Add CI tests for Azure SQL Database

Closes: #42986

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>

.github/actions/azure-create-database/action.yml

@@ -0,0 +1,105 @@
+name: Create Azure SQL Database
+description: Create Azure SQL Database
+
+inputs:
+  name:
+    description: 'The name prefix for the Azure SQL resources'
+    required: true
+  region:
+    description: 'The Azure region used to host the SQL server'
+    required: true
+  azure-credentials:
+    description: 'Azure service principal credentials JSON'
+    required: true
+  admin-user:
+    description: 'The admin username for the SQL server'
+    required: false
+    default: 'sqladmin'
+  db-user:
+    description: 'The db username for the Keycloak DB'
+    required: false
+    default: 'keycloak'
+  admin-password:
+    description: 'Override admin password (auto-generated if not provided)'
+    required: false
+  db-password:
+    description: 'Override DB password (auto-generated if not provided)'
+    required: false
+  subscription:
+    description: 'Azure subscription ID'
+    required: true
+
+outputs:
+  endpoint:
+    description: 'The Endpoint URL for SQL clients to connect to'
+    value: ${{ steps.create.outputs.endpoint }}
+  db:
+    description: 'Database name'
+    value: ${{ steps.create.outputs.db }}
+  username:
+    description: 'DB user principal'
+    value: ${{ steps.create.outputs.username }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Generate secure passwords
+      id: generate-passwords
+      shell: bash
+      run: |
+        # Generate passwords using OpenSSL
+        generate_password() {
+          openssl rand -base64 48 | tr -d '\n/' | head -c 32
+        }
+        
+        # Use provided passwords or generate random ones
+        if [[ -n "${{ inputs.admin-password }}" ]]; then
+          ADMIN_PASSWORD="${{ inputs.admin-password }}"
+          echo "INFO: Using provided admin password"
+        else
+          ADMIN_PASSWORD=$(generate_password)
+          echo "INFO: Using generated admin password"
+        fi
+        
+        if [[ -n "${{ inputs.db-password }}" ]]; then
+          DB_PASSWORD="${{ inputs.db-password }}"
+          echo "INFO: Using provided DB password"
+        else
+          DB_PASSWORD=$(generate_password)
+          echo "INFO: Using generated DB password"
+        fi
+        
+        # Mask passwords
+        echo "::add-mask::$ADMIN_PASSWORD"
+        echo "::add-mask::$DB_PASSWORD"
+        
+        # Export to environment for subsequent steps
+        {
+          echo "AZURE_ADMIN_PASSWORD=$ADMIN_PASSWORD"
+          echo "AZURE_DB_PASSWORD=$DB_PASSWORD"
+        } >> $GITHUB_ENV
+    
+    - name: Install sqlcmd (mssql-tools)
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo ACCEPT_EULA=Y apt-get install -y curl apt-transport-https gnupg
+        curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
+        curl https://packages.microsoft.com/config/ubuntu/22.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list
+        sudo apt-get update
+        sudo ACCEPT_EULA=Y apt-get install -y mssql-tools unixodbc-dev
+        echo "/opt/mssql-tools/bin" >> $GITHUB_PATH
+
+    - id: create
+      shell: bash
+      run: |
+        ./azure_create_sql.sh
+      working-directory: .github/scripts/azure/sql
+      env:
+        AZURE_NAME: ${{ inputs.name }}
+        AZURE_REGION: ${{ inputs.region }}
+        AZURE_SUBSCRIPTION: ${{ inputs.subscription }}
+        AZURE_ADMIN_PASSWORD: ${{ env.AZURE_ADMIN_PASSWORD }}
+        AZURE_ADMIN_USER: ${{ inputs.admin-user }}
+        AZURE_DB_PASSWORD: ${{ env.AZURE_DB_PASSWORD }}
+        AZURE_DB_USER: ${{ inputs.db-user }}

