adding keycloak terrafrom setup

florianow · florianow · commit b3eca808a1ca · 2025-11-19T16:23:02.000+01:00
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # MinIO Azure Container App
 
-This repo deploys a MinIO Container to an **Azure Container Group** with Azure Application Gateway for SSL termination, IP restrictions, and Coraza WAF for comprehensive security protection.
+This repo deploys a MinIO Container to an **Azure Container Group** with Azure Application Gateway for SSL termination, IP restrictions, Coraza WAF for comprehensive security protection, and Keycloak for SSO authentication.
 
 ---
 
@@ -9,18 +9,24 @@ This repo deploys a MinIO Container to an **Azure Container Group** with Azure A
 ```mermaid
 flowchart TD
     subgraph External
-        A[External Traffic<br>HTTPS:443 / 8443<br>IP Restricted]
+        A[External Traffic<br>HTTPS:443 / 8443 / 8444<br>IP Restricted]
     end
 
     A --> B[Azure Application Gateway<br>SSL Termination & Load Balancing<br>IP Restrictions via NSG]
 
-    B --> C[Coraza WAF Container<br>Ports: 8080, 8081<br>OWASP CRS + Rate Limiting]
+    B --> C[Coraza WAF Container<br>Ports: 8080, 8081, 8082<br>OWASP CRS + Rate Limiting]
 
     C -->|Port 8080| E[MinIO UI<br>Port 9001]
     C -->|Port 8081| F[MinIO API<br>Port 9000]
+    C -->|Port 8082| K[Keycloak<br>Port 8080]
 
     E --> G[Azure File Share / Storage Account]
     F --> G
+    K --> H[PostgreSQL<br>Port 5432]
+    K --> I[Azure File Share<br>Keycloak Data]
+    H --> J[Azure File Share<br>Postgres Data]
+
+    E -.OIDC Auth.-> K
 
     subgraph "Azure Virtual Network"
         subgraph "Application Gateway Subnet"
@@ -30,6 +36,8 @@ flowchart TD
             C
             E
             F
+            K
+            H
         end
     end
 ```
@@ -38,11 +46,13 @@ flowchart TD
 
 ## Components
 
-* **MinIO Container**: Runs the object storage service (ports 9000/9001 - internal only)
-* **Azure Application Gateway**: Provides SSL termination, load balancing, and IP restrictions (ports 443/8443 - externally exposed)
-* **Coraza WAF Container**: Modern WAF with OWASP Core Rule Set protecting both UI (8080) and API (8081)
+* **MinIO Container**: Runs the object storage service with OIDC authentication (ports 9000/9001 - internal only)
+* **Keycloak Container**: Identity provider for SSO authentication (port 8080 - internal, exposed via port 8444 externally)
+* **PostgreSQL Container**: Database backend for Keycloak (port 5432 - internal only)
+* **Azure Application Gateway**: Provides SSL termination, load balancing, and IP restrictions (ports 443/8443/8444 - externally exposed)
+* **Coraza WAF Container**: Modern WAF with OWASP Core Rule Set protecting MinIO UI (8080), API (8081), and Keycloak (8082)
 * **Network Security Group**: Controls inbound traffic with IP-based access restrictions
-* **Storage**: Uses Azure File Share for persistent data storage
+* **Storage**: Uses Azure File Shares for persistent data storage (MinIO data, Postgres data, Keycloak data)
 * **Virtual Network**: Isolates components with dedicated subnets for Application Gateway and Container Instances
 
 ---
@@ -52,6 +62,7 @@ flowchart TD
 * Azure Subscription
 * Azure Resource Group
 * SSL Certificate (.pfx file) for HTTPS traffic
+* Credentials for PostgreSQL and Keycloak (provided as Terraform variables)
 
 ---
 
@@ -65,12 +76,28 @@ flowchart TD
 https://your-domain.region.azurecontainer.io/
 ```
 
+You can log in using:
+- **Root credentials**: MinIO root user/password (configured via Terraform variables)
+- **SSO**: Click "Login with SSO" to authenticate via Keycloak
+
 **S3 API (for applications/tools):**
 
