feat: Helix Authentication Extension (#82)

assets/packer/perforce/helix-core/p4_configure.sh

@@ -31,6 +31,41 @@ resolve_aws_secret() {
   echo $result
 }
 
+# Setup Helix Authentication Extension
+setup_helix_auth() {
+  local p4port=$1
+  local super=$2
+  local super_password=$3
+  local service_url=$4
+  local default_protocol=$5
+  local name_identifier=$6
+  local user_identifier=$7
+
+  log_message "Starting Helix Authentication Extension setup."
+  log_message "configure-login-hook.sh will be run with the following parameters:"
+  log_message "p4port: $p4port"
+  log_message "super: $super"
+  log_message "superpassword: $super_password"
+  log_message "service-url: $service_url"
+  log_message "default-protocol: $default_protocol"
+  log_message "name_identifier: $name_identifier"
+  log_message "user_identifier: $user_identifier"
+
+  curl -L https://github.com/perforce/helix-authentication-extension/releases/download/2024.1/2024.1-signed.tar.gz | tar zx -C /tmp
+  chmod +x "/tmp/helix-authentication-extension/bin/configure-login-hook.sh"
+  sudo /tmp/helix-authentication-extension/bin/configure-login-hook.sh -n \
+    --p4port "$p4port" \
+    --super "$super" \
+    --superpassword "$super_password" \
+    --service-url "$service_url" \
+    --default-protocol "$default_protocol" \
+    --name-identifier "$name_identifier" \
+    --user-identifier "$user_identifier" \
+    --non-sso-users "$super" \
+    --enable-logging --debug --yes \
+    >> $LOG_FILE 2>> $LOG_FILE
+}
+
 
 # Function to create and mount XFS on EBS
 prepare_ebs_volume() {
@@ -160,6 +195,8 @@ else
     log_message "One or more required paths are not valid EBS volumes or FSx mount points. No operations performed. Will continue with single disk setup"
 fi
 
+log_message "$0" "$@"
+
 log_message "Starting the configuration part after mounting was done later will configure the commit or replica depending on configuration."
 
 SDP_Setup_Script=/hxdepots/sdp/Server/Unix/setup/mkdirs.sh 
@@ -318,14 +355,18 @@ else
     log_message "Created SiteTags file appended AWS Region of this instance"
 fi
 
-
+# Check if the HELIX_AUTH_SERVICE_URL is empty. if not, configure Helix Authentication Extension
+if [-z $8]; then
+  log_message "Helix Authentication Service URL was not provided. Skipping configuration."
+else
+  log_message "Configuring Helix Authentication Extension against $8"
+  HELIX_AUTH_SERVICE_URL=$8
+  setup_helix_auth "$P4PORT" "$P4D_ADMIN_USERNAME" "$P4D_ADMIN_PASS" "$HELIX_AUTH_SERVICE_URL" "oidc" "email" "email"
+fi
 
 # Create the flag file to prevent re-run
 touch "$FLAG_FILE"
 
-
-
-
 # Ending the script
 log_message "EC2 mount script finished."
 

assets/packer/perforce/helix-core/perforce.pkr.hcl

@@ -66,6 +66,13 @@ build {
   sources = [
     "source.amazon-ebs.rocky"
   ]
+
+    provisioner "shell" {
+      inline = [
+        "sudo dnf install -y git"
+      ]
+    }
+
     provisioner "shell" {
       script = "p4_setup.sh"
       execute_command = "sudo sh {{.Path}}"

modules/perforce/helix-authentication-service/alb.tf

@@ -1,46 +1,46 @@
 ################################################################################
 # Load Balancer
 ################################################################################
-resource "aws_lb" "HAS_alb" {
+resource "aws_lb" "helix_authentication_service_alb" {
   name               = "${local.name_prefix}-alb"
   internal           = var.internal
   load_balancer_type = "application"
-  subnets            = var.HAS_alb_subnets
-  security_groups    = concat(var.existing_security_groups, [aws_security_group.HAS_alb_sg.id])
+  subnets            = var.helix_authentication_service_alb_subnets
+  security_groups    = concat(var.existing_security_groups, [aws_security_group.helix_authentication_service_alb_sg.id])
 
   dynamic "access_logs" {
-    for_each = var.enable_HAS_alb_access_logs ? [1] : []
+    for_each = var.enable_helix_authentication_service_alb_access_logs ? [1] : []
     content {
-      enabled = var.enable_HAS_alb_access_logs
-      bucket  = var.HAS_alb_access_logs_bucket != null ? var.HAS_alb_access_logs_bucket : aws_s3_bucket.HAS_alb_access_logs_bucket[0].id
-      prefix  = var.HAS_alb_access_logs_prefix != null ? var.HAS_alb_access_logs_prefix : "${local.name_prefix}-alb"
+      enabled = var.enable_helix_authentication_service_alb_access_logs
+      bucket  = var.helix_authentication_service_alb_access_logs_bucket != null ? var.helix_authentication_service_alb_access_logs_bucket : aws_s3_bucket.helix_authentication_service_alb_access_logs_bucket[0].id
+      prefix  = var.helix_authentication_service_alb_access_logs_prefix != null ? var.helix_authentication_service_alb_access_logs_prefix : "${local.name_prefix}-alb"
     }
   }
 
