MinIO Azure Container App

This repository provides both local development and Azure production deployment for MinIO object storage with Keycloak SSO authentication, Coraza WAF protection, and opkssh SSH certificate authentication.

🚀 Quick Start

Local Development

For local testing and development:

cd docker-compose
./setup-local.sh

See docker-compose/README.md for complete local development documentation.

Azure Deployment

For production deployment to Azure:

terraform init
terraform plan
terraform apply

See Terraform Usage below for details.

📁 Repository Structure

.
├── docker-compose/           # Local development environment
│   ├── README.md            # Complete local dev documentation
│   ├── setup-local.sh       # Automated local setup
│   └── ...                  # Docker Compose configuration
│
├── main.tf                  # Terraform Azure deployment
├── variables.tf             # Terraform variables
├── outputs.tf              # Terraform outputs
└── README.md               # This file

🏗️ Architecture

Azure Production Architecture

graph TD
    subgraph "Client Access"
        Client[External Traffic<br/>HTTPS: 443, 8443, 8444<br/>IP Restricted]
    end

    subgraph "Azure Virtual Network"
        subgraph "Application Gateway Subnet"
            AppGW[Azure Application Gateway<br/>SSL Termination<br/>Load Balancing]
        end

        subgraph "Container Instances Subnet"
            subgraph "WAF Layer"
                WAF[Coraza WAF<br/>Caddy Reverse Proxy<br/>:8080, :8081, :8082]
            end

            subgraph "Application Services"
                MinIO[MinIO Object Storage<br/>UI: :9001<br/>API: :9000]
                Keycloak[Keycloak<br/>OIDC Provider<br/>:8083]
            end

            subgraph "Data Layer"
                DB[(MariaDB<br/>:3306)]
                MinIOStorage[(Azure File Share<br/>MinIO Data)]
                KeycloakStorage[(Azure File Share<br/>Keycloak Data)]
                DBStorage[(Azure File Share<br/>MariaDB Data)]
            end
        end
    end

    Client --> AppGW
    AppGW --> WAF
    WAF -->|:8080/:8081| MinIO
    WAF -->|:8082| Keycloak
    MinIO --> MinIOStorage
    MinIO -.OIDC Auth.-> Keycloak
    Keycloak --> DB
    Keycloak --> KeycloakStorage
    DB --> DBStorage

    style Client fill:#e3f2fd
    style AppGW fill:#fff3e0
    style WAF fill:#ff9800
    style MinIO fill:#2196f3
    style Keycloak fill:#4caf50
    style DB fill:#607d8b
    style MinIOStorage fill:#b0bec5
    style KeycloakStorage fill:#b0bec5
    style DBStorage fill:#b0bec5

🧩 Components

Core Services

MinIO: S3-compatible object storage with OIDC authentication
Keycloak: Enterprise identity and access management
MariaDB: Database backend for Keycloak
Coraza WAF: OWASP Core Rule Set protection with rate limiting

Azure Infrastructure

Application Gateway: SSL termination, load balancing, IP restrictions (ports 443/8443/8444)
Network Security Group: IP-based access control
Azure File Shares: Persistent storage for MinIO, MariaDB, and Keycloak data
Virtual Network: Network isolation with dedicated subnets
Key Vault: Secure certificate storage

Additional Features

opkssh: SSH certificate-based authentication using OIDC (local development only)

🛠️ Terraform Deployment

Prerequisites

Azure Subscription
Terraform >= 1.0
Azure CLI (logged in)

Variables

Create a terraform.tfvars file from the example:

cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your values

Minimum required variables:

resource_group_name      = "minio-production"
public_url_domain_name   = "minio-prod"
minio_root_password      = "your-secure-password"
keycloak_admin_password  = "your-keycloak-admin-password"
allowed_ip_addresses     = "203.0.113.0/32,198.51.100.0/24"

See terraform.tfvars.example for all available options.

