feat: adds zoho integration

.gitattributes

@@ -15,4 +15,5 @@
 # Include these files in normal git tracking so they can be used by terragrunt
 packages/infrastructure/authentik_core_resources/logo.svg !filter !diff !merge text
 packages/infrastructure/authentik_aws_sso/aws.svg !filter !diff !merge text
-packages/infrastructure/authentik_vault_sso/vault.svg !filter !diff !merge text
+packages/infrastructure/authentik_vault_sso/vault.svg !filter !diff !merge text
+packages/infrastructure/authentik_zoho_sso/zoho.svg !filter !diff !merge text

packages/infrastructure/authentik_aws_sso/vars.tf

@@ -1,14 +1,14 @@
 variable "aws_acs_url" {
-  description = "The ACS url provided by AWS when configuring and external identity provider"
+  description = "The ACS url provided by AWS when configuring an external identity provider"
   type        = string
 }
 variable "aws_sign_in_url" {
-  description = "The Sign-in url provided by AWS when configuring and external identity provider"
+  description = "The sign-in url provided by AWS when configuring an external identity provider"
   type        = string
 }
 
 variable "aws_issuer" {
-  description = "The Issuer url provided by AWS when configuring and external identity provider"
+  description = "The Issuer url provided by AWS when configuring an external identity provider"
   type        = string
 }
 

packages/infrastructure/authentik_zoho_sso/README.md

@@ -0,0 +1,3 @@
+# AWS SSO with Zoho
+
+**Type:** Live

packages/infrastructure/authentik_zoho_sso/USAGE.md

@@ -0,0 +1,13 @@
+## Usage
+
+### Sign-in URL
+
+For IDP-initiated logins, the `zoho_sign_in_url` variable must be provided.
+
+This is not found in the Zoho web UI and must be constructed manually.
+
+It is of the form `https://accounts.zoho.com/samlauthrequest/<domain>?serviceurl=<zoho_service>` where
+
+- `<domain>` is a domain **that has been verified with Zoho**
+
+- `<zoho_service>` is the `https` url of a Zoho service (e.g., `https://one.zoho.com`)

packages/infrastructure/authentik_zoho_sso/common_vars.tf

@@ -0,0 +1,47 @@
+variable "environment" {
+  description = "The name of the environment the infrastructure is being deployed into. #injected"
+  type        = string
+  default     = null
+}
+
+variable "pf_root_module" {
+  description = "The name of the root Panfactum module in the module tree. #injected"
+  type        = string
+  default     = "authentik_aws_sso"
+}
+
+variable "pf_module" {
+  description = "The name of the Panfactum module where the containing resources are directly defined. #injected"
+  type        = string
+  default     = "authentik_aws_sso"
+}
+
+variable "region" {
+  description = "The region the infrastructure is being deployed into. #injected"
+  type        = string
+  default     = null
+}
+
+variable "extra_tags" {
+  description = "Extra tags or labels to add to the created resources. #injected"
+  type        = map(string)
+  default     = {}
+}
+
+variable "is_local" {
+  description = "Whether this module is a part of a local development deployment #injected"
+  type        = bool
+  default     = false
+}
+
+variable "pf_stack_version" {
+  description = "Which version of the Panfactum stack is being used (git ref) #injected"
+  type        = string
+  default     = "main"
+}
+
+variable "pf_stack_commit" {
+  description = "The commit hash for the version of the Panfactum stack being used #injected"
+  type        = string
+  default     = "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
+}

