Life ConnectLife Connect
Wiki index
Architecture
Services
Concepts
Runbooks
Infra
Swagger Docs
GitHub
Wiki index
Architecture
Services
Concepts
Runbooks
Infra
Swagger Docs
GitHub
  • Cross-cutting concepts

    • EventBridge fanout
    • Atlas Triggers
    • ECS Fargate deploy lifecycle
    • Keycloak hosting
    • Cloudflare Pages auto-deploy
    • Bitbucket Pipelines (legacy)
    • Terraform-managed envs (legacy)
  • Accounting model

    • Accounting model
    • Events catalog
    • Accounting journals
    • Plan of accounts (PCG)
    • Auxiliary accounts
    • FEC fields (Fichier des Écritures Comptables)
    • pieceReference numbering
    • Tenant matrix (payable / receivable)
    • Owner matrix (payable / receivable)
    • Take-over UI display rules
Last updated 2026-05-03

Keycloak hosting

AI-generated content

This document was generated by an AI assistant. Verify accuracy before relying on the details.

Keycloak runs as per-env standalone EC2 instances (t3.micro) provisioned via Elestio.app — not on the AKS cluster, not on ECS. Currently four instances exist: dev-keycloak, int-keycloak, stage-keycloak, prod-keycloak, all in the same AWS account 182790345476 region eu-west-3. The Spring Boot services authenticate against the matching env's Keycloak via SECURITY_ISSUER_URI / SECURITY_TOKEN_URI env vars.

At a glance

EnvHostnameEC2 instance
devdev-keycloak-u4241.vm.elestio.appi-0976a8a1045e03a1d
intint-keycloak-u4241.vm.elestio.appi-06febc3e146151275
stagestage-keycloak-u4241.vm.elestio.appi-00532949bbb64add5
prodprod-keycloak-u4241.vm.elestio.appi-0d866753fa09df66f

Source: AWS audit (describe-instances) on 2026-05-03.

Details

Why standalone EC2 (not ECS / AKS)

The Keycloak instances are managed by Elestio, not by us. Elestio provisions a single-node Keycloak in a Docker container on a t3.micro, handles backups + TLS + minor version upgrades, and exposes it on its *.vm.elestio.app domain. We pay them; they own the operational burden.

Trade-offs:

  • ✅ Zero ops cost on our side (no Helm chart, no Pulumi resource, no PG database to run).
  • ✅ Predictable per-env isolation.
  • ⚠️ Vendor lock-in to Elestio.
  • ⚠️ The instances appear in our AWS account but we don't own the AMI / userdata.

Implication for the new infra/ project

The Pulumi project does NOT recreate the Keycloak EC2s — they live outside our IaC. The new infra references them via Secrets Manager (adb/<env>/keycloak), where the secret payload contains:

{
  "issuerUri": "https://<env>-keycloak-u4241.vm.elestio.app/realms/adb",
  "tokenUri":  "https://<env>-keycloak-u4241.vm.elestio.app/realms/adb/protocol/openid-connect/token",
  "clientId": "adb",
  "clientSecret": "..."
}

The Pulumi secrets.js component creates the secret containers; values are seeded out-of-band via infra/scripts/seed-secrets.sh.

Local stack

The infra/docker/compose.yaml local stack runs Keycloak 26.0 in a container with a pre-imported realm (infra/docker/keycloak/realm-export.json) for offline development. This is NOT a mirror of the Elestio setup — it's a thin development stand-in.

Open questions

  • Should we add preview and any future env to Elestio, or migrate Keycloak to a containerised model (Fargate or AKS) once the new infra stabilises?
  • Elestio handles TLS — but we don't have visibility on cert renewal alerts. Worth adding a TLS expiry monitor.
  • The Keycloak realm definition lives in infra/docker/keycloak/realm-export.json for local; what's the source of truth for the prod/stage realm config? Currently it's whatever's in Elestio's database.
Edit this page
Last Updated:
Contributors: Yevhenii Khudolii
Prev
ECS Fargate deploy lifecycle
Next
Cloudflare Pages auto-deploy