Deployment

terraform init
terraform plan
terraform apply

Outputs

After deployment, Terraform provides:

console_url: MinIO web console URL
s3_api_url: MinIO S3 API endpoint
keycloak_url: Keycloak admin console
fqdn: Fully qualified domain name
mc_alias_command: MinIO client configuration command
certificate_download_command: Download self-signed certificate

🌐 Accessing Services (Azure)

MinIO Web Console

https://your-domain.azurecontainer.io/

Login with:

Root credentials: Configured via minio_root_user and minio_root_password
SSO: Click "Login with SSO" for Keycloak authentication

MinIO S3 API

https://your-domain.azurecontainer.io:8443/

Keycloak Admin Console

https://your-domain.azurecontainer.io:8444/

Default realm: minio_realm

Admin user: admin (password from keycloak_admin_password)
Test user: testuser / [email protected]

MinIO Client Setup

# Get the setup command from Terraform output
terraform output -raw mc_alias_command

# Or manually configure
mc alias set myminio https://your-fqdn.azurecontainer.io:8443 minioadmin your-password

# Download certificate if needed
terraform output -raw certificate_pem > minio-cert.pem

🔒 Security Features

WAF Protection (Coraza + OWASP CRS)

OWASP Core Rule Set v4
SQL injection prevention
XSS protection
Command injection blocking
Path traversal prevention
Rate limiting per source IP
Audit logging

Infrastructure Security

IP Restrictions: NSG rules limit access to specified IPs
SSL Termination: Azure Application Gateway encrypts all traffic
Network Isolation: Dedicated VNet with subnet segmentation
Internal Communication: Container-to-container traffic stays within group
Certificate Storage: Azure Key Vault for SSL certificates
No Direct Access: MinIO/Keycloak ports not exposed externally

📦 Azure Resources Created

Application Gateway: SSL termination, load balancing (ports 443, 8443, 8444)
Virtual Network: Network isolation with Application Gateway + Container Instance subnets
Network Security Group: IP-based access restrictions
Container Group: Hosts MinIO, Keycloak, MariaDB, and Coraza WAF
Storage Account: Persistent storage backend
Storage Shares: Separate shares for MinIO, MariaDB, and Keycloak data
Key Vault: Secure certificate storage
Log Analytics Workspace: Monitoring and diagnostics

📚 Additional Documentation

docker-compose/README.md - Complete local development guide
README-coraza.md - Coraza WAF container documentation
Terraform Variables - Complete variable reference below

Requirements

Name	Version
azurerm	4.36.0
random	~> 3.1

Modules

No modules.

Resources

Name	Type
azurerm_application_gateway.minio_agw	resource
azurerm_container_group.minio_aci_container_group	resource
azurerm_key_vault.minio_kv	resource
azurerm_key_vault_access_policy.agw_policy	resource
azurerm_key_vault_access_policy.minio_cert_policy	resource
azurerm_key_vault_certificate.minio_cert	resource
azurerm_log_analytics_workspace.minio_law	resource
azurerm_network_security_group.agw_nsg	resource
azurerm_network_security_rule.allow_agw_management	resource
azurerm_network_security_rule.allow_azureloadbalancer	resource
azurerm_network_security_rule.allow_https_api	resource
azurerm_network_security_rule.allow_https_keycloak	resource
azurerm_network_security_rule.allow_https_ui	resource
azurerm_network_security_rule.deny_all	resource
azurerm_public_ip.agw_pip	resource
azurerm_resource_group.minio_rg	resource
azurerm_storage_account.minio_storage_account	resource
azurerm_storage_share.keycloak_share	resource
azurerm_storage_share.mariadb_share	resource
azurerm_storage_share.minio_share	resource
azurerm_subnet.aci_subnet	resource
azurerm_subnet.agw_subnet	resource
azurerm_subnet_network_security_group_association.agw_nsg_association	resource
azurerm_user_assigned_identity.agw_identity	resource
azurerm_virtual_network.minio_vnet	resource
random_password.keycloak_client_secret	resource
random_password.mariadb_password	resource
random_string.storage_suffix	resource
azurerm_client_config.current	data source

