diff --git a/lifecycle/aws/app.py b/lifecycle/aws/app.py
index 50b8d06aa8..12cb604490 100755
--- a/lifecycle/aws/app.py
+++ b/lifecycle/aws/app.py
@@ -188,6 +188,31 @@ class AuthentikStack(Stack):
 # Storage
+ data_fs = efs.FileSystem(
+ self,
+ "AuthentikDataEFS",
+ vpc=vpc,
+ removal_policy=RemovalPolicy.RETAIN,
+ security_group=ec2.SecurityGroup(
+ self,
+ "AuthentikDataEFSSecurityGroup",
+ vpc=vpc,
+ description="Security group for authentik data EFS",
+ allow_all_outbound=True,
+ ),
+ encrypted=True,
+ performance_mode=efs.PerformanceMode.GENERAL_PURPOSE,
+ throughput_mode=efs.ThroughputMode.BURSTING,
+ )
+ data_fs.connections.allow_default_port_from(authentik_security_group)
+
+ data_access_point = data_fs.add_access_point(
+ "AuthentikDataAccessPoint",
+ path="/data",
+ create_acl=efs.Acl(owner_uid="1000", owner_gid="1000", permissions="755"),
+ posix_user=efs.PosixUser(uid="1000", gid="1000"),
+ )
+
 media_fs = efs.FileSystem(
 self,
 "AuthentikMediaEFS",
@@ -235,6 +260,17 @@ class AuthentikStack(Stack):
 cpu=server_cpu.value_as_number,
 memory_limit_mib=server_memory.value_as_number,
 )
+ server_task.add_volume(
+ name="data",
+ efs_volume_configuration=ecs.EfsVolumeConfiguration(
+ file_system_id=data_fs.file_system_id,
+ transit_encryption="ENABLED",
+ authorization_config=ecs.AuthorizationConfig(
+ access_point_id=data_access_point.access_point_id,
+ iam="ENABLED",
+ ),
+ ),
+ )
 server_task.add_volume(
 name="media",
 efs_volume_configuration=ecs.EfsVolumeConfiguration(
@@ -266,7 +302,10 @@ class AuthentikStack(Stack):
 )
 server_container.add_port_mappings(ecs.PortMapping(container_port=9000))
 server_container.add_mount_points(
- ecs.MountPoint(container_path="/media", source_volume="media", read_only=False)
+ ecs.MountPoint(container_path="/data", source_volume="data", read_only=False)
+ )
+ server_container.add_mount_points(
+ ecs.MountPoint(container_path="/data/media", source_volume="media", read_only=False)
 )
 server_service = ecs.FargateService(
 self,
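Review bot: The new `AuthentikDataEFSSecurityGroup` is created with `allow_all_outbound=True`, which hands unrestricted egress to a mount-target security group that never initiates connections; `allow_all_outbound=False` leaves the group with only the 2049/tcp ingress that `data_fs.connections.allow_default_port_from(authentik_security_group)` adds, which is all a mount target needs. Separately, `data_fs` is created without a `file_system_policy`, and EFS's default when no policy is attached is to admit any client that can reach a mount target, so the `iam="ENABLED"` later in this diff does not by itself restrict who may mount the data file system. A policy (or, if the CDK version in use supports it, `allow_anonymous_access=False`) that requires `aws:SecureTransport` and limits `elasticfilesystem:ClientMount`/`ClientWrite` to the two task roles would make the IAM setting enforce something. Whether the existing media file system already does this is not visible here, and the enclosing method begins and ends outside the hunk.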
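Review bot: `iam="ENABLED"` on the new `data` volume makes the ECS agent mount with the task role's credentials, but nothing in this hunk grants `server_task.task_role` the `elasticfilesystem:ClientMount`/`ClientWrite` actions on `data_fs`, so the mount currently succeeds only because of the file system's permissive default policy and would start failing as soon as a restrictive policy is attached. If the media volume's grant (outside the hunk) is not mirrored for the data file system, add one next to the volume, e.g. `data_fs.grant(server_task.task_role, "elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite")` (or `grant_read_write` where the installed CDK provides it). `transit_encryption="ENABLED"` is present and is the right choice for this volume. The surrounding method starts and ends outside the hunk.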
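Review bot: The two back-to-back `server_container.add_mount_points(...)` calls can be a single call, since the method is variadic: `server_container.add_mount_points(ecs.MountPoint(container_path="/data", source_volume="data", read_only=False), ecs.MountPoint(container_path="/data/media", source_volume="media", read_only=False))`. The second mount point also now lives inside the first, so the `media` file system is mounted over a directory that is created on the `data` access point's root; the hunk gives no hint of that dependency, and a comment such as `# media EFS is mounted inside the data EFS; /data/media is a directory on the data volume` would save the next reader from assuming the two are independent. Whether the old `/media` path is still referenced by the container's configuration elsewhere is not visible in the hunk, and the enclosing method continues outside it.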
@@ -286,6 +325,17 @@ class AuthentikStack(Stack):
 cpu=worker_cpu.value_as_number,
 memory_limit_mib=worker_memory.value_as_number,
 )
+ worker_task.add_volume(
+ name="data",
+ efs_volume_configuration=ecs.EfsVolumeConfiguration(
+ file_system_id=data_fs.file_system_id,
+ transit_encryption="ENABLED",
+ authorization_config=ecs.AuthorizationConfig(
+ access_point_id=data_access_point.access_point_id,
+ iam="ENABLED",
+ ),
+ ),
+ )
 worker_task.add_volume(
 name="media",
 efs_volume_configuration=ecs.EfsVolumeConfiguration(
@@ -316,7 +366,10 @@ class AuthentikStack(Stack):
 ),
 )
 worker_container.add_mount_points(
- ecs.MountPoint(container_path="/media", source_volume="media", read_only=False)
+ ecs.MountPoint(container_path="/data", source_volume="data", read_only=False)
+ )
+ worker_container.add_mount_points(
+ ecs.MountPoint(container_path="/data/media", source_volume="media", read_only=False)
 )
 worker_service = ecs.FargateService( # noqa: F841
 self,
diff --git a/lifecycle/aws/template.yaml b/lifecycle/aws/template.yaml
index 5f2e0a2bb5..17fa5a3125 100644
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
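Review bot: The `ecs.EfsVolumeConfiguration(...)` block added for the worker's `data` volume is a verbatim copy of the server's, and the same shape is repeated for both `media` volumes, so the transit-encryption and IAM settings are now maintained in four places where one omission would silently weaken a single mount. A small local helper that builds the configuration keeps those two security settings in one spot; the `worker_task.task_role` also needs the same EFS `ClientMount`/`ClientWrite` grant on `data_fs` as the server task, which the hunk does not show. The enclosing method starts and ends outside the hunk.

```python
def efs_volume(file_system: efs.FileSystem, access_point: efs.AccessPoint) -> ecs.EfsVolumeConfiguration:
    """EFS volume config used by every authentik task: TLS in transit and IAM-authorized mount via an access point."""
    return ecs.EfsVolumeConfiguration(
        file_system_id=file_system.file_system_id,
        transit_encryption="ENABLED",
        authorization_config=ecs.AuthorizationConfig(
            access_point_id=access_point.access_point_id,
            iam="ENABLED",
        ),
    )

worker_task.add_volume(name="data", efs_volume_configuration=efs_volume(data_fs, data_access_point))
# … unchanged: media volume, which can use efs_volume(media_fs, <media access point>) the same way …
```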
@@ -444,6 +444,93 @@ Resources: DeletionPolicy: Snapshot Metadata: aws:cdk:path: AuthentikStack/AuthentikDB/Resource + AuthentikDataEFSSecurityGroupF1438EBE: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Security group for authentik data EFS + SecurityGroupEgress: + - CidrIp: 0.0.0.0/0 + Description: Allow all outbound traffic by default + IpProtocol: "-1" + VpcId: + Ref: AuthentikVpcA1ABE6C2 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDataEFSSecurityGroup/Resource + AuthentikDataEFSSecurityGroupfromAuthentikStackAuthentikSG23C19B282049BC1DBBFA: + Type: AWS::EC2::SecurityGroupIngress + Properties: + Description: from AuthentikStackAuthentikSG23C19B28:2049 + FromPort: 2049 + GroupId: + Fn::GetAtt: + - AuthentikDataEFSSecurityGroupF1438EBE + - GroupId + IpProtocol: tcp + SourceSecurityGroupId: + Fn::GetAtt: + - AuthentikSG3040E46F + - GroupId + ToPort: 2049 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDataEFSSecurityGroup/from AuthentikStackAuthentikSG23C19B28:2049 + AuthentikDataEFS3D4C1E48: + Type: AWS::EFS::FileSystem + Properties: + Encrypted: true + FileSystemTags: + - Key: Name + Value: AuthentikStack/AuthentikDataEFS + PerformanceMode: generalPurpose + ThroughputMode: bursting + UpdateReplacePolicy: Retain + DeletionPolicy: Retain + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDataEFS/Resource + AuthentikDataEFSEfsMountTarget11E1521A2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: + Ref: AuthentikDataEFS3D4C1E48 + SecurityGroups: + - Fn::GetAtt: + - AuthentikDataEFSSecurityGroupF1438EBE + - GroupId + SubnetId: + Ref: AuthentikVpcPrivateSubnet1Subnet6748EEA3 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDataEFS/EfsMountTarget1 + AuthentikDataEFSEfsMountTarget2C31FB4A2: + Type: AWS::EFS::MountTarget + Properties: + FileSystemId: + Ref: AuthentikDataEFS3D4C1E48 + SecurityGroups: + - Fn::GetAtt: + - AuthentikDataEFSSecurityGroupF1438EBE + - GroupId + SubnetId: + Ref: 
AuthentikVpcPrivateSubnet2Subnet6B8E7123 + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDataEFS/EfsMountTarget2 + AuthentikDataEFSAuthentikDataAccessPoint4357C748: + Type: AWS::EFS::AccessPoint + Properties: + AccessPointTags: + - Key: Name + Value: AuthentikStack/AuthentikDataEFS/AuthentikDataAccessPoint + FileSystemId: + Ref: AuthentikDataEFS3D4C1E48 + PosixUser: + Gid: "1000" + Uid: "1000" + RootDirectory: + CreationInfo: + OwnerGid: "1000" + OwnerUid: "1000" + Permissions: "755" + Path: /data + Metadata: + aws:cdk:path: AuthentikStack/AuthentikDataEFS/AuthentikDataAccessPoint/Resource AuthentikMediaEFSSecurityGroup1840BA29: Type: AWS::EC2::SecurityGroup Properties: @@ -613,7 +700,10 @@ Resources: awslogs-region: Ref: AWS::Region MountPoints: - - ContainerPath: /media + - ContainerPath: /data + ReadOnly: false + SourceVolume: data + - ContainerPath: /data/media ReadOnly: false SourceVolume: media Name: AuthentikServerContainer @@ -649,6 +739,15 @@ Resources: - AuthentikServerTaskTaskRole5BB06A73 - Arn Volumes: + - EFSVolumeConfiguration: + AuthorizationConfig: + AccessPointId: + Ref: AuthentikDataEFSAuthentikDataAccessPoint4357C748 + IAM: ENABLED + FilesystemId: + Ref: AuthentikDataEFS3D4C1E48 + TransitEncryption: ENABLED + Name: data - EFSVolumeConfiguration: AuthorizationConfig: AccessPointId: @@ -829,7 +928,10 @@ Resources: awslogs-region: Ref: AWS::Region MountPoints: - - ContainerPath: /media + - ContainerPath: /data + ReadOnly: false + SourceVolume: data + - ContainerPath: /data/media ReadOnly: false SourceVolume: media Name: AuthentikWorkerContainer @@ -862,6 +964,15 @@ Resources: - AuthentikWorkerTaskTaskRole87C41589 - Arn Volumes: + - EFSVolumeConfiguration: + AuthorizationConfig: + AccessPointId: + Ref: AuthentikDataEFSAuthentikDataAccessPoint4357C748 + IAM: ENABLED + FilesystemId: + Ref: AuthentikDataEFS3D4C1E48 + TransitEncryption: ENABLED + Name: data - EFSVolumeConfiguration: AuthorizationConfig: AccessPointId: