "authenticate"
      # offline_access asks Okta for a refresh token in addition to the
      # identity scopes.
      scope = "openid profile offline_access"
      # session_timeout and session_cookie_name are left at the provider
      # defaults; per AWS docs the default session lifetime is 7 days.
    }
  }
  action {
    type = "forward"
    target_group_arn = "${var.aws_lb_target_group_arn}"
  }
}