 ```
 https://your-domain.region.azurecontainer.io:8443/
 ```
 
+### Accessing Keycloak
+
+**Admin Console:**
+
+```
+https://your-domain.region.azurecontainer.io:8444/
+```
+
+Default realm: `minio_realm`
+- Pre-configured with OpenID client `minio-client`
+- Test user: `testuser` with role `readonly` (credentials in `keycloak-minio-docker/minio-realm-config.json`)
+
 ### Using MinIO Client (mc)
 
 1. **Install MinIO Client:**
@@ -109,12 +136,12 @@ aws s3 ls --endpoint-url https://your-domain.region.azurecontainer.io:8443 --no-
 
 ## Resources Created
 
-* **Application Gateway**: Provides SSL termination, load balancing, and public access
+* **Application Gateway**: Provides SSL termination, load balancing, and public access (ports 443, 8443, 8444)
 * **Virtual Network**: Network isolation with dedicated subnets
 * **Network Security Group**: IP-based access restrictions
-* **Container Group**: Hosts MinIO and Coraza WAF containers
+* **Container Group**: Hosts MinIO, Keycloak, PostgreSQL, and Coraza WAF containers
 * **Storage Account**: Provides persistent storage
-* **Storage Share**: Azure File Share for MinIO data
+* **Storage Shares**: Azure File Shares for MinIO data, PostgreSQL data, and Keycloak data
 * **Key Vault**: Stores SSL certificates securely
 * **Log Analytics Workspace**: For monitoring and logs
 
diff --git a/main.tf b/main.tf
@@ -71,6 +71,18 @@ resource "azurerm_storage_share" "minio_share" {
   quota              = var.storage_share_size
 }
 
+resource "azurerm_storage_share" "postgres_share" {
+  name               = "postgresstorageshare"
+  storage_account_id = azurerm_storage_account.minio_storage_account.id
+  quota              = 10
+}
+
+resource "azurerm_storage_share" "keycloak_share" {
+  name               = "keycloakstorageshare"
+  storage_account_id = azurerm_storage_account.minio_storage_account.id
+  quota              = 10
+}
+
 data "azurerm_client_config" "current" {}
 
 resource "azurerm_key_vault" "minio_kv" {
@@ -184,6 +196,21 @@ resource "azurerm_network_security_rule" "allow_https_api" {
   network_security_group_name = azurerm_network_security_group.agw_nsg.name
 }
 
+resource "azurerm_network_security_rule" "allow_https_keycloak" {
+  count                       = length(local.allowed_ips_list)
+  name                        = "AllowHTTPS-Keycloak-${count.index}"
+  priority                    = 250 + count.index
+  direction                   = "Inbound"
+  access                      = "Allow"
+  protocol                    = "Tcp"
+  source_port_range           = "*"
+  destination_port_range      = "8444"
+  source_address_prefix       = local.allowed_ips_list[count.index]
+  destination_address_prefix  = "*"
+  resource_group_name         = azurerm_resource_group.minio_rg.name
+  network_security_group_name = azurerm_network_security_group.agw_nsg.name
+}
+
 resource "azurerm_network_security_rule" "allow_agw_management" {
   name                        = "AllowApplicationGatewayManagement"
   priority                    = 300
@@ -262,6 +289,11 @@ resource "azurerm_application_gateway" "minio_agw" {
     port = 8443
   }
 
+  frontend_port {
+    name = "https-keycloak"
+    port = 8444
+  }
+
   ssl_certificate {
     name                = "minio-cert"
     key_vault_secret_id = azurerm_key_vault_certificate.minio_cert.secret_id
@@ -296,6 +328,18 @@ resource "azurerm_application_gateway" "minio_agw" {
     pick_host_name_from_backend_http_settings = false
   }
 
+  probe {
+    name                                      = "keycloak-health-probe"
+    protocol                                  = "Http"
+    path                                      = "/health/ready"
