Merge pull request #292 from 1Password/solutions/pike/google-cloud-run
Introduce Google Cloud Run deployment example
ag-adampike committed May 9, 2024
2 parents ea4dcb4 + ed6abf1 commit 1cf870e
Showing 6 changed files with 407 additions and 2 deletions.
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -44,8 +44,9 @@ If you have particular requirements for your environment, we recommend an advanc

These are beta versions of 1Password SCIM Bridge deployment examples. These deployments _should_ work, but aren't guaranteed and will change in the future. See the [README](./beta/README.md) for more information about the "beta" designation.

-**NEW** [AWS with CloudFormation](/beta/aws-ecsfargate-cfn)
-**NEW** [Docker](/beta/docker)
- [AWS with CloudFormation](/beta/aws-ecsfargate-cfn)
- [Docker](/beta/docker)
-**NEW** [Google Cloud Run](/beta/google-cloud-run)

## Deprecated deployment methods

186 changes: 186 additions & 0 deletions beta/google-cloud-run/README.md
@@ -0,0 +1,186 @@
# Deploy 1Password SCIM Bridge on Google Cloud Run

_Learn how to deploy 1Password SCIM Bridge on [Cloud Run](https://cloud.google.com/run/docs/overview/what-is-cloud-run) using the Cloud Shell in Google Cloud._

This guide can be used to deploy 1Password SCIM Bridge as an ingress container for a single replica [Cloud Run service](https://cloud.google.com/run/docs/overview/what-is-cloud-run#services) with the required Redis cache deployed as a sidecar container. Credentials are stored in Secret Manager and mounted as volumes attached to the SCIM Bridge container.

The included [Cloud Run service YAML](https://cloud.google.com/run/docs/reference/yaml/v1#service) manifests are suitable for use in a production environment without modification, but are intentionally minimal for simplicity, to allow any identity provider to connect to its public endpoint, and to facilitate its use as a base for a customized deployment.

**Table of contents:**

- [Before you begin](#before-you-begin)
- [Step 1: Set up Google Cloud](#step-1-set-up-google-cloud)
- [Step 2: Create a secret for your `scimsession` credentials](#step-2-create-a-secret-for-your-scimsession-credentials)
- [Step 3: Deploy your SCIM bridge](#step-3-deploy-your-scim-bridge)
- [Step 4: Test your SCIM bridge](#step-4-test-your-scim-bridge)
- [Step 5: Connect your identity provider](#step-5-connect-your-identity-provider)
- [Appendix: Update your SCIM Bridge](#update-your-scim-bridge)

## Before you begin

Complete the necessary [preparation steps to deploy 1Password SCIM Bridge](/PREPARATION.md). You'll also need a Google Cloud account with permissions to create a project, set up billing, and enable Google Cloud APIs to create and manage secrets in Secret Manager.

> [!NOTE]
> If you don't have a Google Cloud account, you can sign up for a free trial with starting credit: <https://console.cloud.google.com/freetrial>
## Step 1: Set up Google Cloud

1. Sign in to the Google Cloud console and activate Cloud Shell: <https://console.cloud.google.com?cloudshell=true>
2. Create a [project](https://cloud.google.com/docs/overview#projects) to organize the Google Cloud resources for your 1Password SCIM Bridge deployment, and set it as the default project for your Cloud Shell environment:

```sh
gcloud projects create op-scim-bridge --set-as-default
```

> [!TIP]
> If you have already created a project for SCIM Bridge, set it as the default project for this Cloud Shell session. For example:
>
> ```sh
> gcloud config set project op-scim-bridge
> ```
3. Enable the Secret Manager and Cloud Run APIs for your project:

```sh
gcloud services enable secretmanager.googleapis.com run.googleapis.com
```

4. Set the default region for Cloud Run:

```sh
gcloud config set run/region us-central1
```

> [!NOTE]
> All region-bound resources created in the following steps will be created in the specified region. You may replace `us-central1` in the above commmand with your preferred region.
## Step 2: Create a secret for your `scimsession` credentials

The Cloud Run service for SCIM Bridge will be configured to mount volume using a secret from Secret Manager. Follow these steps to upload your `scimsession` credentials file to the Cloud Shell, create a secret, and store the file contents as its first secret version:

1. Click **** _(More)_ > **Upload** in the Cloud Shell terminal menu bar.
2. Click **Choose Files**. Select the `scimsession` file that you saved to your computer.
3. Use the suggested destination directory. Click **Upload**.
> [!NOTE]
> If the file is saved to a different directory or using a different file name, make a note of the full path to
> the file.
4. Create a secret with the contents of this file as its first secret version using the following command:

```sh
gcloud secrets create scimsession --data-file=$HOME/scimsession
```

> [!TIP]
> The command above is expected work as is if the file is named `scimsession` and if it was saved to the home
> directory when uploading the file. If not, replace `$HOME/scimsession` with the actual path to the file. For
> example:
>
> ```sh
> gcloud secrets create scimsession --data-file=/example/path/to/scimsession.file
> ```
5. Enable Cloud Run to access the secret using the Compute Engine default service account for the project:

```sh
gcloud secrets add-iam-policy-binding scimsession --member=serviceAccount:$(
gcloud iam service-accounts list --filter="$(
gcloud projects describe op-scim-bridge --format="value(projectNumber)"
)-compute@developer.gserviceaccount.com" --format="value(email)"
) --role=roles/secretmanager.secretAccessor
```

## Step 3: Deploy your SCIM Bridge

Run this command to stream [`op-scim-bridge.yaml`](./op-scim-bridge.yaml) Cloud Run service YAML from this repository, use it to deploy SCIM Bridge inline, and enable public ingress for your SCIM Bridge so that you and your identity provider can connect to its public endpoint:

```sh
curl --silent --show-error \
https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/op-scim-bridge.yaml |
gcloud run services replace - &&
gcloud run services add-iam-policy-binding op-scim-bridge --member=allUsers --role=roles/run.invoker &&
gcloud run services describe op-scim-bridge --format="value(status.url)"
```

The final line of the above chained command should output a URL for the HTTPS endpoint provided by Cloud Run. This is your **SCIM Bridge URL**.

## Step 4: Test your SCIM bridge

Use your SCIM Bridge URL to test the connection and view status information. For example:

```sh
curl --silent --show-error --request GET --header "Accept: application/json" \
--header "Authorization: Bearer mF_9.B5f-4.1JqM" \
https://op-scim-bridge-example-uc.a.run.app/health
```

Replace `mF_9.B5f-4.1JqM` with your bearer token and `https://op-scim-bridge-example-uc.a.run.app` with your SCIM Bridge URL.

<details>
<summary>Example JSON response:</summary>

```json
{
"build": "209031",
"version": "2.9.3",
"reports": [
{
"source": "ConfirmationWatcher",
"time": "2024-04-25T14:06:09Z",
"expires": "2024-04-25T14:16:09Z",
"state": "healthy"
},
{
"source": "RedisCache",
"time": "2024-04-25T14:06:09Z",
"expires": "2024-04-25T14:16:09Z",
"state": "healthy"
},
{
"source": "SCIMServer",
"time": "2024-04-25T14:06:56Z",
"expires": "2024-04-25T14:16:56Z",
"state": "healthy"
},
{
"source": "StartProvisionWatcher",
"time": "2024-04-25T14:06:09Z",
"expires": "2024-04-25T14:16:09Z",
"state": "healthy"
}
],
"retrievedAt": "2024-04-25T14:06:56Z"
}
```

</details>
<br />

Similar information is presented graphically by accessing your SCIM Bridge URL in a web browser. Sign in with your bearer token to view status information and download container log files.

## Step 5: Connect your identity provider

> [!IMPORTANT]
> **If Google Workspace is your identity provider**, additional steps are required: [connect your 1Password SCIM Bridge to Google Workspace](./google-workspace/README.md).
To finish setting up automated user provisioning, [connect your identity provider to your SCIM Bridge](https://support.1password.com/scim/#step-3-connect-your-identity-provider).

## Update your SCIM Bridge

> [!IMPORTANT]
> **If Google Workspace is your identity provider**, alternate steps are required: [update your SCIM Bridge when Google Workspace is your IdP](./google-workspace/README.md#update-your-scim-bridge-when-google-workspace-is-your-idp)
1. Sign in to the Google Cloud console and activate Cloud Shell: <https://console.cloud.google.com?cloudshell=true>

2. Redeploy your SCIM Bridge using the latest version of the Cloud Run services YAML from this directory in our repository:

```sh
curl --silent --show-error \
https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/op-scim-bridge.yaml |
gcloud run services replace -
```

> [!TIP]
> Check for 1Password SCIM Bridge updates on the [SCIM Bridge releases notes website](https://releases.1password.com/provisioning/scim-bridge/).
3. [Test your SCIM Bridge deployment](#step-4-test-your-scim-bridge) using your bearer token.

The new version number that you updated to should appear in the health check, the container logs for SCIM Bridge, and the top left-hand side of the page if signing in to the SCIM Bridge at its URL in a web browser. After you sign in to your SCIM Bridge, the [Automated User Provisioning page](https://start.1password.com/integrations/provisioning/) in your 1Password account will also update with the latest access time and SCIM Bridge version.
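Review bot: Step 2.5 hardcodes the project ID (`gcloud projects describe op-scim-bridge`) even though the Step 1 tip lets readers keep an existing project with a different ID, so the IAM binding command fails for anyone who followed that tip; read the project from the active configuration instead, e.g. `gcloud projects describe "$(gcloud config get-value project)" --format="value(projectNumber)"`. The same step grants `roles/secretmanager.secretAccessor` to the Compute Engine default service account, which is the identity every Cloud Run service in the project runs as unless configured otherwise; a dedicated service account for the SCIM Bridge service would keep access to the `scimsession` secret scoped to this one workload. Step 3 grants `allUsers` the `roles/run.invoker` role, so the guide should state plainly that from then on the bearer token checked in Step 4 is the only control on the public endpoint. Step 3 and the update appendix also pipe `op-scim-bridge.yaml` from the `main` branch straight into `gcloud run services replace`, so what gets deployed depends on the state of the branch at the moment of the run; referencing a tag or commit in the raw URL would make redeployments reproducible. Minor: `commmand` in the Step 1 note, `mount volume` should read `mount a volume` in Step 2, `expected work` should read `expected to work` in the Step 2 tip, and `Click **** _(More)_` has lost the icon between the asterisks.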
107 changes: 107 additions & 0 deletions beta/google-cloud-run/google-workspace/README.md
@@ -0,0 +1,107 @@
# Connect 1Password SCIM Bridge to Google Workspace

_Learn how to configure your 1Password SCIM Bridge deployed on [Cloud Run](https://cloud.google.com/run/docs/overview/what-is-cloud-run) to connect to Google Workspace using Cloud Shell._

This directory includes [a template JSON file](./workspace-settings.json) used to configure the connection to Workspace and [a Cloud Run YAML](./op-scim-bridge-gw.yaml) that includes the additional configuration required by Cloud Run.

**Table of contents:**

- [Before you begin](#before-you-begin)
- [Step 1: Create a secret for Workspace credentials](#step-1-create-a-secret-for-workspace-credentials)
- [Step 2: Download and edit the Workspace settings template](#step-2-download-and-edit-the-workspace-settings-template)
- [Step 3: Create a secret for Workspace setting](#step-3-create-a-secret-for-workspace-settings)
- [Step 4: Redeploy your SCIM Bridge to connect to Workspace](#step-4-redeploy-your-scim-bridge-to-connect-to-workspace)
- [Appendix: Update your SCIM Bridge when Google Workspace is your IdP](#update-your-scim-bridge-when-google-workspace-is-your-idp)

## Before you begin

> [!IMPORTANT]
> Complete the steps to [deploy 1Password SCIM Bridge on Cloud Run](../README.md) **before** the next steps in this guide.
To connect your SCIM Bridge to Workspace, you'll need permissions in Google Cloud to enable the required APIs, create a service account, and an administrator with the required permissions to use the service account with your Workspace tenant.

## Step 1: Create a secret for Workspace credentials

1. Sign in to the Google Cloud console and activate Cloud Shell: <https://console.cloud.google.com?cloudshell=true>
2. Enable the Admin SDK API, create a service account named `onepassword-provisioning` and a secret named `workspace-credentials`, and add a secret version from a private key for the service account:

```sh
gcloud services enable admin.googleapis.com &&
gcloud secrets create workspace-credentials &&
gcloud iam service-accounts keys create - --iam-account=$(
gcloud iam service-accounts create onepassword-provisioning --format='value(email)'
) | gcloud secrets versions add workspace-credentials --data-file=-
```

3. Get the client ID of the service account:

```sh
gcloud secrets versions access latest --secret=workspace-credentials | jq '.client_id' --raw-output
```

Copy the client ID returned by this command to use in the next step.
4. In a separate browser tab or window, open the domain-wide delegation setup in the Workspace console: <https://admin.google.com/ac/owl/domainwidedelegation>. Click **Add new**, then fill out the information:
- **Client ID**: paste the client ID for the service account key that is output by the last command.
- **OAuth scopes**: paste this comma-separated list:

```sh
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.group.member.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly
```

## Step 2: Download and edit the Workspace settings template

1. Download the [`workspace-settings.json`](./workspace-settings.json) template file from this repository.
2. Edit the following in this file:
- **Actor**: Enter the email address for a Google Workspace administrator to use with the service account.
- **Bridge Address**: Enter your SCIM Bridge URL.
> [!IMPORTANT]
> This is the URL for the Cloud Run service from [Step 3: Deploy your SCIM Bridge](../README.md#step-3-deploy-your-scim-bridge)
> (_**not**_ your 1Password account sign-in address). For example: `https://op-scim-bridge-example-uc.a.run.app`.
3. Save the file.

## Step 3: Create a secret for Workspace settings

In the Cloud Console:

1. Click **** _(More)_ > **Upload** in the Cloud Shell terminal menu bar.
2. Click **Choose Files**. Select the `workspace-settings.json` file that you saved to your computer.
3. Use the destination directory as is (or note the path if you saved it elsewhere). Click **Upload**.
4. Create the secret using the following command (replace `$HOME/workspace-settings.json` with the appropriate path if you saved it elsewhere):

```sh
gcloud secrets create workspace-settings --data-file=$HOME/workspace-settings.json
```

## Step 4: Redeploy your SCIM Bridge to connect to Workspace

1. Use the [`op-scim-bridge-gw.yaml`](./op-scim-bridge-gw.yaml) Cloud Run YAML from this repository to create a new revision of the service that is configured to connect to Google Workspace:

```sh
curl --silent --show-error \
https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/google-workspace/op-scim-bridge-gw.yaml |
gcloud run services replace - &&
gcloud run services describe op-scim-bridge --format="value(status.url)"
```

2. Sign in to your SCIM Bridge in a web browser at the HTTPS endpoint provided by Cloud Run.
3. Select the Google group(s) you would like to assign to 1Password in the Google Workspace configuration. Click **Save**.

Learn more about automated provisioning in 1Password with Google Workspace: [Connect Google Workspace to 1Password SCIM Bridge (Next steps)](https://support.1password.com/scim-google-workspace/#next-steps).

## Update your SCIM Bridge when Google Workspace is your IdP

1. Sign in to the Google Cloud console and activate Cloud Shell: <https://console.cloud.google.com?cloudshell=true>

2. Create a new revision of your SCIM Bridge deployment using the latest version of the [`op-scim-bridge-gw.yaml`](./op-scim-bridge-gw.yaml) Cloud Run services YAML from this directory in our repository:

```sh
curl --silent --show-error \
https://raw.githubusercontent.com/1Password/scim-examples/main/beta/google-cloud-run/google-workspace/op-scim-bridge-gw.yaml |
gcloud run services replace -
```

> [!TIP]
> Check for 1Password SCIM Bridge updates on the [SCIM Bridge releases notes website](https://releases.1password.com/provisioning/scim-bridge/).
3. [Test your SCIM Bridge deployment](../README.md#step-4-test-your-scim-bridge) using your bearer token.

The new version number that you updated to should appear in the health check, the container logs for SCIM Bridge, and the top left-hand side of the page if signing in to the SCIM Bridge at its URL in a web browser. After you sign in to your SCIM Bridge, the [Automated User Provisioning page](https://start.1password.com/integrations/provisioning/) in your 1Password account will also update with the latest access time and SCIM Bridge version.
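Review bot: Step 4 redeploys with `op-scim-bridge-gw.yaml`, which mounts the `workspace-credentials` and `workspace-settings` secrets, but nothing in this guide grants the service's identity access to either secret; the base guide bound `roles/secretmanager.secretAccessor` only on `scimsession`. Unless the service account already holds that role at project level, the new revision cannot mount the volumes, so Step 1 and Step 3 should each end with the same `gcloud secrets add-iam-policy-binding <secret> --member=... --role=roles/secretmanager.secretAccessor` command the base guide uses. Step 1 pipes the freshly created service account key from `gcloud iam service-accounts keys create -` straight into `gcloud secrets versions add ... --data-file=-`, so the private key never touches the Cloud Shell disk; that is the right pattern and worth calling out, together with the fact that the requested domain-wide delegation scopes are all `.readonly`. The OAuth scope list is fenced as `sh` although it is a comma-separated string, not a command; a plain text fence avoids presenting it as something to run. Minor: the table of contents entry reads "Create a secret for Workspace setting" while the heading says "settings", and `Click **** _(More)_` has lost its icon as in the base guide.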
64 changes: 64 additions & 0 deletions beta/google-cloud-run/google-workspace/op-scim-bridge-gw.yaml
@@ -0,0 +1,64 @@
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
name: op-scim-bridge
spec:
template:
metadata:
annotations:
autoscaling.knative.dev/minScale: "1"
autoscaling.knative.dev/maxScale: "1"
run.googleapis.com/cpu-throttling: "false"
run.googleapis.com/startup-cpu-boost: "true"
spec:
containers:
- name: scim
image: 1password/scim:v2.9.4
ports:
- name: http1
containerPort: 3002
env:
- name: OP_WORKSPACE_CREDENTIALS
value: /home/opuser/.op/workspace-credentials/.json
- name: OP_WORKSPACE_SETTINGS
value: /home/opuser/.op/workspace-settings/.json
resources:
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: credentials
mountPath: /home/opuser/.op
- name: workspace-credentials
mountPath: /home/opuser/.op/workspace-credentials
- name: workspace-settings
mountPath: /home/opuser/.op/workspace-settings
- name: redis
image: redis
args:
- --maxmemory 256mb
- --maxmemory-policy volatile-lru
- --save ""
resources:
limits:
cpu: 500m
memory: 512Mi
volumes:
- name: credentials
secret:
secretName: scimsession
items:
- key: latest
path: scimsession
- name: workspace-credentials
secret:
secretName: workspace-credentials
items:
- key: latest
path: .json
- name: workspace-settings
secret:
secretName: workspace-settings
items:
- key: latest
path: .json
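Review bot: the Redis sidecar uses the unpinned `image: redis` while the SCIM container pins `1password/scim:v2.9.4`; pin the sidecar to a version tag or digest so a later `gcloud run services replace` cannot silently pull a different Redis release. `minScale` and `maxScale` of `"1"` are load-bearing here because the cache lives in the sidecar's memory and is not shared between instances; a YAML comment saying so would stop someone raising `maxScale` for availability and breaking the session cache. The `--maxmemory 256mb`, `--maxmemory-policy volatile-lru` and `--save ""` arguments keep the cache inside the 512Mi limit and off disk, which is the right shape for a sidecar that holds session state.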
@@ -0,0 +1,4 @@
{
"actor":"admin.email.goes.here@example.com",
"bridgeAddress":"https://op-scim-bridge-example.run.app"
}
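Review bot: the `bridgeAddress` placeholder `https://op-scim-bridge-example.run.app` does not match the example URL the Workspace guide tells readers to expect, `https://op-scim-bridge-example-uc.a.run.app`; using the same example in the template and the guide makes it obvious which value to replace. Since the guide stresses that this must be the Cloud Run service URL and not the 1Password sign-in address, and that `actor` must be a Workspace administrator the service account acts on behalf of, a short comment to that effect belongs in the README next to the template, because JSON cannot carry one.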