An IaC example of PingFederate cluster using CDK in Typescript

sdhuang32/pingfederate-demo-cdk

PingFederate cluster demo using CDK in Typescript

This repo is an IaC (Infrastructure as Code) example that builds a PingFederate cluster, backed by an Aurora Postgres RDS cluster as its datastore. It uses CDK in Typescript to provision the AWS resources and Bash scripts to configure the application.

To be a bit more specific, the system consists of the following:

  • A VPC stack, which deploys a new VPC in your AWS account with 3 public subnets and 3 private subnets spread across 3 AZs in your region. Check the VPC quota of your account before you run the deploy command below.
  • An RDS stack, which deploys an Aurora Postgres RDS cluster as the datastore for PingFed. The cluster is reachable from, and registered in, PingFederate, but no SAML/OAuth configuration is set up.
  • A PingFederate stack, which deploys a PingFed cluster of 1 admin node and 3 engine nodes, each node type in its own auto scaling group.
  • No publicly verifiable server certificate is created by this app, and you don't need to create one as a prerequisite. For demo purposes the app uses the self-signed certificate that PingFederate generates automatically.

Here is a concise architecture of this system:

Usage

Assumptions when running the following commands

  1. You are using an administrator IAM user/role in order to prevent possible permission issues.
  2. You can directly access IPs/endpoints of resources created in a public subnet in a newly created VPC, from your local device.
  • Install npm and the CDK CLI (npm install -g aws-cdk) on your device.
  • Clone this repo, change into its directory, and run npm install.
  • NODE_ENV="[dev|sit|staging|prod]" cdk synth [stacks] -c stackName="what-ever-to-prevent-collision" --profile "your-aws-cli-profile"
    • e.g. NODE_ENV="dev" cdk synth pingfed-demo -c stackName="pingfed-demo" --profile dev
  • NODE_ENV="[dev|sit|staging|prod]" cdk deploy [stacks] -c stackName="what-ever-to-prevent-collision" --profile "your-aws-cli-profile" [--require-approval never]
    • e.g. NODE_ENV="dev" cdk deploy pingfed-demo -c stackName="pingfed-demo" --profile dev --require-approval never
    • Note: The first time you run the above command, it deploys the dependency stacks pingfed-demo-vpc and pingfed-demo-rds before deploying the pingfed-demo stack.
  • NODE_ENV="[dev|sit|staging|prod]" cdk destroy [stacks] -c stackName="name-of-stack-which-you-wanna-delete" --profile "your-aws-cli-profile" [--force]
    • e.g. NODE_ENV="dev" cdk destroy pingfed-demo -c stackName="pingfed-demo" --profile dev --force
    • Note: The above command destroys only the pingfed-demo stack. To destroy the whole system, run NODE_ENV="dev" cdk destroy --all -c stackName="pingfed-demo" --profile dev --force. For more details, refer to the cdk command usage.
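The architecture above puts the Aurora cluster in private subnets and exposes only the engine ALB and the admin NLB. A cheap way to confirm that the synthesized stacks actually say that, before cdk deploy, is to inspect the CloudFormation template cdk synth writes to cdk.out/<stack>.template.json. The following added example (not code from the pingfederate-demo-cdk repo) does exactly that check: it flags an RDS instance marked PubliclyAccessible, and any security group ingress rule that opens the Postgres port (5432) or the PingFederate admin port (9999) to 0.0.0.0/0 or ::/0. The port numbers are the Postgres and PingFederate defaults and are an assumption here; the embedded template is constructed to resemble synth output and is not real output of this project.

```typescript
// Added example, not part of sdhuang32/pingfederate-demo-cdk.
// Post-synth exposure check over a CloudFormation template produced by `cdk synth`.
import * as fs from "fs";

type Finding = { logicalId: string; reason: string };

interface Template {
  Resources: Record<string, { Type: string; Properties?: Record<string, any> }>;
}

// CIDRs that mean "anyone on the internet".
const WORLD = new Set(["0.0.0.0/0", "::/0"]);
// Ports that must only be reachable from inside the VPC or from named security
// groups: Postgres (5432) and the PingFederate admin console (9999). Assumed defaults.
const SENSITIVE_PORTS = new Set([5432, 9999]);

function ruleIsWorldOpen(rule: Record<string, any>): boolean {
  return WORLD.has(rule.CidrIp) || WORLD.has(rule.CidrIpv6);
}

function ruleCoversSensitivePort(rule: Record<string, any>): boolean {
  if (rule.IpProtocol === "-1") return true; // "all traffic" covers every port
  const from = Number(rule.FromPort ?? -1);
  const to = Number(rule.ToPort ?? -1);
  for (const p of SENSITIVE_PORTS) if (p >= from && p <= to) return true;
  return false;
}

// Walks every resource in the template and returns the exposures it finds.
export function findExposures(tpl: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(tpl.Resources)) {
    const props = res.Properties ?? {};
    if (res.Type === "AWS::RDS::DBInstance" && props.PubliclyAccessible === true) {
      findings.push({ logicalId: id, reason: "RDS instance is PubliclyAccessible" });
    }
    if (res.Type === "AWS::EC2::SecurityGroup") {
      for (const rule of props.SecurityGroupIngress ?? []) {
        if (ruleIsWorldOpen(rule) && ruleCoversSensitivePort(rule)) {
          findings.push({ logicalId: id, reason: `ingress ${rule.FromPort}-${rule.ToPort} open to ${rule.CidrIp ?? rule.CidrIpv6}` });
        }
      }
    }
    // Standalone ingress resources (CDK emits these for cross-stack SG references).
    if (res.Type === "AWS::EC2::SecurityGroupIngress" && ruleIsWorldOpen(props) && ruleCoversSensitivePort(props)) {
      findings.push({ logicalId: id, reason: `standalone ingress ${props.FromPort}-${props.ToPort} open to ${props.CidrIp ?? props.CidrIpv6}` });
    }
  }
  return findings;
}

// Convenience wrapper for a real file, e.g. cdk.out/pingfed-demo-rds.template.json.
export function checkTemplateFile(path: string): Finding[] {
  return findExposures(JSON.parse(fs.readFileSync(path, "utf8")) as Template);
}

// Constructed sample resembling a synthesized template for the RDS and
// PingFederate stacks. The engine ALB legitimately accepts 443 from anywhere;
// the RDS security group must not, and the admin port must stay inside the VPC.
export const SAMPLE_TEMPLATE: Template = {
  Resources: {
    EngineAlbSg: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" }],
      },
    },
    RdsSg: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        SecurityGroupIngress: [
          { IpProtocol: "tcp", FromPort: 5432, ToPort: 5432, SourceSecurityGroupId: { Ref: "EngineSg" } },
          { IpProtocol: "tcp", FromPort: 5432, ToPort: 5432, CidrIp: "0.0.0.0/0" }, // the mistake to catch
        ],
      },
    },
    AdminNlbIngress: {
      Type: "AWS::EC2::SecurityGroupIngress",
      Properties: { IpProtocol: "tcp", FromPort: 9999, ToPort: 9999, CidrIp: "10.0.0.0/16", GroupId: { Ref: "AdminSg" } },
    },
    AuroraWriter: { Type: "AWS::RDS::DBInstance", Properties: { PubliclyAccessible: true } },
  },
};
```

Run it against real synth output with something like `npx ts-node -e 'import("./check").then(m => console.log(m.checkTemplateFile(process.argv[1])))' cdk.out/pingfed-demo-rds.template.json` (file name assumed). Against the constructed sample it reports two findings: the world-open 5432 rule on RdsSg and the PubliclyAccessible writer instance; the 443 rule on the engine ALB and the VPC-scoped 9999 rule are accepted.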

Access the established PingFederate admin console

After the PingFederate stack has been deployed successfully via the cdk deploy command, it outputs 2 ELB endpoints, one for the PingFederate admin console (NLB) and one for the PingFederate engine (ALB). Use the admin (NLB) endpoint to access the admin console: https://<NLB endpoint>, e.g. https://pingf-nlbad-QW28ST25AUDY-916dec8b6b401153.elb.ap-southeast-2.amazonaws.com

  • It's normal for your browser to warn that the connection is not safe/private, because the console is served with the self-signed certificate generated by PingFederate.
  • At the sign-on page, enter "administrator/2Federate" to log in for demo purposes.
  • After you log in, you will see the index page; the 4 dots in the bottom half, highlighted in a red box in the screenshot, indicate the current cluster members.
  • Go to SYSTEM -> Server -> Cluster Management to see more info about the cluster members.
  • Go to SYSTEM -> Data & Credential Stores -> Data Stores to see the Aurora Postgres RDS cluster that is already registered.
