Test keycloak

README.md

@@ -116,8 +116,10 @@ No modules.
 | Name | Type |
 |------|------|
 | [azurerm_dns_a_record.fake](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.kc](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.mtls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.mtls_fake](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
+| [azurerm_dns_a_record.mtls_kc](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.mtls_tak](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.tak](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
 | [azurerm_dns_a_record.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/dns_a_record) | resource |
@@ -132,8 +134,9 @@ No modules.
 | [random_pet.rg_name](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
 | [xkcdpass_generate.kc_admin_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
 | [xkcdpass_generate.kc_db_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
+| [xkcdpass_generate.kc_keystore_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
 | [xkcdpass_generate.kc_ldap_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
-| [xkcdpass_generate.kc_mgr_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
+| [xkcdpass_generate.kc_truststore_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
 | [xkcdpass_generate.postgres_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
 | [xkcdpass_generate.rm_db_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
 | [xkcdpass_generate.tak_db_pass](https://registry.terraform.io/providers/advian-oss/xkcdpass/latest/docs/resources/generate) | resource |
@@ -148,8 +151,8 @@ No modules.
 | <a name="input_CERTBOT_EMAIL"></a> [CERTBOT\_EMAIL](#input\_CERTBOT\_EMAIL) | Email address to send certificate expiration notifications. | `string` | `"benjam.gronmark_arkiproj@hotmail.com"` | no |
 | <a name="input_DEPLOYMENT_NAME"></a> [DEPLOYMENT\_NAME](#input\_DEPLOYMENT\_NAME) | Set DNS name, if not set will be automatically generated | `string` | `null` | no |
 | <a name="input_DOCKER_COMPOSITION_REPO"></a> [DOCKER\_COMPOSITION\_REPO](#input\_DOCKER\_COMPOSITION\_REPO) | The repo to use to get the docker-composition from | `string` | `"https://github.com/pvarki/docker-rasenmaeher-integration.git"` | no |
-| <a name="input_DOCKER_REPO_TAG"></a> [DOCKER\_REPO\_TAG](#input\_DOCKER\_REPO\_TAG) | The branch/tag in DOCKER\_COMPOSITION\_REPO to use | `string` | `"1.5.0"` | no |
-| <a name="input_DOCKER_TAG_EXTRA"></a> [DOCKER\_TAG\_EXTRA](#input\_DOCKER\_TAG\_EXTRA) | If you want to deploy for example a PR tagged version, messing this up is a good way to make everything take forever | `string` | `""` | no |
+| <a name="input_DOCKER_REPO_TAG"></a> [DOCKER\_REPO\_TAG](#input\_DOCKER\_REPO\_TAG) | The branch/tag in DOCKER\_COMPOSITION\_REPO to use | `string` | `"keycloak"` | no |
+| <a name="input_DOCKER_TAG_EXTRA"></a> [DOCKER\_TAG\_EXTRA](#input\_DOCKER\_TAG\_EXTRA) | If you want to deploy for example a PR tagged version, messing this up is a good way to make everything take forever | `string` | `"-95-merge"` | no |
 | <a name="input_EXPIRES"></a> [EXPIRES](#input\_EXPIRES) | ISO 8601 date (yyyy-mm-dd) after which this resource is cleaned up, defaults to 30days from now | `string` | `null` | no |
 | <a name="input_RESOURCE_GROUP_LOCATION"></a> [RESOURCE\_GROUP\_LOCATION](#input\_RESOURCE\_GROUP\_LOCATION) | Location of the resource group. | `string` | `"northeurope"` | no |
 | <a name="input_RESOURCE_GROUP_NAME_PREFIX"></a> [RESOURCE\_GROUP\_NAME\_PREFIX](#input\_RESOURCE\_GROUP\_NAME\_PREFIX) | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | `string` | `"rg-miniwerk"` | no |

azure-pipelines-solution.yml

@@ -25,6 +25,9 @@ parameters:
 - name: DOCKER_REPO_TAG
   type: string
   default: false
+- name: DOCKER_TAG_EXTRA
+  type: string
+  default: false
 - name: VM_SIZE
   type: string
   default: false
@@ -89,27 +92,27 @@ stages:
               command: apply
               environmentServiceNameAzureRM: FDF-PVARKI-SOLUTION-Dev
 
