From db1153f56027945300ed2d82b9eb0ee022b2773e Mon Sep 17 00:00:00 2001
From: Siva Kanakala
Date: Tue, 20 Aug 2024 10:28:22 +0530
Subject: [PATCH 1/3] keycloak
---
 Keycloak/README.md | 68 +++++++++++++++++++++++++++++++++++
 Keycloak/cloud-init.sh | 53 +++++++++++++++++++++++++++
 Keycloak/main.tf | 76 +++++++++++++++++++++++++++++++++++++++
 Keycloak/terraform.tfvars | 35 ++++++++++++++++++
 Keycloak/variables.tf | 57 +++++++++++++++++++++++++++++
 5 files changed, 289 insertions(+)
 create mode 100644 Keycloak/README.md
 create mode 100644 Keycloak/cloud-init.sh
 create mode 100644 Keycloak/main.tf
 create mode 100644 Keycloak/terraform.tfvars
 create mode 100644 Keycloak/variables.tf
diff --git a/Keycloak/README.md b/Keycloak/README.md
new file mode 100644
index 0000000..560cca7
--- /dev/null
+++ b/Keycloak/README.md
@@ -0,0 +1,68 @@ +# Keycloak Server Automation with Terraform + +Terraform configurations for automating the deployment of a Keycloak server on AWS. The deployment script provisions an EC2 instance with Keycloak installed and configured, using specified AWS resources and settings. + +## Prerequisites + +Before you begin, ensure you have the following: + +- **Terraform**: Make sure Terraform is installed on your local machine. You can download it from [Terraform's official website](https://www.terraform.io/downloads.html). + + +## Configuration + +1. Clone the Repository + + ``` + git clone + cd + ``` + +2. Update `terraform.tfvars` + + Edit the terraform.tfvars file with your specific AWS and Keycloak configurations: + +4. Initialize Terraform + + Run the following command to initialize Terraform. This will download the necessary provider plugins: + + ``` + terraform init + ``` +6. Plan the Deployment + + Create an execution plan to review the resources that Terraform will create or modify: + ``` + terraform plan + ``` +7. Apply the Configuration + + Apply the Terraform configuration to create the resources: + ``` + terraform apply + ``` + Confirm the action by typing `yes` when prompted. + +## Keycloak Access +Once the deployment is complete, you can access your Keycloak server using the provided domain. +~~~ +Admin URL: https://prefix-keycloak.test.rancher.space +Admin Username: admin +Admin Password: The password specified in `terraform.tfvars`. +~~~ + +Cleanup: + +To remove the resources created by Terraform, run: +``` +terraform destroy +``` +Confirm the action by typing `yes` when prompted. + +# Important Notice + +This deployment is intended for internal use only and is not suitable for production environments or customer deployments. It is provided as-is, without any warranties or guarantees. There is no official support provided by SUSE for this deployment. 
+ +# Additional Information + +Feel free to customize the content further based on your specific project details and preferences. \ No newline at end of file diff --git a/Keycloak/cloud-init.sh b/Keycloak/cloud-init.sh new file mode 100644 index 0000000..18c4cd7 --- /dev/null +++ b/Keycloak/cloud-init.sh @@ -0,0 +1,53 @@ +#!/bin/bash +apt update -y +apt install -y docker* +systemctl enable --now docker.service + + +# Generate certificates using Docker +docker run -v $PWD/certs:/certs \ + -e CA_SUBJECT="My own root CA" \ + -e CA_EXPIRE="1825" \ + -e SSL_EXPIRE="365" \ + -e SSL_SUBJECT="${keycloak_server_name}" \ + -e SSL_DNS="${keycloak_server_name}" \ + -e SILENT="true" \ + superseb/omgwtfssl + +# Combine certificate and CA into fullchain.pem +cat certs/cert.pem certs/ca.pem > certs/fullchain.pem + + +# Set up Keycloak certificates directory +mkdir -p /opt/keycloak/certs +cp certs/fullchain.pem /opt/keycloak/certs/ +cp certs/key.pem /opt/keycloak/certs/ + + +cat < /opt/keycloak/keycloak.yml +version: '3' +services: + keycloak: + image: quay.io/keycloak/keycloak:latest + container_name: keycloak + restart: always + ports: + - 80:8080 + - 443:8443 + volumes: + - ./certs/fullchain.pem:/etc/x509/https/tls.crt + - ./certs/key.pem:/etc/x509/https/tls.key + environment: + - KEYCLOAK_ADMIN=admin + - KEYCLOAK_ADMIN_PASSWORD=${keycloak_password} + - KC_HOSTNAME=${keycloak_server_name} + - KC_HTTPS_CERTIFICATE_FILE=/etc/x509/https/tls.crt + - KC_HTTPS_CERTIFICATE_KEY_FILE=/etc/x509/https/tls.key + command: + - start-dev +EOF + +# Start Keycloak with Docker Compose +curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/bin/docker-compose +chmod +x /usr/bin/docker-compose +docker-compose -f /opt/keycloak/keycloak.yml up diff --git a/Keycloak/main.tf b/Keycloak/main.tf new file mode 100644 index 0000000..4f017ba --- /dev/null +++ b/Keycloak/main.tf 
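Review bot: `KEYCLOAK_ADMIN_PASSWORD=${keycloak_password}` in the compose heredoc means the admin password is rendered into the instance's user-data, which is readable in plaintext from the instance metadata endpoint by any process on the host and by any principal allowed `ec2:DescribeInstanceAttribute`. Prefer fetching the secret at boot from a store such as AWS Secrets Manager or SSM Parameter Store, or at minimum mark the variable `sensitive = true` in variables.tf so it is not echoed in plan output (that alone does not remove it from user-data). Separately, `docker-compose -f /opt/keycloak/keycloak.yml up` runs in the foreground, so cloud-init never reaches completion; `up -d` is presumably intended. The `quay.io/keycloak/keycloak:latest` tag and `start-dev` mode are unpinned and dev-only, which matches the README's internal-use notice but deserves a comment such as `# start-dev: development mode, not hardened for production`.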
@@ -0,0 +1,76 @@ +provider "aws" { + region = var.region + access_key = var.aws_access_key + secret_key = var.aws_secret_key +} + +data "aws_route53_zone" "selected" { + name = var.aws_domain + private_zone = false +} + +data "template_file" "keycloak" { + template = file("cloud-init.sh") + vars = { + keycloak_server_name = "${var.instance_suffix}-keycloak.${var.aws_domain}" + keycloak_password = var.keycloak_password + } +} + +resource "aws_instance" "keycloak" { + ami = var.ami_id + instance_type = var.instance_type + subnet_id = var.subnet_id + vpc_security_group_ids = var.security_group_ids + key_name = var.key_name + + associate_public_ip_address = true + + user_data = data.template_file.keycloak.rendered + + tags = { + Name = "${var.instance_suffix}-keycloak" + } +} + +resource "aws_route53_record" "dns" { + zone_id = data.aws_route53_zone.selected.zone_id + name = "${var.instance_suffix}-keycloak" + type = "A" + ttl = 300 + records = [aws_instance.keycloak.public_ip] +} + +resource "null_resource" "keycloak_readiness_check" { + provisioner "local-exec" { + command = < Date: Tue, 20 Aug 2024 14:06:38 +0530 Subject: [PATCH 2/3] remove default hardcoded region --- Keycloak/terraform.tfvars | 4 ++-- Keycloak/variables.tf | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Keycloak/terraform.tfvars b/Keycloak/terraform.tfvars index 817caab..2cf2eb9 100644 --- a/Keycloak/terraform.tfvars +++ b/Keycloak/terraform.tfvars @@ -1,14 +1,14 @@ # terraform.tfvars # AWS region to deploy the instance -region = "us-east-2" +region = "" # AWS credentials aws_access_key = "" # Replace with your AWS Access Key aws_secret_key = "" # Replace with your AWS Secret Key # EC2 instance type -instance_type = "t3.medium" +instance_type = "" # Name of the SSH key pair to use for the EC2 instance key_name = "" # Replace with your actual key pair name diff --git a/Keycloak/variables.tf b/Keycloak/variables.tf index 92ce7d4..150d796 100644 --- a/Keycloak/variables.tf 
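Review bot: `region = ""` and `instance_type = ""` are not "unset" values — Terraform treats an empty string as an explicit assignment, so the default removed in the variables.tf hunk is never consulted and the user presumably gets a provider or API error about an empty region/instance type instead of a prompt. Delete these two lines from the example, or keep them as comments like `# region = "us-east-2"`, so a missing value surfaces as a clear Terraform prompt or validation error. The surrounding `aws_access_key`/`aws_secret_key` placeholders also invite long-lived credentials into a file that lives next to the code; the AWS provider's default credential chain (`AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` or a shared profile) removes the need for these variables and for the hard-coded `access_key`/`secret_key` in the provider block, and `terraform.tfvars` should be gitignored if it ever holds real values.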
+++ b/Keycloak/variables.tf @@ -1,7 +1,6 @@ variable "region" { description = "AWS region" type = string - default = "us-east-2" } variable "aws_access_key" { From c91d035b09c070f72d7d7a350c24d74ea5e9ee8b Mon Sep 17 00:00:00 2001 From: Siva Kanakala Date: Fri, 23 Aug 2024 21:41:23 +0530 Subject: [PATCH 3/3] update ssl creation with certbot --- Keycloak/cloud-init.sh | 35 ++++++++++++++++------------------- Keycloak/main.tf | 6 +++++- Keycloak/terraform.tfvars | 14 ++++++++++---- Keycloak/variables.tf | 14 ++++++++++---- 4 files changed, 41 insertions(+), 28 deletions(-) diff --git a/Keycloak/cloud-init.sh b/Keycloak/cloud-init.sh index 18c4cd7..086ad6e 100644 --- a/Keycloak/cloud-init.sh +++ b/Keycloak/cloud-init.sh @@ -1,27 +1,19 @@ #!/bin/bash apt update -y -apt install -y docker* +apt install docker* -y systemctl enable --now docker.service +apt install certbot -y -# Generate certificates using Docker -docker run -v $PWD/certs:/certs \ - -e CA_SUBJECT="My own root CA" \ - -e CA_EXPIRE="1825" \ - -e SSL_EXPIRE="365" \ - -e SSL_SUBJECT="${keycloak_server_name}" \ - -e SSL_DNS="${keycloak_server_name}" \ - -e SILENT="true" \ - superseb/omgwtfssl - -# Combine certificate and CA into fullchain.pem -cat certs/cert.pem certs/ca.pem > certs/fullchain.pem - +# Request Certificate. +certbot certonly --non-interactive --standalone -d ${keycloak_server_name} --agree-tos -m ${email} # Set up Keycloak certificates directory mkdir -p /opt/keycloak/certs -cp certs/fullchain.pem /opt/keycloak/certs/ -cp certs/key.pem /opt/keycloak/certs/ +cp /etc/letsencrypt/live/${keycloak_server_name}/fullchain.pem /opt/keycloak/certs +cp /etc/letsencrypt/live/${keycloak_server_name}/privkey.pem /opt/keycloak/certs +chmod 755 /opt/keycloak/certs +chmod 644 /opt/keycloak/certs/* cat < /opt/keycloak/keycloak.yml 
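Review bot: `chmod 644 /opt/keycloak/certs/*` makes the Let's Encrypt private key (`privkey.pem`, copied two lines above) world-readable on the host, whereas certbot by default creates it with owner-only permissions under /etc/letsencrypt. Restrict the key with `chmod 600 /opt/keycloak/certs/privkey.pem` and, if the Keycloak container runs as a non-root UID that must read it, chown the file to that UID rather than opening it to everyone. The `certbot certonly` call is also unchecked: the Route53 A record in main.tf is built from `aws_instance.keycloak.public_ip`, i.e. created after the instance boots, so the HTTP-01 validation is likely to run before the name resolves to this host and the script then silently copies files that do not exist. Consider `set -euo pipefail` at the top and waiting until `getent hosts ${keycloak_server_name}` succeeds before invoking certbot, keeping Let's Encrypt's failed-validation rate limits in mind when retrying; the compose heredoc that starts on the hunk's last line continues outside it.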
@@ -36,7 +28,7 @@ services: - 443:8443 volumes: - ./certs/fullchain.pem:/etc/x509/https/tls.crt - - ./certs/key.pem:/etc/x509/https/tls.key + - ./certs/privkey.pem:/etc/x509/https/tls.key environment: - KEYCLOAK_ADMIN=admin - KEYCLOAK_ADMIN_PASSWORD=${keycloak_password} @@ -47,7 +39,12 @@ services: - start-dev EOF -# Start Keycloak with Docker Compose -curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/bin/docker-compose + + +# Install docker compose +curl -SL https://github.com/docker/compose/releases/download/${docker_compose_version}/docker-compose-linux-x86_64 -o /usr/bin/docker-compose chmod +x /usr/bin/docker-compose + +# Start Keycloak with Docker Compose +cd /opt/keycloak docker-compose -f /opt/keycloak/keycloak.yml up diff --git a/Keycloak/main.tf b/Keycloak/main.tf index 4f017ba..d46e526 100644 --- a/Keycloak/main.tf +++ b/Keycloak/main.tf @@ -14,6 +14,8 @@ data "template_file" "keycloak" { vars = { keycloak_server_name = "${var.instance_suffix}-keycloak.${var.aws_domain}" keycloak_password = var.keycloak_password + docker_compose_version = var.docker_compose_version + email = var.email } } @@ -41,6 +43,8 @@ resource "aws_route53_record" "dns" { records = [aws_instance.keycloak.public_ip] } +# check the keycloak server rediness and print the status + resource "null_resource" "keycloak_readiness_check" { provisioner "local-exec" { command = <
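Review bot: `curl -SL ... -o /usr/bin/docker-compose` lacks `-f`/`--fail`, so a 404 for an unknown `${docker_compose_version}` writes the HTML error page into /usr/bin/docker-compose, which the following `chmod +x` then makes executable; use `curl -fSL ...` and, since this is an unverified binary fetched over the network and run as root, compare it against the checksum the compose release publishes before the chmod. The architecture is now hard-coded to `linux-x86_64` where the removed line used `$(uname -m)`, so the script will presumably break on an arm64 AMI. `docker-compose ... up` still runs in the foreground (no `-d`), which keeps cloud-init from ever finishing; `up -d` is likely what is intended.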