feat: add keycloak integration with database provisioning

Introduces Keycloak authentication service as a containerized Fargate task with dedicated database setup and automated provisioning through a new Lambda function.

Establishes secure database connections with proper user roles and permissions, updates network security groups to allow inter-service communication, and configures Route53 DNS routing for the auth subdomain.

Author: axel-ippon

layers/iroco2-cur-analyzer/00-variables.tf

@@ -27,7 +27,7 @@ variable "environment" {
 variable "project_name" {
   type        = string
   description = "Project's name"
-  default     = "cur"
+  default     = "keycloak"
 }
 
 variable "project_type" {

main.tf

@@ -62,6 +62,56 @@ module "data" {
   depends_on = [module.network]
 }
 
+module "rds_provisioner" {
+  source = "./modules/lambdas/iroco2-rds-db-provisioner"
+
+  lambda_function_name     = "${var.namespace}-${var.environment}-rds-db-provisioner"
+  lambda_subnet_ids        = module.network.private_subnet_ids
+  lambda_security_group_id = module.network.security_group_ids["iroco2-${var.environment}-rds-lambda-provisioner"]
+
+  lambda_force_invoke = false
+
+  rds_db_driver       = "postgres"
+  rds_default_db_name = "irocalc"
+  rds_endpoint        = module.data.rds_database.db_instance_address
+  rds_db_port         = 5432
+  rds_db_user         = "iroco2"
+
+  rds_secret_arn = module.data.rds_database_secret_arn
+
+  databases = [
+    "keycloak"
+  ]
+  schemas = [
+    { name = "keycloak", database = "keycloak", owner = "keycloak_readwrite" }
+  ]
+  roles = [
+    { name = "keycloak_readwrite" }
+  ]
+  users = [
+    { name = "keycloak", password_arn = module.data.rds_keycloak_secret_arn, roles = ["keycloak_readwrite"] }
+  ]
+
+  grants = [
+    {
+      object_type = "DATABASE",
+      target      = "keycloak",
+      grant_to    = "keycloak",
+      database    = "keycloak",
+      privileges  = ["CONNECT"]
+    },
+    {
+      object_type = "SCHEMA",
+      target      = "keycloak",
+      grant_to    = "keycloak_readwrite",
+      database    = "keycloak",
+      privileges  = ["USAGE", "CREATE"]
+    }
+  ]
+
+  depends_on = [module.data]
+}
+
 module "lambda_cur" {
   source = "./modules/lambdas/iroco2-cur-analyzer"
 
@@ -80,15 +130,14 @@ module "backend_api" {
   cur_s3_bucket_arn = module.lambda_cur.s3_cur_bucket_arn
 
   # Network variables
-  vpc_id                = module.network.vpc_id
-  private_subnet_ids    = module.network.private_subnet_ids
-  alb_dns_name          = module.network.alb_dns_name
-  alb_zone_id           = module.network.alb_zone_id
-  alb_arn_suffix        = module.network.alb_arn_suffix
-  alb_listener_arn      = module.network.alb_listener_https_arn
-  alb_security_group_id = module.network.security_group_ids["iroco2-${var.environment}-alb"]
-  subdomain_name        = var.subdomain_name
-  zone_name             = var.zone_name
+  vpc_id             = module.network.vpc_id
+  private_subnet_ids = module.network.private_subnet_ids
+  alb_dns_name       = module.network.alb_dns_name
+  alb_zone_id        = module.network.alb_zone_id
+  alb_arn_suffix     = module.network.alb_arn_suffix
+  alb_listener_arn   = module.network.alb_listener_https_arn
+  subdomain_name     = var.subdomain_name
+  zone_name          = var.zone_name
 
   # ECS variables
   cluster_name                  = module.services.cluster.name
@@ -103,7 +152,7 @@ module "backend_api" {
 
