Propagating WSO2 Identity Server Configurations across Multiple Environments

Imalsha Gunasekara
Jun 25, 2023

In today’s fast-moving world of technology, it’s crucial to have CI/CD pipelines that automate processes. They help deliver software quickly, integrate changes smoothly, and deploy it effortlessly. This way, we can keep up with the pace of innovation, boost productivity, and make things easier for everyone involved.

We provide the IAM CLI tool to automate the deployment and propagation of WSO2 IS configurations across multiple environments. The tool is officially available in the identity-tools-cli repo [1], and the documentation on using it is in the docs section of that repository.

When running in CLI mode, the tool supports two major commands: exportAll and importAll. The exportAll command exports all the specified IS configurations from a given Identity Server to a local folder, while the importAll command imports them into a second IS server. With these two commands, the following requirements can be met:

  • Export all/selected resources from a WSO2 IS to a local directory.
  • Import all/selected resources from a local directory to a WSO2 IS.
  • Propagate resources across multiple environments.
  • Deploy new resources from resource configuration files to a WSO2 IS.
  • Have a backup of resources in a local directory.

The IAM CLI tool can be used to export/import/propagate the following types of IS resources:

  • Applications
  • Identity Providers
  • Claim Configurations
  • Userstores

WSO2 IS Configuration Propagation

In this blog, I will show you how you can propagate your IS configurations from one IS environment to another.

Let us assume we have two Identity Servers running in two different environments, dev and prod, and we need to promote the configurations in the dev environment to prod.

This tool can be used to export resource configurations from the dev environment to a local directory and import them back to the prod environment.

Preparing the IS servers

  1. Download the latest WSO2 Identity Server from the product-is releases[2].
  2. Extract the wso2is folder and get 2 copies of the IS pack (one representing each environment) and rename accordingly (dev-IS and prod-IS).
  3. Create a management application in each IS.

a. Open a terminal and start the dev IS server with sh wso2server.sh. The dev IS server will be accessible at https://localhost:9443.

b. Open another terminal and start the prod IS server with a port offset so that it runs on port 9444 instead of the default port (9443).

sh wso2server.sh -DportOffset=1

The prod IS server will be accessible at https://localhost:9444.

c. For each IS, open a browser and access the management console at https://localhost:<port>/carbon.

d. Go to Service Providers → Add → Provide a suitable name → Tick the Management Application option → Register.

e. Go to Inbound Authentication Configuration → OAuth/OpenID Connect Configuration → Configure → Add a dummy URL for Callback Url → Update.

f. Create a similar management application for the other environment as well and note down the Client Id and Client Secret of both applications.

Configuring the CLI Tool

  1. Download the CLI tool from the latest releases.
  2. Create a new folder where the resource configurations should be exported into. I will refer to this folder as the local directory.
  3. Extract the downloaded CLI tool and open a terminal inside it.
  4. Create an alias for the IAM-CTL executable file available inside the bin folder.
alias iamctl="bin/iamctl"

5. Run the following command to create the config files needed to configure the tool against the IS servers inside the local directory created at step 2.

iamctl setupCLI -d <local directory>

A new folder named configs will be created inside the local directory.

6. Go inside the configs folder and create another copy of the env folder and rename these two folders as dev and prod to suit our two environments.

7. Open the configs/dev/serverConfigs.json file and add the following details.

{
    "SERVER_URL" : "https://localhost:9443",
    "CLIENT-ID" : "<client-id-of-the-management-app-created-in-dev-IS>",
    "CLIENT-SECRET" : "<client-secret-of-the-management-app-created-in-dev-IS>",
    "TENANT-DOMAIN" : "carbon.super"
}

8. Similarly, edit the configs/prod/serverConfigs.json file: add https://localhost:9444 as the server URL and add the client ID and secret of the management application created in the prod IS.
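Because the dev and prod folders start as copies of the same env folder and each serverConfigs.json holds a client secret, it is worth checking both files before the tool is run. The following is an added example, not part of the original post or of the IAM CLI tool; the function names are hypothetical, and the key names and the dev/prod folder layout are taken from the steps above.

```python
import json
import stat
from pathlib import Path
from urllib.parse import urlparse

# Key names exactly as they appear in this post's serverConfigs.json sample.
REQUIRED_KEYS = ("SERVER_URL", "CLIENT-ID", "CLIENT-SECRET", "TENANT-DOMAIN")


def load_server_config(env_dir):
    """Return (path, parsed dict), or (path, None) if unreadable or not an object."""
    path = Path(env_dir) / "serverConfigs.json"
    try:
        cfg = json.loads(path.read_text())
    except (OSError, ValueError):
        return path, None
    return path, cfg if isinstance(cfg, dict) else None


def check_env(env_dir):
    """List problems in one environment's serverConfigs.json."""
    path, cfg = load_server_config(env_dir)
    if cfg is None:
        return [f"{path}: missing, unreadable or not a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{path}: {key} is missing or empty")
        elif value.lstrip().startswith("<"):
            problems.append(f"{path}: {key} still holds a placeholder")
    if urlparse(str(cfg.get("SERVER_URL", ""))).scheme != "https":
        problems.append(f"{path}: SERVER_URL is not https")
    # The file stores an OAuth client secret: flag group/other permission bits (POSIX).
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        problems.append(f"{path}: accessible to group/others (chmod 600)")
    return problems


def check_configs(configs_dir, envs=("dev", "prod")):
    """Check each environment and flag two environments sharing a SERVER_URL."""
    problems, seen = [], {}
    for env in envs:
        problems += check_env(Path(configs_dir) / env)
        cfg = load_server_config(Path(configs_dir) / env)[1] or {}
        url = cfg.get("SERVER_URL")
        if isinstance(url, str) and url in seen:
            problems.append(f"{env} and {seen[url]} both point at {url}")
        elif isinstance(url, str):
            seen[url] = env
    return problems
```

Calling check_configs("<local directory>/configs") returns an empty list when both files are filled in, point at different servers and are readable only by their owner.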

Running the CLI Tool

  1. Log in to the management console of the dev IS and create a sample application (named Sample).
  2. In the terminal opened inside the tool, run the following command to export configurations from the dev IS.
iamctl exportAll -c <path-to-local-directory>/configs/dev -o <local-directory>

This command will get the configs needed for the tool from the configs/dev folder that we configured earlier and will export all resources from dev IS and create files inside the local directory.

Go inside local-directory/Applications folder and check whether the newly created application is available as a file named Sample.yml.

3. Open the /configs/prod/toolConfigs.json file and add the following:

{
    "APPLICATIONS" : {
        "EXCLUDE" : ["Console", "My Account", "Dev-mgt-SP"]
    },
    "IDENTITY_PROVIDERS" : {
        "EXCLUDE" : ["Local"]
    }
}

If we run the import command directly against our exported files, all the resources will be updated according to the exported content. In this case I do not need to update the Console and My Account apps, the management application we created earlier, or the Resident Identity Provider, so I have added them under the “EXCLUDE” option, which excludes these resources during import. Find more details on these configurations in the tool’s documentation.

4. Run the import command pointing to the prod environment configs that we added under the configs/prod folder.

iamctl importAll -c <path-to-local-directory>/configs/prod -i <local-directory>

5. Log in to the management console of the prod IS and check the Service Provider list.

You can see that the Sample app has been newly created in the prod environment.

Similarly, you can follow the same procedure to edit/delete an existing resource and propagate the changes to higher environments.
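Since importAll updates every resource that is not listed under EXCLUDE, a pipeline can preview the import set before step 4 and stop if a protected application would be overwritten. The following is an added example, not part of the original post or of the IAM CLI tool; import_preview, FOLDERS and the protected list are hypothetical names, and it assumes an exported file's name (without extension) is the resource name, as with Sample.yml above.

```python
import json
import sys
from pathlib import Path

# toolConfigs.json section -> export folder. "Applications" is the folder this
# post names; other folder names are not shown here, so add them only after
# checking your own export output.
FOLDERS = {"APPLICATIONS": "Applications"}


def import_preview(local_dir, env_config_dir, protected=()):
    """Classify exported resources the way the EXCLUDE lists describe.

    Returns a dict with "import" (would be applied), "skip" (listed under
    EXCLUDE) and "violations" (protected names that would still be applied).
    """
    cfg_path = Path(env_config_dir) / "toolConfigs.json"
    tool_cfg = json.loads(cfg_path.read_text())
    plan = {"import": [], "skip": [], "violations": []}
    for section, folder in FOLDERS.items():
        excluded = set(tool_cfg.get(section, {}).get("EXCLUDE", []))
        root = Path(local_dir) / folder
        files = sorted(p for p in root.iterdir() if p.is_file()) if root.is_dir() else []
        for path in files:
            # Assumption: file stem equals the resource name (Sample -> Sample.yml).
            name = path.stem
            bucket = "skip" if name in excluded else "import"
            plan[bucket].append(f"{folder}/{name}")
            if bucket == "import" and name in protected:
                plan["violations"].append(f"{folder}/{name}")
    return plan


if __name__ == "__main__":
    # Usage: preview.py <local-directory> <configs/prod> [protected names...]
    result = import_preview(sys.argv[1], sys.argv[2], set(sys.argv[3:]))
    for key in ("import", "skip", "violations"):
        print(f"{key}: {', '.join(result[key]) or '-'}")
    sys.exit(1 if result["violations"] else 0)
```

Run as a script, it exits non-zero when a protected name is still in the import set, which lets a CI job fail before importAll touches prod.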

Check out the other features of this CLI tool to smoothly carry out your CI/CD requirements for WSO2 Identity Server configurations.

Happy Coding!

References

[1] https://github.com/wso2-extensions/identity-tools-cli

[2] https://github.com/wso2/product-is/releases
