
KeyCloak Updates

* Adds the URL to outputs
* Updates the RDS module to actually use the password that was created
* Updates the security group to allow access to the DB
Fred Damstra [afs macbook] 4 years ago
parent
commit
8df24053bf
3 changed files with 44 additions and 5 deletions
  1. 4 0
      base/keycloak/outputs.tf
  2. 3 5
      base/keycloak/rds.tf
  3. 37 0
      base/keycloak/security-groups.tf

+ 4 - 0
base/keycloak/outputs.tf

@@ -3,6 +3,10 @@ output db_password {
   sensitive = true # To get this output, request it specifically with `terragrunt output db_password`
 }
 
+output db_endpoint {
+  value = module.keycloak_db.db_instance_endpoint
+}
+
 #output instance_arn {
 #  value = aws_instance.instance.arn
 #}
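Review bot: The new `db_endpoint` output on the added lines has no `description`, so consumers of this module get no hint what form the value takes beyond the attribute name. Adding `description = "Connection endpoint of the Keycloak RDS instance"` costs nothing and matches the self-documenting style the neighbouring `db_password` output uses in its trailing comment. Leaving the endpoint non-sensitive is reasonable since a hostname is not a credential, but a one-line comment saying so would stop the next editor from marking it `sensitive = true` by reflex or from wondering why it differs from `db_password`.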

+ 3 - 5
base/keycloak/rds.tf

@@ -27,12 +27,12 @@ resource "random_password" "password" {
   min_numeric = 1
   min_upper = 1
   min_special = 1
-  override_special = "~!@%^()-_+"
+  override_special = "~!%^()-_+"
 }
 
 module "keycloak_db" {
   source = "terraform-aws-modules/rds/aws"
-  version = "~> v2.0"
+  version = "~> v3.0"
 
   identifier = var.identifier # this is the RDS identifier, not the DB name
   name = "keycloak" # the DB name
@@ -52,8 +52,6 @@ module "keycloak_db" {
   password = random_password.password.result
 
   port     = "5432"
-  create_random_password = true
-  random_password_length = 32
 
   vpc_security_group_ids = [ aws_security_group.keycloak_rds_sg.id ]
 
@@ -77,7 +75,7 @@ module "keycloak_db" {
   major_engine_version = "12"
 
   # Snapshot name upon DB deletion
-  final_snapshot_identifier = "${var.identifier}-final-snapshot"
+  final_snapshot_identifier_prefix = "${var.identifier}-final-snapshot"
 
   # Database Deletion Protection
   deletion_protection = var.instance_termination_protection
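Review bot: With `create_random_password` and `random_password_length` removed in the second hunk, `random_password.password.result` is now the sole source of the master password, and that value is recorded in plaintext in Terraform state by both the `random_password` resource and the RDS module, so the state backend's encryption and access controls are the effective protection for this credential; that deserves a comment beside `password = random_password.password.result`, e.g. `# Plaintext in TF state: keep the state backend encrypted and access-restricted`. Dropping `@` from `override_special` in the first hunk matches the RDS constraint that master passwords may not contain `/`, `@`, `"` or `'`, and since none of those remain in `"~!%^()-_+"` a comment naming that constraint would keep someone from re-adding one later. The `~> v2.0` to `~> v3.0` bump is a major-version change, and the `final_snapshot_identifier` to `final_snapshot_identifier_prefix` rename in the third hunk shows inputs moved, so the module's v3 changelog should be checked for other renamed or newly defaulted inputs before this is applied. The enclosing `module "keycloak_db"` block starts and ends outside the hunks shown.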

+ 37 - 0
base/keycloak/security-groups.tf

@@ -5,6 +5,11 @@ data "aws_security_group" "typical-host" {
   vpc_id = var.vpc_id
 }
 
+data "aws_security_group" "aws_endpoints" {
+  name   = "aws_endpoints"
+  vpc_id = var.vpc_id
+}
+
 # For now, opening everything:
 #   ajp port: 8009
 #   http: 8080
@@ -23,6 +28,27 @@ resource "aws_security_group" "instance" {
   tags = merge(var.standard_tags, var.tags)
 }
 
+resource "aws_security_group_rule" "cluster-connectivity-ingress" {
+  description = "Receive any from other cluster members"
+  type = "ingress"
+  from_port = -1
+  to_port = -1
+  protocol = -1
+  security_group_id = aws_security_group.instance.id
+  source_security_group_id = aws_security_group.instance.id
+}
+
+resource "aws_security_group_rule" "cluster-connectivity-egress" {
+  description = "send any to other cluster members"
+  type = "egress"
+  from_port = -1
+  to_port = -1
+  protocol = -1
+  security_group_id = aws_security_group.instance.id
+  source_security_group_id = aws_security_group.instance.id
+}
+
+
 #resource "aws_security_group_rule" "instance-http-in" {
 #  description = ""
 #  type = "ingress"
@@ -93,6 +119,17 @@ resource "aws_security_group_rule" "instance-alt-https-in-from-elb" {
   source_security_group_id = aws_security_group.elb_external.id
 }
 
+resource "aws_security_group_rule" "instance-db-outbound" {
+  description = "Postgres Outbound"
+  type = "egress"
+  from_port = "5432"
+  to_port = "5432"
+  protocol = "tcp"
+  security_group_id = aws_security_group.instance.id
+  source_security_group_id = data.aws_security_group.aws_endpoints.id
+}
+
+
 #resource "aws_security_group_rule" "instance-mgmt-http-in" {
 #  description = ""
 #  type = "ingress"
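Review bot: The new `instance-db-outbound` rule in the last hunk points its egress at `data.aws_security_group.aws_endpoints`, while the RDS instance in `rds.tf` is attached to `aws_security_group.keycloak_rds_sg`, so unless `aws_endpoints` is also attached to the database this rule does not open the path the commit message describes, and no matching ingress on `keycloak_rds_sg` from `aws_security_group.instance` appears in this diff. If the database is the intended peer, the line should read `source_security_group_id = aws_security_group.keycloak_rds_sg.id` (for an egress rule this attribute names the destination group), with the paired ingress rule on `keycloak_rds_sg` added alongside it. The `cluster-connectivity-ingress`/`cluster-connectivity-egress` rules in the second hunk allow every protocol and port between members of the `instance` group; that is a common cluster pattern, but a comment naming which services actually need it (the commented list above only mentions ajp 8009 and http 8080) would justify the breadth and make later tightening easier. If `aws_security_group.instance`, whose body is outside this diff, also declares inline `ingress`/`egress` blocks, mixing those with these standalone `aws_security_group_rule` resources will produce perpetual plan diffs.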