-  enable_deletion_protection = var.enable_HAS_alb_deletion_protection
+  enable_deletion_protection = var.enable_helix_authentication_service_alb_deletion_protection
 
   drop_invalid_header_fields = true
 
   tags = local.tags
 }
 
-resource "random_string" "HAS_alb_access_logs_bucket_suffix" {
-  count   = var.enable_HAS_alb_access_logs && var.HAS_alb_access_logs_bucket == null ? 1 : 0
+resource "random_string" "helix_authentication_service_alb_access_logs_bucket_suffix" {
+  count   = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0
   length  = 8
   special = false
   upper   = false
 }
 
-resource "aws_s3_bucket" "HAS_alb_access_logs_bucket" {
-  count  = var.enable_HAS_alb_access_logs && var.HAS_alb_access_logs_bucket == null ? 1 : 0
-  bucket = "${local.name_prefix}-alb-access-logs-${random_string.HAS_alb_access_logs_bucket_suffix[0].result}"
+resource "aws_s3_bucket" "helix_authentication_service_alb_access_logs_bucket" {
+  count  = var.enable_helix_authentication_service_alb_access_logs && var.helix_authentication_service_alb_access_logs_bucket == null ? 1 : 0
+  bucket = "${local.name_prefix}-alb-access-logs-${random_string.helix_authentication_service_alb_access_logs_bucket_suffix[0].result}"
 
   tags = merge(local.tags, {
-    Name = "${local.name_prefix}-alb-access-logs-${random_string.HAS_alb_access_logs_bucket_suffix[0].result}"
+    Name = "${local.name_prefix}-alb-access-logs-${random_string.helix_authentication_service_alb_access_logs_bucket_suffix[0].result}"
   })
 }
 
-resource "aws_lb_target_group" "HAS_alb_target_group" {
+resource "aws_lb_target_group" "helix_authentication_service_alb_target_group" {
   name        = "${local.name_prefix}-tg"
   port        = var.container_port
   protocol    = "HTTP"
@@ -61,15 +61,15 @@ resource "aws_lb_target_group" "HAS_alb_target_group" {
 }
 
 
-# HTTPS listener for HAS ALB
-resource "aws_lb_listener" "HAS_alb_https_listener" {
-  load_balancer_arn = aws_lb.HAS_alb.arn
+# HTTPS listener for helix_authentication_service ALB
+resource "aws_lb_listener" "helix_authentication_service_alb_https_listener" {
+  load_balancer_arn = aws_lb.helix_authentication_service_alb.arn
   port              = "443"
   protocol          = "HTTPS"
   certificate_arn   = var.certificate_arn
 
   default_action {
-    target_group_arn = aws_lb_target_group.HAS_alb_target_group.arn
+    target_group_arn = aws_lb_target_group.helix_authentication_service_alb_target_group.arn
     type             = "forward"
   }
 

modules/perforce/helix-authentication-service/data.tf

@@ -1,7 +1,7 @@
 data "aws_region" "current" {}
 
 # If cluster name is provided use a data source to access existing resource
-data "aws_ecs_cluster" "HAS_cluster" {
+data "aws_ecs_cluster" "helix_authentication_service_cluster" {
   count        = var.cluster_name != null ? 1 : 0
   cluster_name = var.cluster_name
 }

modules/perforce/helix-authentication-service/iam.tf

@@ -1,5 +1,5 @@
 # - Random Strings to prevent naming conflicts -
-resource "random_string" "HAS" {
+resource "random_string" "helix_authentication_service" {
   length  = 4
   special = false
   upper   = false
@@ -20,9 +20,9 @@ data "aws_iam_policy_document" "ecs_tasks_trust_relationship" {
 }
 
 # - Policies -
-# HAS
-data "aws_iam_policy_document" "HAS_default_policy" {
-  count = var.create_HAS_default_policy ? 1 : 0
+# helix_authentication_service
+data "aws_iam_policy_document" "helix_authentication_service_default_policy" {
+  count = var.create_helix_authentication_service_default_policy ? 1 : 0
   # ECS
   statement {
     sid    = "ECSExec"
@@ -48,38 +48,38 @@ data "aws_iam_policy_document" "HAS_default_policy" {
       "secretsmanager:BatchGetSecretValue"
     ]
     resources = [
-      var.has_admin_username_secret_arn == null ? awscc_secretsmanager_secret.has_admin_username[0].secret_id : var.has_admin_username_secret_arn,
-      var.has_admin_password_secret_arn == null ? awscc_secretsmanager_secret.has_admin_password[0].secret_id : var.has_admin_password_secret_arn,
+      var.helix_authentication_service_admin_username_secret_arn == null ? awscc_secretsmanager_secret.helix_authentication_service_admin_username[0].secret_id : var.helix_authentication_service_admin_username_secret_arn,
+      var.helix_authentication_service_admin_password_secret_arn == null ? awscc_secretsmanager_secret.helix_authentication_service_admin_password[0].secret_id : var.helix_authentication_service_admin_password_secret_arn,
     ]
   }
 }
 
