From 23f1450cf32f7ab2e20dc1901e9f8e07a097af61 Mon Sep 17 00:00:00 2001
From: Sheldon Warkentin <sheldonw@forallsecure.com>
Date: Fri, 17 Feb 2023 10:08:01 -0700
Subject: [PATCH] Support for Keycloak 20.0.3

---
 build/keycloak/Dockerfile                     |  65 +-
 build/keycloak/cache-ispn-jdbc-ping.xml       |  89 +++
 build/keycloak/docker-entrypoint.sh           |  36 +-
 build/keycloak/profile.properties             |   2 -
 build/keycloak/standalone-ha.xml              | 707 ------------------
 modules/keycloak/main.tf                      |   8 +-
 .../templates/container_definition.json       |  52 +-
 .../container_definition_datadog.json         |  48 +-
 8 files changed, 196 insertions(+), 811 deletions(-)
 create mode 100644 build/keycloak/cache-ispn-jdbc-ping.xml
 delete mode 100644 build/keycloak/profile.properties
 delete mode 100644 build/keycloak/standalone-ha.xml

diff --git a/build/keycloak/Dockerfile b/build/keycloak/Dockerfile
index f2b6b79..7f9da5c 100644
--- a/build/keycloak/Dockerfile
+++ b/build/keycloak/Dockerfile
@@ -1,41 +1,56 @@
-FROM jboss/keycloak:15.1.1
+##################################################
+# Step 1 - Build an optimized image
+##################################################
+FROM quay.io/keycloak/keycloak:20.0.3 as builder
+
+# These options can be modified to produce a different
+# optimized build.
+#
+# See  https://www.keycloak.org/server/containers
+# for more details.
+ENV KC_METRICS_ENABLED=true
+ENV KC_HEALTH_ENABLED=true
+ENV KC_FEATURES=preview
+ENV KC_DB=postgres
+ENV KC_HTTP_RELATIVE_PATH=/auth
+
+# # Clustering
+# (https://gist.github.com/xgp/768eea11f92806b9c83f95902f7f8f80)
+COPY ./cache-ispn-jdbc-ping.xml /opt/keycloak/conf/cache-ispn-jdbc-ping.xml
+ENV KC_CACHE_CONFIG_FILE=cache-ispn-jdbc-ping.xml
 
-USER root
+# Install custom themes
+COPY themes/ /opt/keycloak/themes
+
+# Create an optimized build
+RUN /opt/keycloak/bin/kc.sh build
+
+##################################################
+# Step 2 - Copy optimized build into running image
+##################################################
+FROM quay.io/keycloak/keycloak:20.0.3
 
 # parses ecs metadata
+USER root
 RUN microdnf update -y && \
     microdnf install -y jq && \
     microdnf clean all
 
-USER jboss
+USER keycloak
+COPY --from=builder /opt/keycloak /opt/keycloak
 
-# Setup keystore
-RUN /opt/jboss/tools/x509.sh
+WORKDIR /opt/keycloak
 
+# Allows server to start in prod mode. Actual certs provided by ALB.
+RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 -dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -keystore conf/server.keystore
 # Customize entrypoint and config
-# NOTE: jboss/keycloak includes JDBC drivers.
-COPY docker-entrypoint.sh /opt/jboss/tools/docker-entrypoint.sh
-COPY standalone-ha.xml /opt/jboss/keycloak/standalone/configuration/standalone-ha.xml
-# https://www.keycloak.org/docs/latest/server_installation/index.html#profiles
-COPY profile.properties /opt/jboss/keycloak/standalone/configuration/profile.properties
-
-# Install custom themes
-RUN mkdir -p /opt/jboss/keycloak/themes
-COPY themes/ /opt/jboss/keycloak/themes/
-
-# Clustering
-ENV JGROUPS_DISCOVERY_PROTOCOL JDBC_PING
-ENV JGROUPS_DISCOVERY_PROPERTIES datasource_jndi_name=java:jboss/datasources/KeycloakDS
-# https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#replication-and-fail-over
-ENV CACHE_OWNERS_COUNT 2
-ENV CACHE_OWNERS_AUTH_SESSIONS_COUNT 2
-# https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#enabling-proxy-address-forwarding
-ENV PROXY_ADDRESS_FORWARDING true
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 
 # Paranoia: Keycloak is not vulnerable to CVE-2021-44228
 # https://github.com/keycloak/keycloak-containers/issues/344
 # https://logging.apache.org/log4j/log4j-2.14.1/manual/configuration.html#SystemProperties
 ENV FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS true
 
-EXPOSE 7600
-CMD ["-b", "0.0.0.0", "--server-config", "standalone-ha.xml"]
+# Port 7800 is used by JDBC_PING by default
+EXPOSE 7800
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/build/keycloak/cache-ispn-jdbc-ping.xml b/build/keycloak/cache-ispn-jdbc-ping.xml
new file mode 100644
index 0000000..56ad9e3
--- /dev/null
+++ b/build/keycloak/cache-ispn-jdbc-ping.xml
@@ -0,0 +1,89 @@
+<infinispan
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:infinispan:config:11.0 http://www.infinispan.org/schemas/infinispan-config-11.0.xsd"
