fix: Add NAT gateway IPs to Keycloak ALB security group

aarora79 · aarora79 · commit a310826241f2 · 2025-11-30T03:01:43.000Z
When ECS tasks in private subnets call Keycloak's public DNS name,
traffic goes through the NAT gateway and the source IP becomes the
NAT gateway's public IP instead of the ECS task's security group.
This was causing OAuth2 callback failures.

Added dynamic security group rule that allows HTTPS traffic from
all NAT gateway public IPs to the Keycloak load balancer.
diff --git a/terraform/aws-ecs/keycloak-security-groups.tf b/terraform/aws-ecs/keycloak-security-groups.tf
@@ -97,6 +97,8 @@ resource "aws_security_group_rule" "keycloak_lb_ingress_https" {
 }
 
 # Load Balancer Ingress from MCP Gateway Auth Server (HTTPS)
+# Note: This rule is for direct VPC traffic. For traffic via NAT gateway,
+# see keycloak_lb_ingress_nat_gateway rule below.
 resource "aws_security_group_rule" "keycloak_lb_ingress_auth_server" {
   description              = "Ingress from MCP Gateway Auth Server to Keycloak load balancer (HTTPS)"
   type                     = "ingress"
@@ -107,6 +109,19 @@ resource "aws_security_group_rule" "keycloak_lb_ingress_auth_server" {
   source_security_group_id = module.mcp_gateway.ecs_security_group_ids.auth
 }
 
+# Load Balancer Ingress from NAT Gateways (for ECS tasks making HTTPS requests to Keycloak public URL)
+# When ECS tasks in private subnets call Keycloak's public DNS name, traffic goes through NAT gateway.
+# The source IP becomes the NAT gateway's public IP, not the ECS task's security group.
+resource "aws_security_group_rule" "keycloak_lb_ingress_nat_gateway" {
+  description       = "Ingress from NAT gateways to Keycloak load balancer (HTTPS)"
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = [for ip in module.vpc.nat_public_ips : "${ip}/32"]
+  security_group_id = aws_security_group.keycloak_lb.id
+}
+
 # Load Balancer Ingress from MCP Gateway Registry (HTTPS)
 resource "aws_security_group_rule" "keycloak_lb_ingress_registry" {
   description              = "Ingress from MCP Gateway Registry to Keycloak load balancer (HTTPS)"