-          - task: Bash@3
-            displayName: Create github issue
-            inputs:
-              targetType: 'inline'
-              connection: github_connector
-              script: |
-                echo "Creating a GitHub issue..."
-                curl -X POST \
-                  -H "Authorization: Bearer $(GitHubToken)" \
-                  -H "Accept: application/vnd.github.v3+json" \
-                  https://api.github.com/repos/pvarki/terraform-miniwerk-deployment/issues \
-                  -d '{
-                    "title": "Automated Issue: Created ${{ parameters.DEPLOYMENT_NAME }} with workspace ${{ parameters.WORKSPACE_NAME }}",
-                    "body": "This issue was created by an Azure DevOps pipeline using the GitHub service connection.",
-                    "labels": ["automation","instance"]
-                  }'
-              displayName: 'Create GitHub Issue'
-              workingDirectory: $(System.DefaultWorkingDirectory)
-            env:
-              GitHubToken: $(serviceConnection.github_connector.auth.token)
-              
+          # - task: Bash@3
+          #   displayName: Create github issue
+          #   inputs:
+          #     targetType: 'inline'
+          #     connection: github_connector
+          #     script: |
+          #       echo "Creating a GitHub issue..."
+          #       curl -X POST \
+          #         # -H "Authorization: Bearer $(GitHubToken)" \
+          #         -H "Accept: application/vnd.github.v3+json" \
+          #         https://api.github.com/repos/pvarki/terraform-miniwerk-deployment/issues \
+          #         -d '{
+          #           "title": "Automated Issue: Created ${{ parameters.DEPLOYMENT_NAME }} with workspace ${{ parameters.WORKSPACE_NAME }}",
+          #           "body": "This issue was created by an Azure DevOps pipeline using the GitHub service connection.",
+          #           "labels": ["automation","instance"]
+          #         }'
+          #     displayName: 'Create GitHub Issue'
+          #     workingDirectory: $(System.DefaultWorkingDirectory)
+          #     env:
+          #       GitHubToken: $(serviceConnection.github_connector.auth.token)
+
   - stage: destroy_resources
     displayName: Destroy miniwerk resources
     jobs:

main.tf

@@ -18,7 +18,11 @@ resource "xkcdpass_generate" "kc_admin_pass" {
   length = 6
 }
 
-resource "xkcdpass_generate" "kc_mgr_pass" {
+resource "xkcdpass_generate" "kc_keystore_pass" {
+  length = 6
+}
+
+resource "xkcdpass_generate" "kc_truststore_pass" {
   length = 6
 }
 
@@ -166,6 +170,30 @@ resource "azurerm_dns_a_record" "mtls_fake" {
   }
 }
 
+resource "azurerm_dns_a_record" "kc" {
+  name                = "kc.${local.DEPLOYMENT_NAME}"
+  zone_name           = data.azurerm_dns_zone.this.name
+  resource_group_name = data.azurerm_dns_zone.this.resource_group_name
+  ttl                 = 300
+  target_resource_id  = azurerm_public_ip.this.id
+  tags = {
+    "fi.fdf.pilvi.expires" : local.expires
+    backup = "nobackup"
+  }
+}
+
+resource "azurerm_dns_a_record" "mtls_kc" {
+  name                = "mtls.kc.${local.DEPLOYMENT_NAME}"
+  zone_name           = data.azurerm_dns_zone.this.name
+  resource_group_name = data.azurerm_dns_zone.this.resource_group_name
+  ttl                 = 300
+  target_resource_id  = azurerm_public_ip.this.id
+  tags = {
+    "fi.fdf.pilvi.expires" : local.expires
+    backup = "nobackup"
+  }
+}
+
 resource "azurerm_dns_a_record" "mtls_keycloak" {
   name                = "mtls.kc.${local.DEPLOYMENT_NAME}"
   zone_name           = data.azurerm_dns_zone.this.name
@@ -319,25 +347,23 @@ resource "azurerm_linux_virtual_machine" "this" {
   }
 