.github/scripts/ansible/azure_vm_manager.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Usage: ./azure_vm_manager.sh <create|delete> <region> <cluster_name>
+ACTION=${1:-}
+REGION=${2:-}
+CLUSTER=${3:-}
+
+if [[ -z "$ACTION" || -z "$REGION" || -z "$CLUSTER" ]]; then
+  echo "Usage: $0 <create|delete> <region> <cluster_name>"
+  exit 1
+fi
+
+SSH_KEY="$CLUSTER"_"$REGION"
+ADMIN_USER="azureuser"
+VM_SIZE="Standard_D2s_v5"
+IMAGE="Ubuntu2404"
+
+if [[ "$ACTION" == "create" ]]; then
+  # 1. Resource group (created via idempotent command)
+  az group create --name "$CLUSTER" --location "$REGION"
+
+  # 2. SSH key
+  if [[ ! -f "${SSH_KEY}" ]]; then
+    ssh-keygen -t rsa -b 2048 -f "${SSH_KEY}" -N ""
+  fi
+
+  # 3. Network security group
+  az network nsg create --resource-group "$CLUSTER" --name "$CLUSTER-nsg"
+  az network nsg rule create --resource-group "$CLUSTER" --nsg-name "$CLUSTER-nsg" --name Allow-SSH --protocol Tcp --priority 1000 --destination-port-range 22 --access Allow --direction Inbound
+
+  # 4. Public IP
+  az network public-ip create --resource-group "$CLUSTER" --name "$CLUSTER-pip" --allocation-method Static
+
+  # 5. Virtual network
+  az network vnet create --resource-group "$CLUSTER" --name "$CLUSTER-vnet" --address-prefix 10.0.0.0/16
+
+  # 6. Subnet
+  az network vnet subnet create --resource-group "$CLUSTER" --vnet-name "$CLUSTER-vnet" --name "$CLUSTER-subnet" --address-prefix 10.0.0.0/24
+
+  # 7. Network interface
+  az network nic create --resource-group "$CLUSTER" --name "$CLUSTER-nic" --vnet-name "$CLUSTER-vnet" --subnet "$CLUSTER-subnet" --network-security-group "$CLUSTER-nsg" --public-ip-address "$CLUSTER-pip"
+
+  # 8. VM
+  az vm create \
+    --resource-group "$CLUSTER" \
+    --name "$CLUSTER-vm" \
+    --nics "$CLUSTER-nic" \
+    --image "$IMAGE" \
+    --size "$VM_SIZE" \
+    --admin-username "$ADMIN_USER" \
+    --ssh-key-values "${SSH_KEY}.pub" \
+    --authentication-type ssh \
+    --no-wait
+
+  # 9. Wait for VM IP
+  az vm wait --created --resource-group "$CLUSTER" --name "$CLUSTER-vm"
+  VM_IP=$(az network public-ip show --resource-group "$CLUSTER" --name "$CLUSTER-pip" --query ipAddress -o tsv)
+
+  # 10. Wait for SSH
+  for i in {1..30}; do
+    if nc -z "$VM_IP" 22; then break; fi
+    sleep 5
+  done
+
+  # 11. Create inventory file with both host and group
+  cat > "${CLUSTER}_${REGION}_inventory.yml" <<EOF
+all:
+  hosts:
+    keycloak:
+      ansible_host: $VM_IP
+      ansible_user: $ADMIN_USER
+      ansible_ssh_private_key_file: ${SSH_KEY}
+  children:
+    keycloak_group:
+      hosts:
+        keycloak:
+EOF
+
+  echo "VM provisioned. Inventory: ${CLUSTER}_${REGION}_inventory.yml"
+
+elif [[ "$ACTION" == "delete" ]]; then
+  az group delete --name "$CLUSTER" --yes --no-wait
+  echo "Resource group $CLUSTER deletion initiated."
+else
+  echo "Unknown action: $ACTION"
+  exit 2
+fi

