feat: Added ALB authentication feature with OpenID Connect (eg, Auth0) (#122)

Author: antonbabenko

README.md

@@ -100,6 +100,25 @@ Make sure that both private and public subnets were created in the same set of a
 
 If all provided subnets are public (no NAT gateway) then `ecs_service_assign_public_ip` should be set to `true`.
 
+
+### Secure Atlantis with ALB Built-in Authentication and Auth0
+
+You can use service like [Auth0](https://www.auth0.com) to secure access to Atlantis and require authentication on ALB. To enable this, you need to create Auth0 application and provide correct arguments to Atlantis module. Make sure to update application hostname, client id and client secret:
+
+```
+alb_authenticate_oidc = {
+  issuer = "https://youruser.eu.auth0.com/"
+  token_endpoint = "https://youruser.eu.auth0.com/oauth/token"
+  user_info_endpoint = "https://youruser.eu.auth0.com/userinfo"
+  authorization_endpoint = "https://youruser.eu.auth0.com/authorize"
+  authentication_request_extra_params = {}
+  client_id = "clientid"
+  client_secret = "secret123"
+}
+```
+
+Read more in [this post](https://medium.com/@sandrinodm/securing-your-applications-with-aws-alb-built-in-authentication-and-auth0-310ad84c8595).
+
 ## Notes
 
 1. AWS Route53 zone is not created by this module, so zone specified as a value in `route53_zone_name` should be created before using this module. Check documentation for [aws_route53_zone](https://www.terraform.io/docs/providers/aws/r/route53_zone.html).
@@ -130,6 +149,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | acm\_certificate\_domain\_name | Route53 domain name to use for ACM certificate. Route53 zone for this domain should be created in advance. Specify if it is different from value in `route53_zone_name` | `string` | `""` | no |
+| alb\_authenticate\_oidc | Map of Authenticate OIDC parameters to protect ALB (eg, using Auth0). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-oidc-action | `any` | `{}` | no |
 | alb\_ingress\_cidr\_blocks | List of IPv4 CIDR ranges to use on all ingress rules of the ALB. | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
 | alb\_log\_bucket\_name | S3 bucket (externally created) for storing load balancer access logs. Required if alb\_logging\_enabled is true. | `string` | `""` | no |
 | alb\_log\_location\_prefix | S3 prefix within the log\_bucket\_name under which logs are stored. | `string` | `""` | no |

main.tf

@@ -199,6 +199,8 @@ module "alb" {
       port               = 443
       protocol           = "HTTPS"
       certificate_arn    = var.certificate_arn == "" ? module.acm.this_acm_certificate_arn : var.certificate_arn
+      action_type        = length(keys(var.alb_authenticate_oidc)) > 0 ? "authenticate-oidc" : "forward"
+      authenticate_oidc  = var.alb_authenticate_oidc
     },
   ]
 

variables.tf

@@ -90,6 +90,12 @@ variable "alb_logging_enabled" {
   default     = false
 }
 
+variable "alb_authenticate_oidc" {
+  description = "Map of Authenticate OIDC parameters to protect ALB (eg, using Auth0). See https://www.terraform.io/docs/providers/aws/r/lb_listener.html#authenticate-oidc-action"
+  type        = any
+  default     = {}
+}
+
 # ACM
 variable "certificate_arn" {
   description = "ARN of certificate issued by AWS ACM. If empty, a new ACM certificate will be created and validated using Route53 DNS"