SCIM deploy using a single Docker container (without Redis)

edited July 22 in SCIM Bridge

Hi,

I'm trying to deploy the SCIM bridge in a Docker container on an AWS EC2 instance.
I don't want to use Redis because I have a valid certificate for my domain in AWS Certificate Manager. This certificate is assigned to my public load balancer.

I wrote the following docker-compose file:

```yaml
version: "3"

services:
  scim:
    image: 1password/scim:v1.4.3
    container_name: 1password-scim
    restart: always
    entrypoint: ["/op-scim/op-scim"]
    env_file: scim-base64.env
    ports:
      - 3002:3002
```

QUESTIONS:

  • Do I need to expose port 3002 in my EC2 instance for incoming traffic from the load balancer?
  • Do I need to expose port 3002 in the load balancer to the public internet?
  • Do I need a traffic redirection from port 443 to port 3002?
  • Should ports 80 and 443 also be opened in the load balancer and server if I'm not using Redis?


Comments

  • graham_1P

    Team Member

    Hi @leonardopech,

    The redis container is a hard dependency for the SCIM Bridge. It does not just hold the TLS certificate. It also holds persistent log files as well as ExternalID mappings for AzureAD.

    Assuming you were not using AzureAD, it is in theory possible for us to modify the code to make it detachable. However, that would not be a small undertaking. What is your rationale for not wanting to use the redis container?

    To answer your questions explicitly:

    Do I need to expose port 3002 in my EC2 instance for incoming traffic from the load balancer? Yes. By default the SCIM Bridge listens on this port for unsecured traffic when running without LetsEncrypt.
    Do I need to expose port 3002 in the load balancer to the public internet? No. Terminate TLS connections at the load balancer, and route the resulting unsecured traffic through your network to the SCIM Bridge on port 3002.
    Do I need a traffic redirection from port 443 to port 3002? Yes. You have the right idea.
    Should ports 80 and 443 also be opened in the load balancer and server if I'm not using Redis? If we were able to detach it somehow, no ports would change. The service would still receive traffic on 443.

    Let me know what questions you have.

    Graham

  • Perfect!!

    My final docker-compose file was:

```yaml
version: "3"

services:
  scim:
    image: 1password/scim:v1.4.3
    container_name: 1password-scim
    restart: always
    depends_on:
      - redis
    ports:
      - 3002:3002
    entrypoint: ["/op-scim/op-scim"]
    env_file: scim-base64.env
  redis:
    image: redis:latest
    container_name: 1password-redis
    restart: always
    # no volume is declared, so redis data lives only as long as this container
```

    The load balancer receives traffic on 443 and redirects it to port 3002 on my EC2 instance, which in turn forwards it to port 3002 in the SCIM container. It works so well!
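
As an added example (not code from the thread or from 1Password), a small Python lint that encodes Graham's answers and checks a compose definition against them: redis present and started first, port 3002 published for the load balancer, and no 80/443 on the container because TLS ends at the load balancer. The two inputs are constructed from the first and final compose files in this thread and loaded as dicts so no YAML library is required.

```python
"""Lint a docker-compose dict against the pattern from this thread: redis present
and started first, the bridge published on plain-HTTP port 3002 for the load
balancer, and no 80/443 on the container since TLS ends at the load balancer.
Added example, not 1Password's code; inputs are constructed from the thread."""

SCIM_PORT = 3002
TLS_PORTS = {80, 443}

# Constructed from the original post (no redis) and the final file (redis, no volume).
FIRST_ATTEMPT = {"services": {"scim": {"image": "1password/scim:v1.4.3",
                                       "ports": ["3002:3002"]}}}
FINAL = {"services": {
    "scim": {"image": "1password/scim:v1.4.3", "depends_on": ["redis"],
             "ports": ["3002:3002"], "env_file": "scim-base64.env"},
    "redis": {"image": "redis:latest", "restart": "always"}}}


def host_ports(service):
    """Host-side ports a service publishes: '3002', '3002:3002' or '10.0.0.5:3002:3002'."""
    ports = set()
    for entry in service.get("ports", []):
        parts = str(entry).split(":")
        ports.add(int(parts[-2] if len(parts) > 1 else parts[0]))
    return ports


def check_scim_compose(compose):
    """Return findings; an empty list means the file matches the thread's guidance."""
    findings = []
    services = compose.get("services", {})
    scim = services.get("scim")
    if scim is None:
        return ["no 'scim' service defined"]
    redis = services.get("redis")
    if redis is None:
        findings.append("redis missing: the bridge needs it for logs and Azure AD ExternalID mappings")
    else:
        if "redis" not in scim.get("depends_on", []):
            findings.append("scim lacks depends_on: [redis], so redis may start after the bridge")
        if not redis.get("volumes"):
            findings.append("redis has no volume: its data is lost when the container is recreated")
    ports = host_ports(scim)
    if SCIM_PORT not in ports:
        findings.append(f"scim does not publish port {SCIM_PORT} for the load balancer")
    if ports & TLS_PORTS:
        findings.append("scim publishes 80/443: TLS ends at the load balancer, only 3002 is needed")
    return findings
```

Run `check_scim_compose(FINAL)` to see the one remaining finding for the thread's final file: redis keeps the log and ExternalID data Graham mentions, but without a volume that data does not survive recreating the container.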

  • ag_ana

    Team Member

    On behalf of graham_1P, you are welcome @leonardopech! It's great to hear :)

    If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)