.github/scripts/ansible/keycloak.yml

@@ -1,2 +1,2 @@
 - hosts: keycloak
-  roles: [keycloak_ec2_installer]
+  roles: [keycloak_remote_installer]

.github/scripts/ansible/mvn.yml

@@ -1,2 +1,2 @@
 - hosts: keycloak
-  roles: [mvn_ec2_runner]
+  roles: [mvn_remote_runner]

.github/scripts/ansible/roles/keycloak_remote_installer/README.md

@@ -1,4 +1,4 @@
-# Ansible Role `keycloak_ec2_installer`
+# Ansible Role `keycloak_remote_installer`
 
 Ansible role for installing Keycloak sources and build dependencies on remote nodes.
 

.github/scripts/ansible/roles/keycloak_remote_installer/defaults/main.yml

@@ -1,5 +1,3 @@
-# This should match the user in the *_inventory.yml
-ansible_ssh_user: ec2-user
 # Workspace on the remote hosts
 kc_home: /opt/keycloak
 m2_home: ~/.m2

.github/scripts/ansible/roles/keycloak_remote_installer/tasks/install.yml

@@ -4,8 +4,26 @@
     name: "*"
     state: latest
 
-- name: Install Java {{ java_version }} packages on the remote hosts
-  when: install_java
+- name: Update apt cache on Ubuntu/Debian
+  when: ansible_os_family == 'Debian'
+  apt:
+    update_cache: yes
+
+
+- name: Install Java {{ java_version }} packages on Ubuntu/Debian
+  when:
+    - install_java
+    - ansible_os_family == 'Debian'
+  package:
+    name:
+      - "openjdk-{{ java_version }}-jdk"
+      - "openjdk-{{ java_version }}-jre"
+    state: present
+
+- name: Install Java {{ java_version }} packages on RedHat/Amazon
+  when:
+    - install_java
+    - ansible_os_family != 'Debian'
   package:
     name:
       - "java-{{ java_version }}-openjdk"

.github/scripts/ansible/roles/mvn_remote_runner/README.md

@@ -1,4 +1,4 @@
-# Ansible Role `mvn_ec2_runner`
+# Ansible Role `mvn_remote_runner`
 
 Ansible role for executing `mvn` commands against a Keycloak src on a remote node.
 

.github/scripts/azure/sql/README.md

@@ -0,0 +1,63 @@
+# Azure SQL Automation
+
+This folder contains scripts, a composite action, and Ansible helpers to:
+- Create an Azure SQL Server + database and the Keycloak DB user
+- Provision an Azure VM and run Maven/Keycloak tasks on it (Ansible role)
+
+---
+
+## Prerequisites
+
+Make sure that your Azure subscription is registered to use the `Microsoft.Sql` resource provider in order to create SQL resources. You can do this via the Azure Portal or Azure CLI:
+
+```bash
+# Ensure correct subscription is selected
+az account set --subscription <your-subscription-id>
+
+# Check registration status
+az provider show --namespace Microsoft.Sql --query registrationState -o table
+
+# Register the provider
+az provider register --namespace Microsoft.Sql
+```
+
+---
+
+## Files
+
+### Azure-specific scripts
+- **`azure_common.sh`** - Shared defaults and environment checks
+- **`azure_create_sql.sh`** - Create resource group, server, database and DB user using Azure CLI + sqlcmd
+- **`azure_vm_manager.sh`** - CLI wrapper to create/delete Azure VM and produce inventory via Ansible
+
+### Common files shared with EC2 automation
+- **`mvn_remote_runner.sh`** - Runs the existing `mvn.yml` Ansible playbook against the created Azure or EC2 VM
+- **`keycloak_remote_installer.sh`** - Shell script that runs the Ansible playbook to install Keycloak on the provisioned VM
+- **Ansible playbooks and roles** - Under `.github/scripts/ansible/roles/`
+
+---
+
+## GitHub Secrets and Configuration
+
+### Required Secret
+
+**`AZURE_CREDENTIALS`** *(required)* - Service principal JSON used by the `azure/login` action
+
+Create via Azure CLI:
+```bash
+az ad sp create-for-rbac \
+  --name "keycloak-ci" \
+  --role contributor \
+  --scopes /subscriptions/<your-subscription-id> \
+  --sdk-auth
+```
+
+### Optional Variables (override defaults)
+
+- **`AZURE_ADMIN_USER`** - SQL Server admin username *(default: `sqladmin`)*
+- **`AZURE_DB_USER`** - Keycloak database username *(default: `keycloak`)*
+
+### Optional Secrets (override auto-generated passwords)
+
+- **`AZURE_ADMIN_PASSWORD`** - SQL Server admin password *(default: auto-generated)*
+- **`AZURE_DB_PASSWORD`** - Keycloak database user password *(default: auto-generated)*

