feat: ECS 1Password SCIM Bridge Guide #664

Merged
merged 12 commits into from
Sep 16, 2024
Add SCIM bridge deployment steps with AWS SSM Parameter Store
milldr committed Aug 20, 2024
commit 61c7f1d0b869b00173f732149bd42a9614f2227e
201 changes: 99 additions & 102 deletions docs/layers/ecs/tutorials/1password-scim-bridge.mdx
@@ -7,129 +7,126 @@ description: "Deploy the 1Password SCIM Bridge for ECS environments"
import Intro from "@site/src/components/Intro";
import Steps from "@site/src/components/Steps";
import Step from "@site/src/components/Step";
import TaskList from "@site/src/components/TaskList";
import StepNumber from "@site/src/components/StepNumber";

<Intro>
The 1Password SCIM Bridge is a service that allows you to automate the management of users and groups in 1Password. This guide will walk you through deploying the SCIM Bridge for ECS environments.
</Intro>

## Summary

<TaskList>
- Create the SCIM bridge in 1Password - Deploy the SCIM bridge ECS service - Validate the integration
</TaskList>

## Implementation

### Generate Credentials for your SCIM bridge in 1Password

The first step is to generate credentials for your SCIM bridge in 1Password. We will pass these credentials to Terraform and the ECS task definition to create the SCIM bridge.
The implementation of this is fairly simple. We will generate credentials for the SCIM bridge in 1Password, store them in AWS SSM Parameter Store, and deploy the SCIM bridge ECS service.

<Steps>
<Step>Log in to your 1Password account.</Step>

<Step>Click Integrations in the sidebar.</Step>

<Step>Choose your identity provider from the User Provisioning section.</Step>

<Step>Follow the onscreen instructions to generate credentials for your SCIM bridge.</Step>
<Step>
### <StepNumber/> Generate Credentials for your SCIM bridge in 1Password

<Step>Store the credentials in AWS SSM Parameter Store.
The first step is to generate credentials for your SCIM bridge in 1Password. We will pass these credentials to Terraform and the ECS task definition to create the SCIM bridge.

<Steps>
- Open the AWS Web Console - Navigate to the target account, such as `plat-dev`, and target region, such as `us-west-2`
- Open "AWS System Manager" > "Parameter Store"
- Create 2 new Secure String parameters using the credentials you generated in the previous step:

```console
SCIM_USERNAME: "/1password/scim-bridge/username"
SCIM_PASSWORD: "/1password/scim-bridge/password"
```
1. Log in to your 1Password account
1. Click Integrations in the sidebar.
1. Choose your identity provider from the User Provisioning section.
1. Follow the onscreen instructions to generate credentials for your SCIM bridge.
1. Store the credentials in AWS SSM Parameter Store.

<Steps>
- Open the AWS Web Console - Navigate to the target account, such as `plat-dev`, and target region, such as `us-west-2`
- Open "AWS System Manager" > "Parameter Store"
- Create 2 new Secure String parameters using the credentials you generated in the previous step:

```console
SCIM_USERNAME: "/1password/scim-bridge/username"
SCIM_PASSWORD: "/1password/scim-bridge/password"
```
</Steps>
</Steps>

</Step>
</Steps>

### Deploy the SCIM bridge ECS Service
<Step>
### <StepNumber /> Deploy the SCIM bridge ECS Service

The next step is to deploy the SCIM bridge ECS service. We will use Terraform to create the necessary resources with our existing `ecs-service` component. Ensure you have the `ecs-service` component and `ecs` cluster before proceeding.
The next step is to deploy the SCIM bridge ECS service. We will use Terraform to create the necessary resources with our existing `ecs-service` component. Ensure you have the `ecs-service` component and `ecs` cluster before proceeding.

If you do not have ECS prerequisites, please see the [ECS layer](/layers/ecs) to create the necessary resources.
If you do not have ECS prerequisites, please see the [ECS layer](/layers/ecs) to create the necessary resources.

<Steps>
<Step>
Create a new stack configuration for the SCIM bridge. The placement of this file will depend on your project structure. For example, you could create a new file such as `stacks/catalog/ecs-services/1password-scim-bridge.yaml` with the following content:

```yaml
import:
- catalog/terraform/services/defaults

components:
terraform:
1pass-scim:
metadata:
component: ecs-service
inherits:
- ecs-service/defaults
vars:
enabled: true
name: 1pass-scim
containers:
service:
name: op_scim_bridge
image: 1password/scim:v2.9.5
cpu: 128
memory: 512
essential: true
dependsOn:
- containerName: redis
condition: START
port_mappings:
- containerPort: 3002
hostPort: 3002
protocol: tcp
map_environment:
OP_REDIS_URL: redis://localhost:6379
OP_TLS_DOMAIN: ""
OP_CONFIRMATION_INTERVAL: "300"
map_secrets:
OP_SESSION: "/path/to/secret" # TODO "${secret_arn}"
# OP_WORKSPACE_CREDENTIALS: ""
# OP_WORKSPACE_SETTINGS: ""
log_configuration:
logDriver: awslogs
options: {}
redis:
name: redis
image: redis:latest
cpu: 128
memory: 512
essential: true
restart: always
port_mappings:
- containerPort: 6379
hostPort: 6379
protocol: tcp
map_environment:
REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
log_configuration:
logDriver: awslogs
options: {}
```

</Step>
<Step>
Confirm the `map_secrets` for `OP_WORKSPACE_CREDENTIALS` and `OP_WORKSPACE_SETTINGS` match the AWS SSM Parameter Store paths you created previously, and confirm they are in the same account and region as the ECS service.
<Steps>
1. Create a new stack configuration for the SCIM bridge. The placement of this file will depend on your project structure. For example, you could create a new file such as `stacks/catalog/ecs-services/1password-scim-bridge.yaml` with the following content:

<details>
<summary>`1pass-scim` Stack Component Configuration</summary>
```yaml
import:
- catalog/terraform/services/defaults

components:
terraform:
1pass-scim:
metadata:
component: ecs-service
inherits:
- ecs-service/defaults
vars:
enabled: true
name: 1pass-scim
containers:
service:
name: op_scim_bridge
image: 1password/scim:v2.9.5
cpu: 128
memory: 512
essential: true
dependsOn:
- containerName: redis
condition: START
port_mappings:
- containerPort: 3002
hostPort: 3002
protocol: tcp
map_environment:
OP_REDIS_URL: redis://localhost:6379
OP_TLS_DOMAIN: ""
OP_CONFIRMATION_INTERVAL: "300"
map_secrets:
OP_SESSION: "/path/to/secret" # TODO "${secret_arn}"
# OP_WORKSPACE_CREDENTIALS: ""
# OP_WORKSPACE_SETTINGS: ""
log_configuration:
logDriver: awslogs
options: {}
redis:
name: redis
image: redis:latest
cpu: 128
memory: 512
essential: true
restart: always
port_mappings:
- containerPort: 6379
hostPort: 6379
protocol: tcp
map_environment:
REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
log_configuration:
logDriver: awslogs
options: {}
```
</details>
2. Confirm the `map_secrets` for `OP_WORKSPACE_CREDENTIALS` and `OP_WORKSPACE_SETTINGS` match the AWS SSM Parameter Store paths you created previously, and confirm they are in the same account and region as this ECS service component.
3. Deploy the ECS service with Atmos:
```bash
atmos terraform apply 1pass-scim -s plat-usw2-dev
```
</Steps>
</Step>

<Step>
Deploy the ECS service with Atmos:
### <StepNumber/> Validate the Integration

```bash
atmos terraform apply 1pass-scim -s plat-usw2-dev
```
The final step is to validate the integration. Connect to the VPN, navigate to the SCIM bridge URL, and confirm the service is running.

For example, go to `https://1pass-scim.platform.usw1.dev.plat.acme-svc.com/`
</Step>
</Steps>

### Validate the Integration

The final step is to validate the integration. You can do this by navigating to the SCIM bridge URL and confirming the service is running.
</Steps>
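Review bot: the secret wiring between the two steps does not line up. The first step has the reader create two SSM SecureString parameters, `/1password/scim-bridge/username` and `/1password/scim-bridge/password`, but nothing in the `1pass-scim` stack config references either path: `map_secrets` only sets `OP_SESSION: "/path/to/secret" # TODO "${secret_arn}"`, and the two names the confirmation step tells the reader to check (`OP_WORKSPACE_CREDENTIALS`, `OP_WORKSPACE_SETTINGS`) are commented out in the same block. Following the guide as written would deploy a task whose secret comes from a placeholder path while the parameters that were actually created go unused. Suggest making the `map_secrets` entries and the confirmation step name the same variables and the same parameter paths as the SSM step, and removing the `TODO` before this merges. Two smaller points in the same hunk: the `redis` sidecar uses `image: redis:latest` while the bridge container is pinned to `1password/scim:v2.9.5`, so pinning the Redis tag would make the task definition reproducible; and `OP_TLS_DOMAIN: ""` is set without a sentence explaining that TLS is expected to terminate ahead of the container, which a reader validating over the VPN URL in the last step will want to know.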