A step function to maintain LDAP users via slack.
This project deploys a collection of lambda functions, an api gateway endpoint, and a step function implemented with the callback pattern that will automate disabling LDAP users via an interactive slack message.
- API Gateway: An API endpoint that responds asynchronously to slack events and triggers the Slack Listener lambda function
- LDAP Query: Lambda function used to perform actions against a target ldap database
- Slack Listener: Lambda function that responds to slack events via an asynchronously executed lambda function
- Slack Notifier: Lambda function that sends status updates to slack and a target step function
- Slack Bot: API Gateway endpoint and Lambda function that responds to slash commands from slack
- Retrieve the LDAPS endpoint of your target AD deployment.
  Note: This can be accomplished via SimpleAD by creating an ALB that listens via TLS on port 636 and forwards requests to your SimpleAD A record. See the associated AWS blog post or the tests of this project for a reference architecture.
- Within your LDAP directory create a user that will be used by the lambda function. This user will need permissions to query LDAP and disable users.
  Note: Refer to the following article to scope this permission to a single user: Delegate the Enable/Disable Accounts Permission in Active Directory
- Populate an encrypted SSM parameter with this new user's password and use the parameter's key as the input for the `svc_user_pwd_ssm_key` variable.
- Generate the lambda layers for this project by running `bin/generate-layers.sh`; use the `-r` option to generate the layers via docker or `-c` to create them locally.
- Register a new slack application at https://api.slack.com and capture the required inputs:
  - the Slack signing secret: Located under the slack application Settings > Basic Information
  - the Bot User OAuth Access Token: Located under the slack application Settings > Install App > Bot User OAuth Access Token
- Configure your `terraform.tfvars` with the required inputs.
- Run `terraform init` followed by `terraform apply`.
- Using the provided output url, enable slack events for your slack integration:
  - Go to https://api.slack.com
  - Find your app
  - Navigate to Features > Event Subscriptions > Enable Events
  - Enter the api gateway url created in the previous step
  - Navigate to Features > Slash Commands
  - Create a new command called `/ldap`
  - Add the slackbot request url to this command
- Test the integration from slack by calling `/ldap run`, or manually by triggering the LDAP maintenance step function with the following payload: `{"action": "query"}`
- The AD Schema
- Bobbie Couhbor's awesome blogpost on using python-ldap via lambda
- Rigel Di Scala's blog post Write a serverless Slack chat bot using AWS
| Name | Version |
|---|---|
| aws | n/a |
| random | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| domain_base_dn | Distinguished name of the domain | string | n/a | yes |
| dynamodb_table_arn | ARN of the dynamodb to take actions against | string | n/a | yes |
| dynamodb_table_name | Name of the dynamodb to take actions against | string | n/a | yes |
| ldaps_url | LDAPS URL of the target domain | string | n/a | yes |
| slack_api_token | API token used by the slack client. Located under the slack application Settings > Install App > Bot User OAuth Access Token | string | n/a | yes |
| slack_channel_id | Channel that the slack notifier will post to | string | n/a | yes |
| slack_signing_secret | The slack application's signing secret. Located under the slack application Settings > Basic Information | string | n/a | yes |
| svc_user_dn | Distinguished name of the LDAP Maintenance service account used to manage simpleAD | string | n/a | yes |
| svc_user_pwd_ssm_key | SSM parameter key that contains the LDAP Maintenance service account password | string | n/a | yes |
| vpc_id | ID of the VPC hosting the target Simple AD instance | string | n/a | yes |
| additional_cleanup_tasks | (Optional) List of step function tasks to execute in parallel once the cleanup action has been approved. | string | "" | no |
| days_since_pwdlastset | Number of days since the pwdLastSet ldap attribute has been updated. Accounts whose pwdLastSet is older than this are the ones the step function disables. | number | 120 | no |
| enable_dynamodb_cleanup | Controls whether to enable the dynamodb cleanup resources. The lambda function and supporting resources will still be deployed. | bool | true | no |
| hands_off_accounts | (Optional) List of user names to filter out of the user search results | list(string) | [] | no |
| log_level | (Optional) Log level of the lambda output, one of: Debug, Info, Warning, Error, or Critical | string | "Info" | no |
| maintenance_schedule | Periodicity at which to trigger the ldap maintenance step function | string | "cron(0 8 1 * ? *)" | no |
| project_name | Name of the project | string | "ldap-maintainer" | no |
| tags | Map of tags to assign to this module's resources | map(string) | {} | no |
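How the `days_since_pwdlastset` and `hands_off_accounts` inputs select accounts, as an added example that is not the module's own code: the entry layout, helper names and sample records are assumptions, and the FILETIME conversion is the standard Active Directory encoding of `pwdLastSet`.

```python
# Added illustration, not the module's own code: entry layout, helper names and
# sample records are assumptions. pwdLastSet is an AD FILETIME (100 ns ticks since 1601-01-01 UTC).
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on an already disabled account

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME to a UTC datetime using integer math (no float drift)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime, useful when building an LDAP search filter."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def stale_users(entries, days_since_pwdlastset=120, hands_off_accounts=(), now=None):
    """Return sAMAccountNames whose pwdLastSet is older than the threshold.

    Never selected: names in hands_off_accounts, already disabled accounts, and
    pwdLastSet == 0 ("must change password at next logon" is a flag, not a date).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days_since_pwdlastset)
    hands_off = {name.lower() for name in hands_off_accounts}
    selected = []
    for entry in entries:
        name = entry["sAMAccountName"]
        if name.lower() in hands_off:
            continue
        if entry.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue
        pwd_last_set = int(entry.get("pwdLastSet", 0))
        if pwd_last_set and filetime_to_datetime(pwd_last_set) < cutoff:
            selected.append(name)
    return selected

# Constructed sample search results, pinned to a fixed "now" so the run is repeatable.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
def _age(days): return datetime_to_filetime(SAMPLE_NOW - timedelta(days=days))
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "pwdLastSet": _age(200), "userAccountControl": 0x200},
    {"sAMAccountName": "bob", "pwdLastSet": _age(30), "userAccountControl": 0x200},
    {"sAMAccountName": "svc_ldap", "pwdLastSet": _age(400), "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "pwdLastSet": _age(300), "userAccountControl": 0x202},
    {"sAMAccountName": "dave", "pwdLastSet": 0, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(stale_users(SAMPLE_ENTRIES, hands_off_accounts=["svc_ldap"], now=SAMPLE_NOW))
```

With the default 120-day threshold only `alice` is selected: `bob` is recent, `svc_ldap` is on the hands-off list, `carol` is already disabled and `dave` has no usable date.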
| Name | Description |
|---|---|
| slack_listener_endpoint | API endpoint to use as the slack application's Interactive Components request URL |
