From b01aab4e50525c23b9c9dd430c8faffd9bc8f75a Mon Sep 17 00:00:00 2001 From: Simon Li Date: Mon, 11 Dec 2023 17:53:57 +0000 Subject: [PATCH 1/8] Optional VPC: Allow use of existing VPC and subnets --- ecs-cluster/keycloak.tf | 18 +++++++++++------- ecs-cluster/variables.tf | 18 ++++++++++++++++++ ecs-cluster/vpc.tf | 8 ++++++++ 3 files changed, 37 insertions(+), 7 deletions(-) diff --git a/ecs-cluster/keycloak.tf b/ecs-cluster/keycloak.tf index 8706233..8d82350 100644 --- a/ecs-cluster/keycloak.tf +++ b/ecs-cluster/keycloak.tf @@ -3,6 +3,10 @@ data "aws_caller_identity" "current" {} locals { container-port = 8443 keycloak-hostname = var.keycloak-hostname == "" ? aws_lb.keycloak.dns_name : var.keycloak-hostname + + vpc_id = var.vpc-id == "" ? module.vpc[0].vpc_id : var.vpc-id + public_subnets = var.public-subnets == [] ? module.vpc[0].public_subnets : var.public-subnets + private_subnets = var.private-subnets == [] ? module.vpc[0].private_subnets : var.private-subnets } resource "random_password" "db-password" { @@ -18,7 +22,7 @@ resource "random_string" "initial-keycloak-password" { resource "aws_security_group" "rds" { name = "${var.name}-sg-rds" - vpc_id = module.vpc.vpc_id + vpc_id = local.vpc_id ingress { from_port = 5432 @@ -30,7 +34,7 @@ resource "aws_security_group" "rds" { resource "aws_security_group" "alb" { name = "${var.name}-sg-alb" - vpc_id = module.vpc.vpc_id + vpc_id = local.vpc_id ingress { protocol = "tcp" @@ -56,7 +60,7 @@ resource "aws_security_group" "alb" { resource "aws_security_group" "ecs-task-keycloak" { name = "${var.name}-sg-task-keycloak" - vpc_id = module.vpc.vpc_id + vpc_id = local.vpc_id ingress { protocol = "tcp" @@ -80,7 +84,7 @@ resource "aws_lb" "keycloak" { internal = false load_balancer_type = "application" security_groups = [aws_security_group.alb.id] - subnets = module.vpc.public_subnets + subnets = local.public_subnets enable_deletion_protection = true 
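Review bot: In the new `locals` block, `var.public-subnets == []` and `var.private-subnets == []` compare a `list(string)` against an empty tuple literal, which Terraform may treat as values of different types rather than converting them, so the comparison can be false even when the list is empty; with the default inputs (`vpc-id = ""`, no subnets) that would skip the fallback to `module.vpc[0]` and hand the ALB and the DB subnet group an empty subnet list. The length idiom avoids the question: `public_subnets = length(var.public-subnets) == 0 ? module.vpc[0].public_subnets : var.public-subnets` and the same shape for `private_subnets`. As a point of style, the three new locals use underscores while the existing entries in this block use hyphens (`container-port`, `keycloak-hostname`); `vpc-id`, `public-subnets` and `private-subnets` would match both the file and the variable names they mirror.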
@@ -91,7 +95,7 @@ resource "aws_alb_target_group" "keycloak" { name = "${var.name}-tg" port = 443 protocol = "HTTPS" - vpc_id = module.vpc.vpc_id + vpc_id = local.vpc_id target_type = "ip" health_check { @@ -172,7 +176,7 @@ resource "aws_db_parameter_group" "keycloak" { resource "aws_db_subnet_group" "keycloak" { name = "${var.name}-keycloak" - subnet_ids = module.vpc.private_subnets + subnet_ids = local.private_subnets } resource "aws_db_instance" "keycloak" { @@ -352,7 +356,7 @@ resource "aws_ecs_service" "keycloak" { aws_security_group.rds.id, aws_security_group.ecs-task-keycloak.id ] - subnets = module.vpc.private_subnets + subnets = local.private_subnets # TODO: Setting this to False means the image can't be pulled. Why? It works in K8s. # assign_public_ip = true } diff --git a/ecs-cluster/variables.tf b/ecs-cluster/variables.tf index 656ffe0..53ca523 100644 --- a/ecs-cluster/variables.tf +++ b/ecs-cluster/variables.tf @@ -22,6 +22,24 @@ variable "lb-cidr-blocks-in" { description = "CIDR blocks to allow access to the load balancer" } +variable "vpc-id" { + type = string + default = "" + description = "VPC ID, if empty creates a new VPC" +} + +variable "public-subnets" { + type = list(string) + default = [] + description = "Public subnet IDs, must be defined if vpc-id is provided" +} + +variable "private-subnets" { + type = list(string) + default = [] + description = "Private subnet IDs, must be defined if vpc-id is provided" +} + variable "db-name" { type = string default = "keycloak" diff --git a/ecs-cluster/vpc.tf b/ecs-cluster/vpc.tf index 0303fb4..273ea79 100644 --- a/ecs-cluster/vpc.tf +++ b/ecs-cluster/vpc.tf @@ -3,6 +3,7 @@ data "aws_availability_zones" "available" {} module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.2.0" + count = var.vpc-id == "" ? 1 : 0 name = "${var.name}-vpc" cidr = "10.199.0.0/16" 
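Review bot: The descriptions of `public-subnets` and `private-subnets` say they must be set when `vpc-id` is provided, but nothing enforces it, so a caller who supplies `vpc-id` alone ends up with an empty subnet list and an opaque apply-time error from the ALB or the DB subnet group instead of a clear message. A `validation` block cannot reference another variable in older Terraform releases, so a `precondition` on the consuming resources (or a `check` block) is the place to assert `var.vpc-id == "" || length(var.public-subnets) > 0`, and likewise for the private list. The `private-subnets` description should also say that the module places RDS and the Keycloak tasks in these subnets without verifying that they are actually non-public, since with an existing VPC that isolation becomes the caller's responsibility.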
@@ -18,3 +19,10 @@ module "vpc" { manage_default_network_acl = false map_public_ip_on_launch = true } + +# Backwards compatibility with existing deployments +# https://developer.hashicorp.com/terraform/language/modules/develop/refactoring#enabling-count-or-for_each-for-a-resource +moved { + from = module.vpc + to = module.vpc[0] +} From dc8987cae95e46384c69e62aedd4ac6de0498fe7 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Wed, 24 Jan 2024 15:13:12 +0000 Subject: [PATCH 2/8] Keycloak 23.0.4 --- container/Dockerfile | 2 +- ecs-cluster/terraform.tf | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/container/Dockerfile b/container/Dockerfile index 65567e2..e2293ae 100644 --- a/container/Dockerfile +++ b/container/Dockerfile @@ -1,6 +1,6 @@ # https://www.keycloak.org/server/containers -ARG KEYCLOAK_VERSION=22.0.5 +ARG KEYCLOAK_VERSION=23.0.4 FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION as builder ENV KC_DB=postgres diff --git a/ecs-cluster/terraform.tf b/ecs-cluster/terraform.tf index 5af2fbb..446a5cd 100644 --- a/ecs-cluster/terraform.tf +++ b/ecs-cluster/terraform.tf @@ -1,8 +1,3 @@ -terraform { - backend "s3" { - } -} - provider "aws" { region = var.region From d3d9805e5a1ff76130a9b3b9a27d2ff686272865 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Tue, 5 Mar 2024 17:54:56 +0000 Subject: [PATCH 3/8] Keycloak 24.0.0, replace `KC_PROXY` with `KC_PROXY_HEADERS` --- container/Dockerfile | 2 +- ecs-cluster/keycloak.tf | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/container/Dockerfile b/container/Dockerfile index e2293ae..f6ec107 100644 --- a/container/Dockerfile +++ b/container/Dockerfile @@ -1,6 +1,6 @@ # https://www.keycloak.org/server/containers -ARG KEYCLOAK_VERSION=23.0.4 +ARG KEYCLOAK_VERSION=24.0.0 FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION as builder ENV KC_DB=postgres diff --git a/ecs-cluster/keycloak.tf b/ecs-cluster/keycloak.tf index 8d82350..ab36ff7 100644 --- a/ecs-cluster/keycloak.tf 
+++ b/ecs-cluster/keycloak.tf @@ -315,10 +315,12 @@ resource "aws_ecs_task_definition" "keycloak" { name = "KC_HOSTNAME" value = local.keycloak-hostname }, - # https://github.com/keycloak/keycloak/issues/13114 + # https://www.keycloak.org/server/reverseproxy + # AWS load balancers set X-Forwarded not Forwarded + # https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html { - name = "KC_PROXY" - value = "reencrypt" + name = "KC_PROXY_HEADERS" + value = "xforwarded" }, # { # name = "KC_LOG_LEVEL" From 7fb825b7167a75060506913abcf5dea2bc816990 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Wed, 6 Mar 2024 13:07:56 +0000 Subject: [PATCH 4/8] keycloak log-level can be configured --- ecs-cluster/keycloak.tf | 8 ++++---- ecs-cluster/variables.tf | 6 ++++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ecs-cluster/keycloak.tf b/ecs-cluster/keycloak.tf index ab36ff7..adb35a0 100644 --- a/ecs-cluster/keycloak.tf +++ b/ecs-cluster/keycloak.tf @@ -322,10 +322,10 @@ resource "aws_ecs_task_definition" "keycloak" { name = "KC_PROXY_HEADERS" value = "xforwarded" }, - # { - # name = "KC_LOG_LEVEL" - # value = "debug" - # } + { + name = "KC_LOG_LEVEL" + value = var.keycloak-loglevel + }, ] portMappings = [{ protocol = "tcp" diff --git a/ecs-cluster/variables.tf b/ecs-cluster/variables.tf index 53ca523..f5e7d54 100644 --- a/ecs-cluster/variables.tf +++ b/ecs-cluster/variables.tf @@ -75,6 +75,12 @@ variable "keycloak-hostname" { description = "Keycloak hostname, if empty uses the load-balancer hostname" } +variable "keycloak-loglevel" { + type = string + default = "INFO" + description = "Keycloak log-level e.g. DEBUG." +} + variable "desired-count" { type = number description = "Number of Keycloak containers to run, set to 0 for DB maintenance" From d381fa5a9b47edbd42a19945f95e296124dc2d22 Mon Sep 17 00:00:00 2001 
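Review bot: `KC_PROXY_HEADERS = "xforwarded"` makes Keycloak trust `X-Forwarded-*` from whatever connects to the container port, so the client address and scheme it records are spoofable by anything that can reach the task directly rather than through the ALB. The ingress rules of `aws_security_group.ecs-task-keycloak` are outside this hunk, so I cannot confirm they admit only the ALB security group; if they do, a comment stating that dependency here keeps the two from drifting apart, e.g. `# proxy-headers trusts X-Forwarded-* from any peer: the task SG must admit only the ALB`. The enclosing `aws_ecs_task_definition` block starts and ends outside the hunk.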
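Review bot: The new `keycloak-loglevel` variable is passed straight into `KC_LOG_LEVEL` (in the `keycloak.tf` hunk of this patch) with no validation, so a typo surfaces as a container start failure rather than a plan-time message; a `validation` block restricting it to Keycloak's level names would catch that, bearing in mind that Keycloak also accepts category overrides such as `INFO,org.keycloak:DEBUG`, which may or may not be intended here. The description should also carry the operational caveat that verbose levels put request and session details into the container logs, e.g. `description = "Keycloak log-level e.g. DEBUG. DEBUG/TRACE can expose request details in the container logs; use INFO outside troubleshooting."`.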
From: Simon Li Date: Wed, 6 Mar 2024 13:08:13 +0000 Subject: [PATCH 5/8] Allow KC_DB to be overridden at runtime --- container/entrypoint.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/container/entrypoint.sh b/container/entrypoint.sh index f08368d..e3ca085 100755 --- a/container/entrypoint.sh +++ b/container/entrypoint.sh @@ -6,4 +6,10 @@ set -eu cd /opt/keycloak keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=$KC_HOSTNAME" -alias server -ext "SAN:c=DNS:$KC_HOSTNAME,DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore +# If KC_DB has been overridden then need to rebuild the config +if [ "$KC_DB" != postgres ]; then + echo "KC_DB has been overridden to $KC_DB, rebuilding" + /opt/keycloak/bin/kc.sh build +fi + exec /opt/keycloak/bin/kc.sh "$@" From 0d11baf2480807debaad3f463713dd01fb0357b9 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Wed, 6 Mar 2024 13:10:09 +0000 Subject: [PATCH 6/8] Add and check /health endpoint --- ecs-cluster/keycloak.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ecs-cluster/keycloak.tf b/ecs-cluster/keycloak.tf index adb35a0..567a48a 100644 --- a/ecs-cluster/keycloak.tf +++ b/ecs-cluster/keycloak.tf @@ -104,7 +104,7 @@ resource "aws_alb_target_group" "keycloak" { protocol = "HTTPS" matcher = "200" timeout = "5" - path = "/" + path = "/health" unhealthy_threshold = "2" } } @@ -322,6 +322,10 @@ resource "aws_ecs_task_definition" "keycloak" { name = "KC_PROXY_HEADERS" value = "xforwarded" }, + { + name = "KC_HEALTH_ENABLED" + value = "true" + }, { name = "KC_LOG_LEVEL" value = var.keycloak-loglevel From 1a5e458c58bcdeaa03249c7b61f7040ef0070d22 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Wed, 6 Mar 2024 13:28:00 +0000 Subject: [PATCH 7/8] Healthcheck has to be defined at build time not runtime --- container/Dockerfile | 1 + ecs-cluster/keycloak.tf | 4 ---- 2 files changed, 1 insertion(+), 4 deletions(-) 
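Review bot: `[ "$KC_DB" != postgres ]` runs under `set -eu`, so if the task definition ever unsets `KC_DB` the script aborts on an unbound variable, and if it sets it to an empty string the branch rebuilds with an empty database type, instead of falling back to the postgres default the image was built with; `if [ "${KC_DB:-postgres}" != postgres ]; then` makes the default explicit. The rebuild also writes into `/opt/keycloak` at container start, which presumably fails if the task is ever run with a read-only root filesystem, so a comment noting that constraint next to the `kc.sh build` call would help the next operator.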
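Review bot: The target group now probes `/health`, which Keycloak serves only when health was enabled at image build time (a later patch in this series moves `KC_HEALTH_ENABLED` into the Dockerfile for exactly that reason), so a comment on the `path` line, e.g. `# requires the image to be built with KC_HEALTH_ENABLED=true`, would spare the next reader the same detour. Because the endpoint is served on the task port, the same unauthenticated path is presumably also reachable through the ALB listener; the listener rules are outside this hunk, and as far as I know the health responses carry only a status and check names, so this is a documentation point rather than an exposure. The enclosing `aws_alb_target_group` resource starts outside the hunk.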
diff --git a/container/Dockerfile b/container/Dockerfile index f6ec107..a9a70dc 100644 --- a/container/Dockerfile +++ b/container/Dockerfile @@ -5,6 +5,7 @@ FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION as builder ENV KC_DB=postgres ENV KC_HOSTNAME=localhost +ENV KC_HEALTH_ENABLED=true RUN /opt/keycloak/bin/kc.sh build diff --git a/ecs-cluster/keycloak.tf b/ecs-cluster/keycloak.tf index 567a48a..b5bcd1e 100644 --- a/ecs-cluster/keycloak.tf +++ b/ecs-cluster/keycloak.tf @@ -322,10 +322,6 @@ resource "aws_ecs_task_definition" "keycloak" { name = "KC_PROXY_HEADERS" value = "xforwarded" }, - { - name = "KC_HEALTH_ENABLED" - value = "true" - }, { name = "KC_LOG_LEVEL" value = var.keycloak-loglevel From 0d76936dfc9c635a734c6a00122ca5d1792a5658 Mon Sep 17 00:00:00 2001 From: Simon Li Date: Thu, 4 Apr 2024 17:30:49 +0100 Subject: [PATCH 8/8] Keycloak 24.0.2 --- container/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/Dockerfile b/container/Dockerfile index a9a70dc..eb34f69 100644 --- a/container/Dockerfile +++ b/container/Dockerfile @@ -1,6 +1,6 @@ # https://www.keycloak.org/server/containers -ARG KEYCLOAK_VERSION=24.0.0 +ARG KEYCLOAK_VERSION=24.0.2 FROM quay.io/keycloak/keycloak:$KEYCLOAK_VERSION as builder ENV KC_DB=postgres
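Review bot: `ENV KC_HEALTH_ENABLED=true` is placed before `RUN /opt/keycloak/bin/kc.sh build` with no explanation, and the commit message is the only record that this is a build-time option; a one-line comment such as `# health-enabled is a build-time option and cannot be switched on from the ECS task definition` keeps that knowledge with the code. Since ENV persists into the runtime image, the `kc.sh build` that the entrypoint runs when `KC_DB` is overridden will presumably keep health enabled as well, which is worth stating here so the two build paths are not assumed to differ.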