From 9dfb429b00e3eeca0580be4f62806eafce479f95 Mon Sep 17 00:00:00 2001 
From: fullykubed Date: Tue, 30 Apr 2024 18:13:31 -0400 Subject: [PATCH] feat: adds zoho integration --- .gitattributes | 3 +- .../infrastructure/authentik_aws_sso/vars.tf | 6 +- .../authentik_zoho_sso/README.md | 3 + .../authentik_zoho_sso/USAGE.md | 13 ++ .../authentik_zoho_sso/common_vars.tf | 47 ++++++ .../infrastructure/authentik_zoho_sso/main.tf | 144 ++++++++++++++++++ .../authentik_zoho_sso/outputs.tf | 3 + .../infrastructure/authentik_zoho_sso/vars.tf | 53 +++++++ .../authentik_zoho_sso/zoho.svg | 8 + packages/infrastructure/pf_website/main.tf | 1 + .../global/aws_dns_records/terragrunt.hcl | 21 ++- .../authentik_zoho_sso/.terraform.lock.hcl | 79 ++++++++++ .../us-east-2/authentik_zoho_sso/module.yaml | 5 + .../authentik_zoho_sso/terragrunt.hcl | 34 +++++ .../us-east-2/pf_website/version.yaml | 2 +- .../authentik_aws_sso/page.mdx | 6 +- .../authentik_zoho_sso/page.mdx | 119 +++++++++++++++ .../infrastructure-modules/modules.json | 1 + .../src/app/(web)/stack/pricing/page.mdx | 3 - .../src/app/(web)/stack/pricing/page.tsx | 3 + packages/website/src/app/layout.tsx | 11 +- packages/website/src/middleware.ts | 8 +- 22 files changed, 548 insertions(+), 25 deletions(-) create mode 100644 packages/infrastructure/authentik_zoho_sso/README.md create mode 100644 packages/infrastructure/authentik_zoho_sso/USAGE.md create mode 100644 packages/infrastructure/authentik_zoho_sso/common_vars.tf create mode 100644 packages/infrastructure/authentik_zoho_sso/main.tf create mode 100644 packages/infrastructure/authentik_zoho_sso/outputs.tf create mode 100644 packages/infrastructure/authentik_zoho_sso/vars.tf create mode 100644 packages/infrastructure/authentik_zoho_sso/zoho.svg create mode 100644 packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl create mode 100644 packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml create mode 100644 
packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl create mode 100644 packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx delete mode 100644 packages/website/src/app/(web)/stack/pricing/page.mdx create mode 100644 packages/website/src/app/(web)/stack/pricing/page.tsx diff --git a/.gitattributes b/.gitattributes index b8bd2f10..51551c8a 100644 --- a/.gitattributes +++ b/.gitattributes @@ -15,4 +15,5 @@ # Include these files in normal git tracking so they can be used by terragrunt packages/infrastructure/authentik_core_resources/logo.svg !filter !diff !merge text packages/infrastructure/authentik_aws_sso/aws.svg !filter !diff !merge text -packages/infrastructure/authentik_vault_sso/vault.svg !filter !diff !merge text \ No newline at end of file +packages/infrastructure/authentik_vault_sso/vault.svg !filter !diff !merge text +packages/infrastructure/authentik_zoho_sso/zoho.svg !filter !diff !merge text \ No newline at end of file diff --git a/packages/infrastructure/authentik_aws_sso/vars.tf b/packages/infrastructure/authentik_aws_sso/vars.tf index 85f58ec9..b6b3b5c6 100644 --- a/packages/infrastructure/authentik_aws_sso/vars.tf +++ b/packages/infrastructure/authentik_aws_sso/vars.tf @@ -1,14 +1,14 @@ variable "aws_acs_url" { - description = "The ACS url provided by AWS when configuring and external identity provider" + description = "The ACS url provided by AWS when configuring an external identity provider" type = string } variable "aws_sign_in_url" { - description = "The Sign-in url provided by AWS when configuring and external identity provider" + description = "The sign-in url provided by AWS when configuring an external identity provider" type = string } variable "aws_issuer" { - description = "The Issuer url provided by AWS when configuring and external identity provider" + description = "The Issuer url provided by AWS when configuring an external identity provider" type = string } 
diff --git a/packages/infrastructure/authentik_zoho_sso/README.md b/packages/infrastructure/authentik_zoho_sso/README.md new file mode 100644 index 00000000..eb3d2970 --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/README.md @@ -0,0 +1,3 @@ +# AWS SSO with Zoho + +**Type:** Live diff --git a/packages/infrastructure/authentik_zoho_sso/USAGE.md b/packages/infrastructure/authentik_zoho_sso/USAGE.md new file mode 100644 index 00000000..3c64219b --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/USAGE.md @@ -0,0 +1,13 @@ +## Usage + +### Sign-in URL + +For IDP-initiated logins, the `zoho_sign_in_url` variable must be provided. + +This is not found in the Zoho web UI and must be constructed manually. + +It is of the form `https://accounts.zoho.com/samlauthrequest/?serviceurl=` where + +- `` is a domain **that has been verified with Zoho** + +- `` is the `https` url of a Zoho service (e.g., `https://one.zoho.com`) \ No newline at end of file diff --git a/packages/infrastructure/authentik_zoho_sso/common_vars.tf b/packages/infrastructure/authentik_zoho_sso/common_vars.tf new file mode 100644 index 00000000..b8fb9829 --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/common_vars.tf 
@@ -0,0 +1,47 @@ +variable "environment" { + description = "The name of the environment the infrastructure is being deployed into. #injected" + type = string + default = null +} + +variable "pf_root_module" { + description = "The name of the root Panfactum module in the module tree. #injected" + type = string + default = "authentik_aws_sso" +} + +variable "pf_module" { + description = "The name of the Panfactum module where the containing resources are directly defined. #injected" + type = string + default = "authentik_aws_sso" +} + +variable "region" { + description = "The region the infrastructure is being deployed into. #injected" + type = string + default = null +} + +variable "extra_tags" { + description = "Extra tags or labels to add to the created resources. #injected" + type = map(string) + default = {} +} + +variable "is_local" { + description = "Whether this module is a part of a local development deployment #injected" + type = bool + default = false +} + +variable "pf_stack_version" { + description = "Which version of the Panfactum stack is being used (git ref) #injected" + type = string + default = "main" +} + +variable "pf_stack_commit" { + description = "The commit hash for the version of the Panfactum stack being used #injected" + type = string + default = "xxxxxxxxxxxxxxxxxxxxxxxxxxx" +} \ No newline at end of file diff --git a/packages/infrastructure/authentik_zoho_sso/main.tf b/packages/infrastructure/authentik_zoho_sso/main.tf new file mode 100644 index 00000000..9de65b04 --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/main.tf 
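Review bot: The `pf_root_module` and `pf_module` defaults in this new file still read `"authentik_aws_sso"`, which looks like a carry-over from the AWS module this one was copied from; anything that tags or labels resources by module name will attribute this module's resources to the wrong one. Both should be `default = "authentik_zoho_sso"`. The same carry-over shows up in the `# AWS SSO with Zoho` heading of README.md and of the new page.mdx in this commit.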
@@ -0,0 +1,144 @@ +terraform { + required_providers { + authentik = { + source = "goauthentik/authentik" + version = "2024.2.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.27.0" + } + random = { + source = "hashicorp/random" + version = "3.6.0" + } + tls = { + source = "hashicorp/tls" + version = "4.0.5" + } + } +} + + +########################################################################### +## Upload the logo +########################################################################### + +resource "random_id" "logo" { + prefix = "zoho-" + byte_length = 8 +} + +resource "kubernetes_config_map_v1_data" "media" { + metadata { + name = var.media_configmap + namespace = var.authentik_namespace + } + data = { + "${random_id.logo.hex}.svg" = file("${path.module}/zoho.svg") + } + field_manager = random_id.logo.hex + force = true +} + +########################################################################### +## Cert Config +########################################################################### + +// These certs are only used for their random cryptographic +// material to sign the SAML assertions. 
There is no +// need to use cert-manager to manage them, +// especially since they need to be manually uploaded to AWS +// every time they rotate +resource "tls_private_key" "signing" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "tls_self_signed_cert" "signing" { + private_key_pem = tls_private_key.signing.private_key_pem + subject { + common_name = var.authentik_domain + organization = var.organization_name + } + validity_period_hours = 24 * 365 * 10 + allowed_uses = [ + "key_encipherment", + "digital_signature", + "server_auth", + ] +} + +resource "authentik_certificate_key_pair" "signing" { + name = "zoho-signing-certs" + certificate_data = tls_self_signed_cert.signing.cert_pem + key_data = tls_private_key.signing.private_key_pem +} + +########################################################################### +## IdP Config +########################################################################### + + +data "authentik_flow" "default-authorization-flow" { + slug = "default-provider-authorization-implicit-consent" +} + +data "authentik_property_mapping_saml" "email" { + managed = "goauthentik.io/providers/saml/email" +} + +resource "authentik_provider_saml" "zoho" { + name = "zoho" + authorization_flow = data.authentik_flow.default-authorization-flow.id + acs_url = var.zoho_acs_url + sp_binding = "post" + issuer = var.zoho_issuer + name_id_mapping = data.authentik_property_mapping_saml.email.id + signing_kp = authentik_certificate_key_pair.signing.id +} + +data "authentik_provider_saml_metadata" "zoho" { + provider_id = authentik_provider_saml.zoho.id +} + + +resource "authentik_application" "zoho" { + name = "zoho" + slug = "zoho" + protocol_provider = authentik_provider_saml.zoho.id + meta_launch_url = var.zoho_sign_in_url + meta_description = var.ui_description + meta_publisher = "Panfactum" + meta_icon = "/media/public/${random_id.logo.hex}.svg" + group = var.ui_group + open_in_new_tab = true +} + + +data "authentik_group" "superusers" { + name = 
"superusers" +} + +resource "authentik_policy_binding" "superuser_access" { + target = authentik_application.zoho.uuid + group = data.authentik_group.superusers.id + order = 0 +} + + +data "authentik_group" "group" { + for_each = var.allowed_groups + name = each.key +} + +resource "authentik_policy_binding" "access" { + for_each = var.allowed_groups + target = authentik_application.zoho.uuid + group = data.authentik_group.group[each.key].id + order = 10 +} + + + + diff --git a/packages/infrastructure/authentik_zoho_sso/outputs.tf b/packages/infrastructure/authentik_zoho_sso/outputs.tf new file mode 100644 index 00000000..a380d78f --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/outputs.tf @@ -0,0 +1,3 @@ +output "saml_metadata" { + value = data.authentik_provider_saml_metadata.zoho.metadata +} \ No newline at end of file diff --git a/packages/infrastructure/authentik_zoho_sso/vars.tf b/packages/infrastructure/authentik_zoho_sso/vars.tf new file mode 100644 index 00000000..cd92676d --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/vars.tf 
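Review bot: `allowed_uses` on `tls_self_signed_cert.signing` grants `key_encipherment` and `server_auth` to a key pair whose only job, per the comment above it, is signing SAML assertions; `digital_signature` alone covers that, and dropping the extra usages is a least-privilege hygiene point for a key that is never meant to serve TLS. The same comment block still says the certs are uploaded to AWS every time they rotate, which in this module should read Zoho. Since `tls_private_key` keeps the 4096-bit private key in Terraform state, the state backend for this module has to be treated as holding a signing secret, and with `validity_period_hours = 24 * 365 * 10` rotation never happens unless someone forces a replacement — both are worth a sentence in that comment.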
@@ -0,0 +1,53 @@ +variable "zoho_acs_url" { + description = "The ACS url provided by Zoho when configuring an external identity provider" + type = string +} +variable "zoho_sign_in_url" { + description = "The sign-in url provided by Zoho when configuring an external identity provider" + type = string +} + +variable "zoho_issuer" { + description = "The issuer provided by Zoho when configuring an external identity provider" + type = string + default = "zoho.com" +} + +variable "authentik_domain" { + description = "The domain name of the authentik instance" + type = string +} + +variable "organization_name" { + description = "The name of your organization" + type = string +} + +variable "ui_description" { + description = "The description to display in the Authentik web dashboard" + type = string + default = "Zoho" +} + +variable "ui_group" { + description = "The section in the Authentik web dashboard that this will appear in" + type = string + default = "Admin" +} + +variable "allowed_groups" { + description = "Only members of these groups can access AWS" + type = set(string) + default = [] +} + +variable "media_configmap" { + description = "The configmap holding the static media that Authentik will use" + type = string +} + +variable "authentik_namespace" { + description = "The kubernetes namespace where Authentik is deployed" + type = string +} + diff --git a/packages/infrastructure/authentik_zoho_sso/zoho.svg b/packages/infrastructure/authentik_zoho_sso/zoho.svg new file mode 100644 index 00000000..37a34a4a --- /dev/null +++ b/packages/infrastructure/authentik_zoho_sso/zoho.svg @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/packages/infrastructure/pf_website/main.tf b/packages/infrastructure/pf_website/main.tf index 40690b1b..0d7f7495 100644 --- a/packages/infrastructure/pf_website/main.tf +++ b/packages/infrastructure/pf_website/main.tf 
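Review bot: The `allowed_groups` description says `Only members of these groups can access AWS`, another carry-over from the AWS module; it should read `Only members of these groups can access Zoho`, and the generated page.mdx in this commit repeats the same text. `zoho_acs_url` is accepted as a free-form string even though it is the endpoint Authentik will post signed assertions to; a `validation` block on that variable with `condition = can(regex("^https://", var.zoho_acs_url))` and a matching `error_message` would catch a plain-http or mistyped value at plan time rather than after the IdP is wired up. The same check applies to `zoho_sign_in_url`.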
@@ -128,6 +128,7 @@ module "ingress" { }] cors_enabled = true + cross_origin_embedder_policy = "credentialless" csp_enabled = true cross_origin_isolation_enabled = true rate_limiting_enabled = true diff --git a/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl b/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl index 7f484c6e..5c502523 100644 --- a/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl +++ b/packages/reference/environments/production/global/aws_dns_records/terragrunt.hcl @@ -14,8 +14,9 @@ inputs = { { subdomain = "" records = [ - "1 smtp.google.com", - "15 ykrmc2xumckkmgqlgjjfkkzqcicjvadyfo5f7dpclaamrtcg7wca.mx-verification.google.com." + "10 mx.zoho.com", + "20 mx2.zoho.com", + "50 mx3.zoho.com" ] } ] 
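Review bot: `cross_origin_embedder_policy = "credentialless"` is added with no comment saying why the weaker COEP mode is needed next to `cross_origin_isolation_enabled = true`; the `module "ingress"` block starts outside the hunk, so whatever default it would otherwise apply (presumably `require-corp`) is not visible here. The reason — most likely a cross-origin script or resource that does not send a CORP header — is exactly what the next reader needs, since credentialless keeps cross-origin isolation but does so by stripping credentials from no-cors subresource requests. A one-line `# credentialless: lets <resource> load without a CORP header while keeping cross-origin isolation` above the attribute would record it.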
@@ -27,16 +28,24 @@ inputs = { }, // DKIM (email) { - subdomain = "google._domainkey." + subdomain = "zmail._domainkey." records = [ - "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyxt/FeLUEOazF2WCv+nj78WxNqpsByyiSgl0u9pGkAmyuEVhhUEp8oYWBt2pHkycCugCkW7tmk3ZaO+TrZ/sw5B/VlyUgaZKLcSngalzUYOvsNU5FREm1KE+MkcX610+h0PTdBQZ32MBg8yMcxKmt+FYHX7tTa5jzbai+5pTr5lVsU9ZYOnURHL9K1+itUwxyJz8VqaiqhR8wMV8tpWpLuDy6RFkatJgo8U1EohlhLQzjJTN4HUF/rjxoLEs18kTRR2ZzA3Esvi8FmERfAaO2chIldP60vBU78VAVHwi+pMavKb8U0pAyTVS/GjOQMjIRycCY7iGrvOWF2Yv6qRb/QIDAQAB" + "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxby/gQFkDpFdPv/SeR80eFSoxZZp8e/hJ+50WP5bEONClM4U83oFbJLUuGeRvMBmKsrWd5vVJq6THjDlwPAw73T8rpDSvy4bNHeuaC3x/GxalGaVTTserDvUvGpgV07EYdWq+0IaddbNzzDkahPXnLbBhkmvJubbuTTwXKomARwIDAQAB" + ] + }, + // DKIM (CRM) + { + subdomain = "1522905413783._domainkey." + records = [ + "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCr6KMgdxxgg7oT3ulMwPJs9RXgXDrI9UWU118pHEMohl3UbL3Jwp4oxp/9N3thh/3WCJnYV134zbEVolZwqaT3JsFEq/mQ/RpW/JnOZ3rnxqJPurb2bcfJol4SDxiWVObzHX31xnANzFcXnq1/5dMK5QvW4Jh7n0fm4+4ywqiy2QIDAQAB" ] }, { subdomain = "" records = [ - "MS=ms89071327", // AAD Domain Ownership - "v=spf1 include:_spf.google.com ~all" // SPF record authorizing email senders + "MS=ms89071327", // AAD Domain Ownership + "v=spf1 include:one.zoho.com include:zohomail.com include:_spf.google.com ~all", // SPF record authorizing email senders + "zoho-verification=zb69684923.zmverify.zoho.com" // Zoho Domain Ownership ] } ] diff --git a/packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl new file mode 100644 index 00000000..d5a71b7a --- /dev/null +++ b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/.terraform.lock.hcl 
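Review bot: Both new DKIM public keys (`zmail._domainkey.` and `1522905413783._domainkey.`) are 1024-bit RSA — the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ…` SPKI prefix — whereas the Google key being removed was 2048-bit; RFC 8301 recommends 2048-bit DKIM keys and some receivers weight 1024-bit signatures lower, so it is worth checking whether Zoho can issue a 2048-bit selector. The SPF change keeps `include:_spf.google.com` after MX has moved to Zoho, which leaves Google's whole sender range authorized to send as this domain; if Google Workspace no longer sends for it, drop that include, and either way the three includes plus their nested lookups should be checked against SPF's 10-DNS-lookup limit. The `1522905413783._domainkey.` record also omits the `v=DKIM1;` tag the `zmail` record carries; it is optional per RFC 6376, but adding it keeps the two consistent.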
@@ -0,0 +1,79 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/goauthentik/authentik" { + version = "2024.2.0" + constraints = "2024.2.0" + hashes = [ + "h1:AeyEcplt1WTQijM1d2E1pBPemcL57WC5bZr7y1XNui4=", + "zh:03b13879c66d1536f250c91f61ba078cc34af2fec271ea19c838a719dd4f1baa", + "zh:1c4d93aa3de72e4b00ac33fc0d4134fc5a641b863e9cd9afdc1105a4024fc8f0", + "zh:50d2f5b71ea5410633dbc8b143bef6fa77a9670a07a3fd85f9921e1094ab416e", + "zh:5320a267adb8506c23941df1c4cba56a176d0b9e0441f247fe714d34a514fcc8", + "zh:58376699c8941c109e49db7edfca4f83ec47b5b46619346380ca79d50902623e", + "zh:61f86a37dcb30167d1bfb84428b821de10c73cdec1ef911f167991ebc7eb9cd5", + "zh:6e99b5cf0f5987e3e3e24e26af12084f741a0f0b79a04d0b7e6703525cf4633e", + "zh:81c39322353f7da1c84c4ec82b6e7de70131156b256de21aee741240694e5bef", + "zh:bbec3872accea0294c86f812d668f9e2e8255b3d1f7424b39ddc261d6d02e036", + "zh:c1b56e5c4e82c683baf7854153caa85c600001ca6d1405f0d82a1aa29a600375", + "zh:cf4e41422aba2435f68bf1cf6c1e83315fe70c810dfd7e81a581d94490d6870b", + "zh:d86a2383e7fae38c9ea80f87d27d34d46a13fa24579b4612a248c888a3c9e265", + "zh:df693bc3156a2d632843abad9294d9192d1569039800c59e8a594c1b8e0fc9df", + "zh:e1a7148102d5a169dfb24c0de8441f3a9c25363976f4f2ce97f4c0b2e904302c", + ] +} + +provider "registry.opentofu.org/hashicorp/kubernetes" { + version = "2.27.0" + constraints = "2.27.0" + hashes = [ + "h1:Jtbdvbq8kIXUENtH3tVwgcjHqbuYp1pGfg4gFocY+e4=", + "h1:n/0Lc+5sJidhC2BCDYGBTU/zLMludBglLcz6YeFs1c0=", + "zh:1146f53fb39fd4bcea5574303c4871001a97d7891f65a60a4ecbc64da2a90d75", + "zh:1f7e3dc0dbb854f56a0f5ba3c50588272984ae9775da027c3c7f32cb6d8245b0", + "zh:2166f7fdade75266658603280bc822edab848e52a674340485847dde1c5d9324", + "zh:21a97530857330d2013aa66fb7afebb44fe4a5543418d0a3ca93750acd11fea5", + "zh:2d4b9fea7e99750647e1cd8df9a67cba45905825867dd19ab01411dad6b8c6fd", + "zh:de30e92e638b95e56dbb2232cb9a6f6a69346ecb3644965e9be715eaf29f22ff", + 
"zh:f4ae951c9add4349a498f44c3f5768cbaf7a966392a0e7632de288889e7cd5d9", + "zh:f54ecb1917dfa198933d72632ea6f0aa4da3ead070d6b9765ec1d3b7da60e827", + "zh:fba8a2f192eb5fe248708b9037db046e0d9176e7c54c6edc6f6aa55d50474082", + "zh:fe525956f3e54f0bbd2891a6abad1f807b4763b8dc734d810e223876741fefa3", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.0" + constraints = "3.6.0" + hashes = [ + "h1:/xwPFz7kMERBIEk8i6UJt2fTvgzMFbwKlcyCvRJO8Ok=", + "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", + "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", + "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", + "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", + "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", + "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", + "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", + "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", + "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", + "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + ] +} + +provider "registry.opentofu.org/hashicorp/tls" { + version = "4.0.5" + constraints = "4.0.5" + hashes = [ + "h1:zEH0OgSkeXDqNWzmOUWDczrUwyyujAHvnbW79qdxVMI=", + "zh:05a7dc3ac92005485714f87541ad6d0d478988b478c5774227a7d39b01660050", + "zh:547e0def44080456169bf77c21037aa6dc9e7f3e644a8f6a2c5fc3e6c15cf560", + "zh:6842b03d050ae1a4f1aaed2a2b1ca707eae84ae45ae492e4bb57c3d48c26e1f1", + "zh:6ced0a9eaaba12377f3a9b08df2fd9b83ae3cb357f859eb6aecf24852f718d9a", + "zh:766bcdf71a7501da73d4805d05764dcb7c848619fa7c04b3b9bd514e5ce9e4aa", + "zh:84cc8617ce0b9a3071472863f43152812e5e8544802653f636c866ef96f1ed34", + "zh:b1939e0d44c89315173b78228c1cf8660a6924604e75ced7b89e45196ce4f45e", + "zh:ced317916e13326766427790b1d8946c4151c4f3b0efd8f720a3bc24abe065fa", + 
"zh:ec9ff3412cf84ba81ca88328b62c17842b803ef406ae19152c13860b356b259c", + "zh:ff064f0071e98702e542e1ce00c0465b7cd186782fe9ccab8b8830cac0f10dd4", + ] +} diff --git a/packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml new file mode 100644 index 00000000..69481af4 --- /dev/null +++ b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/module.yaml @@ -0,0 +1,5 @@ +providers: + - authentik + - tls + - random + - kubernetes \ No newline at end of file diff --git a/packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl new file mode 100644 index 00000000..bc94b15b --- /dev/null +++ b/packages/reference/environments/production/us-east-2/authentik_zoho_sso/terragrunt.hcl @@ -0,0 +1,34 @@ +include "panfactum" { + path = find_in_parent_folders("panfactum.hcl") + expose = true +} + +terraform { + source = include.panfactum.locals.pf_stack_source +} + +dependency "authentik_core" { + config_path = "../authentik_core_resources" +} + +dependency "kube_authentik" { + config_path = "../kube_authentik" +} + +inputs = { + zoho_acs_url = "https://accounts.zoho.com/signin/samlsp/845266711" + zoho_sign_in_url = "https://accounts.zoho.com/samlauthrequest/panfactum.com?serviceurl=https://one.zoho.com" + + organization_name = dependency.authentik_core.outputs.organization_name + authentik_namespace = dependency.kube_authentik.outputs.namespace + media_configmap = dependency.kube_authentik.outputs.media_configmap + authentik_domain = dependency.kube_authentik.outputs.domain + + allowed_groups = [ + "superusers", + "privileged_engineers", + "engineers", + "restricted_engineers", + "billing_admins" + ] +} 
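Review bot: `allowed_groups` lists `"superusers"`, but main.tf in this commit already binds that group to the application unconditionally (`authentik_policy_binding.superuser_access`, order 0), so the entry only produces a second, redundant binding at order 10; dropping it makes the list read as exactly the non-superuser groups being granted access. A short comment on why `billing_admins` and `restricted_engineers` need Zoho would also help whoever next reviews this access list.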
diff --git a/packages/reference/environments/production/us-east-2/pf_website/version.yaml b/packages/reference/environments/production/us-east-2/pf_website/version.yaml index eb46875d..e13bcb1e 100644 --- a/packages/reference/environments/production/us-east-2/pf_website/version.yaml +++ b/packages/reference/environments/production/us-east-2/pf_website/version.yaml @@ -1 +1 @@ -version: alpha.30 +version: alpha.36 diff --git a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx index 45fc7ef4..7efba26b 100644 --- a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx +++ b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_aws_sso/page.mdx @@ -36,19 +36,19 @@ Type: `string` ### [aws\_acs\_url](#input_aws_acs_url) -Description: The ACS url provided by AWS when configuring and external identity provider +Description: The ACS url provided by AWS when configuring an external identity provider Type: `string` ### [aws\_issuer](#input_aws_issuer) -Description: The Issuer url provided by AWS when configuring and external identity provider +Description: The Issuer url provided by AWS when configuring an external identity provider Type: `string` ### [aws\_sign\_in\_url](#input_aws_sign_in_url) -Description: The Sign-in url provided by AWS when configuring and external identity provider +Description: The sign-in url provided by AWS when configuring an external identity provider Type: `string` diff --git a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx new file mode 100644 index 00000000..1040597d --- /dev/null +++ b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/authentik_zoho_sso/page.mdx 
@@ -0,0 +1,119 @@ +{/* lint disable no-duplicate-headings */} + +# AWS SSO with Zoho + +**Source Code:** [Link](https://github.com/Panfactum/stack/tree/__currentPanfactumVersion__/packages/infrastructure/authentik_zoho_sso) + +**Type:** [Live](/docs/reference/infrastructure-modules/overview) + +## Providers + +The following providers are needed by this module: + +* [authentik](#requirement_authentik) (2024.2.0) + +* [kubernetes](https://registry.terraform.io/providers/hashicorp/kubernetes/2.27.0/docs) (2.27.0) + +* [random](https://registry.terraform.io/providers/hashicorp/random/3.6.0/docs) (3.6.0) + +* [tls](#requirement_tls) (4.0.5) + +## Required Inputs + +The following input variables are required: + +### [authentik\_domain](#input_authentik_domain) + +Description: The domain name of the authentik instance + +Type: `string` + +### [authentik\_namespace](#input_authentik_namespace) + +Description: The kubernetes namespace where Authentik is deployed + +Type: `string` + +### [media\_configmap](#input_media_configmap) + +Description: The configmap holding the static media that Authentik will use + +Type: `string` + +### [organization\_name](#input_organization_name) + +Description: The name of your organization + +Type: `string` + +### [zoho\_acs\_url](#input_zoho_acs_url) + +Description: The ACS url provided by Zoho when configuring an external identity provider + +Type: `string` + +### [zoho\_sign\_in\_url](#input_zoho_sign_in_url) + +Description: The sign-in url provided by Zoho when configuring an external identity provider + +Type: `string` + +## Optional Inputs + +The following input variables are optional (have default values): + +### [allowed\_groups](#input_allowed_groups) + +Description: Only members of these groups can access AWS + +Type: `set(string)` + +Default: `[]` + +### [ui\_description](#input_ui_description) + +Description: The description to display in the Authentik web dashboard + +Type: `string` + +Default: `"Zoho"` + +### 
[ui\_group](#input_ui_group) + +Description: The section in the Authentik web dashboard that this will appear in + +Type: `string` + +Default: `"Admin"` + +### [zoho\_issuer](#input_zoho_issuer) + +Description: The issuer provided by Zoho when configuring an external identity provider + +Type: `string` + +Default: `"zoho.com"` + +## Outputs + +The following outputs are exported: + +### [saml\_metadata](#output_saml_metadata) + +Description: n/a + +## Usage + +### Sign-in URL + +For IDP-initiated logins, the `zoho_sign_in_url` variable must be provided. + +This is not found in the Zoho web UI and must be constructed manually. + +It is of the form `https://accounts.zoho.com/samlauthrequest/?serviceurl=` where + +* `` is a domain **that has been verified with Zoho** + +* `` is the `https` url of a Zoho service (e.g., `https://one.zoho.com`) + +{/* lint enable no-duplicate-headings */} diff --git a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json index 11da63aa..8c81b1ac 100644 --- a/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json +++ b/packages/website/src/app/(web)/docs/reference/infrastructure-modules/modules.json @@ -3,6 +3,7 @@ "authentik_aws_sso", "authentik_core_resources", "authentik_vault_sso", + "authentik_zoho_sso", "aws_account", "aws_account_permission_binding", "aws_cloudwatch_log_group", diff --git a/packages/website/src/app/(web)/stack/pricing/page.mdx b/packages/website/src/app/(web)/stack/pricing/page.mdx deleted file mode 100644 index c68b3cbd..00000000 --- a/packages/website/src/app/(web)/stack/pricing/page.mdx +++ /dev/null @@ -1,3 +0,0 @@ -# Pricing - -TODO diff --git a/packages/website/src/app/(web)/stack/pricing/page.tsx b/packages/website/src/app/(web)/stack/pricing/page.tsx new file mode 100644 index 00000000..a87a0945 --- /dev/null +++ b/packages/website/src/app/(web)/stack/pricing/page.tsx 
@@ -0,0 +1,3 @@ +export default function Page () { + return (
) +} diff --git a/packages/website/src/app/layout.tsx b/packages/website/src/app/layout.tsx index c966e7b3..1f189698 100644 --- a/packages/website/src/app/layout.tsx +++ b/packages/website/src/app/layout.tsx @@ -1,6 +1,6 @@ -import { headers } from 'next/headers' import 'katex/dist/katex.min.css' import './globals.css' +import Script from 'next/script' import React, { type ReactNode } from 'react' import ThemeRegistry from '@/components/ThemeRegistry' @@ -15,10 +15,15 @@ export const metadata = { export default function RootLayout ( { children } : {children: ReactNode} ) { - const nonce = headers().get('x-nonce') return ( - + + {process.env.NODE_ENV === 'production' && ( +