This article is the first of a two-part series. This part demonstrates how to deploy the SAML applications to Okta in order to generate the provider's .xml metadata file; the second part creates all the required AWS resources and deploys the Client VPN to AWS using Terraform. This is a really interesting project for me and I am sure it will be useful to someone out there.
What is a VPN
Virtual Private Networks (VPNs) are essential for secure remote access to company resources. AWS provides a service called AWS Client VPN that allows users to securely access resources within a Virtual Private Cloud (VPC). In this article, we will demonstrate how to create a Client VPN in AWS using Terraform and integrate it with Okta for authentication and self-service.
Random
Personally, before I embark on a Terraform project using any provider, I make sure I am comfortable using its services in the web console before automating anything, and Okta is no exception. So if you are a beginner, I would advise you to understand the manual process before automating it; it helps organize your thoughts on how to find and use the right Terraform resources.
But if you are already familiar with Okta and AWS, you can skip the manual steps and go straight to writing the Terraform configuration.
Step 1: Okta account configuration
To start, we need to configure Okta as our Identity Provider (IdP). If you don't have an Okta account, you can sign up for a free developer account.
- Log in to your Okta account to get the organization name, base URL and API token. The org_name and base_url can be read from the URL after logging in (check the image below).
- For my test environment account, the values are as follows (check the image):
org_name = "trial-7458580"
base_url = "okta.com"
And to get the API token:
- Click on the “Admin” button
- In the left-hand nav bar, click “Security” and under Security click on the “API” tab
- Click on the “Tokens” tab and click “Create Token” to get your token
Step 2: Okta Terraform Configuration
The Okta provider is used to manage authentication and authorization for applications and services in the cloud. In this code snippet, the provider is configured with the required parameters: the organization name, the base URL and an API token. The token used here was generated from the Okta security page (Step 1) for testing purposes; in anything beyond a test, pass it in as a sensitive Terraform variable rather than committing it with the configuration. This code demonstrates how easily Okta can be integrated into your infrastructure code, allowing for efficient and secure management of your cloud applications.
Creating the SAML applications in order to download the provider's .xml file to be uploaded to AWS
The Terraform file creates two SAML applications: one for single sign-on (SSO) and another for access to the AWS Client VPN Self-Service Portal. The section of the code below creates the SAML application for SSO VPN authentication, specifically an Okta SAML application for AWS Client VPN. The okta_app_saml resource defines the configuration of the application, including the label, SSO URL, recipient, destination, audience, subject name ID template, response signing, signature and digest algorithms, authentication context class reference, and self-service accessibility. It also includes an attribute statement that releases group information to AWS (which Client VPN authorization rules are evaluated against) and a lifecycle block that ignores changes to the groups attribute. The code is designed to streamline the setup of SSO VPN authentication.
This section creates the SAML application for self-service. It enables users to download the latest version of the application after any administrator modification or update to the network.
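Both SAML applications described above, written as one okta_app_saml resource with for_each, as an added example rather than the article's own module. It assumes the okta provider is already configured as in Step 2 and an Okta provider v4 release, where the groups attribute the article's lifecycle block refers to no longer exists, so that block is left out; the endpoint URLs and audience are the documented AWS Client VPN values.

```hcl
# AWS Client VPN SAML endpoints (values from the AWS Client VPN documentation):
# the VPN client receives the assertion on 127.0.0.1:35001; the self-service
# portal has a fixed public ACS URL. Both share the same audience.
locals {
  vpn_apps = {
    sso          = { label = "AWS Client VPN", sso_url = "http://127.0.0.1:35001" }
    self_service = { label = "AWS Client VPN Self-Service", sso_url = "https://self-service.clientvpn.amazonaws.com/api/auth/sso/saml" }
  }
}

resource "okta_app_saml" "client_vpn" {
  for_each = local.vpn_apps

  label                      = each.value.label
  sso_url                    = each.value.sso_url
  recipient                  = each.value.sso_url
  destination                = each.value.sso_url
  audience                   = "urn:amazon:webservices:clientvpn"
  subject_name_id_template   = "$${user.email}" # "$$" escapes Terraform interpolation
  subject_name_id_format     = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  response_signed            = true
  signature_algorithm        = "RSA_SHA256"
  digest_algorithm           = "SHA256"
  authn_context_class_ref    = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  accessibility_self_service = true

  # Client VPN authorization rules match on memberOf, so release only the
  # group names that start with "clientvpn" instead of every group a user has.
  attribute_statements {
    type         = "GROUP"
    name         = "memberOf"
    filter_type  = "STARTS_WITH"
    filter_value = "clientvpn"
  }
  attribute_statements {
    type   = "EXPRESSION"
    name   = "FirstName"
    values = ["user.firstName"]
  }
  attribute_statements {
    type   = "EXPRESSION"
    name   = "LastName"
    values = ["user.lastName"]
  }
}
```

The group filter is the part worth checking after apply: in the app's “Sign On” tab, preview the assertion for a test user and confirm memberOf lists only the intended VPN groups.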
Creating a group and assigning the apps to the group
The first resource block creates an Okta group that can be used to organize users for an application. The okta_group resource requires a name and a description. The name and description identify the group in the Okta console and briefly state the group's purpose.
The second and third resource blocks assign an Okta application to the group created in the first block. The okta_app_group_assignment resource takes an app_id and the group_id the application should be assigned to. This assignment gives all users within the group access to the assigned application.
Creating app users
This block creates Okta users. The okta_user resource requires an email address, first name, last name, login, and password. The login is usually set to the user's email address, and the password is provided in plain text. For security purposes, it is recommended to use a strong password and to store it in a Terraform variable rather than in the configuration. You can also require a password change at first login inside this resource.
Adding the users to the group with access to the apps
This resource block adds users to the group created above. The okta_group_memberships resource requires a group_id and a list of user IDs. Once the users are added to the group, they have access to any applications assigned to that group.
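The group, app assignments, users and memberships from the last four sections, as an added example rather than the article's own module. It assumes the app IDs from Step 2 and the user list are passed in as variables, and it swaps the plain-text password for a per-user random_password (hashicorp/random) that must be changed at first login.

```hcl
# Assumed inputs: the SAML app IDs created in Step 2 (e.g. from
# okta_app_saml.client_vpn) and the users to onboard, keyed by login email.
variable "vpn_app_ids" { type = map(string) }
variable "vpn_users" {
  type = map(object({ first_name = string, last_name = string }))
  # e.g. "alice@example.com" = { first_name = "Alice", last_name = "Doe" }
}

# The name starts with "clientvpn" so the SAML app's memberOf filter releases it.
resource "okta_group" "vpn_users" {
  name        = "clientvpn-users"
  description = "Users allowed to connect to the AWS Client VPN"
}

# One assignment per app: the SSO app and the self-service portal app.
resource "okta_app_group_assignment" "vpn" {
  for_each = var.vpn_app_ids
  app_id   = each.value
  group_id = okta_group.vpn_users.id
}

# A distinct random initial password per user; it lives only in state.
resource "random_password" "initial" {
  for_each = var.vpn_users
  length   = 20
  special  = true
}

resource "okta_user" "vpn" {
  for_each = var.vpn_users

  email                     = each.key
  login                     = each.key
  first_name                = each.value.first_name
  last_name                 = each.value.last_name
  password                  = random_password.initial[each.key].result
  expire_password_on_create = true # user must set a new password at first login
}

resource "okta_group_memberships" "vpn" {
  group_id = okta_group.vpn_users.id
  users    = [for u in okta_user.vpn : u.id]
}
```

Because the generated passwords end up in the Terraform state file, treat that state as a secret (remote backend with encryption and restricted access).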
STEP 3: Run terraform commands to create okta resources
cd into the okta-module/ directory and run the Terraform commands:
$ terraform init
$ terraform plan
$ terraform apply
STEP 4: Log in to Okta admin account to copy the App metadata
The Okta Terraform config creates two applications in Okta:
- The self-service app
- The SSO app
Copy the provider metadata for both the self-service app and the SSO app; each of the two apps created in Okta has its own metadata document.
To download the metadata for both:
- Go to “Applications”
- Select one of the apps created, then click on the “Sign On” tab
- Copy the Metadata URL, paste it into the browser, and save the page with the .xml extension
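The same metadata can be pulled straight from Okta by Terraform instead of by hand, which also makes Part 2 a plain file() reference. Added example, not the article's module; it assumes the okta provider is configured, the app IDs from Step 2 are passed in as a variable, and hashicorp/local is available for local_file.

```hcl
# Assumed input: IDs of the SSO and self-service apps created in Step 2,
# e.g. { sso = "<app-id>", self_service = "<app-id>" }.
variable "vpn_app_ids" { type = map(string) }

# Okta serves the same document the "Sign On" tab's Metadata URL points to.
data "okta_app_metadata_saml" "vpn" {
  for_each = var.vpn_app_ids
  app_id   = each.value
}

# Write each document to metadata/<name>.xml so Part 2 can feed it to
# aws_iam_saml_provider via saml_metadata_document = file(...).
resource "local_file" "vpn_idp_metadata" {
  for_each        = data.okta_app_metadata_saml.vpn
  filename        = "${path.module}/metadata/${each.key}.xml"
  content         = each.value.metadata
  file_permission = "0644"
}

# Surface the IdP entity IDs so they can be compared with what the
# AWS console shows for the provider after upload.
output "vpn_idp_entity_ids" {
  value = { for k, m in data.okta_app_metadata_saml.vpn : k => m.entity_id }
}
```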
Fantastic, we now have the SAML application metadata ready to be uploaded to AWS as the provider's SAML file, hooray. The image below shows the metadata being uploaded to AWS using the "aws_iam_saml_provider" resource; this will be explained in detail in Part 2.
Thanks for reading.
You can find the Okta module on my GitHub page.
Please like, comment and share to help improve this article.