Status: Accepted
Date: 2026-01-25
Context: Decide whether Keycloak should be shared between environments or isolated.

Decision: Keycloak per environment (isolated). Each AWS account (HML, PRD) has its own Keycloak instances, with separate configurations kept in Git.

Consequences:
- Data isolation between HML and PRD
- Allows testing configuration changes in HML
- Avoids cross-account dependency
- Reduced blast radius
- Progressive rollout (HML → PRD with approval)
- Multiple instances to manage
- Separate configurations per account in platform-keycloak/realms/{account}/
- Promotion from HML to PRD via Pull Request (see ADR-010)
- Synchronization only cross-region within the same account (GitOps)
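As an added example (not the platform's own code), a pre-merge check for the HML → PRD promotion pull request described above. It assumes the realms/{account}/ layout from this ADR and uses constructed sample realm exports; it flags client drift between the two accounts and any secret-bearing field that would be committed to Git.

```python
"""Promotion gate for per-account Keycloak realm configs kept in Git.
Added example for this ADR, not the platform's own code. It assumes each
account directory (platform-keycloak/realms/hml, .../prd) holds one Keycloak
realm export per realm; the exports below are constructed samples.
"""
# Fields of a realm export that must never be promoted through Git.
SECRET_KEYS = {"secret", "password", "privateKey"}

EXPORTS = {  # constructed samples, keyed by account and then by realm name
    "hml": {"platform": {"realm": "platform", "clients": [
        {"clientId": "portal", "redirectUris": ["https://portal.hml.example/*"]},
        {"clientId": "api", "secret": "hml-only-dev-secret"}]}},
    "prd": {"platform": {"realm": "platform", "clients": [
        {"clientId": "portal", "redirectUris": ["https://portal.example/*"]}]}},
}

def find_secrets(obj, path=""):
    """Recursively list JSON paths whose key is a secret-bearing field."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            sub = f"{path}/{key}"
            if key in SECRET_KEYS and val:
                hits.append(sub)
            hits.extend(find_secrets(val, sub))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_secrets(val, f"{path}[{i}]"))
    return hits

def client_ids(realm):
    return {c["clientId"] for c in realm.get("clients", [])}

def check_promotion(hml, prd):
    """Findings that should block an HML -> PRD promotion pull request."""
    findings = []
    for name in sorted(set(hml) | set(prd)):
        if name not in prd:
            findings.append(f"realm {name}: present in HML, missing in PRD")
        elif name not in hml:
            findings.append(f"realm {name}: present in PRD, never tested in HML")
        else:
            for cid in sorted(client_ids(hml[name]) ^ client_ids(prd[name])):
                findings.append(f"realm {name}: client {cid} differs between accounts")
    for account, realms in (("hml", hml), ("prd", prd)):
        for name, data in realms.items():
            for hit in find_secrets(data):
                findings.append(f"{account}/{name}: secret committed at {hit}")
    return findings
```

Wire `check_promotion` into the PR pipeline so a non-empty findings list fails the check before the PRD realm is updated.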
Related ADRs:
- ADR-010: Keycloak Multi-Region with GitOps Sync (implementation details)