   task_container_environment = {
     DATABASE_NAME                      = module.data.rds_database.db_instance_name
-    IROCO2_CORS_ALLOWED_ORIGINS        = var.cors_allowed_origins
+    IROCO2_CORS_ALLOWED_ORIGINS        = "https://${var.subdomain_name}.${var.zone_name},http://localhost:3000"
     IROCO2_AWS_ANALYZER_SQS_QUEUE_NAME = module.lambda_cur.analyzer_sqs_cur_name
     IROCO2_AWS_SCANNER_SQS_QUEUE_NAME  = module.lambda_cur.scanner_sqs_cur_name
     IROCO2_AWS_SQS_QUEUE_ENDPOINT      = trimsuffix(module.lambda_cur.analyzer_sqs_cur_url, module.lambda_cur.analyzer_sqs_cur_name)
@@ -114,8 +163,8 @@ module "backend_api" {
     IROCO2_CLERK_PUBLIC_KEY            = module.services.ssm_parameters["clerk_public_key"].value
     IROCO2_KMS_IDENTITY_KEY_ID         = module.data.iroco_identity_provider_key_id.id
     IROCO2_KMS_IDENTITY_PUBLIC_KEY     = data.aws_kms_public_key.by_id.public_key
-    JWT_ISSUER                         = var.zone_name
-    JWT_AUDIENCE                       = var.zone_name
+    JWT_ISSUER                         = module.services.ssm_parameters["clerk_issuer"].value
+    JWT_AUDIENCE                       = module.services.ssm_parameters["clerk_audience"].value
   }
   task_container_secrets_arn = {}
   task_container_secrets_arn_with_key = {
@@ -141,3 +190,63 @@ module "backend_api" {
     }
   }
 }
+
+module "keycloak" {
+  source = "./modules/fargate-task-keycloak"
+
+  # Global variables
+  aws_region   = var.aws_region
+  project_name = "keycloak"
+  environment  = var.environment
+
+  # Network variables
+  vpc_id             = module.network.vpc_id
+  private_subnet_ids = module.network.private_subnet_ids
+  alb_dns_name       = module.network.alb_dns_name
+  alb_zone_id        = module.network.alb_zone_id
+  alb_arn_suffix     = module.network.alb_arn_suffix
+  alb_listener_arn   = module.network.alb_listener_https_arn
+  subdomain_name     = var.subdomain_name
+  zone_name          = var.zone_name
+
+  # ECS variables
+  cluster_name                  = module.services.cluster.name
+  cluster_id                    = module.services.cluster.id
+  container_cpu                 = 512
+  container_memory              = 2048
+  container_port                = 8080
+  container_image               = "quay.io/keycloak/keycloak:24.0.1"
+  container_desired_count       = var.container_desired_count
+  container_command             = ["-c", "/opt/keycloak/bin/kc.sh build --health-enabled=true && /opt/keycloak/bin/kc.sh start --http-enabled=true --hostname=$HOSTNAME"]
+  kms_identity_key_arn          = data.aws_kms_key.signing_key.arn
+  ecs_backend_security_group_id = module.network.security_group_ids["iroco2-${var.environment}-keycloak"]
+
+  task_container_environment = {
+    HOSTNAME          = "auth.${var.subdomain_name}.${var.zone_name}"
+    KC_PROXY          = "edge"
+    KC_DB_URL         = "jdbc:postgresql://${module.data.rds_database.db_instance_address}:5432/keycloak"
+    KC_DB             = "postgres"
+    KC_DB_SCHEMA      = "keycloak"
+    KC_HEALTH_ENABLED = "true"
+    KC_HEALTH_DB      = "enabled"
+  }
+  task_container_secrets_arn = {}
+  task_container_secrets_arn_with_key = {
+    KEYCLOAK_ADMIN = {
+      arn = module.data.rds_keycloak_admin_secret_arn
+      key = "KEYCLOAK_ADMIN"
+    }
+    KEYCLOAK_ADMIN_PASSWORD = {
+      arn = module.data.rds_keycloak_admin_secret_arn
+      key = "KEYCLOAK_ADMIN_PASSWORD"
+    }
+    KC_DB_USERNAME = {
+      arn = module.data.rds_keycloak_secret_arn
+      key = "username"
+    }
+    KC_DB_PASSWORD = {
+      arn = module.data.rds_keycloak_secret_arn
+      key = "password"
+    }
+  }
+}

modules/data/00-outputs.tf

@@ -23,6 +23,7 @@ output "rds_database" {
   value = {
     db_instance_arn      = module.rds.db_instance_arn
     db_instance_endpoint = module.rds.db_instance_endpoint
+    db_instance_address  = module.rds.db_instance_address
     db_instance_name     = module.rds.db_instance_name
     db_instance_port     = module.rds.db_instance_port
   }
@@ -33,3 +34,13 @@ output "rds_database_secret_arn" {
   value       = aws_secretsmanager_secret.rds_master_pass.arn
   description = "The ARN of the secret containing the RDS master password"
 }
+
+output "rds_keycloak_secret_arn" {
+  value       = aws_secretsmanager_secret.rds_keycloak_pass.arn
+  description = "The ARN of the secret containing the RDS master password"
+}
+
+output "rds_keycloak_admin_secret_arn" {
+  value       = aws_secretsmanager_secret.rds_keycloak_admin_pass.arn
+  description = "The ARN of the secret containing the RDS master password"
+}

