feat: add keycloak integration with database provisioning #14
Merged
Conversation
Introduces Keycloak authentication service as a containerized Fargate task with dedicated database setup and automated provisioning through a new Lambda function. Establishes secure database connections with proper user roles and permissions, updates network security groups to allow inter-service communication, and configures Route53 DNS routing for the auth subdomain.
Changes the default project name from "keycloak" to "cur" to properly reflect the CUR analyzer module's purpose and avoid configuration confusion with unrelated services.
Excludes generated lambda payload file from version control to prevent accidental commits of potentially sensitive data
Contributor (Author):
@Donovan1905 @sroulon-ippon Note: I haven't included the lambda provisioner function code or package yet. I think we'll need to have a proper discussion to determine the best approach for managing lambda packages, so we can effectively address the requirements for facilitating deployment. If that's ok for you, we can skip this for this PR and we'll get back to this in another.
Donovan1905
requested changes
Jan 12, 2026
Updates Terraform version to 1.14.3 and AWS provider to 6.28.0 to leverage new ephemeral resource capabilities for improved password management. Migrates RDS password generation from persistent random resources to ephemeral ones, reducing state bloat and improving security by ensuring passwords are only stored in AWS Secrets Manager. Updates RDS module to version 7.0.1 and adapts configuration to use new password management parameters compatible with ephemeral resources.
Consolidates keycloak-specific module into generic fargate-task module to enable reuse for multiple services. Adds configurable DNS prefixes and container parameters while improving database connection handling by moving credentials from secrets to direct environment variables.
Updates references from data.aws_region.*.name to data.aws_region.*.region to use the correct attribute.
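Added example, not the PR's own code: the ephemeral-password pattern the commit above describes, written against the raw aws_db_instance resource rather than the terraform-aws-modules/rds 7.0.1 module the project uses. The secret name, instance settings and the db_password_version variable are assumptions.

```hcl
terraform {
  required_version = ">= 1.14.3" # write-only arguments need Terraform 1.11+; the PR pins 1.14.3
  required_providers {
    aws    = { source = "hashicorp/aws", version = ">= 6.28.0" }
    random = { source = "hashicorp/random", version = ">= 3.7.0" } # ephemeral random_password
  }
}

# Bump this number to rotate the password; nothing else triggers a change.
variable "db_password_version" {
  type    = number
  default = 1
}

# Ephemeral: generated for this run only, never written to plan or state files.
ephemeral "random_password" "backend_db" {
  length           = 32
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "backend_db" {
  name = "cur/backend/db-master-password" # assumed name
}

# *_wo arguments are write-only: sent to the API, omitted from state and plan output.
resource "aws_secretsmanager_secret_version" "backend_db" {
  secret_id                = aws_secretsmanager_secret.backend_db.id
  secret_string_wo         = ephemeral.random_password.backend_db.result
  secret_string_wo_version = var.db_password_version
}

resource "aws_db_instance" "backend" {
  identifier          = "cur-backend" # assumed
  engine              = "postgres"
  instance_class      = "db.t4g.micro"
  allocated_storage   = 20
  username            = "postgres"
  password_wo         = ephemeral.random_password.backend_db.result
  password_wo_version = var.db_password_version
  skip_final_snapshot = true
}
```

The ephemeral result differs between plan and apply, which is harmless because write-only arguments are never compared against state; both resources receive the same apply-phase value, and the password only changes when db_password_version is bumped, so rotation is an explicit, reviewable change rather than a side effect of every apply.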
Donovan1905
approved these changes
Jan 18, 2026
Makes health check endpoints configurable per service instead of hardcoded values. Backend API uses Spring Boot Actuator endpoint while Keycloak uses its native health endpoint.
sroulon-ippon
approved these changes
Jan 19, 2026
Purpose of this PR
Introduces Keycloak authentication service as a containerized Fargate task with dedicated database setup and automated provisioning through a new Lambda function (DB is provisioned inside the backend RDS instance for FinOps).
Establishes secure database connections with proper user roles and permissions, updates network security groups to allow inter-service communication, and configures Route53 DNS routing for the auth subdomain.
Reference issues or tasks
#306