Documentation ¶
Index ¶
- func AuthenticateCognitoAction_AuthenticateOidc(options *awselasticloadbalancingv2.AuthenticateOidcOptions) awselasticloadbalancingv2.ListenerAction
- func AuthenticateCognitoAction_FixedResponse(statusCode *float64, options *awselasticloadbalancingv2.FixedResponseOptions) awselasticloadbalancingv2.ListenerAction
- func AuthenticateCognitoAction_Forward(targetGroups *[]awselasticloadbalancingv2.IApplicationTargetGroup, ...) awselasticloadbalancingv2.ListenerAction
- func AuthenticateCognitoAction_Redirect(options *awselasticloadbalancingv2.RedirectOptions) awselasticloadbalancingv2.ListenerAction
- func AuthenticateCognitoAction_WeightedForward(targetGroups *[]*awselasticloadbalancingv2.WeightedTargetGroup, ...) awselasticloadbalancingv2.ListenerAction
- func NewAuthenticateCognitoAction_Override(a AuthenticateCognitoAction, options *AuthenticateCognitoActionProps)
- type AuthenticateCognitoAction
- type AuthenticateCognitoActionProps
Functions ¶
func AuthenticateCognitoAction_AuthenticateOidc ¶
func AuthenticateCognitoAction_AuthenticateOidc(options *awselasticloadbalancingv2.AuthenticateOidcOptions) awselasticloadbalancingv2.ListenerAction
Authenticate using an identity provider (IdP) that is compliant with OpenID Connect (OIDC). See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#oidc-requirements
func AuthenticateCognitoAction_FixedResponse ¶
func AuthenticateCognitoAction_FixedResponse(statusCode *float64, options *awselasticloadbalancingv2.FixedResponseOptions) awselasticloadbalancingv2.ListenerAction
Return a fixed response. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#fixed-response-actions
func AuthenticateCognitoAction_Forward ¶
func AuthenticateCognitoAction_Forward(targetGroups *[]awselasticloadbalancingv2.IApplicationTargetGroup, options *awselasticloadbalancingv2.ForwardOptions) awselasticloadbalancingv2.ListenerAction
Forward to one or more Target Groups. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#forward-actions
func AuthenticateCognitoAction_Redirect ¶
func AuthenticateCognitoAction_Redirect(options *awselasticloadbalancingv2.RedirectOptions) awselasticloadbalancingv2.ListenerAction
Redirect to a different URI.
A URI consists of the following components: protocol://hostname:port/path?query. You must modify at least one of the following components to avoid a redirect loop: protocol, hostname, port, or path. Any components that you do not modify retain their original values.
You can reuse URI components using the following reserved keywords:
- `#{protocol}`
- `#{host}`
- `#{port}`
- `#{path}` (the leading "/" is removed)
- `#{query}`
For example, you can change the path to "/new/#{path}", the hostname to "example.#{host}", or the query to "#{query}&value=xyz". See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#redirect-actions
func AuthenticateCognitoAction_WeightedForward ¶
func AuthenticateCognitoAction_WeightedForward(targetGroups *[]*awselasticloadbalancingv2.WeightedTargetGroup, options *awselasticloadbalancingv2.ForwardOptions) awselasticloadbalancingv2.ListenerAction
Forward to one or more Target Groups which are weighted differently. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#forward-actions
func NewAuthenticateCognitoAction_Override ¶
func NewAuthenticateCognitoAction_Override(a AuthenticateCognitoAction, options *AuthenticateCognitoActionProps)
Authenticate using an identity provider (IdP) that is compliant with OpenID Connect (OIDC).
Types ¶
type AuthenticateCognitoAction ¶
// AuthenticateCognitoAction is a listener action that authenticates with
// Cognito. It embeds ListenerAction and is placed in front of another action
// through AuthenticateCognitoActionProps.Next.
type AuthenticateCognitoAction interface {
	awselasticloadbalancingv2.ListenerAction

	// Next is undocumented on this page; presumably it returns the action that
	// follows this one in the chain — confirm against ListenerAction.
	Next() awselasticloadbalancingv2.ListenerAction

