create keycloak

keycloak/README.md

@@ -0,0 +1,17 @@
+
+It is a terraform module to deploy keycloak to EKS with ArgoCD. To integrate this module with our swiss-army-kube project, we add the module to the main terraform file:
+
+## Example how add with module
+```
+module "keycloak" {
+  source        = "git::https://github.com/provectus/sak-keycloak.git"
+  cluster_name      = module.kubernetes.cluster_name
+  argocd            = module.argocd.state
+  domains           = local.domain
+}
+```
+
+
+
+
+

keycloak/main.tf

@@ -0,0 +1,197 @@
+data "aws_eks_cluster" "this" {
+  name = var.cluster_name
+}
+
+data "aws_region" "current" {}
+
+resource "random_password" "keycloak_password" {
+  depends_on = [
+    var.module_depends_on
+  ]
+  length           = 16
+  special          = true
+  override_special = "!#%&*()-_=+[]{}<>:?"
+}
+
+resource "aws_ssm_parameter" "keycloak_password" {
+  name  = "/${var.cluster_name}/keycloak/password"
+  type  = "SecureString"
+  value = local.password
+}
+
+resource "kubernetes_namespace" "this" {
+  depends_on = [
+    var.module_depends_on
+  ]
+  count = var.namespace == "" ? 1 - local.argocd_enabled : 0
+  metadata {
+    name = var.namespace_name
+  }
+}
+
+resource "kubernetes_secret" "keycloak_auth" {
+  depends_on = [
+    var.module_depends_on
+  ]
+
+  count = var.keycloak_google_auth ? 1 - local.argocd_enabled : 0
+
+  metadata {
+    name      = "keycloak-auth"
+    namespace = local.namespace
+  }
+
+  data = {
+    KC_AUTH_GOOGLE_CLIENT_ID     = var.keycloak_client_id
+    KC_AUTH_GOOGLE_CLIENT_SECRET = var.keycloak_client_secret
+  }
+}
+
+resource "aws_kms_ciphertext" "keycloak_client_secret" {
+  count     = var.keycloak_google_auth && local.argocd_enabled > 0 ? 1 : 0
+  key_id    = var.argocd.kms_key_id
+  plaintext = base64encode(var.keycloak_client_secret)
+}
+
+resource "aws_kms_ciphertext" "keycloak_password" {
+  count     = local.argocd_enabled
+  key_id    = var.argocd.kms_key_id
+  plaintext = local.password
+}
+
+resource "local_file" "namespace" {
+  count = local.argocd_enabled
+  depends_on = [
+    var.module_depends_on
+  ]
+  content = yamlencode({
+    "apiVersion" = "v1"
+    "kind"       = "Namespace"
+    "metadata" = {
+      "name" = local.namespace
+    }
+  })
+  filename = "${path.root}/${var.argocd.path}/ns-${local.namespace}.yaml"
+}
+
+resource "local_file" "keycloak_auth" {
+  count = var.keycloak_google_auth ? local.argocd_enabled : 0
+  depends_on = [
+    var.module_depends_on
+  ]
+  content = yamlencode({
+    "apiVersion" = "v1"
+    "kind"       = "Secret"
+    "metadata" = {
+      "name"      = "keycloak-auth"
+      "namespace" = local.namespace
+    }
+    "stringData" = {
+      "KC_AUTH_GOOGLE_CLIENT_ID"     = var.keycloak_client_id
+      "KC_AUTH_GOOGLE_CLIENT_SECRET" = "KMS_ENC:${aws_kms_ciphertext.keycloak_client_secret[0].ciphertext_blob}:"
+    }
+  })
+  filename = "${path.root}/${var.argocd.path}/secret-keycloak-auth.yaml"
+}
+
+locals {
+  argocd_enabled = length(var.argocd) > 0 ? 1 : 0
+  namespace      = coalescelist(var.namespace == "" && local.argocd_enabled > 0 ? [{ "metadata" = [{ "name" = var.namespace_name }] }] : kubernetes_namespace.this, [{ "metadata" = [{ "name" = var.namespace }] }])[0].metadata[0].name
+}
+
+resource "helm_release" "this" {
+  count = 1 - local.argocd_enabled
+
+  depends_on = [
+    var.module_depends_on
+  ]
+
+  name          = local.name
+  repository    = local.repository
+  chart         = local.chart
+  version       = var.chart_version
+  namespace     = local.namespace
+  recreate_pods = true
+  timeout       = 1200
+
+  dynamic "set" {
+    for_each = merge(local.conf)
+
+    content {
+      name  = set.key
+      value = set.value
+    }
+  }
+}
+
+resource "local_file" "this" {
+  count = local.argocd_enabled
+  depends_on = [
+    var.module_depends_on
+  ]
+  content  = yamlencode(local.application)
+  filename = "${path.root}/${var.argocd.path}/${local.name}.yaml"
+}
+
+
+locals {
+  name       = "kube-keycloak"
+  repository = "https://github.com/bitnami/charts/tree/master/bitnami/keycloak/"
+  chart      = "kube-keycloak"
+  conf       = merge(local.conf_defaults, var.conf)
+  password   = var.keycloak_password == "" ? random_password.keycloak_password.result : var.keycloak_password
+  conf_defaults = {
+    "keycloak.enabled"                                 = true
+    "keycloak.pvc.enabled"                             = true
+    "keycloak.ingress.enabled"                         = true
+    "keycloak.ingress.hosts[0]"                        = "keycloak.${var.domains[0]}"
+    "keycloak.adminPassword"                           = local.argocd_enabled > 0 ? "KMS_ENC:${aws_kms_ciphertext.keycloak_password[0].ciphertext_blob}:" : local.password
+    "keycloak.env.KC_AUTH_GOOGLE_ENABLED"              = var.keycloak_google_auth
+    "keycloak.env.KC_AUTH_GOOGLE_ALLOWED_DOMAINS"      = var.keycloak_allowed_domains
+    "keycloak.env.KC_AUTH_GOOGLE_CLIENT_ID"            = var.keycloak_client_id
+    //TODO: Change to work with secret
+    "keycloak.env.KC_AUTH_GOOGLE_CLIENT_SECRET"        = var.keycloak_client_secret
+    "keycloak.ingress.enabled"                      = false
+    "namespace"                                       = local.namespace
+    "rbac.create"                                     = true,
+    "resources.limits.cpu"                            = "100m",
+    "resources.limits.memory"                         = "300Mi",
+    "resources.requests.cpu"                          = "100m",
+    "resources.requests.memory"                       = "300Mi"
+  }
+  application = {
+    "apiVersion" = "argoproj.io/v1alpha1"
+    "kind"       = "Application"
+    "metadata" = {
+      "name"      = local.name
+      "namespace" = var.argocd.namespace
+    }
+    "spec" = {
+      "destination" = {
+        "namespace" = local.namespace
+        "server"    = "https://kubernetes.default.svc"
+      }
+      "project" = "default"
+      "source" = {
+        "repoURL"        = local.repository
+        "targetRevision" = var.chart_version
+        "chart"          = local.chart
+        "helm" = {
+          "parameters" = values({
+            for key, value in local.conf :
+            key => {
+              "name"  = key
+              "value" = tostring(value)
+            }
+          })
+        }
+      }
+      "syncPolicy" = {
+        "automated" = {
+          "prune"    = true
+          "selfHeal" = true
+        }
+      }
+    }
+  }
+}