.github/scripts/azure/sql/azure_common.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -e
+
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  set -x
+fi
+
+function requiredEnv() {
+  for ENV in $@; do
+      if [ -z "${!ENV}" ]; then
+        echo "${ENV} variable must be set"
+        exit 1
+      fi
+  done
+}
+
+requiredEnv AZURE_NAME AZURE_REGION AZURE_ADMIN_PASSWORD AZURE_DB_PASSWORD
+
+SCRIPT_DIR=${SCRIPT_DIR:-$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )}
+export AZURE_RG=${AZURE_RG:-"${AZURE_NAME}-rg"}
+export AZURE_ADMIN_USER=${AZURE_ADMIN_USER:-"sqladmin"}
+export AZURE_ADMIN_PASSWORD=${AZURE_ADMIN_PASSWORD}
+export AZURE_DB=${AZURE_DB:-"keycloakdb"}
+export AZURE_DB_USER=${AZURE_DB_USER:-"keycloak"}
+export AZURE_DB_PASSWORD=${AZURE_DB_PASSWORD}
+export AZURE_ALLOW_ALL_FIREWALL=${AZURE_ALLOW_ALL_FIREWALL:-"true"}

.github/scripts/azure/sql/azure_create_sql.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -e
+
+if [[ "$RUNNER_DEBUG" == "1" ]]; then
+  set -x
+fi
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+source ${SCRIPT_DIR}/azure_common.sh
+
+requiredEnv AZURE_SUBSCRIPTION AZURE_ADMIN_USER AZURE_DB_USER
+
+# Login is expected to be done by the workflow via az login with service principal
+
+# Resource group (created via idempotent command)
+echo "Creating resource group ${AZURE_RG} in ${AZURE_REGION}"
+az group create --name ${AZURE_RG} --location ${AZURE_REGION} --subscription ${AZURE_SUBSCRIPTION}
+
+echo "Creating SQL server ${AZURE_NAME}-sqlsrv"
+az sql server create \
+  --name ${AZURE_NAME}-sqlsrv \
+  --resource-group ${AZURE_RG} \
+  --location ${AZURE_REGION} \
+  --admin-user ${AZURE_ADMIN_USER} \
+  --admin-password "${AZURE_ADMIN_PASSWORD}" \
+  --subscription ${AZURE_SUBSCRIPTION}
+
+echo "Creating database ${AZURE_DB}"
+az sql db create \
+  --resource-group ${AZURE_RG} \
+  --server ${AZURE_NAME}-sqlsrv \
+  --name ${AZURE_DB} \
+  --service-objective Basic \
+  --subscription ${AZURE_SUBSCRIPTION}
+
+if [ "${AZURE_ALLOW_ALL_FIREWALL}" = "true" ]; then
+  echo "Allowing Azure services and current IP (0.0.0.0) - use with caution"
+  az sql server firewall-rule create --resource-group ${AZURE_RG} --server ${AZURE_NAME}-sqlsrv --name AllowAll --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0 --subscription ${AZURE_SUBSCRIPTION}
+fi
+
+# Create login in master and then create user in the database