	// Called when the action is being used in a listener.
	Bind(scope constructs.Construct, listener awselasticloadbalancingv2.IApplicationListener, associatingConstruct constructs.IConstruct)

	// Render the actions in this chain.
	RenderActions() *[]*awselasticloadbalancingv2.CfnListener_ActionProperty

	// Renumber the "order" fields in the actions array.
	//
	// We don't number for 0 or 1 elements, but otherwise number them 1...#actions
	// so ELB knows about the right order.
	//
	// Do this in `ListenerAction` instead of in `Listener` so that we give
	// users the opportunity to override by subclassing and overriding `renderActions`.
	//
	// NOTE(review): the order decides whether authentication runs before the
	// terminating action, so an override should keep the authenticate action
	// ahead of the forward, fixed-response or redirect action it protects.
	Renumber(actions *[]*awselasticloadbalancingv2.CfnListener_ActionProperty) *[]*awselasticloadbalancingv2.CfnListener_ActionProperty
}
A Listener Action to authenticate with Cognito.
Example:
// NOTE(review): this listing is not compilable Go as shown: `this`, `vpc` and
// `certificate` are never declared, and the struct literals use lowercase type
// and field names. Treat it as an outline of the wiring, not as a program.
import cognito "github.com/aws/aws-cdk-go/awscdk"
import ec2 "github.com/aws/aws-cdk-go/awscdk"
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/constructs-go/constructs"
import actions "github.com/aws/aws-cdk-go/awscdk"

cognitoStack struct {
	stack
}

// The load balancer is internet-facing, so the authenticate action on the
// listener below is what stands between the internet and the next action.
lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &applicationLoadBalancerProps{
	vpc: vpc,
	internetFacing: jsii.Boolean(true),
})

userPool := cognito.NewUserPool(this, jsii.String("UserPool"))
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("Client"), &userPoolClientProps{
	userPool: userPool,

	// Required minimal configuration for use with an ELB
	generateSecret: jsii.Boolean(true),
	// NOTE(review): this also turns on the user-password auth flow for the
	// client; confirm it is needed in addition to the authorization-code
	// grant enabled below, and drop it if it is not.
	authFlows: &authFlow{
		userPassword: jsii.Boolean(true),
	},
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		// Only the email scope is requested.
		scopes: []oAuthScope{
			cognito.*oAuthScope_EMAIL(),
		},
		// The single allowed callback is the load balancer's own DNS name with
		// the /oauth2/idpresponse path, over https.
		// NOTE(review): if the listener is served under a custom domain, the
		// callback presumably has to name that host instead — confirm.
		callbackUrls: []*string{
			fmt.Sprintf("https://%v/oauth2/idpresponse", lb.loadBalancerDnsName),
		},
	},
})
// Raw property overrides on the underlying client resource.
cfnClient := userPoolClient.node.defaultChild.(cfnUserPoolClient)
// NOTE(review): the unit of this value is not shown here (presumably days) —
// confirm against the resource's documentation.
cfnClient.addPropertyOverride(jsii.String("RefreshTokenValidity"), jsii.Number(1))
// Restricts the client to the Cognito user pool itself as identity provider.
cfnClient.addPropertyOverride(jsii.String("SupportedIdentityProviders"), []interface{}{
	jsii.String("COGNITO"),
})

// "test-cdk-prefix" is a test value; choose your own prefix in a real stack.
userPoolDomain := cognito.NewUserPoolDomain(this, jsii.String("Domain"), &userPoolDomainProps{
	userPool: userPool,
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("test-cdk-prefix"),
	},
})