 
-resource "aws_iam_policy" "HAS_default_policy" {
-  count = var.create_HAS_default_policy ? 1 : 0
+resource "aws_iam_policy" "helix_authentication_service_default_policy" {
+  count = var.create_helix_authentication_service_default_policy ? 1 : 0
 
-  name        = "${var.project_prefix}-HAS-default-policy"
-  description = "Policy granting permissions for HAS."
-  policy      = data.aws_iam_policy_document.HAS_default_policy[0].json
+  name        = "${var.project_prefix}-helix_authentication_service-default-policy"
+  description = "Policy granting permissions for helix_authentication_service."
+  policy      = data.aws_iam_policy_document.helix_authentication_service_default_policy[0].json
 }
 
 
 
 # - Roles -
-# HAS
-resource "aws_iam_role" "HAS_default_role" {
-  count = var.create_HAS_default_role ? 1 : 0
+# helix_authentication_service
+resource "aws_iam_role" "helix_authentication_service_default_role" {
+  count = var.create_helix_authentication_service_default_role ? 1 : 0
 
-  name               = "${var.project_prefix}-HAS-default-role"
+  name               = "${var.project_prefix}-helix_authentication_service-default-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust_relationship.json
 
   managed_policy_arns = [
-    aws_iam_policy.HAS_default_policy[0].arn
+    aws_iam_policy.helix_authentication_service_default_policy[0].arn
   ]
   tags = local.tags
 }
 
-data "aws_iam_policy_document" "HAS_secrets_manager_policy" {
+data "aws_iam_policy_document" "helix_authentication_service_secrets_manager_policy" {
   statement {
     effect = "Allow"
     actions = [
@@ -91,21 +91,21 @@ data "aws_iam_policy_document" "HAS_secrets_manager_policy" {
       "secretsmanager:BatchGetSecretValue"
     ]
     resources = [
-      var.has_admin_username_secret_arn == null ? awscc_secretsmanager_secret.has_admin_username[0].secret_id : var.has_admin_username_secret_arn,
-      var.has_admin_password_secret_arn == null ? awscc_secretsmanager_secret.has_admin_password[0].secret_id : var.has_admin_password_secret_arn,
+      var.helix_authentication_service_admin_username_secret_arn == null ? awscc_secretsmanager_secret.helix_authentication_service_admin_username[0].secret_id : var.helix_authentication_service_admin_username_secret_arn,
+      var.helix_authentication_service_admin_password_secret_arn == null ? awscc_secretsmanager_secret.helix_authentication_service_admin_password[0].secret_id : var.helix_authentication_service_admin_password_secret_arn,
     ]
   }
 }
 
-resource "aws_iam_policy" "HAS_secrets_manager_policy" {
-  name        = "${var.project_prefix}-HAS-secrets-manager-policy"
-  description = "Policy granting permissions for HAS task execution role to access SSM."
-  policy      = data.aws_iam_policy_document.HAS_secrets_manager_policy.json
+resource "aws_iam_policy" "helix_authentication_service_secrets_manager_policy" {
+  name        = "${var.project_prefix}-helix_authentication_service-secrets-manager-policy"
+  description = "Policy granting permissions for helix_authentication_service task execution role to access SSM."
+  policy      = data.aws_iam_policy_document.helix_authentication_service_secrets_manager_policy.json
 }
 
-resource "aws_iam_role" "HAS_task_execution_role" {
-  name = "${var.project_prefix}-HAS-task-execution-role"
+resource "aws_iam_role" "helix_authentication_service_task_execution_role" {
+  name = "${var.project_prefix}-helix_authentication_service-task-execution-role"
 
   assume_role_policy  = data.aws_iam_policy_document.ecs_tasks_trust_relationship.json
-  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", aws_iam_policy.HAS_secrets_manager_policy.arn]
+  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", aws_iam_policy.helix_authentication_service_secrets_manager_policy.arn]
 }

modules/perforce/helix-authentication-service/local.tf

@@ -1,6 +1,6 @@
 locals {
-  HAS_image   = "perforce/helix-auth-svc"
-  name_prefix = "${var.project_prefix}-${var.name}"
+  helix_authentication_service_image = "perforce/helix-auth-svc"
+  name_prefix                        = "${var.project_prefix}-${var.name}"
 
   tags = merge(var.tags, {
     "ENVIRONMENT" = var.environment