+  xmlns="urn:infinispan:config:11.0">
+
+  <jgroups>
+    <stack name="jdbc-ping-tcp" extends="tcp">
+
+      <!--
+      https://keycloak.discourse.group/t/use-of-jdbc-ping-with-keycloak-17-quarkus-distro/13571/4 -->
+      <JDBC_PING connection_driver="org.postgresql.Driver"
+        connection_username="${env.KC_DB_USERNAME}" connection_password="${env.KC_DB_PASSWORD}"
+        connection_url="${env.KC_DB_URL}"
+        initialize_sql="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, bind_addr VARCHAR(200) NOT NULL, created timestamp NOT NULL, cluster_name varchar(200) NOT NULL, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name));"
+        insert_single_sql="INSERT INTO JGROUPSPING (own_addr, bind_addr, created, cluster_name, ping_data) values (?,'${env.EXTERNAL_ADDR:127.0.0.1}',NOW(), ?, ?);"
+        delete_single_sql="DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?;"
+        select_all_pingdata_sql="SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?;"
+        info_writer_sleep_time="5000"
+        info_writer_max_writes_after_view="2"
+        remove_all_data_on_view_change="true"
+        stack.combine="REPLACE"
+        stack.position="MPING" />
+    </stack>
+  </jgroups>
+
+  <cache-container name="keycloak">
+    <!-- custom stack must be referenced by name in the stack attribute of the transport element -->
+    <transport lock-timeout="60000" stack="jdbc-ping-tcp" />
+
+    <local-cache name="realms">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <memory max-count="10000" />
+    </local-cache>
+    <local-cache name="users">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <memory max-count="10000" />
+    </local-cache>
+    <distributed-cache name="sessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="authenticationSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="offlineSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="clientSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="offlineClientSessions" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <distributed-cache name="loginFailures" owners="2">
+      <expiration lifespan="-1" />
+    </distributed-cache>
+    <local-cache name="authorization">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <memory max-count="10000" />
+    </local-cache>
+    <replicated-cache name="work">
+      <expiration lifespan="-1" />
+    </replicated-cache>
+    <local-cache name="keys">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <expiration max-idle="3600000" />
+      <memory max-count="1000" />
+    </local-cache>
+    <distributed-cache name="actionTokens" owners="2">
+      <encoding>
+        <key media-type="application/x-java-object" />
+        <value media-type="application/x-java-object" />
+      </encoding>
+      <expiration max-idle="-1" lifespan="-1" interval="300000" />
+      <memory max-count="-1" />
+    </distributed-cache>
+  </cache-container>
+</infinispan>
diff --git a/build/keycloak/docker-entrypoint.sh b/build/keycloak/docker-entrypoint.sh
index f5dc84f..e45ca38 100755
--- a/build/keycloak/docker-entrypoint.sh
+++ b/build/keycloak/docker-entrypoint.sh
@@ -17,44 +17,10 @@ if [ -z "${EXTERNAL_ADDR}" ]; then
 fi
 export EXTERNAL_ADDR
 
-# Add admin user
-if [ -n "${KEYCLOAK_USER}" ] && [ -n "${KEYCLOAK_PASSWORD}" ]; then
-  /opt/jboss/keycloak/bin/add-user-keycloak.sh --user "${KEYCLOAK_USER}" --password "${KEYCLOAK_PASSWORD}"
-fi
-
-# Default to H2 if DB type not detected
-if [ -z "${DB_VENDOR}" ]; then
-  export DB_VENDOR="h2"
-fi
-
-# Set DB name
-DB_VENDOR=$(echo "${DB_VENDOR}" | tr '[:upper:]' '[:lower:]')
-case "${DB_VENDOR}" in
-  h2)
-    DB_NAME="Embedded H2" ;;
-  mariadb)
-    DB_NAME="MariaDB" ;;
-  mysql)
-    DB_NAME="MySQL" ;;
-  postgres)
-    DB_NAME="PostgreSQL" ;;
-  *)
-    echo "Unknown DB vendor ${DB_VENDOR}"
-    exit 1
-esac
-echo "Using ${DB_NAME} database"
-
-if [ "${DB_VENDOR}" != "h2" ]; then
-  /bin/sh /opt/jboss/tools/databases/change-database.sh "${DB_VENDOR}"
-fi
 
 if [ -z "${HOSTNAME}" ]; then
   HOSTNAME="localhost"
 fi
 
-SYS_PROPS="-Dkeycloak.hostname.provider=fixed \
-  -Dkeycloak.hostname.fixed.hostname=${HOSTNAME} \
-  -Dkeycloak.hostname.fixed.httpPort=8080"
-
-exec /opt/jboss/keycloak/bin/standalone.sh "${SYS_PROPS}" "$@"
+exec /opt/keycloak/bin/kc.sh start --optimized "$@"
 exit $?
