
Keycloak Improvements

Drops keycloak to 1 server
Adds keycloak configuration module
Adds usage notes in update-ami-accounts
Fred Damstra [afs macbook] 4 years ago
parent
commit
0c6cddd5a9

+ 6 - 0
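--- a/bin/update-ami-accounts
+++ b/bin/update-ami-accounts
@@ -12,6 +12,12 @@ Some notes:
          boto3 does not use it.  It uses AWS_DEFAULT_REGION instead.  If your
          $HOME/.aws/config lists a region for a given profile this is not needed.
 
+Quick Common Usage:
+    If you've added an XDR managed account (such as a customer slice account):
+      AWS_PROFILE=mdr-common-services-gov update-ami-accounts MSOC* <account>
+    If you've added a customer account (such as a place for their LCPs)
+      AWS_PROFILE=mdr-common-services-gov update-ami-accounts TODO_DETERMINEWHATGOESHERE <account>
+
 
 Example 1: Let's just run a report of all AMIs matching '*Duane*' in all regions that the
 profile has access to.  Notice the wildcards in quotes so bash won't try to expand them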
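Review bot: The new usage line `update-ami-accounts MSOC* <account>` leaves the wildcard unquoted, which the note three lines below explicitly warns against — if the caller's working directory holds a file matching `MSOC*`, bash expands it and the script receives a filename as its AMI pattern, so a different set of AMIs than intended is presumably granted to the target account. Quote it as the examples do: `AWS_PROFILE=mdr-common-services-gov update-ami-accounts 'MSOC*' <account>`. The second invocation still carries the `TODO_DETERMINEWHATGOESHERE` placeholder, so a reader following "Quick Common Usage" cannot tell which pattern is safe to pass for a customer account; either fill it in or mark that line as not yet usable. The usage text this sits in begins outside the hunk.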

+ 130 - 0
test/aws-us-gov/mdr-test-c2/086-keycloak-configuration/.terraform.lock.hcl

@@ -0,0 +1,130 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.37.0"
+  constraints = "3.37.0"
+  hashes = [
+    "h1:GeRKgHncFkh8vd+Rlq6G/5D7wgfd9LXLYrfNvLiMy48=",
+    "h1:RvLGIfRZfbzY58wUja9B6CvGdgVVINy7zLVBdLqIelA=",
+    "h1:Tf6Os+utUxE8rEr/emCXLFEDdCb0Y6rsN4Ee84+aDCQ=",
+    "h1:mxnOC4CXzhG+/JiAs6u2QTn6ecDBoiZBqxaXwqp2TB0=",
+    "zh:064c9b21bcd69be7a8631ccb3eccb8690c6a9955051145920803ef6ce6fc06bf",
+    "zh:277dd05750187a41282cf6e066e882eac0dd0056e3211d125f94bf62c19c4b8b",
+    "zh:47050211f72dcbf3d99c82147abd2eefbb7238efb94d5188979f60de66c8a3df",
+    "zh:4a4e0d070399a050847545721dae925c192a2d6354802fdfbea73769077acca5",
+    "zh:4cbc46f79239c85d69389f9e91ca9a9ebf6a8a937cfada026c5a037fd09130fb",
+    "zh:6548dcb1ac4a388ed46034a5317fa74b3b0b0f68eec03393f2d4d09342683f95",
+    "zh:75b4a82596aa525d95b0b2847fe648368c6e2b054059c4dc4dcdee01d374b592",
+    "zh:75cf5cc674b61c82300667a82650f56722618b119ab0526b47b5ecbb4bbf49d0",
+    "zh:93c896682359039960c38eb5a4b29d1cc06422f228db0572b90330427e2a21ec",
+    "zh:c7256663aedbc9de121316b6d0623551386a476fc12b8eb77e88532ce15de354",
+    "zh:e995c32f49c23b5938200386e08b2a3fd69cf5102b5299366c0608bbeac68429",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version     = "3.1.0"
+  constraints = ">= 2.2.0, >= 3.1.0"
+  hashes = [
+    "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=",
+    "h1:EPIax4Ftp2SNdB9pUfoSjxoueDoLc/Ck3EUoeX0Dvsg=",
+    "h1:cH1JxJhQqK+FqqkJkmpX9QPC1OD08Bak1fm5IZcnMYw=",
+    "h1:rKYu5ZUbXwrLG1w81k7H3nce/Ys6yAxXhWcbtk36HjY=",
+    "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc",
+    "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626",
+    "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff",
+    "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2",
+    "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992",
+    "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427",
+    "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc",
+    "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f",
+    "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b",
+    "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7",
+    "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version     = "2.2.0"
+  constraints = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "h1:12Bac8B6Aq2+18xe8iqp5iYytav2Bw+jG43z/VaK5zI=",
+    "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=",
+    "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/vault" {
+  version     = "2.19.1"
+  constraints = "2.19.1"
+  hashes = [
+    "h1:04SjcwVTpGqFOAZezd9vmo/ceQGovZL/Cb9kVPjQscQ=",
+    "h1:3LNNXigzNkIAALc1v8uRfKmjzlUYyfQH+r/N5plUUeA=",
+    "h1:Sqdnqh2CHtEEVdTQom0+qQsgn+gjnVZXk6Xb9iOPQi4=",
+    "h1:yz5QWTvycJvjR3Z5EaCLF6UC8hugPAz2eIy9NzymPoI=",
+    "zh:0c6ca9d49bc116788015bbf83f7e8e405e4e63bfd9dd198f29d501632bc7d79f",
+    "zh:1f13cbe8d6b98a9e0392c72320cd86d5253a09f3c45fe9f4baa2b71660621d1e",
+    "zh:365d07bec517cb17523526c3a6f1bd23dbedb7fe8868d28976998c5eff3b9932",
+    "zh:3ac807ce39cd11d5a573377b868bc547f1f24ac2fb7bf3d7e1ec5a62ead7c31f",
+    "zh:5eb21cf4628353fcbd44231b92d1e027340af98b2ba02aaa01d91b07989caa8c",
+    "zh:66bed701cd0372b864ba656c9a01deb15e6cd7ac4390a3933e034a01f7bbe703",
+    "zh:8dd523de854b59f7e837102064f23fcf33ee69d4d46feeb5a67796b7ba03d003",
+    "zh:a514911915ab7d7b5fda18a7ca1404ca0496a54088a6ef52e0b92e4e0d7ff85e",
+    "zh:b4020c332c2b5b992f56d0e3e7b4940f7dab63f2af5558d913e79834b90b4d80",
+    "zh:bdb1c77d22e7accedf4b501f139c306c46dcb58ff693b9a6dcaef356c6749ee1",
+  ]
+}
+
+provider "registry.terraform.io/jtopjian/sensu" {
+  version     = "0.10.5"
+  constraints = "0.10.5"
+  hashes = [
+    "h1:/i+iYOhp7+nC7rZHJcQ4TWf4POHGhbwShPuvyko+/0s=",
+    "h1:DwoEsKZDLh315Q99LFdnzgqJR0kNHTBeUC9rZRJP2iU=",
+    "h1:MGRbVNP4L1FNXzAKUwBTUu9loNUGmRJQSndDrubRm7o=",
+    "h1:ZMsKGpRtwCSpkxZrpB4jFMxJ+RQCMs9Xed+RLPzMTm4=",
+    "zh:3225f4916085c97dd49deab54a8a590f6d32f9e7b07c4781e1da7a639bacc412",
+    "zh:45dc4d6edd2943f77967bd50065070e3eece274b9a32a5de4541b80609d53aaf",
+    "zh:4a35d980af50e4e86935fe3e1a55baf917f46921bea288abc53f438dc334ada2",
+    "zh:6b1bee30e0d0c2713ae684920c3a9ae0d01bb847e616358e254412b382671d4c",
+    "zh:7f0d10555eff2748c03a5642e785be3624e304cc174874c6ab52cb05041efecf",
+    "zh:7f70a20b92759afd7f5dd9b4877328b657545377e4e6e1f67c9b55e883d08b81",
+    "zh:844c3b405620779d06871d9ca9f84fa3745bbae668af8bd790504fd4649fbb7a",
+    "zh:95aba67c1ccdf6dd3f75c257f1a91e936fbd0ddb47b21fc85e90b7204abe7c05",
+    "zh:97f20679d06fcf74c6dbb30930541c8e12e07e8210213b4437d6b79034b8b60d",
+    "zh:c77dd3019a11eb7e047a09e38d8347de1bd1fecc7893c2f52512ede811ab7103",
+    "zh:c86d3aa646335ac7d5bb85475e7be115b62adc8d06ab4fb962c7f2874a1b5108",
+  ]
+}
+
+provider "registry.terraform.io/mrparkers/keycloak" {
+  version     = "3.0.1"
+  constraints = "3.0.1"
+  hashes = [
+    "h1:IrAwRXe/8Wp/qdN8BLmA3fOtn8fTe9GOM72NiPduQ9s=",
+    "zh:1126fd3b851b9764b68251259629de5433da9fe84b5a41c747819cfd53b07227",
+    "zh:1a8a6777016d53011dd773c90880ba8521f344965b8b7bf82c5f9a9d9ba1c099",
+    "zh:5c6ec73033c794d5cc0a0c3abd7547a2bf9c62385feaa1459b7115e8010d8903",
+    "zh:69ddff873d308bd6429bf4ccdb7b50a4ae9cf02eb19d30288edfccc201f72eb5",
+    "zh:6b739f3eeb69bb1beab75812678059a86263788cbd8e1279cb3753ff9369a4aa",
+    "zh:8d10b0bbeb85272dae0ae7dc7d59c3161e10fd32bcc504dc01535d286bcf08d5",
+    "zh:bf9aea83a2d8165e2d6b68b4b88c53b5639ee02f7a363c4bf1f1a0c4bd23cb4c",
+    "zh:c22059482ae6e37571ea0538dfb449407ad7c27b70ffa7384f8242ae0bbeea54",
+    "zh:c44960a402372dbfe077f966ff1d2eec4bcdc83920b6e5974ac28ca214928f78",
+    "zh:c766bdb154e98698d777466a97d36cb04d46835283f74e472bf405a9d05ac078",
+    "zh:e1ae3c37887be3a29eaf705851fd92128ff772038cc2c611fcb8e602134175f2",
+    "zh:f82aaa8b8595e277731d1af6f1dd16b154a17402aeacde27abe96903494c5f15",
+  ]
+}

+ 6 - 0
test/aws-us-gov/mdr-test-c2/086-keycloak-configuration/README.md

@@ -0,0 +1,6 @@
+Apply via:
+```
+KEYCLOAK_URL=https://10.x.x.x:8443 KEYCLOAK_CLIENT_SECRET=blah terragrunt apply
+```
+
+You *must* use the IP address and not the hostname, or DNS resolution will fail (for whatever reason, it doesn't use the VPN). You should only need to run against one server.

+ 81 - 0
test/aws-us-gov/mdr-test-c2/086-keycloak-configuration/terragrunt.hcl

@@ -0,0 +1,81 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.xdr.accenturefederalcyber.com:mdr-engineering/xdr-terraform-modules.git//base/keycloak-configuration?ref=v1.25.0"
+}
+
+generate "required_providers" {
+  path      = "required_provider.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+terraform {
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+      version = "= 3.37.0" # 2021-04-29: upgrade from 2.66
+    }
+    template = {
+      source = "hashicorp/template"
+      version = "= 2.2.0" # 2021-04-29: ugprade from 2.1.0
+    }
+    vault = {
+      source = "hashicorp/vault"
+      version = "= 2.19.1" # 2021-04-29: upgrade from 2.18.0
+    }
+    sensu = {
+      source = "jtopjian/sensu"
+      version = "= 0.10.5"
+    }
+    keycloak = {
+      source = "mrparkers/keycloak"
+      version = "= 3.0.1"
+    }
+  }
+}
+EOF
+}
+
+generate "provider-keycloak" {
+  path      = "provider-keycloak.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "keycloak" {
+   client_id     = "terraform"
+   # Specify the secret in the environment variable KEYCLOAK_CLIENT_SECRET
+   #client_secret = blahblahblah
+   # Specify the url in the environment variable KEYCLOAK_URL
+   #url           = "http://keycloak-0.pvt.xdrtest.accenturefederalcyber.com:8443"
+   tls_insecure_skip_verify = true # Should probably specify the CA
+}
+EOF
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Purpose = "Identity Provider Configuration",
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+}
+terraform_version_constraint = "= 0.15.1"
+terragrunt_version_constraint = ">= 0.29, < 0.30"
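Review bot: The generated keycloak provider sets `tls_insecure_skip_verify = true`, which disables certificate validation on the connection that carries the `terraform` client's secret (KEYCLOAK_CLIENT_SECRET) to the Keycloak admin API, so anyone able to interpose on the path to the server can capture admin-level credentials for the identity provider. The README's instruction to connect by IP rather than hostname is presumably what makes verification fail (name mismatch against the certificate), and skipping verification masks that rather than fixing it. Replace the flag with the provider's CA argument, e.g. `root_ca_certificate = file("keycloak-ca.pem")` (confirm that argument is available in mrparkers/keycloak 3.0.1), and connect by the name the certificate is issued for, so the `# Should probably specify the CA` comment can be retired. Separately, the module source is pinned to the `v1.25.0` tag, which a repository write can move; pinning `ref=` to a commit SHA makes the fetched module content reproducible.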

+ 1 - 1
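--- a/test/aws-us-gov/mdr-test-c2/account.hcl
+++ b/test/aws-us-gov/mdr-test-c2/account.hcl
@@ -174,7 +174,7 @@ locals {
   bastion_instance_type = "t3a.micro"
 
   # Keycloak
-  keycloak_instance_count = 2
+  keycloak_instance_count = 1 # May or may not support > 1
 
   # Salt Master
   salt_master_instance_type = "t3a.large"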
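Review bot: `keycloak_instance_count = 1` makes the identity provider a single point of failure for this environment, and the trailing `# May or may not support > 1` does not say what is unsupported, so the next reader cannot tell whether raising the count again is safe. Record the actual constraint, e.g. `# 1 node: keycloak-configuration is applied against a single server (086-keycloak-configuration/README.md); verify Keycloak clustering/replication before raising this`. If the limitation is in the configuration module rather than in clustering the servers, state that instead.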