+# Wait until server is provisioned
+echo "Waiting for SQL server to be provisioned..."
+for i in {1..30}; do
+  state=$(az sql server show --name ${AZURE_NAME}-sqlsrv --resource-group ${AZURE_RG} --subscription ${AZURE_SUBSCRIPTION} --query "state" -o tsv || echo "")
+  if [ "${state}" = "Ready" ] || [ -z "${state}" ]; then
+    break
+  fi
+  echo "server state=${state}, retrying..."
+  sleep 5
+done
+
+ENDPOINT="${AZURE_NAME}-sqlsrv.database.windows.net"
+ADMIN_USER_FULL="${AZURE_ADMIN_USER}@${AZURE_NAME}-sqlsrv"
+
+echo "Creating login ${AZURE_DB_USER} in master via sqlcmd"
+PASS_ESCAPED=${AZURE_DB_PASSWORD//\'/''}
+sqlcmd -S ${ENDPOINT} -U "${ADMIN_USER_FULL}" -P "${AZURE_ADMIN_PASSWORD}" -d master -Q "IF EXISTS (SELECT 1 FROM sys.sql_logins WHERE name = '${AZURE_DB_USER}') BEGIN ALTER LOGIN [${AZURE_DB_USER}] WITH PASSWORD='${PASS_ESCAPED}'; END ELSE BEGIN CREATE LOGIN [${AZURE_DB_USER}] WITH PASSWORD='${PASS_ESCAPED}'; END"
+
+echo "Creating user ${AZURE_DB_USER} in database ${AZURE_DB} and adding db_owner"
+sqlcmd -S ${ENDPOINT} -U "${ADMIN_USER_FULL}" -P "${AZURE_ADMIN_PASSWORD}" -d ${AZURE_DB} -Q "IF NOT EXISTS (SELECT name FROM sys.database_principals WHERE name = '${AZURE_DB_USER}') BEGIN CREATE USER [${AZURE_DB_USER}] FOR LOGIN [${AZURE_DB_USER}]; END; IF NOT EXISTS (SELECT 1 FROM sys.database_role_members drm JOIN sys.database_principals r ON drm.role_principal_id = r.principal_id JOIN sys.database_principals m ON drm.member_principal_id = m.principal_id WHERE r.name = 'db_owner' AND m.name='${AZURE_DB_USER}') BEGIN ALTER ROLE db_owner ADD MEMBER [${AZURE_DB_USER}]; END"
+
+echo "endpoint=${ENDPOINT}" >> $GITHUB_OUTPUT
+echo "db=${AZURE_DB}" >> $GITHUB_OUTPUT
+echo "username=${AZURE_DB_USER}@${AZURE_NAME}-sqlsrv" >> $GITHUB_OUTPUT

.github/workflows/ci.yml

@@ -37,6 +37,7 @@ jobs:
       ci-sssd: ${{ steps.conditional.outputs.ci-sssd }}
       ci-webauthn: ${{ steps.conditional.outputs.ci-webauthn }}
       ci-aurora: ${{ steps.auroradb-tests.outputs.run-aurora-tests }}
+      ci-azure: ${{ steps.azure-tests.outputs.run-azure-tests }}
       ci-compatibility-matrix: ${{ steps.version-compatibility.outputs.matrix }}
       ci-additional-dbs: ${{ steps.additional-dbs-tests.outputs.run-additional-dbs-tests }}
       ci-admin-v2: ${{ steps.conditional.outputs.admin-v2 }}
@@ -60,6 +61,15 @@ jobs:
           fi
           echo "run-aurora-tests=$RUN_AURORADB_TESTS" >> $GITHUB_OUTPUT
 