diff --git a/build/keycloak/profile.properties b/build/keycloak/profile.properties
deleted file mode 100644
index 174a17f..0000000
--- a/build/keycloak/profile.properties
+++ /dev/null
@@ -1,2 +0,0 @@
-feature.scripts=enabled
-feature.upload=enabled
diff --git a/build/keycloak/standalone-ha.xml b/build/keycloak/standalone-ha.xml
deleted file mode 100644
index b73b9a4..0000000
--- a/build/keycloak/standalone-ha.xml
+++ /dev/null
@@ -1,707 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-
-<server xmlns="urn:jboss:domain:16.0">
-    <extensions>
-        <extension module="org.jboss.as.clustering.infinispan"/>
-        <extension module="org.jboss.as.clustering.jgroups"/>
-        <extension module="org.jboss.as.connector"/>
-        <extension module="org.jboss.as.deployment-scanner"/>
-        <extension module="org.jboss.as.ee"/>
-        <extension module="org.jboss.as.ejb3"/>
-        <extension module="org.jboss.as.jaxrs"/>
-        <extension module="org.jboss.as.jmx"/>
-        <extension module="org.jboss.as.jpa"/>
-        <extension module="org.jboss.as.logging"/>
-        <extension module="org.jboss.as.mail"/>
-        <extension module="org.jboss.as.naming"/>
-        <extension module="org.jboss.as.remoting"/>
-        <extension module="org.jboss.as.security"/>
-        <extension module="org.jboss.as.transactions"/>
-        <extension module="org.jboss.as.weld"/>
-        <extension module="org.keycloak.keycloak-server-subsystem"/>
-        <extension module="org.wildfly.extension.bean-validation"/>
-        <extension module="org.wildfly.extension.core-management"/>
-        <extension module="org.wildfly.extension.elytron"/>
-        <extension module="org.wildfly.extension.health"/>
-        <extension module="org.wildfly.extension.io"/>
-        <extension module="org.wildfly.extension.metrics"/>
-        <extension module="org.wildfly.extension.request-controller"/>
-        <extension module="org.wildfly.extension.security.manager"/>
-        <extension module="org.wildfly.extension.undertow"/>
-    </extensions>
-    <management>
-        <security-realms>
-            <security-realm name="ManagementRealm">
-                <authentication>
-                    <local default-user="$local" skip-group-loading="true"/>
-                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization map-groups-to-roles="false">
-                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-            <security-realm name="ApplicationRealm">
-                <server-identities>
-                    <ssl>
-                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
-                    </ssl>
-                </server-identities>
-                <authentication>
-                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
-                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
-                </authentication>
-                <authorization>
-                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </authorization>
-            </security-realm>
-        </security-realms>
-        <audit-log>
-            <formatters>
-                <json-formatter name="json-formatter"/>
-            </formatters>
-            <handlers>
-                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>
-            </handlers>
-            <logger log-boot="true" log-read-only="false" enabled="false">
-                <handlers>
-                    <handler name="file"/>
-                </handlers>
-            </logger>
-        </audit-log>
-        <management-interfaces>
-            <http-interface security-realm="ManagementRealm">
-                <http-upgrade enabled="true"/>
-                <socket-binding http="management-http"/>
-            </http-interface>
-        </management-interfaces>
-        <access-control provider="simple">
-            <role-mapping>
-                <role name="SuperUser">
-                    <include>
-                        <user name="$local"/>
-                    </include>
-                </role>
-            </role-mapping>
-        </access-control>
-    </management>
-    <profile>
-        <subsystem xmlns="urn:jboss:domain:logging:8.0">
-            <console-handler name="CONSOLE">
-                <level name="${env.KEYCLOAK_LOGLEVEL:WARN}"/>
-                <formatter>
-                    <named-formatter name="PATTERN"/>
-                </formatter>
-            </console-handler>
-            <periodic-rotating-file-handler name="FILE" autoflush="true">
-                <formatter>
-                    <named-formatter name="PATTERN"/>
-                </formatter>
-                <file relative-to="jboss.server.log.dir" path="server.log"/>
-                <suffix value=".yyyy-MM-dd"/>
-                <append value="true"/>
-            </periodic-rotating-file-handler>
-            <logger category="com.arjuna">
-                <level name="${env.KEYCLOAK_LOGLEVEL:WARN}"/>
-            </logger>
-            <logger category="io.jaegertracing.Configuration">
-                <level name="${env.KEYCLOAK_LOGLEVEL:WARN}"/>
-            </logger>
-            <logger category="org.jboss.as.config">
-                <level name="${env.KEYCLOAK_LOGLEVEL:DEBUG}"/>
-            </logger>
-            <logger category="sun.rmi">
-                <level name="${env.KEYCLOAK_LOGLEVEL:WARN}"/>
-            </logger>
-            <root-logger>
-                <level name="${env.KEYCLOAK_LOGLEVEL:INFO}"/>
-                <handlers>
-                    <handler name="CONSOLE"/>
-                </handlers>
-            </root-logger>
-            <formatter name="PATTERN">
-                <pattern-formatter pattern="keycloak-${env.ENVIRONMENT_NAME:dev} %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
-            </formatter>
-            <formatter name="COLOR-PATTERN">
-                <pattern-formatter pattern="keycloak-${env.ENVIRONMENT_NAME:dev} %d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
-            </formatter>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:bean-validation:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:core-management:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:datasources:6.0">
-            <datasources>
-                <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true" statistics-enabled="${wildfly.datasources.statistics-enabled:${wildfly.statistics-enabled:false}}">
-                    <connection-url>jdbc:postgresql://${env.DB_ADDR}/keycloak</connection-url>
-                    <connection-property name="ssl">
-                        true
-                    </connection-property>
-                    <connection-property name="sslmode">
-                        allow
-                    </connection-property>
-                    <connection-property name="loginTimeout">
-                        5
-                    </connection-property>
-                    <connection-property name="connectTimeout">
