lifecycle/aws: add /data volume (#19936)

Marc 'risson' Schmitt
2026-02-02 15:15:12 +01:00
committed by GitHub
parent 20f5875784
commit a7fb30a389
2 changed files with 168 additions and 4 deletions
+55 -2
@@ -188,6 +188,31 @@ class AuthentikStack(Stack):
# Storage
data_fs = efs.FileSystem(
self,
"AuthentikDataEFS",
vpc=vpc,
removal_policy=RemovalPolicy.RETAIN,
security_group=ec2.SecurityGroup(
self,
"AuthentikDataEFSSecurityGroup",
vpc=vpc,
description="Security group for authentik data EFS",
allow_all_outbound=True,
),
encrypted=True,
performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,
throughput_mode=efs.ThroughputMode.BURSTING,
)
data_fs.connections.allow_default_port_from(authentik_security_group)
data_access_point = data_fs.add_access_point(
"AuthentikDataAccessPoint",
path="/data",
create_acl=efs.Acl(owner_uid="1000", owner_gid="1000", permissions="755"),
posix_user=efs.PosixUser(uid="1000", gid="1000"),
)
media_fs = efs.FileSystem(
self,
"AuthentikMediaEFS",
@@ -235,6 +260,17 @@ class AuthentikStack(Stack):
cpu=server_cpu.value_as_number,
memory_limit_mib=server_memory.value_as_number,
)
server_task.add_volume(
name="data",
efs_volume_configuration=ecs.EfsVolumeConfiguration(
file_system_id=data_fs.file_system_id,
transit_encryption="ENABLED",
authorization_config=ecs.AuthorizationConfig(
access_point_id=data_access_point.access_point_id,
iam="ENABLED",
),
),
)
server_task.add_volume(
name="media",
efs_volume_configuration=ecs.EfsVolumeConfiguration(
@@ -266,7 +302,10 @@ class AuthentikStack(Stack):
)
server_container.add_port_mappings(ecs.PortMapping(container_port=9000))
server_container.add_mount_points(
ecs.MountPoint(container_path="/media", source_volume="media", read_only=False)
ecs.MountPoint(container_path="/data", source_volume="data", read_only=False)
)
server_container.add_mount_points(
ecs.MountPoint(container_path="/data/media", source_volume="media", read_only=False)
)
server_service = ecs.FargateService(
self,
@@ -286,6 +325,17 @@ class AuthentikStack(Stack):
cpu=worker_cpu.value_as_number,
memory_limit_mib=worker_memory.value_as_number,
)
worker_task.add_volume(
name="data",
efs_volume_configuration=ecs.EfsVolumeConfiguration(
file_system_id=data_fs.file_system_id,
transit_encryption="ENABLED",
authorization_config=ecs.AuthorizationConfig(
access_point_id=data_access_point.access_point_id,
iam="ENABLED",
),
),
)
worker_task.add_volume(
name="media",
efs_volume_configuration=ecs.EfsVolumeConfiguration(
@@ -316,7 +366,10 @@ class AuthentikStack(Stack):
),
)
worker_container.add_mount_points(
ecs.MountPoint(container_path="/media", source_volume="media", read_only=False)
ecs.MountPoint(container_path="/data", source_volume="data", read_only=False)
)
worker_container.add_mount_points(
ecs.MountPoint(container_path="/data/media", source_volume="media", read_only=False)
)
worker_service = ecs.FargateService( # noqa: F841
self,
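Review bot: Neither hunk that adds the `data` volume (L44–L54 for the server task, L74–L84 for the worker task) grants the task role any permission on `data_fs`, yet both set `iam="ENABLED"`, so EFS will authorize the mount against the task role's IAM identity; depending on whether a file system policy is attached, the mount then either relies on the default permissive file system policy or is rejected at task start. If the existing `media` volume receives its grant elsewhere in the stack, the new file system needs the same, e.g. `data_fs.grant(server_task.task_role, "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite")` and the equivalent for `worker_task`, which also makes the intended access explicit rather than inherited from a default. The mount-point hunks (L61–L67, L91–L97) nest the `media` volume at `/data/media` inside the `/data` access point, which relies on the runtime mounting `data` first and creating the `media` directory inside it; a short comment such as `# media is mounted inside the data volume; the runtime creates /data/media on the data EFS` would make that dependency visible, and the two `add_mount_points` calls could be a single call since the method takes several mount points. The enclosing method of `AuthentikStack` starts and ends outside these hunks.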
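--- a/<template-path-not-shown>
+++ b/<template-path-not-shown>
@@ -444,6 +444,93 @@ Resources:
 DeletionPolicy: Snapshot
 Metadata:
 aws:cdk:path: AuthentikStack/AuthentikDB/Resource
+AuthentikDataEFSSecurityGroupF1438EBE:
+Type: AWS::EC2::SecurityGroup
+Properties:
+GroupDescription: Security group for authentik data EFS
+SecurityGroupEgress:
+- CidrIp: 0.0.0.0/0
+Description: Allow all outbound traffic by default
+IpProtocol: "-1"
+VpcId:
+Ref: AuthentikVpcA1ABE6C2
+Metadata:
+aws:cdk:path: AuthentikStack/AuthentikDataEFSSecurityGroup/Resource
+AuthentikDataEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B282049BC1DBBFA:
+Type: AWS::EC2::SecurityGroupIngress
+Properties:
+Description: from AuthentikStackAuthentikSG23C19B28:2049
+FromPort: 2049
+GroupId:
+Fn::GetAtt:
+- AuthentikDataEFSSecurityGroupF1438EBE
+- GroupId
+IpProtocol: tcp
+SourceSecurityGroupId:
+Fn::GetAtt:
+- AuthentikSG3040E46F
+- GroupId
+ToPort: 2049
+Metadata:
+aws:cdk:path: AuthentikStack/AuthentikDataEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049
+AuthentikDataEFS3D4C1E48:
+Type: AWS::EFS::FileSystem
+Properties:
+Encrypted: true
+FileSystemTags:
+- Key: Name
+Value: AuthentikStack/AuthentikDataEFS
+PerformanceMode: generalPurpose
+ThroughputMode: bursting
+UpdateReplacePolicy: Retain
+DeletionPolicy: Retain
+Metadata:
+aws:cdk:path: AuthentikStack/AuthentikDataEFS/Resource
+AuthentikDataEFSEfsMountTarget11E1521A2:
+Type: AWS::EFS::MountTarget
+Properties:
+FileSystemId:
+Ref: AuthentikDataEFS3D4C1E48
+SecurityGroups:
+- Fn::GetAtt:
+- AuthentikDataEFSSecurityGroupF1438EBE
+- GroupId
+SubnetId:
+Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3
+Metadata:
+aws:cdk:path: AuthentikStack/AuthentikDataEFS/EfsMountTarget1
+AuthentikDataEFSEfsMountTarget2C31FB4A2:
+Type: AWS::EFS::MountTarget
+Properties:
+FileSystemId:
+Ref: AuthentikDataEFS3D4C1E48
+SecurityGroups:
+- Fn::GetAtt:
+- AuthentikDataEFSSecurityGroupF1438EBE
+- GroupId
+SubnetId:
+Ref: AuthentikVpcPrivateSubnet2Subnet6B8E7123
+Metadata:
+aws:cdk:path: AuthentikStack/AuthentikDataEFS/EfsMountTarget2
+AuthentikDataEFSAuthentikDataAccessPoint4357C748:
+Type: AWS::EFS::AccessPoint
+Properties:
+AccessPointTags:
+- Key: Name
+Value: AuthentikStack/AuthentikDataEFS/AuthentikDataAccessPoint
+FileSystemId:
+Ref: AuthentikDataEFS3D4C1E48
+PosixUser:
+Gid: "1000"
+Uid: "1000"
+RootDirectory:
+CreationInfo:
+OwnerGid: "1000"
+OwnerUid: "1000"
+Permissions: "755"
+Path: /data
+Metadata:
+aws:cdk:path: AuthentikStack/AuthentikDataEFS/AuthentikDataAccessPoint/Resource
 AuthentikMediaEFSSecurityGroup1840BA29:
 Type: AWS::EC2::SecurityGroup
 Properties:
@@ -613,7 +700,10 @@ Resources:
 awslogs-region:
 Ref: AWS::Region
 MountPoints:
-- ContainerPath: /media
+- ContainerPath: /data
+ReadOnly: false
+SourceVolume: data
+- ContainerPath: /data/media
 ReadOnly: false
 SourceVolume: media
 Name: AuthentikServerContainer
@@ -649,6 +739,15 @@ Resources:
 - AuthentikServerTaskTaskRole5BB06A73
 - Arn
 Volumes:
+- EFSVolumeConfiguration:
+AuthorizationConfig:
+AccessPointId:
+Ref: AuthentikDataEFSAuthentikDataAccessPoint4357C748
+IAM: ENABLED
+FilesystemId:
+Ref: AuthentikDataEFS3D4C1E48
+TransitEncryption: ENABLED
+Name: data
 - EFSVolumeConfiguration:
 AuthorizationConfig:
 AccessPointId:
@@ -829,7 +928,10 @@ Resources:
 awslogs-region:
 Ref: AWS::Region
 MountPoints:
-- ContainerPath: /media
+- ContainerPath: /data
+ReadOnly: false
+SourceVolume: data
+- ContainerPath: /data/media
 ReadOnly: false
 SourceVolume: media
 Name: AuthentikWorkerContainer
@@ -862,6 +964,15 @@ Resources:
 - AuthentikWorkerTaskTaskRole87C41589
 - Arn
 Volumes:
+- EFSVolumeConfiguration:
+AuthorizationConfig:
+AccessPointId:
+Ref: AuthentikDataEFSAuthentikDataAccessPoint4357C748
+IAM: ENABLED
+FilesystemId:
+Ref: AuthentikDataEFS3D4C1E48
+TransitEncryption: ENABLED
+Name: data
 - EFSVolumeConfiguration:
 AuthorizationConfig:
 AccessPointId: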