Inputs

Name	Description	Type	Default	Required
allowed_ip_addresses	Comma-separated list of IP addresses that will be allowed to access the MinIO service in CIDR format. Example: '203.0.113.0/32' for a single IP or '10.10.10.2/32,192.168.1.0/24' for multiple IPs.	`string`	`"10.10.10.2/32"`	no
coraza_waf_image	Coraza WAF container image	`string`	`"ghcr.io/meshcloud/minio_azure_container_app/coraza-caddy:caddy-2.8-coraza-v2.0.0"`	no
keycloak_admin_password	Keycloak admin password	`string`	n/a	yes
keycloak_admin_user	Keycloak admin username	`string`	`"admin"`	no
keycloak_test_user_email	Keycloak test user email	`string`	`"[email protected]"`	no
keycloak_test_user_password	Keycloak test user password	`string`	`"password"`	no
keycloak_test_user_username	Keycloak test user username	`string`	`"testuser"`	no
location	Azure region for deployment	`string`	`"germanywestcentral"`	no
mariadb_database	MariaDB database name for Keycloak	`string`	`"mariadb"`	no
mariadb_user	MariaDB username	`string`	`"keycloak"`	no
minio_image	MinIO container image	`string`	`"quay.io/minio/minio:RELEASE.2025-04-22T22-12-26Z"`	no
minio_root_password	MinIO root password for admin access	`string`	n/a	yes
minio_root_user	MinIO root username for admin access	`string`	`"minioadmin"`	no
nginx_image	Nginx container image	`string`	`"mcr.microsoft.com/azurelinux/base/nginx:1.25"`	no
opkssh_redirect_uris	OpenPubkey SSH client redirect URIs for local development	`list(string)`	[ "http://localhost:3000/login-callback", "http://localhost:10001/login-callback", "http://localhost:11110/login-callback" ]	no
public_url_domain_name	Domain name for the public URL (e.g., 'miniotest' creates 'miniotest.westeurope.azurecontainer.io')	`string`	n/a	yes
resource_group_name	Name of the Resource Group where you want to deploy MinIO	`string`	n/a	yes
storage_account_name	Storage Account Name prefix (random suffix will be added for global uniqueness)	`string`	`"miniostorage"`	no
storage_share_size	Storage space needed in GBs (minimum 1GB, maximum 5120GB/5TB)	`number`	`100`	no

Outputs

Name	Description
certificate_download_command	Command to download certificate locally
certificate_pem	Self-signed certificate in PEM format (public cert)
console_url	MinIO Web Console URL
fqdn	Fully qualified domain name
keycloak_client_secret	Generated Keycloak OIDC client secret for MinIO
keycloak_url	Keycloak admin console URL
mc_alias_command	MinIO client setup command
public_ip	Public IP address
s3_api_url	MinIO S3 API endpoint
storage_account_name	Azure Storage Account name

Name		Name	Last commit message	Last commit date
Latest commit History 93 Commits
.github		.github
docker-compose		docker-compose
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
.terraform-docs.yml		.terraform-docs.yml
.tflint.hcl		.tflint.hcl
Caddyfile		Caddyfile
Caddyfile.azure		Caddyfile.azure
Dockerfile		Dockerfile
README-coraza.md		README-coraza.md
README.md		README.md
flake.lock		flake.lock
flake.nix		flake.nix
main.tf		main.tf
minio-realm-config.json.tpl		minio-realm-config.json.tpl
outputs.tf		outputs.tf
providers.tf		providers.tf
terraform.tftest.hcl		terraform.tftest.hcl
terraform.tfvars.example		terraform.tfvars.example
variables.tf		variables.tf
versions.tf		versions.tf

meshcloud/minio_azure_container_app

Folders and files

Latest commit

History

Repository files navigation

MinIO Azure Container App

🚀 Quick Start

Local Development

Azure Deployment

📁 Repository Structure

🏗️ Architecture

Azure Production Architecture

🧩 Components

Core Services

Azure Infrastructure

Additional Features

🛠️ Terraform Deployment

Prerequisites

Variables

Deployment

Outputs

🌐 Accessing Services (Azure)

MinIO Web Console

MinIO S3 API

Keycloak Admin Console

MinIO Client Setup

🔒 Security Features

WAF Protection (Coraza + OWASP CRS)

Infrastructure Security

📦 Azure Resources Created

📚 Additional Documentation

Requirements

Modules

Resources

Inputs

Outputs

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases 1

Packages 0

Uh oh!

Contributors 3

Uh oh!

Languages

Packages