-                        5
-                    </connection-property>
-                    <connection-property name="socketTimeout">
-                        5
-                    </connection-property>
-                    <connection-property name="cancelSignalTimeout">
-                        5
-                    </connection-property>
-                    <connection-property name="tcpKeepAlive">
-                        true
-                    </connection-property>
-                    <connection-property name="targetServerType">
-                        master
-                    </connection-property>
-                    <connection-property name="ApplicationName">
-                        keycloak
-                    </connection-property>
-                    <driver>postgresql</driver>
-                    <pool>
-                        <min-pool-size>40</min-pool-size>
-                        <max-pool-size>100</max-pool-size>
-                    </pool>
-                    <security>
-                        <user-name>${env.DB_USER}</user-name>
-                        <password>${env.DB_PASSWORD}</password>
-                    </security>
-                </datasource>
-                <drivers>
-                    <driver name="h2" module="com.h2database.h2">
-                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
-                    </driver>
-                </drivers>
-            </datasources>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
-            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ee:6.0">
-            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
-            <concurrent>
-                <context-services>
-                    <context-service name="default" jndi-name="java:jboss/ee/concurrency/context/default" use-transaction-setup-provider="true"/>
-                </context-services>
-                <managed-thread-factories>
-                    <managed-thread-factory name="default" jndi-name="java:jboss/ee/concurrency/factory/default" context-service="default"/>
-                </managed-thread-factories>
-                <managed-executor-services>
-                    <managed-executor-service name="default" jndi-name="java:jboss/ee/concurrency/executor/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="5000"/>
-                </managed-executor-services>
-                <managed-scheduled-executor-services>
-                    <managed-scheduled-executor-service name="default" jndi-name="java:jboss/ee/concurrency/scheduler/default" context-service="default" hung-task-termination-period="0" hung-task-threshold="60000" keepalive-time="3000"/>
-                </managed-scheduled-executor-services>
-            </concurrent>
-            <default-bindings context-service="java:jboss/ee/concurrency/context/default" managed-executor-service="java:jboss/ee/concurrency/executor/default" managed-scheduled-executor-service="java:jboss/ee/concurrency/scheduler/default" managed-thread-factory="java:jboss/ee/concurrency/factory/default"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:ejb3:9.0">
-            <session-bean>
-                <stateless>
-                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
-                </stateless>
-                <stateful default-access-timeout="5000" cache-ref="distributable" passivation-disabled-cache-ref="simple"/>
-                <singleton default-access-timeout="5000"/>
-            </session-bean>
-            <pools>
-                <bean-instance-pools>
-                    <strict-max-pool name="mdb-strict-max-pool" derive-size="from-cpu-count" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
-                    <strict-max-pool name="slsb-strict-max-pool" derive-size="from-worker-pools" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
-                </bean-instance-pools>
-            </pools>
-            <caches>
-                <cache name="simple"/>
-                <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/>
-            </caches>
-            <passivation-stores>
-                <passivation-store name="infinispan" cache-container="ejb" max-size="10000"/>
-            </passivation-stores>
-            <async thread-pool-name="default"/>
-            <timer-service thread-pool-name="default" default-data-store="default-file-store">
-                <data-stores>
-                    <file-data-store name="default-file-store" path="timer-service-data" relative-to="jboss.server.data.dir"/>
-                </data-stores>
-            </timer-service>
-            <remote connectors="http-remoting-connector" thread-pool-name="default">
-                <channel-creation-options>
-                    <option name="MAX_OUTBOUND_MESSAGES" value="1234" type="remoting"/>
-                </channel-creation-options>
-            </remote>
-            <thread-pools>
-                <thread-pool name="default">
-                    <max-threads count="20"/>
-                    <keepalive-time time="200" unit="milliseconds"/>
-                </thread-pool>
-            </thread-pools>
-            <default-security-domain value="other"/>
-            <default-missing-method-permissions-deny-access value="true"/>
-            <statistics enabled="true"/>
-            <log-system-exceptions value="true"/>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:elytron:13.0" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
-            <providers>
-                <aggregate-providers name="combined-providers">
-                    <providers name="elytron"/>
-                    <providers name="openssl"/>
-                </aggregate-providers>
-                <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
-                <provider-loader name="openssl" module="org.wildfly.openssl"/>
-            </providers>
-            <audit-logging>
-                <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
-            </audit-logging>
-            <security-domains>
-                <security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
-                    <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
-                    <realm name="local"/>
-                </security-domain>
-                <security-domain name="ManagementDomain" default-realm="ManagementRealm" permission-mapper="default-permission-mapper">
-                    <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
-                    <realm name="local" role-mapper="super-user-mapper"/>
-                </security-domain>
-            </security-domains>
-            <security-realms>
-                <identity-realm name="local" identity="$local"/>
-                <properties-realm name="ApplicationRealm">
-                    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ApplicationRealm"/>
-                    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
-                </properties-realm>
