From 18d36539777f93ade3af1958a228cac289ff0f5b Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:42:49 +0300 Subject: [PATCH 01/25] Create README.md --- keycloak/README.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 keycloak/README.md diff --git a/keycloak/README.md b/keycloak/README.md new file mode 100644 index 0000000..1167712 --- /dev/null +++ b/keycloak/README.md @@ -0,0 +1 @@ +It is a etrraform module to deploy keycloak From 4322896344bc6d3ef549b57c0c435c60508e5c90 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:43:57 +0300 Subject: [PATCH 02/25] Create mail.tf --- keycloak/mail.tf | 102 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 keycloak/mail.tf diff --git a/keycloak/mail.tf b/keycloak/mail.tf new file mode 100644 index 0000000..d6fceba --- /dev/null +++ b/keycloak/mail.tf 
@@ -0,0 +1,102 @@ + +data "aws_eks_cluster" "this" { + name = var.cluster_name + +data "aws_region" "current" {} + +resource "kubernetes_namespace" "this" { + depends_on = [ + var.module_depends_on + ] + count = var.namespace == "" ? 1 - local.argocd_enabled : 0 + metadata { + name = var.namespace_name + } +} + +resource "helm_release" "keyclok" { + count = 1 - local.argocd_enabled + depends_on = [ + var.module_depends_on + ] + repository = local.repository + name = local.name + chart = local.chart + chart_version = var.chart_version + namespace = local.namespace + recreate_pods = true + timeout = 1200 + + dynamic "set" { + for_each = local.conf + + content { + name = set.key + value = set.value + } +} + +resource "local_file" "this" { + count = local.argocd_enabled + depends_on = [ + var.module_depends_on + ] + content = yamlencode(local.application) + filename = "${path.root}/${var.argocd.path}/${local.name}.yaml" +} + +locals { + argocd_enabled = length(var.argocd) > 0 ? 1 : 0 + namespace = coalescelist(kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name + + repository = "https://charts.bitnami.com/bitnami" + name = "keyclok" + chart = "keyclok" + chart_version = var.chart_version + conf = merge(local.conf_defaults, var.conf) + conf_defaults = merge({ + "rbac.create" = true, + "resources.limits.cpu" = "100m", + "resources.limits.memory" = "2048Mi", + "resources.requests.cpu" = "512m", + "resources.requests.memory" = "512Mi", + "aws.region" = data.aws_region.current.name + + } + ) +} + + application = { + "apiVersion" = "argoproj.io/v1alpha1" + "kind" = "Application" + "metadata" = { + "name" = local.name + "namespace" = var.argocd.namespace + } + "spec" = { + "destination" = { + "namespace" = local.namespace + "server" = "https://kubernetes.default.svc" + } + "project" = "default" + "source" = { + "repoURL" = local.repository + "targetRevision" = var.chart_version + "chart" = local.chart + "helm" = { + "parameters" = 
values({ + for key, value in local.conf : + key => { + "name" = key + "value" = tostring(value) + } + }) + } + } + "syncPolicy" = { + "automated" = { + "prune" = true + "selfHeal" = true + } + } + } From b27cea7ebe80c5329f17784ea5a0981fe0d5e392 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:45:06 +0300 Subject: [PATCH 03/25] Create variables.tf --- keycloak/variables.tf | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 keycloak/variables.tf diff --git a/keycloak/variables.tf b/keycloak/variables.tf new file mode 100644 index 0000000..0b82a00 --- /dev/null +++ b/keycloak/variables.tf @@ -0,0 +1,35 @@ +variable "argocd" { + type = map(string) + description = "A set of values for enabling deployment through ArgoCD" + default = {} + + variable "namespace" { + type = string + default = "" + description = "A name of the existing namespace" +} + +variable "namespace_name" { + type = string + default = "" + description = "A name of namespace for creating" +} + +variable "module_depends_on" { + default = [] + type = list(any) + description = "A list of explicit dependencies" +} + +variable "cluster_name" { + type = string + default = null + description = "A name of the Amazon EKS cluster" +} + +variable "chart_version" { + type = string + description = "A Helm Chart version" + default = "" +} + From d08730c4665298e67f3e19595ad06b8724aa68ca Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:54:14 +0300 Subject: [PATCH 04/25] Update README.md --- keycloak/README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/keycloak/README.md b/keycloak/README.md index 1167712..da6bf95 100644 --- a/keycloak/README.md +++ b/keycloak/README.md 
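Review bot: The file as added does not parse: `data "aws_eks_cluster" "this"` is never closed before `data "aws_region" "current"` begins, `dynamic "set"` inside `helm_release.keyclok` has no closing brace, and the `locals` block closes right after `conf_defaults`, leaving `application = {` at top level. `chart_version` is also not an argument of `helm_release`; the provider calls it `version`, so that line should read `version = var.chart_version`. Separately, the generated Argo CD `Application` is placed in `"project" = "default"` with `automated` prune and selfHeal; the default project does not restrict source repositories or destinations, so a dedicated AppProject that allow-lists `local.repository` and the destination namespace would bound what this automated sync can change.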
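Review bot: `variable "argocd"` is not closed before `variable "namespace"` starts, so the file fails to parse; add `}` after its `default = {}`. main.tf reads `var.argocd.path` and `var.argocd.namespace` out of this `map(string)`, but nothing checks that those keys are present when the map is non-empty, so a partial map only fails at apply time; a `validation` block on the variable, or `lookup(var.argocd, "path", ...)` with an explicit error, would surface that at plan. `cluster_name` defaults to `null` although `data "aws_eks_cluster" "this"` passes it as the required `name`, so it is effectively required and should have no default.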
@@ -1 +1,11 @@ -It is a etrraform module to deploy keycloak +It is a etrraform module to deploy keycloak to EKS with ArgoCD. +to integrate this module with our swiss-army-kube project, we add the module in main terraform file: + + +module "keycloak" { + depends_on = [module.argocd] + source = "github.com/jamal68/sak-incubator/keycloak" + cluster_name = module.kubernetes.cluster_name + argocd = module.argocd.state + domains = local.domain +} From a98ae91c6aab91663a72c32b16d8aecc0ca24d86 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:55:14 +0300 Subject: [PATCH 05/25] Update README.md --- keycloak/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index da6bf95..bb9d04c 100644 --- a/keycloak/README.md +++ b/keycloak/README.md @@ -2,10 +2,10 @@ It is a etrraform module to deploy keycloak to EKS with ArgoCD. to integrate this module with our swiss-army-kube project, we add the module in main terraform file: -module "keycloak" { +module "keycloak depends_on = [module.argocd] source = "github.com/jamal68/sak-incubator/keycloak" cluster_name = module.kubernetes.cluster_name argocd = module.argocd.state domains = local.domain -} + From d80b430694a4b61783adac4fdc6ec2d4d5d4e7e2 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:56:16 +0300 Subject: [PATCH 06/25] Update README.md --- keycloak/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index bb9d04c..48c33d5 100644 --- a/keycloak/README.md +++ b/keycloak/README.md 
@@ -2,9 +2,9 @@ It is a etrraform module to deploy keycloak to EKS with ArgoCD. to integrate this module with our swiss-army-kube project, we add the module in main terraform file: -module "keycloak - depends_on = [module.argocd] - source = "github.com/jamal68/sak-incubator/keycloak" +module keycloak + depends_on = module.argocd + source = github.com/jamal68/sak-incubator/keycloak cluster_name = module.kubernetes.cluster_name argocd = module.argocd.state domains = local.domain From 2c668e291988352ae25aaa510102a59754620d42 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 12:59:44 +0300 Subject: [PATCH 07/25] Update README.md --- keycloak/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index 48c33d5..9382705 100644 --- a/keycloak/README.md +++ b/keycloak/README.md @@ -2,9 +2,9 @@ It is a etrraform module to deploy keycloak to EKS with ArgoCD. to integrate this module with our swiss-army-kube project, we add the module in main terraform file: -module keycloak - depends_on = module.argocd - source = github.com/jamal68/sak-incubator/keycloak +module "keycloak" { + depends_on = [module.argocd] + source = "github.com/jamal68/sak-incubator/keycloak" cluster_name = module.kubernetes.cluster_name argocd = module.argocd.state domains = local.domain From b3509e833a90ad0f50956b92d98b045bc5f5b6d4 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 25 May 2021 13:04:30 +0300 Subject: [PATCH 08/25] Rename mail.tf to main.tf --- keycloak/{mail.tf => main.tf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename keycloak/{mail.tf => main.tf} (100%) diff --git a/keycloak/mail.tf b/keycloak/main.tf similarity index 100% rename from keycloak/mail.tf rename to keycloak/main.tf From e21dfd4f3c88d1a1a8a893c32f3cdd1131750219 Mon Sep 17 00:00:00 2001 
From: rufusnufus Date: Thu, 27 May 2021 19:07:31 +0300 Subject: [PATCH 09/25] fix keycloak --- keycloak/README.md | 56 +++++++++++++++++++++++ keycloak/main.tf | 103 ++++++++++++++++++++++++++++++++++++++++++ keycloak/variables.tf | 47 +++++++++++++++++++ 3 files changed, 206 insertions(+) create mode 100644 keycloak/README.md create mode 100644 keycloak/main.tf create mode 100644 keycloak/variables.tf diff --git a/keycloak/README.md b/keycloak/README.md new file mode 100644 index 0000000..c62e931 --- /dev/null +++ b/keycloak/README.md 
@@ -0,0 +1,56 @@ +It is a terraform module to deploy keycloak to EKS with ArgoCD. To integrate this module with our swiss-army-kube project, we add the module to the main terraform file: + +## Example how add with module +``` +module "keycloak" { + depends_on = [module.argocd] + source = "../../modules/keycloak" + cluster_name = module.kubernetes.cluster_name + argocd = module.argocd.state + domains = local.domain +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [helm](#provider\_helm) | n/a | +| [kubernetes](#provider\_kubernetes) | n/a | +| [local](#provider\_local) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [helm_release.keycloak](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | +| [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | +| [local_file.this](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [argocd](#input\_argocd) | A set of values for enabling deployment through ArgoCD | `map(string)` | `{}` | no | +| [chart\_version](#input\_chart\_version) | A Helm Chart version | `string` | `"3.0.3"` | no | +| [cluster\_name](#input\_cluster\_name) | A name of the Amazon EKS cluster | `string` | `null` | no | +| [conf](#input\_conf) | A custom configuration for deployment | `map(string)` | `{}` | no | +| [domains](#input\_domains) | A list of domains to use for ingresses 
| `list(string)` |
[
"local"
]
| no | +| [module\_depends\_on](#input\_module\_depends\_on) | A list of explicit dependencies | `list(any)` | `[]` | no | +| [namespace](#input\_namespace) | A name of the existing namespace | `string` | `""` | no | +| [namespace\_name](#input\_namespace\_name) | A name of namespace for creating | `string` | `"oauth"` | no | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/keycloak/main.tf b/keycloak/main.tf new file mode 100644 index 0000000..659aa38 --- /dev/null +++ b/keycloak/main.tf 
@@ -0,0 +1,103 @@ +data "aws_eks_cluster" "this" { + name = var.cluster_name +} + +data "aws_region" "current" {} + +resource "kubernetes_namespace" "this" { + depends_on = [ + var.module_depends_on + ] + count = var.namespace == "" ? 1 - local.argocd_enabled : 0 + metadata { + name = var.namespace_name + } +} + +resource "helm_release" "keycloak" { + count = 1 - local.argocd_enabled + depends_on = [ + var.module_depends_on + ] + repository = local.repository + name = local.name + chart = local.chart + version = local.version + namespace = local.namespace + recreate_pods = true + timeout = 1200 + + dynamic "set" { + for_each = local.conf + + content { + name = set.key + value = set.value + } + } +} + +resource "local_file" "this" { + count = local.argocd_enabled + depends_on = [ + var.module_depends_on + ] + content = yamlencode(local.application) + filename = "${path.root}/${var.argocd.path}/${local.name}.yaml" +} + +locals { + argocd_enabled = length(var.argocd) > 0 ? 1 : 0 + namespace = coalescelist(kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name + + repository = "https://charts.bitnami.com/bitnami" + name = "keycloak" + chart = "keycloak" + version = var.chart_version + conf = merge(local.conf_defaults, var.conf) + conf_defaults = { + "rbac.create" = true, + "resources.limits.cpu" = "512m", + "resources.limits.memory" = "2048Mi", + "resources.requests.cpu" = "512m", + "resources.requests.memory" = "512Mi", + "aws.region" = data.aws_region.current.name + } + + application = { + "apiVersion" = "argoproj.io/v1alpha1" + "kind" = "Application" + "metadata" = { + "name" = local.name + "namespace" = var.argocd.namespace + } + "spec" = { + "destination" = { + "namespace" = local.namespace + "server" = "https://kubernetes.default.svc" + } + "project" = "default" + "source" = { + "repoURL" = local.repository + "targetRevision" = local.version + "chart" = local.chart + "helm" = { + "parameters" = values({ + for key, value in 
local.conf : + key => { + "name" = key + "value" = tostring(value) + } + }) + } + } + "syncPolicy" = { + "automated" = { + "prune" = true + "selfHeal" = true + } + } + } + } +} + diff --git a/keycloak/variables.tf b/keycloak/variables.tf new file mode 100644 index 0000000..03792d1 --- /dev/null +++ b/keycloak/variables.tf @@ -0,0 +1,47 @@ +variable "argocd" { + type = map(string) + description = "A set of values for enabling deployment through ArgoCD" + default = {} +} + +variable "namespace" { + type = string + default = "" + description = "A name of the existing namespace" +} + +variable "namespace_name" { + type = string + default = "oauth" + description = "A name of namespace for creating" +} + +variable "module_depends_on" { + default = [] + type = list(any) + description = "A list of explicit dependencies" +} + +variable "cluster_name" { + type = string + default = null + description = "A name of the Amazon EKS cluster" +} + +variable "chart_version" { + type = string + description = "A Helm Chart version" + default = "3.0.3" +} + +variable "domains" { + type = list(string) + default = ["local"] + description = "A list of domains to use for ingresses" +} + +variable "conf" { + type = map(string) + description = "A custom configuration for deployment" + default = {} +} \ No newline at end of file From 19a0363d29221fe64cab8b8d23e4e9f2b3c80f5a Mon Sep 17 00:00:00 2001 From: jamal68 Date: Sun, 30 May 2021 22:38:33 +0300 Subject: [PATCH 10/25] Update main.tf --- keycloak/main.tf | 231 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 222 insertions(+), 9 deletions(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index d6fceba..f9bb364 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf 
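Review bot: When Argo CD mode is on and `var.namespace` is empty, the generated `Application` gets an empty destination namespace: `kubernetes_namespace.this` has `count = 0` in that mode, so `coalescelist(...)` falls through to `var.namespace`, which is `""`, and `local.namespace` (used for `spec.destination.namespace`) ends up empty while `var.namespace_name` is never consulted. Make the fallback depend on the mode, e.g. `namespace = var.namespace != "" ? var.namespace : (local.argocd_enabled > 0 ? var.namespace_name : kubernetes_namespace.this[0].metadata[0].name)`. The Application is also created in `"project" = "default"` with automated prune and selfHeal; a dedicated AppProject that pins `repoURL` and the destination namespace would limit what an automated sync can modify.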
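Review bot: `cluster_name` keeps `default = null` although main.tf passes it as the required `name` of `data "aws_eks_cluster" "this"`, so the module cannot plan without it; drop the default so Terraform reports the missing input instead of a provider error. `domains` is declared here (and listed as an input in the README) but nothing in this version of main.tf references `var.domains`, so the ingress hosts the description promises are not configured by the module.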
@@ -20,8 +20,8 @@ resource "helm_release" "keyclok" { var.module_depends_on ] repository = local.repository - name = local.name - chart = local.chart + name = var.release_name + chart = var.chart_name chart_version = var.chart_version namespace = local.namespace recreate_pods = true @@ -35,6 +35,67 @@ resource "helm_release" "keyclok" { value = set.value } } + +module "iam_assumable_role_admin" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + # version = "~> v3.6.0" + create_role = true + role_name = "${var.cluster_name}_keycloak" + provider_url = replace(data.aws_eks_cluster.this.identity.0.oidc.0.issuer, "https://", "") + role_policy_arns = [aws_iam_policy.this.arn] + oidc_fully_qualified_subjects = ["system:serviceaccount:${local.namespace}:keyclok"] + tags = var.tags +} + +resource "aws_iam_policy" "this" { + name_prefix = "keyclok" + description = "EKS keyclok policy for cluster ${data.aws_eks_cluster.this.id}" + policy = data.aws_iam_policy_document.this.json +} + +data "aws_iam_policy_document" "this" { + statement { + sid = "keyclock" + effect = "Allow" + + actions = [ + "kms:Decrypt" + ] + + resources = [aws_kms_key.this.arn] + } +} + +resource "kubernetes_config_map" "decryptor" { + metadata { + name = "keyclock-decryptor" + namespace = local.namespace + } + + data = { + decryptor = < 0: + encrypted = line.split("KMS_ENC")[1].split(":")[1] + decrypted = decrypt(encrypted) + line = line.replace("KMS_ENC:%s:" % encrypted, decrypted) + print(line,end = '') + EOT + } +} resource "local_file" "this" { count = local.argocd_enabled 
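Review bot: The IRSA trust and the workload it is meant for do not line up: `oidc_fully_qualified_subjects` trusts `system:serviceaccount:${local.namespace}:keyclok`, while the only `eks.amazonaws.com/role-arn` annotation this commit adds (later in the file) is on `repoServer.serviceAccount` of an Argo CD values set, so no Keycloak pod can assume the role and the `kms:Decrypt` grant is unused. The policy is correctly scoped to `aws_kms_key.this.arn`, but `module.iam_assumable_role_admin` has its `version` commented out, so the module floats to whatever is latest; pin it. `var.tags` is referenced here and is not declared in variables.tf. The body of `kubernetes_config_map.decryptor` is garbled in this patch (`decryptor = < 0:`), so its script cannot be reviewed from here.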
@@ -45,14 +106,65 @@ resource "local_file" "this" { filename = "${path.root}/${var.argocd.path}/${local.name}.yaml" } +resource "random_password" "this" { + length = 20 + special = true +} + +resource "aws_ssm_parameter" "this" { + name = "/${var.cluster_name}/keyclock/password" + type = "SecureString" + value = random_password.this.result + description = "A password for accessing keyclock installation in ${var.cluster_name} EKS cluster" + + lifecycle { + ignore_changes = [value] + } + + tags = var.tags +} + +resource "aws_ssm_parameter" "encrypted" { + name = "/${var.cluster_name}/keycolck/password/encrypted" + type = "SecureString" + value = bcrypt(random_password.this.result, 10) + description = "An encrypted password for accessing keycolck installation in ${var.cluster_name} EKS cluster" + + lifecycle { + ignore_changes = [value] + } + + tags = var.tags +} + +resource "aws_kms_key" "this" { + description = "keycolck key" + is_enabled = true + + tags = var.tags +} + +resource "aws_kms_ciphertext" "client_secret" { + count = lookup(var.oidc, "secret", null) == null ? 0 : 1 + key_id = aws_kms_key.this.key_id + plaintext = lookup(var.oidc, "secret", null) +} + locals { argocd_enabled = length(var.argocd) > 0 ? 1 : 0 namespace = coalescelist(kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name + + legacy_defaults = merge({ + "installCRDs" = false + "server.ingress.enabled" = length(var.domains) > 0 ? true : false + "server.config.url" = length(var.domains) > 0 ? 
"https://keycloak.${var.domains[0]}" : "" + }, + { for i, domain in tolist(var.domains) : "server.ingress.tls[${i}].hosts[0]" => "keyclok.${domain}" }, + { for i, domain in tolist(var.domains) : "server.ingress.hosts[${i}]" => "keycloak.${domain}" }, + { for i, domain in tolist(var.domains) : "server.ingress.tls[${i}].secretName" => "keycloak-${domain}-tls" } + ) repository = "https://charts.bitnami.com/bitnami" - name = "keyclok" - chart = "keyclok" - chart_version = var.chart_version conf = merge(local.conf_defaults, var.conf) conf_defaults = merge({ "rbac.create" = true, 
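Review bot: `aws_ssm_parameter.encrypted` stores `bcrypt(random_password.this.result, 10)`, which is a one-way hash rather than an encryption of the password, so the resource name and the "An encrypted password" description are misleading and the stored value cannot be turned back into the password Keycloak needs; if an Argo CD-style admin password hash is intended, name it that, otherwise drop the parameter. The two parameter names also disagree with each other and with the README (`/keyclock/password` versus `/keycolck/password/encrypted`). `aws_kms_key.this` sets neither `enable_key_rotation = true` nor `deletion_window_in_days`, and `aws_kms_ciphertext.client_secret` reads `var.oidc`, which is not declared anywhere in the module. In `local.legacy_defaults` the TLS entries use `keyclok.${domain}` while the ingress hosts use `keycloak.${domain}`, so the certificate SANs will not match the served hostnames.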
@@ -64,8 +176,110 @@ locals { } ) -} - + + conf = { + + "configs.secret.createSecret" = true + "configs.secret.argocdServerAdminPassword" = aws_ssm_parameter.encrypted.value + "global.securityContext.fsGroup" = "999" + "repoServer.env[0].name" = "AWS_DEFAULT_REGION" + "repoServer.env[0].value" = data.aws_region.current.name + "repoServer.serviceAccount.create" = "true" + "repoServer.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" = module.iam_assumable_role_admin.iam_role_arn + "repoServer.volumes[0].name" = "decryptor" + "repoServer.volumes[0].configMap.name" = "keyclock-decryptor" + "repoServer.volumes[0].configMap.items[0].key" = "decryptor" + "repoServer.volumes[0].configMap.items[0].path" = "decryptor" + "repoServer.volumeMounts[0].name" = "decryptor" + "repoServer.volumeMounts[0].mountPath" = "/opt/decryptor/bin" + "server.config.repositories" = local.secrets_conf + "server.config.configManagementPlugins" = yamlencode( + [{ + "name" = "decryptor" + "init" = { + "command" = ["/usr/bin/pip3"] + "args" = ["install", "boto3"] + } + "generate" = { + "command" = ["/usr/bin/python3"] + "args" = ["/opt/decryptor/bin/decryptor"] + } + }] + ) + + "server.service.type" = "NodePort" + "server.ingress.enabled" = length(var.domains) > 0 ? 
"true" : "false" + } + values = concat(coalescelist( + [ + { + "name" = "server.rbacConfig.policy\\.csv" + "value" = < { + "name" = "server.ingress.tls[${i}].hosts[0]" + "value" = "keyclock.${domain}" + } + }), + values({ + for i, domain in tolist(var.domains) : + "key" => { + "name" = "server.ingress.hosts[${i}]" + "value" = "keyclock.${domain}" + } + }), + values({ + for i, domain in tolist(var.domains) : + "key" => { + "name" = "server.ingress.tls[${i}].secretName" + "value" = "keyclock-${domain}-tls" + } + }), + values({ + for key, value in var.ingress_annotations : + key => { + "name" = "server.ingress.annotations.${replace(key, ".", "\\.")}" + "value" = value + } + }), + values({ + for key, value in merge(local.conf, var.conf) : + key => { + "name" = key + "value" = tostring(value) + } + }) + ) application = { "apiVersion" = "argoproj.io/v1alpha1" "kind" = "Application" @@ -82,7 +296,7 @@ locals { "source" = { "repoURL" = local.repository "targetRevision" = var.chart_version - "chart" = local.chart + "chart" = var.chart_name "helm" = { "parameters" = values({ for key, value in local.conf : @@ -99,4 +313,3 @@ locals { "selfHeal" = true } } - } From 758324ce1bba714699dab98aad89c5c03f0b12ff Mon Sep 17 00:00:00 2001 From: jamal68 Date: Sun, 30 May 2021 22:39:45 +0300 Subject: [PATCH 11/25] Update variables.tf --- keycloak/variables.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/keycloak/variables.tf b/keycloak/variables.tf index 0b82a00..dee3194 100644 --- a/keycloak/variables.tf +++ b/keycloak/variables.tf @@ -33,3 +33,21 @@ variable "chart_version" { default = "" } + +variable "chart_name" { + type = string + description = "A chart name" + default = "" +} + +variable "release_name" { + type = string + description = "A release name" + default = "" +} + +variable "conf" { + type = map(string) + description = "A custom configuration for deployment" + default = {} +} From 028d1033f08a5935ad5d64cfa146d7f269e6baf1 Mon Sep 17 00:00:00 2001 
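Review bot: `locals` now defines `conf` twice (`conf = merge(local.conf_defaults, var.conf)` from the previous hunk and `conf = { ... }` here), which Terraform rejects as a duplicate attribute. Beyond that, the new `conf` and `values` entries are Argo CD chart keys (`configs.secret.argocdServerAdminPassword`, `repoServer.*`, `server.rbacConfig.policy\\.csv`) pasted into the Keycloak module, and the bitnami keycloak chart will not act on them, while `configs.secret.argocdServerAdminPassword` would still push `aws_ssm_parameter.encrypted.value` into a Helm release where it is visible to anyone who can read release secrets. `values` also references `local.secrets_conf` and `var.ingress_annotations`, neither of which is declared, and the three per-domain `values({ for i, domain in ... : "key" => {...} })` comprehensions use the constant key `"key"`, so each collapses to its last element. Brace balance of the `locals` block (which starts before this hunk) should be re-checked after the `-}` removals at the top and bottom of the change.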
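Review bot: `chart_name` and `release_name` default to `""`, and main.tf (since the previous commit) feeds them straight into `helm_release` as `chart` and `name`, so the module installs nothing usable unless every caller overrides both; give them the real values, e.g. `default = "keycloak"`, or declare them without a default. This commit also leaves `var.tags`, `var.oidc`, `var.domains` and `var.ingress_annotations`, all referenced by main.tf, undeclared.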
From: jamal68 Date: Mon, 31 May 2021 00:00:12 +0300 Subject: [PATCH 12/25] Update README.md --- keycloak/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/keycloak/README.md b/keycloak/README.md index 9382705..9e4e3b3 100644 --- a/keycloak/README.md +++ b/keycloak/README.md @@ -8,4 +8,9 @@ module "keycloak" { cluster_name = module.kubernetes.cluster_name argocd = module.argocd.state domains = local.domain + + + +To retrive keyclock password: +aws --region ssm get-parameter --with-decryption --name //keyclock/password | jq -r '.Parameter.Value' From dc97411d5031e65cd5c39c66f086b59e66db1add Mon Sep 17 00:00:00 2001 From: jamal68 Date: Mon, 31 May 2021 17:43:53 +0300 Subject: [PATCH 13/25] Update README.md --- keycloak/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index 9e4e3b3..9dc408f 100644 --- a/keycloak/README.md +++ b/keycloak/README.md @@ -2,9 +2,9 @@ It is a etrraform module to deploy keycloak to EKS with ArgoCD. to integrate this module with our swiss-army-kube project, we add the module in main terraform file: -module "keycloak" { +module keycloak depends_on = [module.argocd] - source = "github.com/jamal68/sak-incubator/keycloak" + source = "github.com/sak-incubator/keycloak" cluster_name = module.kubernetes.cluster_name argocd = module.argocd.state domains = local.domain From 9e5b2c35f53f923a92d94ccd1cffe2cca916a44c Mon Sep 17 00:00:00 2001 From: jamal68 Date: Mon, 31 May 2021 17:53:44 +0300 Subject: [PATCH 14/25] Update main.tf --- keycloak/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index f9bb364..7a873c6 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf @@ -1,4 +1,3 @@ - data "aws_eks_cluster" "this" { name = var.cluster_name From dd445f1555929efeaf70c2e65f6ca0a9fa63aafc Mon Sep 17 00:00:00 2001 From: jamal68 Date: Mon, 31 May 2021 18:07:45 +0300 Subject: [PATCH 15/25] Update main.tf 
From 9c0ba10b3e807fca6174f042228126ddfc6c2feb Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 15 Jun 2021 14:06:55 +0300 Subject: [PATCH 16/25] Update README.md --- keycloak/README.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index 9dc408f..6803c41 100644 --- a/keycloak/README.md +++ b/keycloak/README.md @@ -1,15 +1,7 @@ It is a etrraform module to deploy keycloak to EKS with ArgoCD. to integrate this module with our swiss-army-kube project, we add the module in main terraform file: - -module keycloak - depends_on = [module.argocd] - source = "github.com/sak-incubator/keycloak" - cluster_name = module.kubernetes.cluster_name - argocd = module.argocd.state - domains = local.domain - - + To retrive keyclock password: aws --region ssm get-parameter --with-decryption --name //keyclock/password | jq -r '.Parameter.Value' From 9fdf4f8308e3a80321bd46e2d6529dd394944f5e Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 15 Jun 2021 19:54:50 +0300 Subject: [PATCH 17/25] Update variables.tf --- keycloak/variables.tf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/keycloak/variables.tf b/keycloak/variables.tf index dee3194..430ceb7 100644 --- a/keycloak/variables.tf +++ b/keycloak/variables.tf @@ -30,9 +30,15 @@ variable "cluster_name" { variable "chart_version" { type = string description = "A Helm Chart version" - default = "" + default = "3.0.3" } +variable "domains" { + type = list(string) + default = ["local"] + description = "A list of domains to use for ingresses" + default = "" +} variable "chart_name" { type = string From 806dca01545452ea5419592be3ef9ea7b6b7b49e Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 15 Jun 2021 20:05:09 +0300 Subject: [PATCH 18/25] Update main.tf --- keycloak/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index 7a873c6..0029e15 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf 
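Review bot: The new `variable "domains"` carries two `default` arguments (`default = ["local"]` and `default = ""`), which Terraform rejects as a duplicate attribute, and the second one is not a `list(string)` anyway; delete the `default = ""` line. Pinning `chart_version` to `"3.0.3"` instead of `""` is the right direction, since an empty version lets the chart float to whatever the repository serves next.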
@@ -1,5 +1,6 @@ data "aws_eks_cluster" "this" { name = var.cluster_name +} data "aws_region" "current" {} @@ -20,7 +21,6 @@ resource "helm_release" "keyclok" { ] repository = local.repository name = var.release_name - chart = var.chart_name chart_version = var.chart_version namespace = local.namespace recreate_pods = true From bbabde4716b76dcf7eba78e55a6335988939b89b Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 15 Jun 2021 20:10:32 +0300 Subject: [PATCH 19/25] Update main.tf --- keycloak/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index 0029e15..eade860 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf @@ -1,9 +1,9 @@ +data "aws_region" "current" {} + data "aws_eks_cluster" "this" { name = var.cluster_name } -data "aws_region" "current" {} - resource "kubernetes_namespace" "this" { depends_on = [ var.module_depends_on From 0520a98534873cee844835f40411a09fa60d3806 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Tue, 15 Jun 2021 20:21:47 +0300 Subject: [PATCH 20/25] Update main.tf --- keycloak/main.tf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index eade860..29b4c72 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf @@ -19,9 +19,11 @@ resource "helm_release" "keyclok" { depends_on = [ var.module_depends_on ] + + name = local.name repository = local.repository - name = var.release_name - chart_version = var.chart_version + chart = local.chart + version = var.chart_version namespace = local.namespace recreate_pods = true timeout = 1200 @@ -164,6 +166,8 @@ locals { ) repository = "https://charts.bitnami.com/bitnami" + name = "argocd" + chart = "argo-cd" conf = merge(local.conf_defaults, var.conf) conf_defaults = merge({ "rbac.create" = true, From d76ac159d8b5839e965b0ee1aa79bc7b11342173 Mon Sep 17 00:00:00 2001 
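Review bot: Removing `chart = var.chart_name` leaves `helm_release.keyclok` with no `chart` argument, which the provider requires, and `chart_version = var.chart_version` remains on the following line although the provider argument is `version`, so the block still does not plan. The intended pair is presumably `chart = local.chart` and `version = var.chart_version`. `helm_release.keyclok` continues outside the hunk.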
From: jamal68 Date: Tue, 15 Jun 2021 20:23:28 +0300 Subject: [PATCH 21/25] Update main.tf --- keycloak/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index 29b4c72..0f2e167 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf @@ -166,8 +166,8 @@ locals { ) repository = "https://charts.bitnami.com/bitnami" - name = "argocd" - chart = "argo-cd" + name = "keycloak" + chart = "keycloak" conf = merge(local.conf_defaults, var.conf) conf_defaults = merge({ "rbac.create" = true, From f8a14e95ba0d38bf62b7ec0b1549c905930a17f9 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Wed, 23 Jun 2021 16:33:01 +0300 Subject: [PATCH 22/25] kecloak modification --- keycloak/main.tf | 393 ++++++++++++------------------------------ keycloak/variables.tf | 56 ++++-- 2 files changed, 152 insertions(+), 297 deletions(-) diff --git a/keycloak/main.tf b/keycloak/main.tf index 9a1fb9d..2d7a3a6 100644 --- a/keycloak/main.tf +++ b/keycloak/main.tf @@ -1,9 +1,24 @@ -data "aws_region" "current" {} - data "aws_eks_cluster" "this" { name = var.cluster_name } - + +data "aws_region" "current" {} + +resource "random_password" "keycloak_password" { + depends_on = [ + var.module_depends_on + ] + length = 16 + special = true + override_special = "!#%&*()-_=+[]{}<>:?" +} + +resource "aws_ssm_parameter" "keycloak_password" { + name = "/${var.cluster_name}/keycloak/password" + type = "SecureString" + value = local.password +} + resource "kubernetes_namespace" "this" { depends_on = [ var.module_depends_on 
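Review bot: `aws_ssm_parameter.keycloak_password` writes `local.password` with no `lifecycle { ignore_changes = [value] }`, so when a caller later sets or rotates `var.keycloak_password` the parameter is overwritten in place and the previous value is gone; the earlier variant of this resource kept that guard and it should be restored, together with a `description` and `tags`. Both this parameter value and `random_password.keycloak_password.result` are held in Terraform state in clear form, so the state backend for this module must be encrypted and access-restricted; that is worth stating in the README. `random_password.keycloak_password` has `depends_on = [var.module_depends_on]` although it uses nothing from those resources, so the dependency can be dropped there.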
@@ -14,115 +29,101 @@ resource "kubernetes_namespace" "this" { } } -resource "helm_release" "keycloak" { - count = 1 - local.argocd_enabled +resource "kubernetes_secret" "keycloak_auth" { depends_on = [ var.module_depends_on ] - repository = local.repository - name = local.name - chart = local.chart - version = local.version - namespace = local.namespace - recreate_pods = true - timeout = 1200 - dynamic "set" { - for_each = local.conf + count = var.keycloak_google_auth ? 1 - local.argocd_enabled : 0 - content { - name = set.key - value = set.value - } + metadata { + name = "keycloak-auth" + namespace = local.namespace + } + + data = { + KC_AUTH_GOOGLE_CLIENT_ID = var.keycloak_client_id + KC_AUTH_GOOGLE_CLIENT_SECRET = var.keycloak_client_secret } } -resource "local_file" "this" { - count = local.argocd_enabled +resource "aws_kms_ciphertext" "keycloak_client_secret" { + count = var.keycloak_google_auth && local.argocd_enabled > 0 ? 1 : 0 + key_id = var.argocd.kms_key_id + plaintext = base64encode(var.keycloak_client_secret) +} + +resource "aws_kms_ciphertext" "keycloak_password" { + count = local.argocd_enabled + key_id = var.argocd.kms_key_id + plaintext = local.password +} + +resource "local_file" "namespace" { + count = local.argocd_enabled depends_on = [ var.module_depends_on ] - content = yamlencode(local.application) - filename = "${path.root}/${var.argocd.path}/${local.name}.yaml" - - name = local.name - repository = local.repository - chart = local.chart - version = var.chart_version - namespace = local.namespace - recreate_pods = true - timeout = 1200 - - dynamic "set" { - for_each = local.conf - - content { - name = set.key - value = set.value + content = yamlencode({ + "apiVersion" = "v1" + "kind" = "Namespace" + "metadata" = { + "name" = local.namespace } + }) + filename = "${path.root}/${var.argocd.path}/ns-${local.namespace}.yaml" } -module "iam_assumable_role_admin" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - # 
version = "~> v3.6.0" - create_role = true - role_name = "${var.cluster_name}_keycloak" - provider_url = replace(data.aws_eks_cluster.this.identity.0.oidc.0.issuer, "https://", "") - role_policy_arns = [aws_iam_policy.this.arn] - oidc_fully_qualified_subjects = ["system:serviceaccount:${local.namespace}:keyclok"] - tags = var.tags +resource "local_file" "keycloak_auth" { + count = var.keycloak_google_auth ? local.argocd_enabled : 0 + depends_on = [ + var.module_depends_on + ] + content = yamlencode({ + "apiVersion" = "v1" + "kind" = "Secret" + "metadata" = { + "name" = "keycloak-auth" + "namespace" = local.namespace + } + "stringData" = { + "KC_AUTH_GOOGLE_CLIENT_ID" = var.keycloak_client_id + "KC_AUTH_GOOGLE_CLIENT_SECRET" = "KMS_ENC:${aws_kms_ciphertext.keycloak_client_secret[0].ciphertext_blob}:" + } + }) + filename = "${path.root}/${var.argocd.path}/secret-keycloak-auth.yaml" } -resource "aws_iam_policy" "this" { - name_prefix = "keyclok" - description = "EKS keyclok policy for cluster ${data.aws_eks_cluster.this.id}" - policy = data.aws_iam_policy_document.this.json +locals { + argocd_enabled = length(var.argocd) > 0 ? 1 : 0 + namespace = coalescelist(var.namespace == "" && local.argocd_enabled > 0 ? 
[{ "metadata" = [{ "name" = var.namespace_name }] }] : kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name } -data "aws_iam_policy_document" "this" { - statement { - sid = "keyclock" - effect = "Allow" +resource "helm_release" "this" { + count = 1 - local.argocd_enabled - actions = [ - "kms:Decrypt" - ] + depends_on = [ + var.module_depends_on + ] - resources = [aws_kms_key.this.arn] - } -} + name = local.name + repository = local.repository + chart = local.chart + version = var.chart_version + namespace = local.namespace + recreate_pods = true + timeout = 1200 -resource "kubernetes_config_map" "decryptor" { - metadata { - name = "keyclock-decryptor" - namespace = local.namespace - } + dynamic "set" { + for_each = merge(local.conf) - data = { - decryptor = < 0: - encrypted = line.split("KMS_ENC")[1].split(":")[1] - decrypted = decrypt(encrypted) - line = line.replace("KMS_ENC:%s:" % encrypted, decrypted) - print(line,end = '') - EOT + content { + name = set.key + value = set.value + } } } - + resource "local_file" "this" { count = local.argocd_enabled depends_on = [ 
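Review bot: `aws_kms_ciphertext.keycloak_client_secret` encrypts `base64encode(var.keycloak_client_secret)` while `aws_kms_ciphertext.keycloak_password` encrypts `local.password` raw, so whatever resolves the `KMS_ENC:<blob>:` markers will recover a base64 string for the client secret and the plaintext for the password; `local_file.keycloak_auth` puts the client-secret marker under `stringData`, which expects the decoded value, so the extra encoding looks unintended and should be `plaintext = var.keycloak_client_secret`. `kubernetes_secret.keycloak_auth`, both ciphertexts and that file rely on `var.argocd.kms_key_id` and on a decrypt step that lives outside this module; the `argocd` variable description should say which keys it expects. `helm_release.this` uses `merge(local.conf)` with a single argument, which is just `local.conf`, and the `name`, `repository` and `chart` locals it reads are defined in the following hunk.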
@@ -132,199 +133,33 @@ resource "local_file" "this" { filename = "${path.root}/${var.argocd.path}/${local.name}.yaml" } -resource "random_password" "this" { - length = 20 - special = true -} - -resource "aws_ssm_parameter" "this" { - name = "/${var.cluster_name}/keyclock/password" - type = "SecureString" - value = random_password.this.result - description = "A password for accessing keyclock installation in ${var.cluster_name} EKS cluster" - - lifecycle { - ignore_changes = [value] - } - - tags = var.tags -} - -resource "aws_ssm_parameter" "encrypted" { - name = "/${var.cluster_name}/keycolck/password/encrypted" - type = "SecureString" - value = bcrypt(random_password.this.result, 10) - description = "An encrypted password for accessing keycolck installation in ${var.cluster_name} EKS cluster" - - lifecycle { - ignore_changes = [value] - } - - tags = var.tags -} - -resource "aws_kms_key" "this" { - description = "keycolck key" - is_enabled = true - - tags = var.tags -} - -resource "aws_kms_ciphertext" "client_secret" { - count = lookup(var.oidc, "secret", null) == null ? 0 : 1 - key_id = aws_kms_key.this.key_id - plaintext = lookup(var.oidc, "secret", null) -} locals { - argocd_enabled = length(var.argocd) > 0 ? 1 : 0 - namespace = coalescelist(kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name - - repository = "https://charts.bitnami.com/bitnami" - name = "keycloak" - chart = "keycloak" - version = var.chart_version - conf = merge(local.conf_defaults, var.conf) + name = "kube-keycloak" + repository = "https://github.com/bitnami/charts/tree/master/bitnami/keycloak/" + chart = "kube-keycloak" + conf = merge(local.conf_defaults, var.conf) + password = var.keycloak_password == "" ? 
random_password.keycloak_password.result : var.keycloak_password conf_defaults = { - "rbac.create" = true, - "resources.limits.cpu" = "512m", - "resources.limits.memory" = "2048Mi", - "resources.requests.cpu" = "512m", - "resources.requests.memory" = "512Mi", - "aws.region" = data.aws_region.current.name + "keycloak.enabled" = true + "keycloak.pvc.enabled" = true + "keycloak.ingress.enabled" = true + "keycloak.ingress.hosts[0]" = "keycloak.${var.domains[0]}" + "keycloak.adminPassword" = local.argocd_enabled > 0 ? "KMS_ENC:${aws_kms_ciphertext.keycloak_password[0].ciphertext_blob}:" : local.password + "keycloak.env.KC_AUTH_GOOGLE_ENABLED" = var.keycloak_google_auth + "keycloak.env.KC_AUTH_GOOGLE_ALLOWED_DOMAINS" = var.keycloak_allowed_domains + "keycloak.env.KC_AUTH_GOOGLE_CLIENT_ID" = var.keycloak_client_id + //TODO: Change to work with secret + "keycloak.env.KC_AUTH_GOOGLE_CLIENT_SECRET" = var.keycloak_client_secret + "keycloak.ingress.enabled" = false + "namespace" = local.namespace + "rbac.create" = true, + "resources.limits.cpu" = "100m", + "resources.limits.memory" = "300Mi", + "resources.requests.cpu" = "100m", + "resources.requests.memory" = "300Mi" } - application = { - - legacy_defaults = merge({ - "installCRDs" = false - "server.ingress.enabled" = length(var.domains) > 0 ? true : false - "server.config.url" = length(var.domains) > 0 ? 
"https://keycloak.${var.domains[0]}" : "" - }, - { for i, domain in tolist(var.domains) : "server.ingress.tls[${i}].hosts[0]" => "keyclok.${domain}" }, - { for i, domain in tolist(var.domains) : "server.ingress.hosts[${i}]" => "keycloak.${domain}" }, - { for i, domain in tolist(var.domains) : "server.ingress.tls[${i}].secretName" => "keycloak-${domain}-tls" } - ) - - repository = "https://charts.bitnami.com/bitnami" - name = "keycloak" - chart = "keycloak" - conf = merge(local.conf_defaults, var.conf) - conf_defaults = merge({ - "rbac.create" = true, - "resources.limits.cpu" = "100m", - "resources.limits.memory" = "2048Mi", - "resources.requests.cpu" = "512m", - "resources.requests.memory" = "512Mi", - "aws.region" = data.aws_region.current.name - - } - ) - - conf = { - - "configs.secret.createSecret" = true - "configs.secret.argocdServerAdminPassword" = aws_ssm_parameter.encrypted.value - "global.securityContext.fsGroup" = "999" - "repoServer.env[0].name" = "AWS_DEFAULT_REGION" - "repoServer.env[0].value" = data.aws_region.current.name - "repoServer.serviceAccount.create" = "true" - "repoServer.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" = module.iam_assumable_role_admin.iam_role_arn - "repoServer.volumes[0].name" = "decryptor" - "repoServer.volumes[0].configMap.name" = "keyclock-decryptor" - "repoServer.volumes[0].configMap.items[0].key" = "decryptor" - "repoServer.volumes[0].configMap.items[0].path" = "decryptor" - "repoServer.volumeMounts[0].name" = "decryptor" - "repoServer.volumeMounts[0].mountPath" = "/opt/decryptor/bin" - "server.config.repositories" = local.secrets_conf - "server.config.configManagementPlugins" = yamlencode( - [{ - "name" = "decryptor" - "init" = { - "command" = ["/usr/bin/pip3"] - "args" = ["install", "boto3"] - } - "generate" = { - "command" = ["/usr/bin/python3"] - "args" = ["/opt/decryptor/bin/decryptor"] - } - }] - ) - - "server.service.type" = "NodePort" - "server.ingress.enabled" = length(var.domains) > 0 ? 
"true" : "false" - } - values = concat(coalescelist( - [ - { - "name" = "server.rbacConfig.policy\\.csv" - "value" = < { - "name" = "server.ingress.tls[${i}].hosts[0]" - "value" = "keyclock.${domain}" - } - }), - values({ - for i, domain in tolist(var.domains) : - "key" => { - "name" = "server.ingress.hosts[${i}]" - "value" = "keyclock.${domain}" - } - }), - values({ - for i, domain in tolist(var.domains) : - "key" => { - "name" = "server.ingress.tls[${i}].secretName" - "value" = "keyclock-${domain}-tls" - } - }), - values({ - for key, value in var.ingress_annotations : - key => { - "name" = "server.ingress.annotations.${replace(key, ".", "\\.")}" - "value" = value - } - }), - values({ - for key, value in merge(local.conf, var.conf) : - key => { - "name" = key - "value" = tostring(value) - } - }) - ) - application = { "apiVersion" = "argoproj.io/v1alpha1" "kind" = "Application" "metadata" = { @@ -339,10 +174,8 @@ EOF "project" = "default" "source" = { "repoURL" = local.repository - "targetRevision" = local.version - "chart" = local.chart "targetRevision" = var.chart_version - "chart" = var.chart_name + "chart" = local.chart "helm" = { "parameters" = values({ for key, value in local.conf : @@ -361,4 +194,4 @@ EOF } } } -} +} \ No newline at end of file diff --git a/keycloak/variables.tf b/keycloak/variables.tf index ed94cf0..8a2a20f 100644 --- a/keycloak/variables.tf +++ b/keycloak/variables.tf @@ -4,7 +4,13 @@ variable "argocd" { default = {} } -variable "namespace" { +variable "conf" { + type = map(string) + description = "A custom configuration for deployment" + default = {} +} + +variable "namespace" { type = string default = "" description = "A name of the existing namespace" @@ -12,8 +18,7 @@ variable "namespace" { variable "namespace_name" { type = string - default = "oauth" - default = "" + default = "keycloak" description = "A name of namespace for creating" } 
@@ -29,33 +34,50 @@ variable "cluster_name" { description = "A name of the Amazon EKS cluster" } +variable "domains" { + type = list(string) + default = ["local"] + description = "A list of domains to use for ingresses" +} + variable "chart_version" { type = string description = "A Helm Chart version" - default = "3.0.3" + default = "3.1.1" } -variable "domains" { - type = list(string) - default = ["local"] - description = "A list of domains to use for ingresses" - default = "" +variable "tags" { + type = map(string) + default = {} + description = "A tags for attaching to new created AWS resources" } -variable "chart_name" { +variable "keycloak_password" { type = string - description = "A chart name" + description = "Password for keycloak admin" default = "" } -variable "release_name" { +variable "keycloak_google_auth" { type = string - description = "A release name" + description = "Enables Google auth for keycloak" + default = false +} + +variable "keycloak_client_id" { + type = string + description = "The id of the client for keycloak Google auth" default = "" } -variable "conf" { - type = map(string) - description = "A custom configuration for deployment" - default = {} +variable "keycloak_client_secret" { + type = string + description = "The token of the client for keycloak Google auth" + default = "" } + +variable "keycloak_allowed_domains" { + type = string + description = "Allowed domain for keycloak Google auth" + default = "local" +} \ No newline at end of file From 02aa2c464349cbc65d26c6f426b7358603046a6e Mon Sep 17 00:00:00 2001 From: jamal68 Date: Wed, 23 Jun 2021 16:37:15 +0300 Subject: [PATCH 23/25] keyclock output --- keycloak/output.tf | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 keycloak/output.tf diff --git a/keycloak/output.tf b/keycloak/output.tf new file mode 100644 index 0000000..6cd5869 --- /dev/null +++ b/keycloak/output.tf 
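Review bot: `keycloak_password` and `keycloak_client_secret` are declared as plain `type = string` inputs without `sensitive = true`, so their values appear in plan and apply output wherever they are interpolated into `local.conf` and the `helm_release` `set` blocks; if the module targets Terraform 0.14 or later, add `sensitive = true` to both declarations (and consider the helm provider's `set_sensitive` block for the non-ArgoCD path). `keycloak_google_auth` is declared `type = string` with `default = false`, which is coerced to the string `"false"`; declaring it `type = bool` gives the `var.keycloak_google_auth ? local.argocd_enabled : 0` count expression in main.tf and the `KC_AUTH_GOOGLE_ENABLED` value a real boolean instead of relying on string-to-bool conversion. Minor: `keycloak_allowed_domains` is a single string but the chart key it feeds is `KC_AUTH_GOOGLE_ALLOWED_DOMAINS`; the description should state which form the value takes (a single domain or a delimited list) rather than just "Allowed domain for keycloak Google auth".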
@@ -0,0 +1,4 @@ +output "path_to_keycloak_password" { + value = aws_ssm_parameter.keycloak_password.id + description = "A SystemManager ParemeterStore key with keycloak admin password" +} \ No newline at end of file From 5b99f77595a05af8d9c9afab2e712ac894fb9f7e Mon Sep 17 00:00:00 2001 From: jamal68 Date: Wed, 23 Jun 2021 16:41:22 +0300 Subject: [PATCH 24/25] Update README.md --- keycloak/README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index 46860be..7e3f2df 100644 --- a/keycloak/README.md +++ b/keycloak/README.md @@ -4,11 +4,10 @@ It is a terraform module to deploy keycloak to EKS with ArgoCD. To integrate thi ## Example how add with module ``` module "keycloak" { - depends_on = [module.argocd] - source = "../../modules/keycloak" - cluster_name = module.kubernetes.cluster_name - argocd = module.argocd.state - domains = local.domain + source = "git::https://github.com/provectus/sak-keycloak.git" + cluster_name = module.kubernetes.cluster_name + argocd = module.argocd.state + domains = local.domain } ``` From b34d90d79e7b96b9ef9ed532cca24367b254acd5 Mon Sep 17 00:00:00 2001 From: jamal68 Date: Wed, 23 Jun 2021 16:43:13 +0300 Subject: [PATCH 25/25] Update README.md --- keycloak/README.md | 47 ---------------------------------------------- 1 file changed, 47 deletions(-) diff --git a/keycloak/README.md b/keycloak/README.md index 7e3f2df..7540159 100644 --- a/keycloak/README.md +++ b/keycloak/README.md 
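Review bot: The output description misspells "ParameterStore" (`ParemeterStore`) and does not say that the value is the parameter name rather than the password itself, which is what `aws_ssm_parameter...id` yields and is the right thing to expose; suggest `description = "Name of the SSM Parameter Store parameter that holds the keycloak admin password (read it with --with-decryption)"`. The referenced `aws_ssm_parameter.keycloak_password` does not appear in any hunk visible here (the earlier main.tf change removes `aws_ssm_parameter.this` and `aws_ssm_parameter.encrypted`), so it is presumably declared in a part of the module outside this diff; confirm it exists, otherwise the output will fail validation.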
@@ -11,54 +11,7 @@ module "keycloak" { } ``` -## Requirements -No requirements. -## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | n/a | -| [helm](#provider\_helm) | n/a | -| [kubernetes](#provider\_kubernetes) | n/a | -| [local](#provider\_local) | n/a | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [helm_release.keycloak](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | -| [kubernetes_namespace.this](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource | -| [local_file.this](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | -| [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [argocd](#input\_argocd) | A set of values for enabling deployment through ArgoCD | `map(string)` | `{}` | no | -| [chart\_version](#input\_chart\_version) | A Helm Chart version | `string` | `"3.0.3"` | no | -| [cluster\_name](#input\_cluster\_name) | A name of the Amazon EKS cluster | `string` | `null` | no | -| [conf](#input\_conf) | A custom configuration for deployment | `map(string)` | `{}` | no | -| [domains](#input\_domains) | A list of domains to use for ingresses | `list(string)` |
[
"local"
]
| no | -| [module\_depends\_on](#input\_module\_depends\_on) | A list of explicit dependencies | `list(any)` | `[]` | no | -| [namespace](#input\_namespace) | A name of the existing namespace | `string` | `""` | no | -| [namespace\_name](#input\_namespace\_name) | A name of namespace for creating | `string` | `"oauth"` | no | - -## Outputs - -No outputs. -It is a etrraform module to deploy keycloak to EKS with ArgoCD. -to integrate this module with our swiss-army-kube project, we add the module in main terraform file: - - - -To retrive keyclock password: -aws --region ssm get-parameter --with-decryption --name //keyclock/password | jq -r '.Parameter.Value'