AWS region is hard coded in the IAM Policy for Keyclock (keyclock.tf)

[shivkanwer]

AWS region is hard coded to us-west-2 when creating the IAM policy for keyclock. If the user chooses to deploy the reference architecture in a different AWS region, the KeyClock IAM policy still looks for a secret in us-west-2 which does not exist and breaks the implementation.

Proposed Solution:
"arn:aws:secretsmanager:us-west-2:${data.aws_caller_identity.current.account_id}:secret:cnoe/keycloak/*" should be replaced by "arn:aws:secretsmanager:${var.region}:${data.aws_caller_identity.current.account_id}:secret:cnoe/keycloak/*"

[nabuskey]

I think this was supposed to be addressed in #5. @kahilof Any update on the PR?

[allamand]

Maybe related, but tried to isntall ref architecture, and hist the following : Error: secret "keycloak-config" not found I deploy in eu-west-3

[nimakaviani]

takes a bit of time for the idpbuilder to reconcile and register keycloak-config. did it eventually resolve or did it completely fail?

[allamand]

I just see the postgresql failed also, seems i need to install ebs csi driver

[allamand]

with that it works, but I also patch the terraform to use my region, not sure if it was needed or not

[allamand]

in fact it does not progress:

kubectl_manifest.application_argocd_keycloak: Still creating... [21m50s elapsed]

while the ArgoCD keycload Application seems healthy:

argocd keycloak Synced Healthy