-                <properties-realm name="ManagementRealm">
-                    <users-properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" digest-realm-name="ManagementRealm"/>
-                    <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
-                </properties-realm>
-            </security-realms>
-            <mappers>
-                <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
-                    <permission-mapping>
-                        <principal name="anonymous"/>
-                        <permission-set name="default-permissions"/>
-                    </permission-mapping>
-                    <permission-mapping match-all="true">
-                        <permission-set name="login-permission"/>
-                        <permission-set name="default-permissions"/>
-                    </permission-mapping>
-                </simple-permission-mapper>
-                <constant-realm-mapper name="local" realm-name="local"/>
-                <simple-role-decoder name="groups-to-roles" attribute="groups"/>
-                <constant-role-mapper name="super-user-mapper">
-                    <role name="SuperUser"/>
-                </constant-role-mapper>
-            </mappers>
-            <permission-sets>
-                <permission-set name="login-permission">
-                    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
-                </permission-set>
-                <permission-set name="default-permissions">
-                    <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
-                    <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
-                    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
-                </permission-set>
-            </permission-sets>
-            <http>
-                <http-authentication-factory name="management-http-authentication" security-domain="ManagementDomain" http-server-mechanism-factory="global">
-                    <mechanism-configuration>
-                        <mechanism mechanism-name="DIGEST">
-                            <mechanism-realm realm-name="ManagementRealm"/>
-                        </mechanism>
-                    </mechanism-configuration>
-                </http-authentication-factory>
-                <provider-http-server-mechanism-factory name="global"/>
-            </http>
-            <sasl>
-                <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
-                    <mechanism-configuration>
-                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
-                        <mechanism mechanism-name="DIGEST-MD5">
-                            <mechanism-realm realm-name="ApplicationRealm"/>
-                        </mechanism>
-                    </mechanism-configuration>
-                </sasl-authentication-factory>
-                <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
-                    <mechanism-configuration>
-                        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
-                        <mechanism mechanism-name="DIGEST-MD5">
-                            <mechanism-realm realm-name="ManagementRealm"/>
-                        </mechanism>
-                    </mechanism-configuration>
-                </sasl-authentication-factory>
-                <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
-                    <properties>
-                        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
-                    </properties>
-                </configurable-sasl-server-factory>
-                <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
-                    <filters>
-                        <filter provider-name="WildFlyElytron"/>
-                    </filters>
-                </mechanism-provider-filtering-sasl-server-factory>
-                <provider-sasl-server-factory name="global"/>
-            </sasl>
-            <tls>
-                <key-stores>
-                    <key-store name="applicationKS">
-                        <credential-reference clear-text="password"/>
-                        <implementation type="JKS"/>
-                        <file path="application.keystore" relative-to="jboss.server.config.dir"/>
-                    </key-store>
-                </key-stores>
-                <key-managers>
-                    <key-manager name="applicationKM" key-store="applicationKS" generate-self-signed-certificate-host="localhost">
-                        <credential-reference clear-text="password"/>
-                    </key-manager>
-                </key-managers>
-                <server-ssl-contexts>
-                    <server-ssl-context name="applicationSSC" key-manager="applicationKM"/>
-                </server-ssl-contexts>
-            </tls>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:health:1.0" security-enabled="false"/>
-        <subsystem xmlns="urn:jboss:domain:infinispan:12.0">
-            <cache-container name="keycloak" modules="org.keycloak.keycloak-model-infinispan">
-                <transport lock-timeout="60000"/>
-                <local-cache name="realms">
-                    <heap-memory size="10000"/>
-                </local-cache>
-                <local-cache name="users">
-                    <heap-memory size="10000"/>
-                </local-cache>
-                <local-cache name="authorization">
-                    <heap-memory size="10000"/>
-                </local-cache>
-                <local-cache name="keys">
-                    <heap-memory size="1000"/>
-                    <expiration max-idle="3600000"/>
-                </local-cache>
-                <replicated-cache name="work" remote-timeout="60000">
-                    <expiration lifespan="900000000000000000"/>
-                </replicated-cache>
-                <distributed-cache name="sessions" owners="2">
-                    <expiration lifespan="900000000000000000"/>
-                </distributed-cache>
-                <distributed-cache name="authenticationSessions" owners="2">
-                    <expiration lifespan="900000000000000000"/>
-                </distributed-cache>
-                <distributed-cache name="offlineSessions" owners="2">
-                    <expiration lifespan="900000000000000000"/>
-                </distributed-cache>
-                <distributed-cache name="clientSessions" owners="2">
-                    <expiration lifespan="900000000000000000"/>
-                </distributed-cache>
-                <distributed-cache name="offlineClientSessions" owners="2">
-                    <expiration lifespan="900000000000000000"/>
-                </distributed-cache>
-                <distributed-cache name="loginFailures" owners="2">
-                    <expiration lifespan="900000000000000000"/>
-                </distributed-cache>
-                <distributed-cache name="actionTokens" owners="2">
-                    <heap-memory size="-1"/>
