How to manage Keycloak securely by using Terraform on Google Cloud

Cloud Ace

June 11, 2025
Transcript

  1. Self Introduction
     Atsushi Kitano (@Aquamarine_1010), Cloud Ace Inc., DevSecOps Department Expert
     • From 2019 I've been designing and building IT systems on Google Cloud.
     • In my previous job we researched automation and autonomization of system operation, and I developed and operated a private cloud.
  2. Our Service: Improve reliability for customer business
     • Fix customer system failures
       ◦ Fix system failures at any time (24/365)
       ◦ Respond to customer inquiries
     • Optimize customer systems
       ◦ Make them secure
       ◦ Optimize cost effectiveness
  3. How to use Keycloak in our service: Manage customer and operator accounts
     • Authenticate the system users
       ◦ customer
         ▪ Service Desk
         ▪ Grafana
       ◦ operator
         ▪ Argo CD
         ▪ Backstage
         ▪ Redmine
         ▪ PagerDuty
  4. How to manage Keycloak configuration: Configure Keycloak by IaC
     • Use Terraform
       ◦ Create realm, user, group, client
       ◦ Configure client scope
     • Build a deploy pipeline
       ◦ Create Dev and Prd environments
     • Use a Continuous Deployment (CD) tool
       ◦ So that deployment does not depend on a local environment
     • Notify the result
       ◦ When the result is a failure, the CD tool notifies with a mention
  5. How to manage Keycloak configuration: Configure Keycloak by IaC (same bullets as slide 4; figure: Terraform codes)
  6. How to manage Keycloak configuration: Configure Keycloak by IaC (same bullets as slide 4; figure: Slack results)
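As an added example (not the deck's own Terraform code), this is what the slide's "create realm, user, group, client" and "configure client scope" look like with the keycloak/keycloak provider. The realm, client, group and user names are constructed, and the provider block with its required_providers entry is assumed to live in a separate provider.tf.

```hcl
resource "keycloak_realm" "ops" {
  realm   = "ops"
  enabled = true
}

# Confidential OIDC client for a relying party (a hypothetical Grafana instance).
resource "keycloak_openid_client" "grafana" {
  realm_id              = keycloak_realm.ops.id
  client_id             = "grafana"
  access_type           = "CONFIDENTIAL"
  standard_flow_enabled = true
  # Exact redirect URIs only; a wildcard would let an authorization code be delivered elsewhere.
  valid_redirect_uris = ["https://grafana.example.invalid/login/generic_oauth"]
}

# Client scope that adds the user's groups to the token as a "groups" claim.
resource "keycloak_openid_client_scope" "groups" {
  realm_id               = keycloak_realm.ops.id
  name                   = "groups"
  include_in_token_scope = true
}
resource "keycloak_openid_group_membership_protocol_mapper" "groups" {
  realm_id        = keycloak_realm.ops.id
  client_scope_id = keycloak_openid_client_scope.groups.id
  name            = "groups"
  claim_name      = "groups"
  full_path       = false
}
resource "keycloak_openid_client_default_scopes" "grafana" {
  realm_id       = keycloak_realm.ops.id
  client_id      = keycloak_openid_client.grafana.id
  default_scopes = ["profile", "email", keycloak_openid_client_scope.groups.name]
}

# Group and user; no password in code, the user sets one out of band.
resource "keycloak_group" "operators" {
  realm_id = keycloak_realm.ops.id
  name     = "operators"
}
resource "keycloak_user" "alice" {
  realm_id = keycloak_realm.ops.id
  username = "alice"
  enabled  = true
}
resource "keycloak_user_groups" "alice" {
  realm_id  = keycloak_realm.ops.id
  user_id   = keycloak_user.alice.id
  group_ids = [keycloak_group.operators.id]
}
```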
  7. Problem for managing configuration through Terraform: Difficulty in executing Terraform securely
     • Access control from the CD agent
       ◦ If we use SaaS GitHub Actions as the CD agent, we can't fix the IP address of GitHub Actions.
     • Manage authentication information securely
       ◦ The Terraform provider requires the client's password. If it is leaked, someone else can change the configuration.
     (Figures: "Terraform code (not secure)"; "Access control from GitHub Actions")
  8. What is Cloud Build: Google Cloud managed CD service
     • What is Cloud Build
       ◦ Managed serverless CD service
       ◦ Connects with GitHub, GitLab or Bitbucket
       ◦ Public / private build execution environments
     • How to execute a build
       ◦ Define build steps in a YAML file
       ◦ Execute a git operation on a repository connected with Cloud Build
     • Use cases
       ◦ Create a Docker image
       ◦ Deploy an application
     (Figure: Job configuration)
  9. What is Cloud Build: Google Cloud managed CD service (same bullets as slide 8; figure: Job result)
  10. How to fix the IP address for Cloud Build: Use a Cloud Build Private Pool
     1. Connect the Private Pool to the VPC network using Private Service Connect
     2. Route traffic from the private pool to a NAT GCE instance using a Cloud Route
     3. Route traffic from the NAT GCE instance to the Internet using Cloud NAT
     4. Allow access from the Cloud NAT IP address using Cloud Armor (Google Cloud managed WAF service)
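An added example for steps 3 and 4 above, not the deck's own code: a static Cloud NAT address and a Cloud Armor policy that admits only that address to Keycloak's /admin/ path. It assumes the NAT GCE instance and route from steps 1 and 2 already exist, that Keycloak sits behind an external HTTPS load balancer whose backend service gets this policy, and that scoping the deny to /admin/ while leaving user-facing login paths open is the intended split (the slide only says "allow Cloud NAT IP address"); var.region and var.network are assumed inputs.

```hcl
variable "region" { type = string }
variable "network" { type = string } # VPC that the private pool is connected to
# One static address for Cloud NAT, so the allow-list below has a single known IP.
resource "google_compute_address" "build_egress" {
  name   = "build-egress"
  region = var.region
}

resource "google_compute_router" "nat" {
  name    = "build-nat-router"
  region  = var.region
  network = var.network
}

resource "google_compute_router_nat" "nat" {
  name                               = "build-nat"
  router                             = google_compute_router.nat.name
  region                             = var.region
  nat_ip_allocate_option             = "MANUAL_ONLY"
  nat_ips                            = [google_compute_address.build_egress.self_link]
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}
# Cloud Armor policy for the load balancer in front of Keycloak: the NAT address may
# reach the admin API, every other source is denied there, and login paths stay open.
resource "google_compute_security_policy" "keycloak" {
  name = "keycloak-admin-allowlist"
  rule {
    action   = "allow"
    priority = 1000
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["${google_compute_address.build_egress.address}/32"] }
    }
  }
  rule {
    action   = "deny(403)"
    priority = 2000
    match {
      expr { expression = "request.path.startsWith('/admin/')" }
    }
  }
  rule {
    action   = "allow"
    priority = 2147483647
    match {
      versioned_expr = "SRC_IPS_V1"
      config { src_ip_ranges = ["*"] }
    }
  }
}
```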
  11. How to manage the password for the agent: Use Secret Manager protected by VPC SC
     • Store the password
       ◦ Use Secret Manager
         ▪ Store the data from the Console
     • Refer to the password
       ◦ Use a Terraform data block
         ▪ google_secret_manager_secret_version: access Secret Manager
     • Protect Secret Manager
       ◦ Authenticate: VPC Service Controls
       ◦ Approval: IAM
     (Figure: keycloak provider.tf. Protect confidential information securely)
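An added example of the provider.tf the slide shows, written for this page rather than taken from the deck: the Keycloak client secret is read with the google_secret_manager_secret_version data block, so the repository carries no credential. The secret name, client_id and variables are constructed; the secret is assumed to have been created and populated from the Console, with the build service account granted roles/secretmanager.secretAccessor on that one secret, as the slide's IAM bullet describes.

```hcl
terraform {
  required_providers {
    google   = { source = "hashicorp/google" }
    keycloak = { source = "keycloak/keycloak" }
  }
}

variable "project_id" { type = string }
variable "keycloak_url" { type = string } # e.g. https://keycloak.example.invalid (constructed)

provider "google" {
  project = var.project_id
}

# Read the secret at plan/apply time. The secret was created and populated from the
# Console; the build service account holds roles/secretmanager.secretAccessor on this
# one secret, and the read happens inside the VPC Service Controls perimeter.
data "google_secret_manager_secret_version" "keycloak_client_secret" {
  secret  = "keycloak-terraform-client-secret" # constructed secret name
  version = "latest"
}

# The Terraform agent is a confidential client using the client-credentials grant;
# nothing secret is committed to the repository.
provider "keycloak" {
  client_id     = "terraform"
  client_secret = data.google_secret_manager_secret_version.keycloak_client_secret.secret_data
  url           = var.keycloak_url
}
```

The secret_data value still lands in the Terraform state in plaintext, so the state backend needs the same access restriction as the secret itself. Because the data block reads version "latest", a secret rotated in Secret Manager is picked up on the next apply without a code change.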
  12. Summary
     • Configure Keycloak by IaC
       ◦ Use Terraform for configuring
       ◦ Build dev and prd environments
       ◦ Execute Terraform from a CD tool
       ◦ Notify the result to Slack
     • Problem
       ◦ Control access from SaaS GitHub Actions
       ◦ Manage the Keycloak agent password
     • Solution
       ◦ Use Cloud Build Private Pool as the CD tool
       ◦ Allow Private Pool access to Keycloak by Cloud Armor
       ◦ Store the password in Secret Manager
         ▪ Use a Terraform data block to refer to Secret Manager
       ◦ Use VPC Service Controls and IAM to protect Secret Manager
  13. Appendix: Notify Cloud Build results to Slack: Use Cloud Build Notifier on Cloud Run
     • A notification application notifies results to Slack
       ◦ Cloud Build Notifier is developed by Google
       ◦ Run Cloud Build Notifier on Cloud Run
     • Design of the system architecture
       ◦ Create a Cloud Run service for each notification destination and result (Success/Failure)
       ◦ Add a mention in the failure notification
         ▪ <!channel> is converted to @channel in the Slack message