
Merge pull request #219 from mdr-engineering/feature/ftd_MSOCI-1781_KeyCloakDeployment

Initial Revamp of Keycloak into a "Deployment"
Frederick Damstra il y a 4 ans
Parent
commit
041220532e

+ 0 - 11
base/keycloak-single-instance/outputs.tf

@@ -1,11 +0,0 @@
-output instance_arn {
-  value = aws_instance.instance.arn
-}
-
-output instance_public_ip {
-  value = aws_eip.instance.public_ip
-}
-
-output instance_private_ip {
-  value = aws_instance.instance.private_ip
-}

+ 0 - 115
base/keycloak-single-instance/security-groups.tf

@@ -1,115 +0,0 @@
-# Rather than pass in the aws security group, we just look it up. This will
-# probably be useful other places, as well.
-data "aws_security_group" "typical-host" {
-  name   = "typical-host"
-  vpc_id = var.vpc_id
-}
-
-# For now, opening everything:
-#   ajp port: 8009
-#   http: 8080
-#   https: 8443
-#   mgmt-http: 9990
-#   mgmt-https: 9993
-#   txn-recovery-environment: 4712
-#   txn-status-manager: 4713
-#
-#   Also opening 80 and 443 for certbot
-
-resource "aws_security_group" "instance" {
-  name = "instance-${var.instance_name}"
-  description = "Instances of type ${var.instance_name}"
-  vpc_id = var.vpc_id
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_security_group_rule" "instance-http-in" {
-  description = ""
-  type = "ingress"
-  from_port = "80"
-  to_port = "80"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-https-in" {
-  description = ""
-  type = "ingress"
-  from_port = "443"
-  to_port = "443"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-ajp-in" {
-  description = ""
-  type = "ingress"
-  from_port = "8009"
-  to_port = "8009"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-alt-http-in" {
-  description = ""
-  type = "ingress"
-  from_port = "8080"
-  to_port = "8080"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-alt-https-in" {
-  description = ""
-  type = "ingress"
-  from_port = "8443"
-  to_port = "8443"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-mgmt-http-in" {
-  description = ""
-  type = "ingress"
-  from_port = "9990"
-  to_port = "9990"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-mgmt-https-in" {
-  description = ""
-  type = "ingress"
-  from_port = "9993"
-  to_port = "9993"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-resource "aws_security_group_rule" "instance-txn-in" {
-  description = ""
-  type = "ingress"
-  from_port = "4712"
-  to_port = "4713"
-  protocol = "tcp"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}
-
-# lock down before production, but I couldn't get letsencrypt to work with the proxy
-resource "aws_security_group_rule" "instance-all-out" {
-  description = ""
-  type = "egress"
-  from_port = "-1"
-  to_port = "-1"
-  protocol = "-1"
-  cidr_blocks = [ "0.0.0.0/0" ]
-  security_group_id = aws_security_group.instance.id
-}

+ 0 - 0
base/keycloak-single-instance/amis.tf → base/keycloak/amis.tf


+ 31 - 0
base/keycloak/certificate.tf.disabled

@@ -0,0 +1,31 @@
+#Certificate 
+resource "aws_acm_certificate" "cert" {
+  domain_name       = "keycloak.${var.dns_info["public"]["zone"]}"
+  validation_method = "DNS"
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_acm_certificate_validation" "cert" {
+  certificate_arn         = aws_acm_certificate.cert.arn
+  validation_record_fqdns = [for record in aws_route53_record.cert_validation: record.fqdn]
+}
+
+resource "aws_route53_record" "cert_validation" {
+  provider = aws.mdr-common-services-commercial
+
+  for_each = {
+    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = var.dns_info["public"]["zone_id"]
+}

+ 0 - 0
base/keycloak-single-instance/cloud-init/cloud-init.tpl → base/keycloak/cloud-init/cloud-init.tpl


+ 96 - 0
base/keycloak/elbclassic.tf

@@ -0,0 +1,96 @@
+module "public_dns_record" {
+  source = "../../submodules/dns/public_ALIAS_record"
+
+  name = "keycloak.${var.dns_info["public"]["zone"]}"
+  target_dns_name = aws_elb.external.dns_name
+  target_zone_id  = aws_elb.external.zone_id
+  dns_info = var.dns_info
+
+  providers = {
+    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
+  }
+}
+
+resource "aws_elb" "external" {
+  name = "keycloak-external-elb"
+  subnets     = var.public_subnets
+  security_groups  = [ aws_security_group.elb_external.id ]
+
+  access_logs {
+    bucket  = "xdr-elb-${ var.environment }"
+    enabled = true
+  }
+
+  # We want client certs, so SSL must be terminated on the instance
+  listener {
+    instance_port      = 8443
+    instance_protocol  = "TCP"
+    lb_port            = 443
+    lb_protocol        = "TCP"
+    #ssl_certificate_id = aws_acm_certificate.cert.arn
+  }
+
+  listener {
+    instance_port      = 80
+    instance_protocol  = "HTTP"
+    lb_port            = 8080
+    lb_protocol        = "HTTP"
+  }
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "HTTPS:8443/"
+    interval            = 10
+  }
+
+  cross_zone_load_balancing   = true
+  idle_timeout                = 300
+  connection_draining         = true
+  connection_draining_timeout = 300
+
+  tags = merge(var.standard_tags, var.tags)
+}
+
+# Create a new load balancer attachment
+resource "aws_elb_attachment" "external_attachment" {
+  count    = var.keycloak_instance_count
+  elb      = aws_elb.external.id
+  instance = aws_instance.instance[count.index].id
+}
+
+# No stickiness on TCP
+#resource "aws_lb_cookie_stickiness_policy" "external" {
+#  name          = "Stickiness"
+#  load_balancer = aws_elb.external.name
+#  lb_port       = 443
+#  cookie_expiration_period = 600
+#}
+
+# No policy on TCP
+## Seems like there should be an easier way for terraform to assign the default policy, but
+## this is how it's done according to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/load_balancer_listener_policy
+#resource "aws_load_balancer_policy" "elb_external_ssl_policy" {
+#  load_balancer_name = aws_elb.external.name
+#  policy_name        = "CopyOfELBSecurityPolicy-TLS-1-1-2017-01"
+#  policy_type_name   = "SSLNegotiationPolicyType"
+#
+#  policy_attribute {
+#    name  = "Reference-Security-Policy"
+#    value = "ELBSecurityPolicy-TLS-1-1-2017-01" # ALBs have a (superior?) "ELBSecurityPolicy-FS-1-2-Res-2019-08", but this will have to do for ELB
+#  }
+#}
+#
+#resource "aws_load_balancer_listener_policy" "elb-external-listener-policies-443" {
+#  load_balancer_name = aws_elb.external.name
+#  load_balancer_port = 443
+#
+#  policy_names = [
+#    aws_load_balancer_policy.elb_external_ssl_policy.policy_name
+#  ]
+#}
+
+### Client Certificate Configuration
+#
+# No AWS LBs support client certificates, unfortunately.
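Review bot: The second listener (`lb_port = 8080`, `instance_port = 80`) matches neither security group in this commit: `elb_external` admits inbound 80 and 443 only, and its egress rules together with `instance-alt-http-in-from-elb` allow only 8080 and 8443 toward the instances, so traffic on this listener is dropped at both hops while the permitted port 80 has no listener at all. If the intent is the plain-HTTP redirect described by the `elb-http-in` rule, the listener should read `lb_port = 80` and `instance_port = 8080`; otherwise the rules in `security-groups-elb.tf` need to follow the listener. The `access_logs` bucket `xdr-elb-${ var.environment }` is referenced but not created anywhere in this change, so the apply presumably depends on it already existing and the file should say so.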

+ 36 - 28
base/keycloak-single-instance/main.tf → base/keycloak/main.tf

@@ -9,24 +9,28 @@ data "aws_kms_key" "ebs-key" {
 }
 
 resource "aws_network_interface" "instance" {
-  subnet_id = var.subnets[0]
+  count = var.keycloak_instance_count
+  subnet_id = var.public_subnets[count.index % 3]
   security_groups = [ data.aws_security_group.typical-host.id, aws_security_group.instance.id ]
-  description = var.instance_name
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  description = "keycloak-${count.index}"
+  tags = merge(var.standard_tags, var.tags, { Name = "keycloak-${count.index}" })
 }
 
 resource "aws_eip" "instance" {
+  count = var.keycloak_instance_count
   vpc = true
-  tags = merge(var.standard_tags, var.tags, { Name = var.instance_name })
+  tags = merge(var.standard_tags, var.tags, { Name = "keycloak-${count.index}" })
 }
 
 resource "aws_eip_association" "instance" {
-  network_interface_id = aws_network_interface.instance.id
-  allocation_id = aws_eip.instance.id
+  count = var.keycloak_instance_count
+  network_interface_id = aws_network_interface.instance[count.index].id
+  allocation_id = aws_eip.instance[count.index].id
 }
 
 resource "aws_instance" "instance" {
-  #availability_zone = var.azs[count.index % 2]
+  count = var.keycloak_instance_count
+  
   tenancy = "default"
   ebs_optimized = true
   disable_api_termination = var.instance_termination_protection
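Review bot: `subnet_id = var.public_subnets[count.index % 3]` hard-codes three subnets; with fewer entries in `var.public_subnets` the index goes out of range, and with more, the extra subnets are never used. `subnet_id = var.public_subnets[count.index % length(var.public_subnets)]` follows the variable instead. The same hunk also gives every instance an EIP in a public subnet even though client traffic now arrives through the ELB; whether the hosts still need direct public addresses is worth a comment, since it exposes them to whatever `typical-host` permits in addition to the ELB path. The `aws_instance` block continues past the end of this hunk.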
@@ -73,7 +77,6 @@ resource "aws_instance" "instance" {
     encrypted = true
     kms_key_id = data.aws_kms_key.ebs-key.arn
     snapshot_id = local.block_device_mappings[local.ami_selection]["/dev/xvdn"].ebs.snapshot_id
-
   }
   ebs_block_device {
     # /var
@@ -123,19 +126,21 @@ resource "aws_instance" "instance" {
 
   network_interface {
     device_index = 0
-    network_interface_id = aws_network_interface.instance.id
+    network_interface_id = aws_network_interface.instance[count.index].id
   }
 
-  user_data = data.template_cloudinit_config.cloud_init_config.rendered
-  tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
-  volume_tags = merge( var.standard_tags, var.tags, { Name = var.instance_name })
+  user_data = data.template_cloudinit_config.cloud_init_config[count.index].rendered
+  tags = merge( var.standard_tags, var.tags, { Name = "keycloak-${count.index}" })
+  volume_tags = merge( var.standard_tags, var.tags, { Name = "keycloak-${count.index}" })
 }
 
 module "private_dns_record" {
+  count = var.keycloak_instance_count
+
   source = "../../submodules/dns/private_A_record"
 
-  name = var.instance_name
-  ip_addresses = [ aws_instance.instance.private_ip ]
+  name = "keycloak-${count.index}"
+  ip_addresses = [ aws_instance.instance[count.index].private_ip ]
   dns_info = var.dns_info
   reverse_enabled = var.reverse_enabled
 
@@ -144,26 +149,28 @@ module "private_dns_record" {
   }
 }
 
-module "public_dns_record" {
-  source = "../../submodules/dns/public_A_record"
-
-  name = var.instance_name
-  ip_addresses = [ aws_eip.instance.public_ip ]
-  dns_info = var.dns_info
-
-  providers = {
-    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
-  }
-}
+#module "public_dns_record" {
+#  source = "../../submodules/dns/public_A_record"
+#
+#  name = var.instance_name
+#  ip_addresses = [ aws_eip.instance.public_ip ]
+#  dns_info = var.dns_info
+#
+#  providers = {
+#    aws.mdr-common-services-commercial = aws.mdr-common-services-commercial
+#  }
+#}
 
 #The Cloud init data is to prepare the instance for use. 
 data "template_file" "cloud_init" {
+  count = var.keycloak_instance_count
+
   # Should these be in a common directory? I suspect they'd be reusable
   template = file("${path.module}/cloud-init/cloud-init.tpl")
 
   vars = {
-    hostname = var.instance_name
-    fqdn = "${var.instance_name}.${var.dns_info["private"]["zone"]}"
+    hostname = "keycloak-${count.index}"
+    fqdn = "keycloak-${count.index}.${var.dns_info["private"]["zone"]}"
     environment = var.environment
     salt_master  = var.salt_master
     proxy = var.proxy
@@ -176,6 +183,7 @@ data "template_file" "cloud_init" {
 # Render a multi-part cloud-init config making use of the part
 # above, and other source files
 data "template_cloudinit_config" "cloud_init_config" {
+  count = var.keycloak_instance_count
   gzip          = true
   base64_encode = true
 
@@ -183,6 +191,6 @@ data "template_cloudinit_config" "cloud_init_config" {
   part {
     filename     = "init.cfg"
     content_type = "text/cloud-config"
-    content      = data.template_file.cloud_init.rendered
+    content      = data.template_file.cloud_init[count.index].rendered
   }
 }

+ 16 - 0
base/keycloak/outputs.tf

@@ -0,0 +1,16 @@
+output db_password {
+  value = random_password.password.result
+  sensitive = true # To get this output, request it specifically with `terragrunt output db_password`
+}
+
+#output instance_arn {
+#  value = aws_instance.instance.arn
+#}
+#
+#output instance_public_ip {
+#  value = aws_eip.instance.public_ip
+#}
+#
+#output instance_private_ip {
+#  value = aws_instance.instance.private_ip
+#}
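Review bot: The commented-out outputs still reference `aws_instance.instance.arn` and `aws_eip.instance.public_ip` as single resources, but both carry `count` in `main.tf` after this commit, so re-enabling them as written would fail; if they are kept they should read `aws_instance.instance[*].arn` and `aws_eip.instance[*].public_ip`. The comment on `db_password` could also note that `sensitive = true` only redacts plan and apply output; the value is still stored in the Terraform state, so the state backend's access controls are what protect it.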

+ 19 - 0
base/keycloak/rds-key.tf

@@ -0,0 +1,19 @@
+locals {
+  # For the default EBS key, we allow the entire account access
+  root_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
+}
+
+module "keycloak_key" {
+  source = "../../submodules/kms/ebs-key"
+
+  name = "keycloak_key"
+  alias = "alias/keycloak"
+  description = "encrypt and decrypt the keycloak RDS" 
+  tags = merge(var.standard_tags, var.tags)
+  key_admin_arns = [ ]
+  key_user_arns = concat([ local.root_arn ], var.extra_key_users)
+  key_attacher_arns = concat([ local.root_arn ], var.extra_key_attachers)
+  standard_tags = var.standard_tags
+  aws_account_id = var.aws_account_id
+  aws_partition = var.aws_partition
+}
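Review bot: The comment above `root_arn` says `For the default EBS key`, but this file provisions the RDS key, so it reads as a stale copy; `# Account root principal, granted use of the Keycloak RDS key below` would match what the code does. `key_admin_arns = [ ]` leaves key administration to whatever the `ebs-key` submodule grants on its own; that module is not visible here, so it is worth confirming the resulting key policy still names an administrator, otherwise the key cannot be managed later.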

+ 26 - 0
base/keycloak/rds-security-groups.tf

@@ -0,0 +1,26 @@
+resource "aws_security_group" "keycloak_rds_sg" {
+  name = "${var.identifier}_rds_sg"
+  description = "Security Group for KeyCloak RDS"
+  vpc_id = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_security_group_rule" "keycloak_rds_in" {
+  description = "Inbound Postgres"
+  type = "ingress"
+  from_port = 5432
+  to_port = 5432
+  protocol = "tcp"
+  cidr_blocks = var.cidr_map["vpc-public"]
+  security_group_id = aws_security_group.keycloak_rds_sg.id
+}
+
+resource "aws_security_group_rule" "keycloak_security_in" {
+  description = "Inbound From Scanners"
+  type = "ingress"
+  from_port =  0
+  to_port = 65535
+  protocol = "-1"
+  cidr_blocks = var.cidr_map["vpc-scanners"]
+  security_group_id = aws_security_group.keycloak_rds_sg.id
+}
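Review bot: `keycloak_rds_in` opens Postgres to the whole `vpc-public` CIDR range, although the only intended clients are the Keycloak instances, which already have their own security group in this commit. Replacing `cidr_blocks = var.cidr_map["vpc-public"]` with `source_security_group_id = aws_security_group.instance.id` limits the database to those hosts and survives subnet changes. The scanner rule (`protocol = "-1"`, ports 0–65535) is broad by design, but the description should say so: `description = "Inbound from scanners (all ports, vulnerability scanning)"`.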

+ 84 - 0
base/keycloak/rds.tf

@@ -0,0 +1,84 @@
+data "aws_rds_certificate" "latest" {
+  latest_valid_till = true
+}
+
+locals {
+  # GovCloud and Commercial use different CA certs
+  ca_cert_identifier = var.aws_partition == "aws" ? "rds-ca-2019" : "rds-ca-2017"
+}
+
+output "ca_cert_identifier" {
+  value = {
+    "current": local.ca_cert_identifier,
+    "latest":  data.aws_rds_certificate.latest.id
+  }
+}
+
+resource "random_password" "password" {
+  keepers          = {
+    "version": 1 # increment to change the password
+    # n.b. you could add other stuff to make this change automatically, e.g.
+    # "instance_type": var.instance_type
+    # Would then change this password every time the instance type changes.
+  }
+  length           = 32
+  special          = true
+  min_lower = 1
+  min_numeric = 1
+  min_upper = 1
+  min_special = 1
+  override_special = "~!@%^()-_+"
+}
+
+module "keycloak_db" {
+  source = "terraform-aws-modules/rds/aws"
+  version = "~> v2.0"
+
+  identifier = var.identifier # this is the RDS identifier, not the DB name
+  name = "keycloak" # the DB name
+
+  engine             = "postgres"
+  engine_version     = "12.5"
+  instance_class     = var.db_instance_type
+  allocated_storage  = var.rds_storage
+  storage_encrypted  = true
+  kms_key_id = module.keycloak_key.key_arn
+  ca_cert_identifier = local.ca_cert_identifier
+
+  # NOTE: Do NOT use 'user' as the value for 'username' as it throws:
+  # "Error creating DB Instance: InvalidParameterValue: MasterUsername
+  # user cannot be used as it is a reserved word used by the engine"
+  username = "keycloak"
+  password = random_password.password.result
+
+  port     = "5432"
+  create_random_password = true
+  random_password_length = 32
+
+  vpc_security_group_ids = [ aws_security_group.keycloak_rds_sg.id ]
+
+  backup_window      = "00:00-03:00"
+  maintenance_window = "Mon:03:00-Mon:06:00"
+
+  # disable backups to create DB faster
+  backup_retention_period = var.environment == "test" ? 0 : 35
+
+  tags = merge(var.standard_tags, var.tags)
+
+  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+
+  # DB subnet group
+  subnet_ids = var.private_subnets
+
+  # DB parameter group
+  family = "postgres12"
+
+  # DB option group
+  major_engine_version = "12"
+
+  # Snapshot name upon DB deletion
+  final_snapshot_identifier = "${var.identifier}-final-snapshot"
+
+  # Database Deletion Protection
+  deletion_protection = var.instance_termination_protection
+}
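Review bot: `password = random_password.password.result` and `create_random_password = true` conflict: as I read the upstream `terraform-aws-modules/rds/aws` v2 module, when `create_random_password` is set the module generates its own master password and ignores `password`, so the `db_password` output in `outputs.tf` would not be the credential actually set on the instance. Either drop `create_random_password` and `random_password_length` and keep the local `random_password`, or drop the local resource and expose the module's generated password instead. A short comment on `ca_cert_identifier` pointing at the `ca_cert_identifier` output (`# compare "current" vs "latest" in the output when rotating the CA`) would make the hard-coded `rds-ca-2019`/`rds-ca-2017` values easier to maintain.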

+ 46 - 0
base/keycloak/security-groups-elb.tf

@@ -0,0 +1,46 @@
+resource "aws_security_group" "elb_external" {
+  name = "Keycloak ELB"
+  description = "Keycloak Instances"
+  vpc_id = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_security_group_rule" "elb-http-in" {
+  description = "Inbound HTTP, for redirect only"
+  type = "ingress"
+  from_port = "80"
+  to_port = "80"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.elb_external.id
+}
+
+resource "aws_security_group_rule" "elb-https-in" {
+  description = "Inbound HTTPS, where the magic happens"
+  type = "ingress"
+  from_port = "443"
+  to_port = "443"
+  protocol = "tcp"
+  cidr_blocks = [ "0.0.0.0/0" ]
+  security_group_id = aws_security_group.elb_external.id
+}
+
+resource "aws_security_group_rule" "elb-alt-http-to-instances" {
+  description = ""
+  type = "egress"
+  from_port = "8080"
+  to_port = "8080"
+  protocol = "TCP"
+  security_group_id = aws_security_group.elb_external.id
+  source_security_group_id = aws_security_group.instance.id
+}
+
+resource "aws_security_group_rule" "elb-alt-https-to-instances" {
+  description = ""
+  type = "egress"
+  from_port = "8443"
+  to_port = "8443"
+  protocol = "TCP"
+  security_group_id = aws_security_group.elb_external.id
+  source_security_group_id = aws_security_group.instance.id
+}
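Review bot: The two egress rules carry `description = ""` while the ingress rules in the same file describe their purpose; `description = "Alt HTTP to Keycloak instances"` and `description = "Alt HTTPS to Keycloak instances"` would match. `protocol = "TCP"` also differs in case from `"tcp"` in every other rule of this commit; the provider accepts both, but the lowercase form keeps the files consistent. The mismatch between these ports and the `lb_port = 8080` listener is raised on `elbclassic.tf`.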

+ 135 - 0
base/keycloak/security-groups.tf

@@ -0,0 +1,135 @@
+# Rather than pass in the aws security group, we just look it up. This will
+# probably be useful other places, as well.
+data "aws_security_group" "typical-host" {
+  name   = "typical-host"
+  vpc_id = var.vpc_id
+}
+
+# For now, opening everything:
+#   ajp port: 8009
+#   http: 8080
+#   https: 8443
+#   mgmt-http: 9990
+#   mgmt-https: 9993
+#   txn-recovery-environment: 4712
+#   txn-status-manager: 4713
+#
+#   Also opening 80 and 443 for certbot
+
+resource "aws_security_group" "instance" {
+  name = "Keycloak"
+  description = "Keycloak Instances"
+  vpc_id = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+#resource "aws_security_group_rule" "instance-http-in" {
+#  description = ""
+#  type = "ingress"
+#  from_port = "80"
+#  to_port = "80"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+#
+#resource "aws_security_group_rule" "instance-https-in" {
+#  description = ""
+#  type = "ingress"
+#  from_port = "443"
+#  to_port = "443"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+#
+#resource "aws_security_group_rule" "instance-ajp-in" {
+#  description = ""
+#  type = "ingress"
+#  from_port = "8009"
+#  to_port = "8009"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+
+resource "aws_security_group_rule" "instance-alt-http-in-from-access" {
+  description = "Alt HTTP from access"
+  type = "ingress"
+  from_port = "8080"
+  to_port = "8080"
+  protocol = "tcp"
+  cidr_blocks = var.cidr_map["vpc-access"]
+  security_group_id = aws_security_group.instance.id
+}
+
+resource "aws_security_group_rule" "instance-alt-http-in-from-elb" {
+  description = "Alt HTTP from ELB"
+  type = "ingress"
+  from_port = "8080"
+  to_port = "8080"
+  protocol = "tcp"
+  security_group_id = aws_security_group.instance.id
+  source_security_group_id = aws_security_group.elb_external.id
+}
+
+resource "aws_security_group_rule" "instance-alt-https-in-from-access" {
+  description = "Alt HTTPS from Access"
+  type = "ingress"
+  from_port = "8443"
+  to_port = "8443"
+  protocol = "tcp"
+  cidr_blocks = var.cidr_map["vpc-access"]
+  security_group_id = aws_security_group.instance.id
+}
+
+resource "aws_security_group_rule" "instance-alt-https-in-from-elb" {
+  description = "Alt HTTPS from ELB"
+  type = "ingress"
+  from_port = "8443"
+  to_port = "8443"
+  protocol = "tcp"
+  security_group_id = aws_security_group.instance.id
+  source_security_group_id = aws_security_group.elb_external.id
+}
+
+#resource "aws_security_group_rule" "instance-mgmt-http-in" {
+#  description = ""
+#  type = "ingress"
+#  from_port = "9990"
+#  to_port = "9990"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+#
+#resource "aws_security_group_rule" "instance-mgmt-https-in" {
+#  description = ""
+#  type = "ingress"
+#  from_port = "9993"
+#  to_port = "9993"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+#
+#resource "aws_security_group_rule" "instance-txn-in" {
+#  description = ""
+#  type = "ingress"
+#  from_port = "4712"
+#  to_port = "4713"
+#  protocol = "tcp"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
+#
+## lock down before production, but I couldn't get letsencrypt to work with the proxy
+#resource "aws_security_group_rule" "instance-all-out" {
+#  description = ""
+#  type = "egress"
+#  from_port = "-1"
+#  to_port = "-1"
+#  protocol = "-1"
+#  cidr_blocks = [ "0.0.0.0/0" ]
+#  security_group_id = aws_security_group.instance.id
+#}
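Review bot: The header comment (`For now, opening everything:` ... `Also opening 80 and 443 for certbot`) no longer describes this file: the only active ingress rules admit 8080 and 8443 from `vpc-access` and from the ELB security group, and the 80/443/AJP/management/transaction rules are commented out. Replace it with the current posture, e.g. `# Ingress: 8080/8443 from the access VPC range and from the ELB SG only; all other ports closed`. The `instance-all-out` egress rule is commented out as well, so this group defines no egress at all; if outbound traffic is expected to come from `typical-host`, say so in a comment, since the cloud-init vars reference a salt master and a proxy the hosts must reach. Deleting the dead blocks instead of carrying them as comments would also make the active rule set easier to audit.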

+ 35 - 3
base/keycloak-single-instance/vars.tf → base/keycloak/vars.tf

@@ -1,13 +1,40 @@
-variable "instance_name" {
-  description = "Hostname, DNS entry, etc."
+variable extra_key_users {
+  description = "Extra encryption key users."
+  type = list
+  default = [ ]
+}
+
+variable extra_key_attachers {
+  description = "Extra encryption key attachers."
+  type = list
+  default = [ ]
+}
+
+variable identifier {
+  description = "RDS Identifier"
   type = string
+  default = "keycloak"
+}
+
+variable rds_storage {
+  type = number
+  default = 10
+}
+
+variable "keycloak_instance_count" {
+  description = "how many instances"
+  type = number
 }
 
 variable "azs" {
   type = list(string)
 }
 
-variable "subnets" {
+variable "private_subnets" {
+  type = list(string)
+}
+
+variable "public_subnets" {
   type = list(string)
 }
 
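Review bot: `extra_key_users` and `extra_key_attachers` use the untyped `type = list`, while the rest of this file uses `list(string)`; `type = list(string)` keeps them consistent and rejects non-string ARNs at plan time. `rds_storage` here and `db_instance_type` in the second hunk have no `description`, unlike their neighbours; `description = "Allocated RDS storage, passed to allocated_storage"` and `description = "RDS instance class"` would do. `keycloak_instance_count` is indexed against a hard-coded `% 3` in `main.tf`, so the description could state the expected relationship to the number of public subnets.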
@@ -26,6 +53,11 @@ variable "instance_type" {
   default = "t3a.micro"
 }
 
+variable "db_instance_type" { 
+  type = string
+  default = "db.t3.micro"
+}
+
 variable "reverse_enabled" { 
   description = "Whether to create the reverse DNS entry."
   type = bool

+ 0 - 0
base/keycloak-single-instance/version.tf → base/keycloak/version.tf


+ 5 - 1
submodules/kms/ebs-key/vars.tf

@@ -9,4 +9,8 @@ variable "key_attacher_arns" { type = list }
 variable "standard_tags" { type = map }
 variable "aws_account_id" { type = string }
 variable "aws_partition" { type = string }
-variable "is_legacy" { type = bool }
+variable "is_legacy" { 
+  description = "Is this in our legacy AWS commercial account?"
+  type = bool
+  default = false 
+}
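Review bot: `variable "is_legacy" { ` and `default = false ` carry trailing whitespace; `terraform fmt` would strip it and align the attributes. Adding `default = false` also turns a previously required variable into an optional one, so callers that relied on the missing-value error to flag a misconfigured module will now silently take the non-legacy path; worth a line in the description.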