-                    <expiration interval="300000" lifespan="900000000000000000" max-idle="-1"/>
-                </distributed-cache>
-            </cache-container>
-            <cache-container name="server" default-cache="default" aliases="singleton cluster" modules="org.wildfly.clustering.server">
-                <transport lock-timeout="60000"/>
-                <replicated-cache name="default" remote-timeout="60000">
-                    <transaction mode="BATCH"/>
-                </replicated-cache>
-            </cache-container>
-            <cache-container name="web" default-cache="dist" modules="org.wildfly.clustering.web.infinispan">
-                <transport lock-timeout="60000"/>
-                <replicated-cache name="sso" remote-timeout="60000">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                </replicated-cache>
-                <distributed-cache name="dist">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                    <file-store/>
-                </distributed-cache>
-                <distributed-cache name="routing"/>
-            </cache-container>
-            <cache-container name="ejb" default-cache="dist" aliases="sfsb" modules="org.wildfly.clustering.ejb.infinispan">
-                <transport lock-timeout="60000"/>
-                <distributed-cache name="dist">
-                    <locking isolation="REPEATABLE_READ"/>
-                    <transaction mode="BATCH"/>
-                    <file-store/>
-                </distributed-cache>
-            </cache-container>
-            <cache-container name="hibernate" modules="org.infinispan.hibernate-cache">
-                <transport lock-timeout="60000"/>
-                <local-cache name="local-query">
-                    <heap-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </local-cache>
-                <local-cache name="pending-puts">
-                    <expiration max-idle="60000"/>
-                </local-cache>
-                <invalidation-cache name="entity">
-                    <transaction mode="NON_XA"/>
-                    <heap-memory size="10000"/>
-                    <expiration max-idle="100000"/>
-                </invalidation-cache>
-                <replicated-cache name="timestamps" remote-timeout="60000"/>
-            </cache-container>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:io:3.0">
-            <worker name="default"/>
-            <buffer-pool name="default"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jaxrs:2.0"/>
-        <subsystem xmlns="urn:jboss:domain:jca:5.0">
-            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
-            <bean-validation enabled="true"/>
-            <default-workmanager>
-                <short-running-threads>
-                    <core-threads count="50"/>
-                    <queue-length count="50"/>
-                    <max-threads count="50"/>
-                    <keepalive-time time="10" unit="seconds"/>
-                </short-running-threads>
-                <long-running-threads>
-                    <core-threads count="50"/>
-                    <queue-length count="50"/>
-                    <max-threads count="50"/>
-                    <keepalive-time time="10" unit="seconds"/>
-                </long-running-threads>
-            </default-workmanager>
-            <cached-connection-manager/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jgroups:8.0">
-            <channels default="ee">
-                <channel name="ee" stack="tcp" cluster="ejb"/>
-            </channels>
-            <stacks>
-                <stack name="tcp">
-                    <transport type="TCP" socket-binding="jgroups-tcp"/>
-                    <protocol type="org.jgroups.protocols.JDBC_PING">
-                        <property name="datasource_jndi_name">java:jboss/datasources/KeycloakDS</property>
-                        <property name="remove_old_coords_on_view_change">true</property>
-                        <property name="info_writer_sleep_time">5000</property>
-                        <property name="info_writer_max_writes_after_view">2</property>
-                        <property name="initialize_sql">CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL,bind_addr varchar(200) NOT NULL,created timestamp NOT NULL,cluster_name varchar(200) NOT NULL,ping_data BYTEA,constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name));</property>
-                        <property name="insert_single_sql">INSERT INTO JGROUPSPING (own_addr, bind_addr, created, cluster_name, ping_data) values (?,'${env.EXTERNAL_ADDR:127.0.0.1}',NOW(), ?, ?);</property>
-                        <property name="delete_single_sql">DELETE FROM JGROUPSPING WHERE own_addr=? AND cluster_name=?;</property>
-                        <property name="select_all_pingdata_sql">SELECT ping_data FROM JGROUPSPING WHERE cluster_name=?;</property>
-                    </protocol>
-                    <protocol type="MERGE3"/>
-                    <protocol type="FD_ALL"/>
-                    <protocol type="VERIFY_SUSPECT"/>
-                    <protocol type="pbcast.NAKACK2"/>
-                    <protocol type="UNICAST3"/>
-                    <protocol type="pbcast.STABLE"/>
-                    <protocol type="pbcast.GMS"/>
-                    <protocol type="MFC"/>
-                    <protocol type="FRAG3"/>
-                    <socket-protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
-                </stack>
-            </stacks>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jmx:1.3">
-            <expose-resolved-model/>
-            <expose-expression-model/>
-            <remoting-connector/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:jpa:1.1">
-            <jpa default-extended-persistence-inheritance="DEEP"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
-            <web-context>auth</web-context>
-            <providers>
-                <provider>
-                    classpath:${jboss.home.dir}/providers/*
-                </provider>
-            </providers>
-            <master-realm-name>master</master-realm-name>
-            <scheduled-task-interval>900</scheduled-task-interval>
-            <theme>
-                <staticMaxAge>2592000</staticMaxAge>
-                <cacheThemes>true</cacheThemes>
-                <cacheTemplates>true</cacheTemplates>
-                <dir>${jboss.home.dir}/themes</dir>
-            </theme>
-            <spi name="stickySessionEncoder">
-                <provider name="infinispan" enabled="true">
-                    <properties>
-                        <property name="shouldAttachRoute" value="false"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="eventsStore">
-                <provider name="jpa" enabled="true">
-                    <properties>
-                        <property name="exclude-events" value="[&quot;REFRESH_TOKEN&quot;]"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="userCache">