modules/data/10-rds-password.tf

@@ -51,3 +51,73 @@ resource "aws_secretsmanager_secret_version" "rds_master_pass" {
     }
   )
 }
+
+# Password for Keycloak DB
+resource "random_password" "rds_keycloak_pass" {
+  length           = 40
+  special          = true
+  min_special      = 5
+  override_special = "!#$%^&*()-_=+[]{}<>:?"
+
+  lifecycle {
+    ignore_changes = [
+      override_special,
+      min_special
+    ]
+  }
+}
+
+# The secret for Keycloak DB
+resource "aws_secretsmanager_secret" "rds_keycloak_pass" {
+  name = "${var.namespace}/${var.environment}/rds/keycloak-db-secret"
+
+  tags = {
+    project = var.project_name
+  }
+}
+
+# Initial version for Keycloak DB
+resource "aws_secretsmanager_secret_version" "rds_keycloak_pass" {
+  secret_id = aws_secretsmanager_secret.rds_keycloak_pass.id
+  secret_string = jsonencode(
+    {
+      username = "keycloak"
+      password = random_password.rds_keycloak_pass.result
+    }
+  )
+}
+
+# Password for Keycloak Admin
+resource "random_password" "rds_keycloak_admin_pass" {
+  length           = 40
+  special          = true
+  min_special      = 5
+  override_special = "!#$%^&*()-_=+[]{}<>:?"
+
+  lifecycle {
+    ignore_changes = [
+      override_special,
+      min_special
+    ]
+  }
+}
+
+# The secret for Keycloak Admin
+resource "aws_secretsmanager_secret" "rds_keycloak_admin_pass" {
+  name = "${var.namespace}/${var.environment}/rds/keycloak-admin-secret"
+
+  tags = {
+    project = var.project_name
+  }
+}
+
+# Initial version for Keycloak Admin
+resource "aws_secretsmanager_secret_version" "rds_keycloak_admin_pass" {
+  secret_id = aws_secretsmanager_secret.rds_keycloak_admin_pass.id
+  secret_string = jsonencode(
+    {
+      KEYCLOAK_ADMIN          = "keycloak-admin"
+      KEYCLOAK_ADMIN_PASSWORD = random_password.rds_keycloak_admin_pass.result
+    }
+  )
+}

modules/fargate-task-keycloak/00-datasources.tf

@@ -0,0 +1,23 @@
+# Copyright 2025 Ippon Technologies
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+data "aws_route53_zone" "main" {
+  name = var.zone_name
+}
+
+data "aws_kms_alias" "secrets_manager" {
+  name = "alias/aws/secretsmanager"
+}

modules/fargate-task-keycloak/00-locals.tf

@@ -0,0 +1,22 @@
+locals {
+  domain_name = "${var.subdomain_name}.${var.zone_name}"
+
+  task_environment = [
+    for k, v in var.task_container_environment : {
+      name  = k
+      value = v
+    }
+  ]
+  task_secrets_arn = [
+    for k, v in var.task_container_secrets_arn : {
+      name      = k
+      valueFrom = v
+    }
+  ]
+  task_secrets_arn_with_key = [
+    for k, v in var.task_container_secrets_arn_with_key : {
+      name      = k
+      valueFrom = "${v.arn}:${v.key}::"
+    }
+  ]
+}

modules/fargate-task-keycloak/00-outputs.tf

@@ -0,0 +1,35 @@
+# Copyright 2025 Ippon Technologies
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+output "ecs_task_definition" {
+  value       = aws_ecs_task_definition.keycloak
+  description = "ECS task definition"
+}
+
+output "ecs_service" {
+  value       = aws_ecs_service.main
+  description = "ECS service"
+}
+
+output "alb_target_group" {
+  value       = aws_lb_target_group.keycloak
+  description = "ALB target group"
+}
+
+output "alb_listener_rule" {
+  value       = aws_lb_listener_rule.keycloak
+  description = "ALB listener rule"
+}