+    host                                      = azurerm_container_group.minio_aci_container_group.ip_address
+    interval                                  = 30
+    timeout                                   = 20
+    unhealthy_threshold                       = 3
+    port                                      = 8082
+    pick_host_name_from_backend_http_settings = false
+  }
+
   backend_http_settings {
     name                                = "ui-http"
     port                                = 8080
@@ -327,6 +371,21 @@ resource "azurerm_application_gateway" "minio_agw" {
 
   }
 
+  backend_http_settings {
+    name                                = "keycloak-http"
+    port                                = 8082
+    protocol                            = "Http"
+    request_timeout                     = 300
+    pick_host_name_from_backend_address = false
+    cookie_based_affinity               = "Disabled"
+    probe_name                          = "keycloak-health-probe"
+    connection_draining {
+      enabled           = true
+      drain_timeout_sec = 300
+    }
+
+  }
+
   http_listener {
     name                           = "listener-ui"
     frontend_ip_configuration_name = "public-ip"
@@ -343,6 +402,14 @@ resource "azurerm_application_gateway" "minio_agw" {
     ssl_certificate_name           = "minio-cert"
   }
 
+  http_listener {
+    name                           = "listener-keycloak"
+    frontend_ip_configuration_name = "public-ip"
+    frontend_port_name             = "https-keycloak"
+    protocol                       = "Https"
+    ssl_certificate_name           = "minio-cert"
+  }
+
   request_routing_rule {
     name                       = "rule-ui"
     rule_type                  = "Basic"
@@ -361,6 +428,15 @@ resource "azurerm_application_gateway" "minio_agw" {
     priority                   = 20
   }
 
+  request_routing_rule {
+    name                       = "rule-keycloak"
+    rule_type                  = "Basic"
+    http_listener_name         = "listener-keycloak"
+    backend_address_pool_name  = "coraza-backend-pool"
+    backend_http_settings_name = "keycloak-http"
+    priority                   = 30
+  }
+
   identity {
     type         = "UserAssigned"
     identity_ids = [azurerm_user_assigned_identity.agw_identity.id]
@@ -388,6 +464,116 @@ resource "azurerm_container_group" "minio_aci_container_group" {
     }
   }
 
+  container {
+    name         = "postgres"
+    image        = "postgres:16-alpine"
+    cpu          = "0.5"
+    memory       = "1.0"
+    cpu_limit    = 1.0
+    memory_limit = 1.5
+
+    environment_variables = {
+      POSTGRES_DB       = var.postgres_db
+      POSTGRES_USER     = var.postgres_user
+      POSTGRES_PASSWORD = var.postgres_password
+    }
+
+    ports {
+      port     = 5432
+      protocol = "TCP"
+    }
+
+    volume {
+      name                 = "postgres-data"
+      mount_path           = "/var/lib/postgresql/data"
+      read_only            = false
+      storage_account_name = azurerm_storage_account.minio_storage_account.name
+      storage_account_key  = azurerm_storage_account.minio_storage_account.primary_access_key
+      share_name           = azurerm_storage_share.postgres_share.name
+    }
+
+    liveness_probe {
+      exec = ["pg_isready", "-U", var.postgres_user, "-d", var.postgres_db]
+
+      initial_delay_seconds = 30
+      period_seconds        = 10
+      timeout_seconds       = 5
+      failure_threshold     = 3
+    }
+  }
+
+  container {
+    name         = "keycloak"
+    image        = "quay.io/keycloak/keycloak:latest"
+    cpu          = "1.0"
+    memory       = "2.0"
+    cpu_limit    = 1.0