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="userSessionPersister">
-                <default-provider>jpa</default-provider>
-            </spi>
-            <spi name="timer">
-                <default-provider>basic</default-provider>
-            </spi>
-            <spi name="connectionsHttpClient">
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="connectionsJpa">
-                <provider name="default" enabled="true">
-                    <properties>
-                        <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
-                        <property name="initializeEmpty" value="true"/>
-                        <property name="migrationStrategy" value="update"/>
-                        <property name="migrationExport" value="${jboss.home.dir}/keycloak-database-update.sql"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="realmCache">
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="connectionsInfinispan">
-                <default-provider>default</default-provider>
-                <provider name="default" enabled="true">
-                    <properties>
-                        <property name="cacheContainer" value="java:jboss/infinispan/container/keycloak"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="jta-lookup">
-                <default-provider>${keycloak.jta.lookup.provider:jboss}</default-provider>
-                <provider name="jboss" enabled="true"/>
-            </spi>
-            <spi name="publicKeyStorage">
-                <provider name="infinispan" enabled="true">
-                    <properties>
-                        <property name="minTimeBetweenRequests" value="10"/>
-                    </properties>
-                </provider>
-            </spi>
-            <spi name="x509cert-lookup">
-                <default-provider>${keycloak.x509cert.lookup.provider:default}</default-provider>
-                <provider name="default" enabled="true"/>
-            </spi>
-            <spi name="hostname">
-                <default-provider>default</default-provider>
-                <provider name="default" enabled="true">
-                    <properties>
-                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
-                    </properties>
-                </provider>
-            </spi>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:mail:4.0">
-            <mail-session name="default" jndi-name="java:jboss/mail/Default">
-                <smtp-server outbound-socket-binding-ref="mail-smtp"/>
-            </mail-session>
-        </subsystem>
-        <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
-        <subsystem xmlns="urn:jboss:domain:naming:2.0">
-            <remote-naming/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
-            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:request-controller:1.0"/>
-        <subsystem xmlns="urn:jboss:domain:security:2.0">
-            <security-domains>
-                <security-domain name="other" cache-type="default">
-                    <authentication>
-                        <login-module code="Remoting" flag="optional">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                        <login-module code="RealmDirect" flag="required">
-                            <module-option name="password-stacking" value="useFirstPass"/>
-                        </login-module>
-                    </authentication>
-                </security-domain>
-                <security-domain name="jboss-web-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jboss-ejb-policy" cache-type="default">
-                    <authorization>
-                        <policy-module code="Delegating" flag="required"/>
-                    </authorization>
-                </security-domain>
-                <security-domain name="jaspitest" cache-type="default">
-                    <authentication-jaspi>
-                        <login-module-stack name="dummy">
-                            <login-module code="Dummy" flag="optional"/>
-                        </login-module-stack>
-                        <auth-module code="Dummy"/>
-                    </authentication-jaspi>
-                </security-domain>
-            </security-domains>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
-            <deployment-permissions>
-                <maximum-set>
-                    <permission class="java.security.AllPermission"/>
-                </maximum-set>
-            </deployment-permissions>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:transactions:6.0">
-            <core-environment node-identifier="${env.EXTERNAL_ADDR}">
-                <process-id>
-                    <uuid/>
-                </process-id>
-            </core-environment>
-            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
-            <coordinator-environment statistics-enabled="true"/>
-            <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
-            <buffer-cache name="default"/>
-            <server name="default-server">
-                <ajp-listener name="ajp" socket-binding="ajp"/>
-                <http-listener name="default" read-timeout="30000" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/>
-                <https-listener name="https" read-timeout="30000" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
-                <host name="default-host" alias="localhost">
-                    <location name="/" handler="welcome-content"/>
-                    <http-invoker security-realm="ApplicationRealm"/>
-                </host>
-            </server>
-            <servlet-container name="default">
-                <jsp-config/>
-                <websockets/>
-            </servlet-container>
-            <handlers>
-                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
-            </handlers>
-        </subsystem>
-        <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
-    </profile>
-    <interfaces>
-        <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
-        </interface>
-        <interface name="private">
-            <inet-address value="${jboss.bind.address.private:127.0.0.1}"/>
-        </interface>
-        <interface name="public">
-            <inet-address value="${env.EXTERNAL_ADDR:127.0.0.1}"/>
-        </interface>
-    </interfaces>
-    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
-        <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
-        <socket-binding name="http" port="${jboss.http.port:8080}"/>
-        <socket-binding name="https" port="${jboss.https.port:8443}"/>
-        <socket-binding name="jgroups-mping" interface="private" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
-        <socket-binding name="jgroups-tcp" interface="public" port="7600"/>
-        <socket-binding name="jgroups-tcp-fd" interface="private" port="57600"/>
-        <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45688"/>
-        <socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>