keycloak/output.tf

@@ -0,0 +1,4 @@
+output "path_to_keycloak_password" {
+  value       = aws_ssm_parameter.keycloak_password.id
+  description = "A SystemManager ParemeterStore key with keycloak admin password"
+}

keycloak/variables.tf

@@ -0,0 +1,83 @@
+variable "argocd" {
+  type        = map(string)
+  description = "A set of values for enabling deployment through ArgoCD"
+  default     = {}
+}
+
+variable "conf" {
+  type        = map(string)
+  description = "A custom configuration for deployment"
+  default     = {}
+}
+
+variable "namespace" {
+  type        = string
+  default     = ""
+  description = "A name of the existing namespace"
+}
+
+variable "namespace_name" {
+  type        = string
+  default     = "keycloak"
+  description = "A name of namespace for creating"
+}
+
+variable "module_depends_on" {
+  default     = []
+  type        = list(any)
+  description = "A list of explicit dependencies"
+}
+
+variable "cluster_name" {
+  type        = string
+  default     = null
+  description = "A name of the Amazon EKS cluster"
+}
+
+variable "domains" {
+  type        = list(string)
+  default     = ["local"]
+  description = "A list of domains to use for ingresses"
+}
+
+variable "chart_version" {
+  type        = string
+  description = "A Helm Chart version"
+  default     = "3.1.1"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "A tags for attaching to new created AWS resources"
+}
+
+variable "keycloak_password" {
+  type        = string
+  description = "Password for keycloak admin"
+  default     = ""
+}
+
+variable "keycloak_google_auth" {
+  type        = string
+  description = "Enables Google auth for keycloak"
+  default     = false
+}
+
+variable "keycloak_client_id" {
+  type        = string
+  description = "The id of the client for keycloak Google auth"
+  default     = ""
+}
+
+variable "keycloak_client_secret" {
+  type        = string
+  description = "The token of the client for keycloak Google auth"
+  default     = ""
+}
+
+variable "keycloak_allowed_domains" {
+  type        = string
+  description = "Allowed domain for keycloak Google auth"
+  default     = "local"
+}