packages/infrastructure/authentik_zoho_sso/main.tf

@@ -0,0 +1,144 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.27.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "3.6.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.5"
+    }
+  }
+}
+
+
+###########################################################################
+## Upload the logo
+###########################################################################
+
+resource "random_id" "logo" {
+  prefix      = "zoho-"
+  byte_length = 8
+}
+
+resource "kubernetes_config_map_v1_data" "media" {
+  metadata {
+    name      = var.media_configmap
+    namespace = var.authentik_namespace
+  }
+  data = {
+    "${random_id.logo.hex}.svg" = file("${path.module}/zoho.svg")
+  }
+  field_manager = random_id.logo.hex
+  force         = true
+}
+
+###########################################################################
+## Cert Config
+###########################################################################
+
+// These certs are only used for their random cryptographic
+// material to sign the SAML assertions. There is no
+// need to use cert-manager to manage them,
+// especially since they need to be manually uploaded to AWS
+// every time they rotate
+resource "tls_private_key" "signing" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "tls_self_signed_cert" "signing" {
+  private_key_pem = tls_private_key.signing.private_key_pem
+  subject {
+    common_name  = var.authentik_domain
+    organization = var.organization_name
+  }
+  validity_period_hours = 24 * 365 * 10
+  allowed_uses = [
+    "key_encipherment",
+    "digital_signature",
+    "server_auth",
+  ]
+}
+
+resource "authentik_certificate_key_pair" "signing" {
+  name             = "zoho-signing-certs"
+  certificate_data = tls_self_signed_cert.signing.cert_pem
+  key_data         = tls_private_key.signing.private_key_pem
+}
+
+###########################################################################
+## IdP Config
+###########################################################################
+
+
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_property_mapping_saml" "email" {
+  managed = "goauthentik.io/providers/saml/email"
+}
+
+resource "authentik_provider_saml" "zoho" {
+  name               = "zoho"
+  authorization_flow = data.authentik_flow.default-authorization-flow.id
+  acs_url            = var.zoho_acs_url
+  sp_binding         = "post"
+  issuer             = var.zoho_issuer
+  name_id_mapping    = data.authentik_property_mapping_saml.email.id
+  signing_kp         = authentik_certificate_key_pair.signing.id
+}
+
+data "authentik_provider_saml_metadata" "zoho" {
+  provider_id = authentik_provider_saml.zoho.id
+}
+
+
+resource "authentik_application" "zoho" {
+  name              = "zoho"
+  slug              = "zoho"
+  protocol_provider = authentik_provider_saml.zoho.id
+  meta_launch_url   = var.zoho_sign_in_url
+  meta_description  = var.ui_description
+  meta_publisher    = "Panfactum"
+  meta_icon         = "/media/public/${random_id.logo.hex}.svg"
+  group             = var.ui_group
+  open_in_new_tab   = true
+}
+
+
+data "authentik_group" "superusers" {
+  name = "superusers"
+}
+
+resource "authentik_policy_binding" "superuser_access" {
+  target = authentik_application.zoho.uuid
+  group  = data.authentik_group.superusers.id
+  order  = 0
+}
+
+
+data "authentik_group" "group" {
+  for_each = var.allowed_groups
+  name     = each.key
+}
+
+resource "authentik_policy_binding" "access" {
+  for_each = var.allowed_groups
+  target   = authentik_application.zoho.uuid
+  group    = data.authentik_group.group[each.key].id
+  order    = 10
+}
+
+
+
+

packages/infrastructure/authentik_zoho_sso/outputs.tf

@@ -0,0 +1,3 @@
+output "saml_metadata" {
+  value = data.authentik_provider_saml_metadata.zoho.metadata
+}

packages/infrastructure/authentik_zoho_sso/vars.tf

@@ -0,0 +1,53 @@
+variable "zoho_acs_url" {
+  description = "The ACS url provided by Zoho when configuring an external identity provider"
+  type        = string
+}
+variable "zoho_sign_in_url" {
+  description = "The sign-in url provided by Zoho when configuring an external identity provider"
+  type        = string
+}
+
+variable "zoho_issuer" {
+  description = "The issuer provided by Zoho when configuring an external identity provider"
+  type        = string
+  default     = "zoho.com"
+}
+
+variable "authentik_domain" {
+  description = "The domain name of the authentik instance"
+  type        = string
+}
+
+variable "organization_name" {
+  description = "The name of your organization"
+  type        = string
+}
+
+variable "ui_description" {
+  description = "The description to display in the Authentik web dashboard"
+  type        = string
+  default     = "Zoho"
+}
+
+variable "ui_group" {
+  description = "The section in the Authentik web dashboard that this will appear in"
+  type        = string
+  default     = "Admin"
+}
+
+variable "allowed_groups" {
+  description = "Only members of these groups can access AWS"
+  type        = set(string)
+  default     = []
+}
+
+variable "media_configmap" {
+  description = "The configmap holding the static media that Authentik will use"
+  type        = string
+}
+
+variable "authentik_namespace" {
+  description = "The kubernetes namespace where Authentik is deployed"
+  type        = string
+}
+