-        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
-        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
-        <socket-binding name="proxy-https" port="443"/>
-        <socket-binding name="txn-recovery-environment" port="4712"/>
-        <socket-binding name="txn-status-manager" port="4713"/>
-        <outbound-socket-binding name="mail-smtp">
-            <remote-destination host="${jboss.mail.server.host:localhost}" port="${jboss.mail.server.port:25}"/>
-        </outbound-socket-binding>
-    </socket-binding-group>
-</server>
\ No newline at end of file
diff --git a/modules/keycloak/main.tf b/modules/keycloak/main.tf
index 9c72ed7..fe32202 100644
--- a/modules/keycloak/main.tf
+++ b/modules/keycloak/main.tf
@@ -52,7 +52,7 @@ module "alb" {
   certificate_arn                         = var.alb_certificate_arn
   deletion_protection_enabled             = var.deletion_protection
   health_check_interval                   = 60
-  health_check_path                       = "/auth"
+  health_check_path                       = "/auth/health"
   health_check_timeout                    = 10
   http_ingress_cidr_blocks                = var.http_ingress_cidr_blocks
   http_redirect                           = var.http_redirect
@@ -253,10 +253,10 @@ module "ecs" {
   ]
 }
 
-resource "aws_security_group_rule" "jgroups" {
+resource "aws_security_group_rule" "jdbc_ping" {
   type              = "ingress"
-  from_port         = 7600
-  to_port           = 7600
+  from_port         = 7800
+  to_port           = 7800
   protocol          = "tcp"
   cidr_blocks       = var.private_subnet_cidrs
   security_group_id = module.ecs.service_security_group_id
diff --git a/modules/keycloak/templates/container_definition.json b/modules/keycloak/templates/container_definition.json
index 00a8860..aed66f1 100644
--- a/modules/keycloak/templates/container_definition.json
+++ b/modules/keycloak/templates/container_definition.json
@@ -15,7 +15,7 @@
       },
       {
         "protocol": "tcp",
-        "containerPort": 7600
+        "containerPort": 7800
       },
       {
         "protocol": "tcp",
@@ -25,25 +25,21 @@
     "cpu": ${container_cpu_units},
     "environment": [
       {
-        "name": "DB_ADDR",
-        "value": "${db_addr}"
+        "name": "KC_DB",
+        "value": "postgres"
       },
       {
-        "name": "DB_DATABASE",
-        "value": "keycloak"
+        "name": "KC_DB_URL",
+        "value": "jdbc:postgresql://${db_addr}:5432/keycloak"
       },
       {
-        "name": "DB_PORT",
-        "value": "5432"
+        "name": "KC_DB_ADDR",
+        "value": "${db_addr}"
       },
       {
-        "name": "DB_USER",
+        "name": "KC_DB_USERNAME",
         "value": "keycloak"
       },
-      {
-        "name": "DB_VENDOR",
-        "value": "postgres"
-      },
       {
         "name": "DNS_NAME",
         "value": "${dns_name}"
@@ -57,16 +53,32 @@
         "value": "-XX:+DisableExplicitGC -XX:+UseG1GC -Xms${jvm_heap_min}m -Xmx${jvm_heap_max}m -XX:MetaspaceSize=${jvm_meta_min}m -XX:MaxMetaspaceSize=${jvm_meta_max}m -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses -Djava.security.egd=file:/dev/urandom -Dnashorn.args=--no-deprecation-warning"
       },
       {
-        "name": "KEYCLOAK_DEFAULT_THEME",
-        "value": "keycloak"
+        "name": "KEYCLOAK_ADMIN",
+        "value": "keycloak_admin"
       },
       {
-        "name": "KEYCLOAK_USER",
-        "value": "keycloak_admin"
+        "name": "KC_LOG_LEVEL",
+        "value": "INFO,org.infinispan:ERROR,org.jgroups:ERROR"
+      },
+      {
+        "name": "KC_HTTP_ENABLED",
+        "value": "true"
+      },
+      {
+        "name": "KC_PROXY",
+        "value": "edge"
+      },
+      {
+        "name": "KC_HOSTNAME_STRICT",
+        "value": "false"
+      },
+      {
+        "name": "KC_HOSTNAME_PATH",
+        "value": "/auth"
       },
       {
-        "name": "KEYCLOAK_LOGLEVEL",
-        "value": "INFO"
+        "name": "KC_HTTP_RELATIVE_PATH",
+        "value": "/auth"
       },
       {
           "name": "ROOT_LOGLEVEL",
@@ -75,11 +87,11 @@
     ],
     "secrets": [
       {
-        "name": "DB_PASSWORD",
+        "name": "KC_DB_PASSWORD",
         "valueFrom": "arn:aws:ssm:${region}:${aws_account_id}:parameter/${name}/${environment}/DB_PASSWORD"
       },
       {
-        "name": "KEYCLOAK_PASSWORD",
+        "name": "KEYCLOAK_ADMIN_PASSWORD",
         "valueFrom": "arn:aws:ssm:${region}:${aws_account_id}:parameter/${name}/${environment}/KEYCLOAK_PASSWORD"
       }
     ],
diff --git a/modules/keycloak/templates/container_definition_datadog.json b/modules/keycloak/templates/container_definition_datadog.json
index 40334ad..943ede5 100644
--- a/modules/keycloak/templates/container_definition_datadog.json
+++ b/modules/keycloak/templates/container_definition_datadog.json
@@ -15,7 +15,7 @@
       },
       {
         "protocol": "tcp",
-        "containerPort": 7600
+        "containerPort": 7800
       },
       {
         "protocol": "tcp",
@@ -25,25 +25,21 @@
     "cpu": ${container_cpu_units},
     "environment": [
       {
-        "name": "DB_ADDR",
-        "value": "${db_addr}"
+        "name": "KC_DB",
+        "value": "postgres"
       },
       {
-        "name": "DB_DATABASE",
-        "value": "keycloak"
+        "name": "KC_DB_URL",
+        "value": "jdbc:postgresql://${db_addr}:5432/keycloak"
       },
       {
-        "name": "DB_PORT",
-        "value": "5432"
+        "name": "KC_DB_ADDR",
+        "value": "${db_addr}"
       },
       {
-        "name": "DB_USER",
+        "name": "KC_DB_USERNAME",
         "value": "keycloak"
       },
-      {
-        "name": "DB_VENDOR",
-        "value": "postgres"
-      },
       {
         "name": "DNS_NAME",
         "value": "${dns_name}"
@@ -57,16 +53,32 @@
         "value": "-XX:+DisableExplicitGC -XX:+UseG1GC -Xms${jvm_heap_min}m -Xmx${jvm_heap_max}m -XX:MetaspaceSize=${jvm_meta_min}m -XX:MaxMetaspaceSize=${jvm_meta_max}m -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses -Djava.security.egd=file:/dev/urandom -Dnashorn.args=--no-deprecation-warning"
       },
       {
-        "name": "KEYCLOAK_DEFAULT_THEME",
-        "value": "keycloak"
+        "name": "KEYCLOAK_ADMIN",
+        "value": "keycloak_admin"
       },
       {
-        "name": "KEYCLOAK_USER",
-        "value": "keycloak_admin"
+        "name": "KC_LOG_LEVEL",
+        "value": "INFO,org.infinispan:ERROR,org.jgroups:ERROR"
+      },
+      {
+        "name": "KC_HTTP_ENABLED",
+        "value": "true"
+      },
+      {
+        "name": "KC_PROXY",
+        "value": "edge"
+      },
+      {
+        "name": "KC_HOSTNAME_STRICT",
+        "value": "false"
+      },
+      {
+        "name": "KC_HOSTNAME_PATH",
+        "value": "/auth"
       },
       {
-        "name": "KEYCLOAK_LOGLEVEL",
-        "value": "INFO"
+        "name": "KC_HTTP_RELATIVE_PATH",
+        "value": "/auth"
       },
       {
           "name": "ORG_MANAGER_HOST",