+    memory_limit = 2.5
+
+    environment_variables = {
+      KC_BOOTSTRAP_ADMIN_USERNAME = var.keycloak_admin_user
+      KC_BOOTSTRAP_ADMIN_PASSWORD = var.keycloak_admin_password
+      KC_HTTP_ENABLED             = "true"
+      KC_HOSTNAME_STRICT          = "false"
+      KC_PROXY_HEADERS            = "xforwarded"
+      KEYCLOAK_IMPORT             = "/opt/keycloak/data/import/realm-config.json"
+      KC_DB                       = "postgres"
+      KC_DB_URL                   = "jdbc:postgresql://localhost/${var.postgres_db}"
+      KC_DB_USERNAME              = var.postgres_user
+      KC_DB_PASSWORD              = var.postgres_password
+    }
+
+    ports {
+      port     = 8080
+      protocol = "TCP"
+    }
+
+    volume {
+      name       = "keycloak-realm-config"
+      mount_path = "/opt/keycloak/data/import"
+      read_only  = true
+
+      secret = {
+        "minio-realm-config.json" = filebase64("${path.module}/keycloak-minio-docker/minio-realm-config.json")
+      }
+    }
+
+    volume {
+      name                 = "keycloak-data"
+      mount_path           = "/opt/keycloak/data/h2"
+      read_only            = false
+      storage_account_name = azurerm_storage_account.minio_storage_account.name
+      storage_account_key  = azurerm_storage_account.minio_storage_account.primary_access_key
+      share_name           = azurerm_storage_share.keycloak_share.name
+    }
+
+    commands = ["start", "--import-realm"]
+
+    liveness_probe {
+      http_get {
+        path   = "/health/live"
+        port   = 8080
+        scheme = "http"
+      }
+      initial_delay_seconds = 120
+      period_seconds        = 30
+      timeout_seconds       = 10
+      failure_threshold     = 3
+    }
+
+    readiness_probe {
+      http_get {
+        path   = "/health/ready"
+        port   = 8080
+        scheme = "http"
+      }
+      initial_delay_seconds = 60
+      period_seconds        = 10
+      timeout_seconds       = 5
+      failure_threshold     = 3
+    }
+  }
+
   container {
     name         = "minio"
     image        = var.minio_image
@@ -404,9 +590,16 @@ resource "azurerm_container_group" "minio_aci_container_group" {
       protocol = "TCP"
     }
     environment_variables = {
-      MINIO_ROOT_USER            = var.minio_root_user
-      MINIO_ROOT_PASSWORD        = var.minio_root_password
-      MINIO_BROWSER_REDIRECT_URL = "https://${azurerm_public_ip.agw_pip.fqdn}"
+      MINIO_ROOT_USER                     = var.minio_root_user
+      MINIO_ROOT_PASSWORD                 = var.minio_root_password
+      MINIO_BROWSER_REDIRECT_URL          = "https://${azurerm_public_ip.agw_pip.fqdn}"
+      MINIO_IDENTITY_OPENID_CONFIG_URL    = "http://localhost:8082/realms/minio_realm/.well-known/openid-configuration"
+      MINIO_IDENTITY_OPENID_CLIENT_ID     = "minio-client"
+      MINIO_IDENTITY_OPENID_CLIENT_SECRET = var.keycloak_client_secret
+      MINIO_IDENTITY_OPENID_CLAIM_NAME    = "policy"
+      MINIO_IDENTITY_OPENID_SCOPES        = "openid,profile,email"
+      MINIO_IDENTITY_OPENID_REDIRECT_URI  = "https://${azurerm_public_ip.agw_pip.fqdn}/oauth_callback"
+      MINIO_IDENTITY_OPENID_DISPLAY_NAME  = "Login with SSO"
     }
 
     volume {
diff --git a/outputs.tf b/outputs.tf
@@ -8,6 +8,11 @@ output "s3_api_url" {
   value       = "https://${azurerm_public_ip.agw_pip.fqdn}:8443"
 }
 
+output "keycloak_url" {
+  description = "Keycloak admin console URL"
+  value       = "https://${azurerm_public_ip.agw_pip.fqdn}:8444"
+}
+
 output "fqdn" {
   description = "Fully qualified domain name"
   value       = azurerm_public_ip.agw_pip.fqdn
diff --git a/variables.tf b/variables.tf