// The listener is on port 443 with a certificate, so the sign-in redirects and
// the session cookie travel over TLS. `certificate` must be valid for the
// hostname clients use to reach the load balancer.
lb.addListener(jsii.String("Listener"), &baseApplicationListenerProps{
	port: jsii.Number(443),
	certificates: []iListenerCertificate{
		certificate,
	},
	// onUnauthenticatedRequest, sessionTimeout and sessionCookieName are not
	// set, so their defaults apply.
	// NOTE(review): confirm the default sends unauthenticated requests to
	// sign-in rather than letting them through to `next`.
	defaultAction: actions.NewAuthenticateCognitoAction(&authenticateCognitoActionProps{
		userPool: userPool,
		userPoolClient: userPoolClient,
		userPoolDomain: userPoolDomain,
		// Terminating action of the chain: a fixed 200 text/plain response.
		next: elbv2.listenerAction.fixedResponse(jsii.Number(200), &fixedResponseOptions{
			contentType: jsii.String("text/plain"),
			messageBody: jsii.String("Authenticated"),
		}),
	}),
})

// Exposes the load balancer's DNS name as a stack output.
awscdk.NewCfnOutput(this, jsii.String("DNS"), &cfnOutputProps{
	value: lb.loadBalancerDnsName,
})

app := awscdk.NewApp()
NewCognitoStack(app, jsii.String("integ-cognito"))
app.synth()
func NewAuthenticateCognitoAction ¶
func NewAuthenticateCognitoAction(options *AuthenticateCognitoActionProps) AuthenticateCognitoAction
Authenticate using an identity provider (IdP) that is compliant with OpenID Connect (OIDC).
type AuthenticateCognitoActionProps ¶
// AuthenticateCognitoActionProps holds the properties for
// AuthenticateCognitoAction. Next, UserPool, UserPoolClient and UserPoolDomain
// are tagged required; the remaining fields are tagged optional.
type AuthenticateCognitoActionProps struct {
	// What action to execute next.
	//
	// Multiple actions form a linked chain; the chain must always terminate in a
	// (weighted)forward, fixedResponse or redirect action.
	Next awselasticloadbalancingv2.ListenerAction `field:"required" json:"next" yaml:"next"`

	// The Amazon Cognito user pool.
	UserPool awscognito.IUserPool `field:"required" json:"userPool" yaml:"userPool"`

	// The Amazon Cognito user pool client.
	UserPoolClient awscognito.IUserPoolClient `field:"required" json:"userPoolClient" yaml:"userPoolClient"`

	// The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
	UserPoolDomain awscognito.IUserPoolDomain `field:"required" json:"userPoolDomain" yaml:"userPoolDomain"`

	// The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
	//
	// These travel in a browser redirect and are visible to the user, so they
	// are not a place for secrets.
	AuthenticationRequestExtraParams *map[string]*string `field:"optional" json:"authenticationRequestExtraParams" yaml:"authenticationRequestExtraParams"`

	// The behavior if the user is not authenticated.
	//
	// NOTE(review): the default is not stated on this page — confirm it before
	// relying on it. A setting that allows unauthenticated requests passes them
	// on to Next, so the target must then enforce access control itself.
	OnUnauthenticatedRequest awselasticloadbalancingv2.UnauthenticatedAction `field:"optional" json:"onUnauthenticatedRequest" yaml:"onUnauthenticatedRequest"`

	// The set of user claims to be requested from the IdP.
	//
	// To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
	// Request only the claims the application behind the listener needs.
	Scope *string `field:"optional" json:"scope" yaml:"scope"`

	// The name of the cookie used to maintain session information.
	SessionCookieName *string `field:"optional" json:"sessionCookieName" yaml:"sessionCookieName"`

	// The maximum duration of the authentication session.
	//
	// NOTE(review): the default is not stated on this page — confirm it. A
	// shorter session limits how long a leaked session cookie stays usable.
	SessionTimeout awscdk.Duration `field:"optional" json:"sessionTimeout" yaml:"sessionTimeout"`
}
Properties for AuthenticateCognitoAction.
Example:
// NOTE(review): this listing is not compilable Go as shown: `this`, `vpc` and
// `certificate` are never declared, and the struct literals use lowercase type
// and field names. Treat it as an outline of the wiring, not as a program.
import cognito "github.com/aws/aws-cdk-go/awscdk"
import ec2 "github.com/aws/aws-cdk-go/awscdk"
import elbv2 "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/aws-cdk-go/awscdk"
import "github.com/aws/constructs-go/constructs"
import actions "github.com/aws/aws-cdk-go/awscdk"