packages/infrastructure/pf_website/main.tf

@@ -128,6 +128,7 @@ module "ingress" {
   }]
 
   cors_enabled                   = true
+  cross_origin_embedder_policy   = "credentialless"
   csp_enabled                    = true
   cross_origin_isolation_enabled = true
   rate_limiting_enabled          = true

packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl

@@ -14,8 +14,9 @@ inputs = {
         {
           subdomain = ""
           records = [
-            "1 smtp.google.com",
-            "15 ykrmc2xumckkmgqlgjjfkkzqcicjvadyfo5f7dpclaamrtcg7wca.mx-verification.google.com."
+            "10 mx.zoho.com",
+            "20 mx2.zoho.com",
+            "50 mx3.zoho.com"
           ]
         }
       ]
@@ -27,16 +28,24 @@ inputs = {
         },
         // DKIM (email)
         {
-          subdomain = "google._domainkey."
+          subdomain = "zmail._domainkey."
           records = [
-            "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyxt/FeLUEOazF2WCv+nj78WxNqpsByyiSgl0u9pGkAmyuEVhhUEp8oYWBt2pHkycCugCkW7tmk3ZaO+TrZ/sw5B/VlyUgaZKLcSngalzUYOvsNU5FREm1KE+MkcX610+h0PTdBQZ32MBg8yMcxKmt+FYHX7tTa5jzbai+5pTr5lVsU9ZYOnURHL9K1+itUwxyJz8VqaiqhR8wMV8tpWpLuDy6RFkatJgo8U1EohlhLQzjJTN4HUF/rjxoLEs18kTRR2ZzA3Esvi8FmERfAaO2chIldP60vBU78VAVHwi+pMavKb8U0pAyTVS/GjOQMjIRycCY7iGrvOWF2Yv6qRb/QIDAQAB"
+            "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxby/gQFkDpFdPv/SeR80eFSoxZZp8e/hJ+50WP5bEONClM4U83oFbJLUuGeRvMBmKsrWd5vVJq6THjDlwPAw73T8rpDSvy4bNHeuaC3x/GxalGaVTTserDvUvGpgV07EYdWq+0IaddbNzzDkahPXnLbBhkmvJubbuTTwXKomARwIDAQAB"
+          ]
+        },
+        // DKIM (CRM)
+        {
+          subdomain = "1522905413783._domainkey."
+          records = [
+            "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr6KMgdxxgg7oT3ulMwPJs9RXgXDrI9UWU118pHEMohl3UbL3Jwp4oxp/9N3thh/3WCJnYV134zbEVolZwqaT3JsFEq/mQ/RpW/JnOZ3rnxqJPurb2bcfJol4SDxiWVObzHX31xnANzFcXnq1/5dMK5QvW4Jh7n0fm4+4ywqiy2QIDAQAB"
           ]
         },
         {
           subdomain = ""
           records = [
-            "MS=ms89071327",                      // AAD Domain Ownership
-            "v=spf1 include:_spf.google.com ~all" // SPF record authorizing email senders
+            "MS=ms89071327",                                                                 // AAD Domain Ownership
+            "v=spf1 include:one.zoho.com include:zohomail.com include:_spf.google.com ~all", // SPF record authorizing email senders
+            "zoho-verification=zb69684923.zmverify.zoho.com"                                 // Zoho Domain Ownership
           ]
         }
       ]