   user_data = base64encode(templatefile("userdata.tftpl", {
-    CERTBOT_EMAIL                       = var.CERTBOT_EMAIL
-    DEPLOYMENT_DNS                      = trimsuffix(azurerm_dns_a_record.this.fqdn, ".")
-    POSTGRES_PASSWORD                   = xkcdpass_generate.postgres_pass.result
-    COMP_REPO_URI                       = var.DOCKER_COMPOSITION_REPO
-    COMP_REPO_TAG                       = var.DOCKER_REPO_TAG
-    DOCKER_TAG_EXTRA                    = var.DOCKER_TAG_EXTRA
-    VITE_ASSET_SET                      = var.VITE_ASSET_SET
-    DEPLOYMENT_NAME                     = local.DEPLOYMENT_NAME
-    RM_DATABASE_PASSWORD                = xkcdpass_generate.rm_db_pass.result
-    KEYCLOAK_DATABASE_PASSWORD          = xkcdpass_generate.kc_db_pass.result
-    KEYCLOAK_ADMIN_PASSWORD             = xkcdpass_generate.kc_admin_pass.result
-    KEYCLOAK_MANAGEMENT_PASSWORD        = xkcdpass_generate.kc_mgr_pass.result
-    LDAP_ADMIN_PASSWORD                 = xkcdpass_generate.kc_ldap_pass.result
-    TAK_DATABASE_PASSWORD               = xkcdpass_generate.tak_db_pass.result
-    TAKSERVER_CERT_PASS                 = xkcdpass_generate.tak_jks1_pass.result
-    TAK_CA_PASS                         = xkcdpass_generate.tak_jks2_pass.result
-    EXPIRES                             = local.expires
-    KEYCLOAK_HTTPS_KEY_STORE_PASSWORD   = xkcdpass_generate.keystore_pass.result
-    KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD = xkcdpass_generate.trust_pass.result
+    CERTBOT_EMAIL                = var.CERTBOT_EMAIL
+    DEPLOYMENT_DNS               = trimsuffix(azurerm_dns_a_record.this.fqdn, ".")
+    POSTGRES_PASSWORD            = xkcdpass_generate.postgres_pass.result
+    COMP_REPO_URI                = var.DOCKER_COMPOSITION_REPO
+    COMP_REPO_TAG                = var.DOCKER_REPO_TAG
+    DOCKER_TAG_EXTRA             = var.DOCKER_TAG_EXTRA
+    VITE_ASSET_SET               = var.VITE_ASSET_SET
+    DEPLOYMENT_NAME              = local.DEPLOYMENT_NAME
+    RM_DATABASE_PASSWORD         = xkcdpass_generate.rm_db_pass.result
+    KEYCLOAK_DATABASE_PASSWORD   = xkcdpass_generate.kc_db_pass.result
+    KEYCLOAK_ADMIN_PASSWORD      = xkcdpass_generate.kc_admin_pass.result
+    KEYCLOAK_MANAGEMENT_PASSWORD = xkcdpass_generate.kc_mgr_pass.result
+    LDAP_ADMIN_PASSWORD          = xkcdpass_generate.kc_ldap_pass.result
+    TAK_DATABASE_PASSWORD        = xkcdpass_generate.tak_db_pass.result
+    TAKSERVER_CERT_PASS          = xkcdpass_generate.tak_jks1_pass.result
+    TAK_CA_PASS                  = xkcdpass_generate.tak_jks2_pass.result
+    EXPIRES                      = local.expires
   }))
 
   admin_username                  = "azureuser"

userdata.tftpl

@@ -55,13 +55,16 @@ echo "RM_DATABASE_PASSWORD=${RM_DATABASE_PASSWORD}" >>.env
 echo "KEYCLOAK_DATABASE_PASSWORD=${KEYCLOAK_DATABASE_PASSWORD}" >>.env
 echo "LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD}" >>.env
 echo "KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}" >>.env
-echo "KEYCLOAK_MANAGEMENT_PASSWORD=${KEYCLOAK_MANAGEMENT_PASSWORD}" >>.env
+echo "KEYCLOAK_HTTPS_KEY_STORE_PASSWORD=${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD}" >>.env
+echo "KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD=${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD}" >>.env
 echo "TAK_DATABASE_PASSWORD=${TAK_DATABASE_PASSWORD}" >>.env
 echo "TAKSERVER_CERT_PASS=${TAKSERVER_CERT_PASS}" >>.env
 echo "TAK_CA_PASS=${TAK_CA_PASS}" >>.env
 echo "CFSSL_CA_EXPIRY=$EXPIRES_IN_HOURS" >>.env
 echo "CFSSL_SIGN_DEFAULT_EXPIRY=$EXPIRES_IN_HOURS" >>.env
 echo "KEYCLOAK_PROFILEROOT_UUID=$(uuidgen -r)" >>.env
+echo "KEYCLOAK_HTTPS_KEY_STORE_PASSWORD=${KEYCLOAK_HTTPS_KEY_STORE_PASSWORD}" >> .env
+echo "KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD=${KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD}" >> .env
 if [ ! -z "${DOCKER_TAG_EXTRA}" ]
 then
   echo "DOCKER_TAG_EXTRA=${DOCKER_TAG_EXTRA}" >>.env

variables.tf

@@ -43,7 +43,7 @@ variable "DOCKER_COMPOSITION_REPO" {
   type        = string
 }
 
-
+# FIXME: Update the tag when https://github.com/pvarki/docker-rasenmaeher-integration/pull/95 is merged
 variable "DOCKER_REPO_TAG" {
   default     = "1.5.1" # do not set to "main", nothing guarantees there are no backwards incompatible changes
   description = "The branch/tag in DOCKER_COMPOSITION_REPO to use"
@@ -75,19 +75,7 @@ variable "CERTBOT_EMAIL" {
 }
 
 variable "DOCKER_TAG_EXTRA" {
-  default     = ""
+  default     = "-95-merge"
   description = "If you want to deploy for example a PR tagged version, messing this up is a good way to make everything take forever"
   type        = string
-}
-
-variable "KEYCLOAK_HTTPS_KEY_STORE_PASSWORD" {
-  description = "Keycloak key store password"
-  type        = string
-  default     = ""
-}
-
-variable "KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD" {
-  description = "Keycloak trust store password"
-  type        = string
-  default     = ""
-}
+}