cognitoStack struct {
	stack
}

// The load balancer is internet-facing, so the authenticate action on the
// listener below is what stands between the internet and the next action.
lb := elbv2.NewApplicationLoadBalancer(this, jsii.String("LB"), &applicationLoadBalancerProps{
	vpc: vpc,
	internetFacing: jsii.Boolean(true),
})

userPool := cognito.NewUserPool(this, jsii.String("UserPool"))
userPoolClient := cognito.NewUserPoolClient(this, jsii.String("Client"), &userPoolClientProps{
	userPool: userPool,

	// Required minimal configuration for use with an ELB
	generateSecret: jsii.Boolean(true),
	// NOTE(review): this also turns on the user-password auth flow for the
	// client; confirm it is needed in addition to the authorization-code
	// grant enabled below, and drop it if it is not.
	authFlows: &authFlow{
		userPassword: jsii.Boolean(true),
	},
	oAuth: &oAuthSettings{
		flows: &oAuthFlows{
			authorizationCodeGrant: jsii.Boolean(true),
		},
		// Only the email scope is requested.
		scopes: []oAuthScope{
			cognito.*oAuthScope_EMAIL(),
		},
		// The single allowed callback is the load balancer's own DNS name with
		// the /oauth2/idpresponse path, over https.
		// NOTE(review): if the listener is served under a custom domain, the
		// callback presumably has to name that host instead — confirm.
		callbackUrls: []*string{
			fmt.Sprintf("https://%v/oauth2/idpresponse", lb.loadBalancerDnsName),
		},
	},
})
// Raw property overrides on the underlying client resource.
cfnClient := userPoolClient.node.defaultChild.(cfnUserPoolClient)
// NOTE(review): the unit of this value is not shown here (presumably days) —
// confirm against the resource's documentation.
cfnClient.addPropertyOverride(jsii.String("RefreshTokenValidity"), jsii.Number(1))
// Restricts the client to the Cognito user pool itself as identity provider.
cfnClient.addPropertyOverride(jsii.String("SupportedIdentityProviders"), []interface{}{
	jsii.String("COGNITO"),
})

// "test-cdk-prefix" is a test value; choose your own prefix in a real stack.
userPoolDomain := cognito.NewUserPoolDomain(this, jsii.String("Domain"), &userPoolDomainProps{
	userPool: userPool,
	cognitoDomain: &cognitoDomainOptions{
		domainPrefix: jsii.String("test-cdk-prefix"),
	},
})

// The listener is on port 443 with a certificate, so the sign-in redirects and
// the session cookie travel over TLS. `certificate` must be valid for the
// hostname clients use to reach the load balancer.
lb.addListener(jsii.String("Listener"), &baseApplicationListenerProps{
	port: jsii.Number(443),
	certificates: []iListenerCertificate{
		certificate,
	},
	// onUnauthenticatedRequest, sessionTimeout and sessionCookieName are not
	// set, so their defaults apply.
	// NOTE(review): confirm the default sends unauthenticated requests to
	// sign-in rather than letting them through to `next`.
	defaultAction: actions.NewAuthenticateCognitoAction(&authenticateCognitoActionProps{
		userPool: userPool,
		userPoolClient: userPoolClient,
		userPoolDomain: userPoolDomain,
		// Terminating action of the chain: a fixed 200 text/plain response.
		next: elbv2.listenerAction.fixedResponse(jsii.Number(200), &fixedResponseOptions{
			contentType: jsii.String("text/plain"),
			messageBody: jsii.String("Authenticated"),
		}),
	}),
})

// Exposes the load balancer's DNS name as a stack output.
awscdk.NewCfnOutput(this, jsii.String("DNS"), &cfnOutputProps{
	value: lb.loadBalancerDnsName,
})

app := awscdk.NewApp()
NewCognitoStack(app, jsii.String("integ-cognito"))
app.synth()