Provide a simple LDAP service

Add LDAP stack to deploy a simple OpenLDAP configuration and
its admin server.

This can be used in any cookbook to provide Gerrit an
LDAP service for authentication.

Feature: Issue 12484
Change-Id: I0cc0276ef37c8a044882e85bfa9f0d5c2eff481a
diff --git a/ldap/Makefile b/ldap/Makefile
new file mode 100644
index 0000000..646569d
--- /dev/null
+++ b/ldap/Makefile
@@ -0,0 +1,21 @@
+LDAP_TEMPLATE:=cf-ldap.yml
+AWS_REGION:=us-east-1
+AWS_FC_COMMAND=export AWS_PAGER=;aws cloudformation
+LDAP_STACK_NAME:=gerrit-ldap
+HOSTED_ZONE_NAME:=mycompany.com
+
+.PHONY: ldap delete-ldap
+
+ldap:
+	$(AWS_FC_COMMAND) create-stack \
+		--stack-name $(LDAP_STACK_NAME) \
+		--capabilities CAPABILITY_IAM  \
+		--template-body file://`pwd`/$(LDAP_TEMPLATE) \
+		--region $(AWS_REGION) \
+		--parameters \
+		ParameterKey=HostedZoneName,ParameterValue=$(HOSTED_ZONE_NAME)
+
+delete-ldap:
+	$(AWS_FC_COMMAND) delete-stack \
+	--stack-name $(LDAP_STACK_NAME) \
+	--region $(AWS_REGION)
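Review bot: the `ldap` target passes only `HostedZoneName`, so the stack silently depends on a key pair literally named `gerrit-cluster-keys` (the template's `KeyName` default) already existing in `us-east-1`; a missing pair fails at create time with an unhelpful CloudFormation error. Consider adding `KEY_NAME:=gerrit-cluster-keys` beside the other variables and passing `ParameterKey=KeyName,ParameterValue=$(KEY_NAME)` so the README's `create-key-pair` step and the stack are visibly tied together. Also, `--capabilities CAPABILITY_IAM` is not needed here: `cf-ldap.yml` declares no IAM resources, and dropping the flag keeps the acknowledgement scoped to what the template actually creates. Minor: the `delete-ldap` continuation lines are indented one level less than those in `ldap`.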
diff --git a/ldap/README.md b/ldap/README.md
new file mode 100644
index 0000000..f56737a
--- /dev/null
+++ b/ldap/README.md
@@ -0,0 +1,59 @@
+# LDAP
+
+This is a set of Cloud Formation Templates and scripts to spin up a simple LDAP
+service and its Admin panel.
+
+It can be used to provide a simple LDAP instance to be used to integrate with
+any Gerrit setup in the different cookbooks.
+
+## How to run it
+
+### Prerequisites
+
+As a prerequisite to run this stack, you will need a registered and correctly
+configured domain in [Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/getting-started.html)
+
+### Getting Started
+
+* Create a key pair to access the EC2 instances in the cluster:
+
+```
+aws ec2 create-key-pair --key-name gerrit-cluster-keys \
+  --query 'KeyMaterial' --output text > gerrit-cluster.pem
+```
+
+*NOTE: the EC2 key pair are useful when you need to connect to the EC2 instances
+for troubleshooting purposes. Store them in a `pem` file to use when ssh-ing into your
+instances as follow: `ssh -i yourKeyPairs.pem <ec2_instance_ip>`*
+
+* Create the LDAP stack:
+
+```
+make ldap HOSTED_ZONE_NAME=mycompany.com
+```
+
+The `HOSTED_ZONE_NAME` value is the Hosted Zone Name where a DSN route pointing
+to the LDAP service will be created.
+
+### Cleaning up
+
+```
+make delete-ldap
+```
+
+### Access your LDAP instance
+
+* LDAP Service:
+ * **URI**: ldap://gerrit-ldap.gerritforgeaws.com
+ * **Port**: 636
+* LDAP Admin Service:
+ * **URI**: https://gerrit-ldap.mycompany.com
+ * **Port**: 6443
+ * **Username**: cn=admin,dc=example,dc=org
+ * **Password**: secret
+
+The LDAP instance provided already has a Gerrit Admin user baked in with the
+following credentials:
+
+* **Username**: gerritadmin
+* **Password**: secret
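Review bot: the "Access your LDAP instance" section is inconsistent with the template. The LDAP service is listed as `ldap://gerrit-ldap.gerritforgeaws.com` on port 636, but 636 is the LDAPS port (plain `ldap://` would normally be 389), and the host is under `gerritforgeaws.com` while the admin URI and the `cf-ldap.yml` record set use `gerrit-ldap.<HostedZoneName>` (shown as `mycompany.com` one line below); pick one scheme/port pair and one hostname placeholder, and make the template's `LDAPServiceUrl` output agree with it. Two wording fixes in the same hunk: "a DSN route pointing to the LDAP service" should read "a DNS record pointing to the LDAP service", and "the EC2 key pair are useful ... as follow" should be "the EC2 key pair is useful ... as follows". It would also help readers to state that `cn=admin,dc=example,dc=org` / `secret` and `gerritadmin` / `secret` are fixed demo credentials baked into the image, so nobody reuses this stack beyond the test setups the cookbooks describe.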
diff --git a/ldap/cf-ldap.yml b/ldap/cf-ldap.yml
new file mode 100644
index 0000000..0c0dbd4
--- /dev/null
+++ b/ldap/cf-ldap.yml
@@ -0,0 +1,76 @@
+---
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'AWS CloudFormation Template to Deploy a single EC2 instance
+  with OpenLDAP Installed and configured with a Gerrit Admin User'
+Parameters:
+  KeyName:
+    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
+    Type: AWS::EC2::KeyPair::KeyName
+    Default: gerrit-cluster-keys
+    ConstraintDescription: must be the name of an existing EC2 KeyPair.
+  InstanceType:
+    Description: EC2 instance type
+    Type: String
+    Default: t2.micro
+  HostedZoneName:
+    Description: The route53 HostedZoneName.
+    Type: String
+Resources:
+  EC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      InstanceType: !Ref InstanceType
+      SecurityGroups:
+        - !Ref InstanceSecurityGroup
+      KeyName: !Ref KeyName
+      ImageId: ami-0472cbe99b81a694a
+      UserData:
+        Fn::Base64: !Sub |
+          #!/bin/bash -xe
+          su - ec2-user bash -c "docker-compose up"
+  InstanceSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Enable SSH access via port 22
+      SecurityGroupIngress:
+      - CidrIp: 0.0.0.0/0
+        IpProtocol: -1
+  LDAPDnsRecord:
+      Type: AWS::Route53::RecordSet
+      Properties:
+        Name: !Sub 'gerrit-ldap.${HostedZoneName}'
+        HostedZoneName: !Sub '${HostedZoneName}.'
+        Comment: DNS name for LDAP Test instance.
+        Type: A
+        TTL: '60'
+        ResourceRecords:
+          - !GetAtt EC2Instance.PublicIp
+Outputs:
+  InstanceId:
+    Description: InstanceId of the newly created EC2 instance
+    Value:
+      Ref: EC2Instance
+  AZ:
+    Description: Availability Zone of the newly created EC2 instance
+    Value:
+      Fn::GetAtt:
+      - EC2Instance
+      - AvailabilityZone
+  PublicDNS:
+    Description: Public DNSName of the newly created EC2 instance
+    Value:
+      Fn::GetAtt:
+      - EC2Instance
+      - PublicDnsName
+  PublicIP:
+    Description: Public IP address of the newly created EC2 instance
+    Value:
+      Fn::GetAtt:
+      - EC2Instance
+      - PublicIp
+  LDAPAdminWebUrl:
+    Description: LDAP Admin URL
+    Value: !Sub 'https://gerrit-ldap.${HostedZoneName}:6443'
+  LDAPServiceUrl:
+    Description: LDAP Service URL
+    Value: !Sub 'ldap://gerrit-ldap.${HostedZoneName}:636'
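Review bot: `InstanceSecurityGroup` does not match its own description. `GroupDescription` says "Enable SSH access via port 22", but the single ingress rule is `CidrIp: 0.0.0.0/0` with `IpProtocol: -1`, which admits every protocol on every port from anywhere, to an instance that the README documents as carrying well-known admin credentials. Replace it with one rule per service the README actually exposes, e.g. `IpProtocol: tcp`, `FromPort: 22`, `ToPort: 22`, and the same for 636 and 6443, and consider a `SourceCidr` parameter (defaulting to something narrower than `0.0.0.0/0`) so operators can limit who reaches the admin panel. Two smaller points: `ImageId: ami-0472cbe99b81a694a` is a single, region-specific AMI while `AWS_REGION` is a Makefile variable, so a short comment on where that image comes from (or a `Mappings` entry per region) would save the next person a failed deploy; and `UserData` runs `docker-compose up` in the foreground under `su`, so if the compose project is expected to survive the script ending, `-d` is needed, and the `docker-compose.yml` it relies on should be referenced somewhere in this change.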