Commit d6dd170

Authored by milldrosterman and Erik Osterman
feat: ECS 1Password SCIM Bridge Guide (#664)
Co-authored-by: Erik Osterman (CEO @ Cloud Posse) <erik@cloudposse.com>
1 parent ddccef2 commit d6dd170

1 file changed

+137
-0
lines changed

@@ -0,0 +1,137 @@
1+
---
2+
title: "Deploy 1Password SCIM Bridge"
3+
sidebar_label: "1Password SCIM Bridge"
4+
description: "Deploy the 1Password SCIM Bridge for ECS environments"
5+
---
6+
7+
import Intro from "@site/src/components/Intro";
8+
import Steps from "@site/src/components/Steps";
9+
import Step from "@site/src/components/Step";
10+
import StepNumber from "@site/src/components/StepNumber";
11+
import CollapsibleText from "@site/src/components/CollapsibleText";
12+
13+
<Intro>
14+
The 1Password SCIM Bridge is a service that allows you to automate the management of users and groups in 1Password. This guide will walk you through deploying the SCIM Bridge for ECS environments.
15+
</Intro>
16+
17+
## Implementation
18+
19+
The implementation of this is fairly simple. We will generate credentials for the SCIM bridge in 1Password, store them in AWS SSM Parameter Store, deploy the SCIM bridge ECS service, and then finally connect your choosen identity provider.
20+
21+
<Steps>
22+
<Step>
23+
### <StepNumber/> Generate Credentials for your SCIM bridge in 1Password
24+
25+
The first step is to generate credentials for your SCIM bridge in 1Password. We will pass these credentials to Terraform and the ECS task definition to create the SCIM bridge.
26+
27+
<Steps>
28+
1. Log in to your 1Password account
29+
1. Click Integrations in the sidebar
30+
1. Select "Set up user provisioning"
31+
1. Choose "Custom"
32+
1. You should now see the SCIM bridge credentials. We will need the "Bearer Token" for the next steps.
33+
1. Save this token in a secure location (such as 1Password) for future reference
34+
1. Store the credentials in AWS SSM Parameter Store. This will allow the ECS task definition to access the credentials securely.
35+
36+
<Steps>
37+
- Open the AWS Web Console - Navigate to the target account, such as `core-auto`, and target region, such as `us-west-2`
38+
- Open "AWS System Manager" > "Parameter Store"
39+
- Create a new Secure String parameter using the credentials you generated in the previous step: `/1password/scim/bearer-token`
40+
</Steps>
41+
</Steps>
42+
43+
There will be additional steps to complete the integration in 1Password, but first we need to deploy the SCIM bridge service.
44+
</Step>
45+
46+
<Step>
47+
### <StepNumber /> Deploy the SCIM bridge ECS Service
48+
49+
The next step is to deploy the SCIM bridge ECS service. We will use Terraform to create the necessary resources with our existing `ecs-service` component. Ensure you have the `ecs-service` component and `ecs` cluster before proceeding.
50+
51+
If you do not have ECS prerequisites, please see the [ECS layer](/layers/ecs) to create the necessary resources.
52+
53+
<Steps>
54+
1. Create a new stack configuration for the SCIM bridge. The placement of this file will depend on your project structure. For example, you could create a new file such as `stacks/catalog/ecs-services/1password-scim-bridge.yaml` with the following content:
55+
56+
<CollapsibleText type="medium">
57+
```yaml
58+
import:
59+
- catalog/terraform/services/defaults
60+
61+
components:
62+
terraform:
63+
1pass-scim:
64+
metadata:
65+
component: ecs-service
66+
inherits:
67+
- ecs-service/defaults
68+
vars:
69+
enabled: true
70+
name: 1pass-scim
71+
containers:
72+
service:
73+
name: op_scim_bridge
74+
image: 1password/scim:v2.9.5
75+
cpu: 128
76+
memory: 512
77+
essential: true
78+
dependsOn:
79+
- containerName: redis
80+
condition: START
81+
port_mappings:
82+
- containerPort: 3002
83+
hostPort: 3002
84+
protocol: tcp
85+
map_environment:
86+
OP_REDIS_URL: redis://localhost:6379
87+
OP_TLS_DOMAIN: ""
88+
OP_CONFIRMATION_INTERVAL: "300"
89+
map_secrets:
90+
OP_SESSION: "1password/scim/bearer-token"
91+
# OP_WORKSPACE_CREDENTIALS: ""
92+
# OP_WORKSPACE_SETTINGS: ""
93+
log_configuration:
94+
logDriver: awslogs
95+
options: {}
96+
redis:
97+
name: redis
98+
image: redis:latest
99+
cpu: 128
100+
memory: 512
101+
essential: true
102+
restart: always
103+
port_mappings:
104+
- containerPort: 6379
105+
hostPort: 6379
106+
protocol: tcp
107+
map_environment:
108+
REDIS_ARGS: "--maxmemory 256mb --maxmemory-policy volatile-lru"
109+
log_configuration:
110+
logDriver: awslogs
111+
options: {}
112+
```
113+
</CollapsibleText>
114+
2. Confirm the `map_secrets` value for `OP_SESSION` matches the AWS SSM Parameter Store path you created previously, an confirm they are in the same account and region as this ECS service component.
115+
3. Deploy the ECS service with Atmos:
116+
```bash
117+
atmos terraform apply 1pass-scim -s core-usw2-auto
118+
```
119+
</Steps>
120+
</Step>
121+
122+
<Step>
123+
### <StepNumber/> Validate the Integration
124+
125+
The final step is to validate the integration. Connect to the VPN (if deployed the ECS service is deployed with a private ALB), navigate to the SCIM bridge URL, and confirm the service is running.
126+
127+
For example, go to `https://1pass-scim.platform.usw1.auto.core.acme-svc.com/`
128+
</Step>
129+
130+
<Step>
131+
### <StepNumber/> Connect your Identity Provider
132+
133+
Finally, connect your identity provider to the SCIM bridge. The SCIM bridge URL will be the URL you validated in the previous step. Follow the instructions in the 1Password SCIM Bridge documentation to connect your identity provider.
134+
135+
</Step>
136+
137+
</Steps>
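Review bot: the SSM parameter name and the secret reference in this file do not match, even though the text asks the reader to confirm they do. The Parameter Store step creates `/1password/scim/bearer-token` (leading slash), while the stack sets `OP_SESSION: "1password/scim/bearer-token"` (no slash); use the identical string in both places, or state which form the `ecs-service` component's `map_secrets` expects. Three smaller points in the same hunk: `image: redis:latest` is unpinned while the bridge is pinned to `1password/scim:v2.9.5`, so pin the Redis tag (or digest) for reproducible, reviewable deploys; the validation URL uses `usw1` (`https://1pass-scim.platform.usw1.auto.core.acme-svc.com/`) while the deploy targets `core-usw2-auto` and `us-west-2`, so one of them is wrong; and with `OP_TLS_DOMAIN: ""` the bridge container serves plain HTTP on port 3002, so the guide should say explicitly that TLS is terminated at the ALB in front of it, since the validation step expects an `https://` URL. Typos to fix in the prose: "choosen" (chosen), "an confirm" (and confirm), and "Connect to the VPN (if deployed the ECS service is deployed with a private ALB)" should read "Connect to the VPN (if the ECS service is deployed behind a private ALB)".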