+      - name: Azure conditional check
+        id: azure-tests
+        run: |
+          RUN_AZURE_TESTS=false
+          if [[ $GITHUB_EVENT_NAME != "pull_request" && -n "${{ secrets.AZURE_CREDENTIALS }}" ]]; then
+            RUN_AZURE_TESTS=true
+          fi
+          echo "run-azure-tests=$RUN_AZURE_TESTS" >> $GITHUB_OUTPUT
+
       - name: Additional DBs conditional check
         id: additional-dbs-tests
         run: |
@@ -494,9 +504,9 @@ jobs:
           ./aws_ec2.sh requirements
           pipx inject ansible-core boto3 botocore
           ./aws_ec2.sh create ${AWS_REGION} ${EC2_CLUSTER_NAME}
-          ./keycloak_ec2_installer.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} /tmp/keycloak.zip m2.tar.gz
-          ./mvn_ec2_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -Pdistribution -DskipProtoLock=true"
-          ./mvn_ec2_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus -Pdb-aurora-postgres -Dmaven.build.cache.enabled=true"
+          ./keycloak_remote_installer.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} /tmp/keycloak.zip m2.tar.gz
+          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -Pdistribution -DskipProtoLock=true"
+          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B -DskipTests -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pauth-server-quarkus -Pdb-aurora-postgres -Dmaven.build.cache.enabled=true"
 
       - name: Run Aurora migration tests on EC2
         id: aurora-migration-tests
@@ -511,7 +521,7 @@ jobs:
           PROPS+=" -Djdbc.mvn.groupId=software.amazon.jdbc -Djdbc.mvn.artifactId=aws-advanced-jdbc-wrapper -Djdbc.mvn.version=2.3.1 -Djdbc.driver.tmp.dir=target/unpacked/keycloak-${{ env.old-version }}/providers"
 
           cd .github/scripts/ansible
-          ./mvn_ec2_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-aurora-postgres -Pauth-server-migration $PROPS -Dtest=MigrationTest -Dmigration.mode=auto -Dmigrated.auth.server.version=${{ env.old-version }} -Dmigration.import.file.name=migration-realm-${{ env.old-version }}.json -Dauth.server.ssl.required=false -f testsuite/integration-arquillian/pom.xml 2>&1 | misc/log/trimmer.sh"
+          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "clean install -B ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-aurora-postgres -Pauth-server-migration $PROPS -Dtest=MigrationTest -Dmigration.mode=auto -Dmigrated.auth.server.version=${{ env.old-version }} -Dmigration.import.file.name=migration-realm-${{ env.old-version }}.json -Dauth.server.ssl.required=false -f testsuite/integration-arquillian/pom.xml 2>&1 | misc/log/trimmer.sh"
 
           # Copy returned surefire-report directories to workspace root to ensure they're discovered
           results=(files/keycloak/results/*)
@@ -545,7 +555,7 @@ jobs:
           echo "Tests: $TESTS"
           
           cd .github/scripts/ansible
-          ./mvn_ec2_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "test -B ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-aurora-postgres $PROPS -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh"
+          ./mvn_remote_runner.sh ${AWS_REGION} ${EC2_CLUSTER_NAME} "test -B ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-aurora-postgres $PROPS -Dtest=$TESTS -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh"
           
           # Copy returned surefire-report directories to workspace root to ensure they're discovered
           results=(files/keycloak/results/*)
@@ -584,6 +594,152 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
 
+  azure-integration-tests:
+    name: AzureDB IT
+    needs: conditional
+    if: needs.conditional.outputs.ci-azure == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 150
+    permissions:
+      contents: read
+      actions: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - id: node-cache
+        name: Node cache
+        uses: ./.github/actions/node-cache
+
+      - id: azure-init
+        name: Initialize Azure environment
+        run: |
+          AZURE_REGION=westeurope
+          echo "AZURE Region: ${AZURE_REGION}"
+
+          AZURE_CLUSTER_NAME="gh-action-$(git rev-parse --short HEAD)-${{ github.run_id }}-${{ github.run_attempt }}"
+          echo "azure-cluster-name=${AZURE_CLUSTER_NAME}" >> $GITHUB_OUTPUT
+          echo "region=${AZURE_REGION}" >> $GITHUB_OUTPUT
+
+          PROPS=''
+          echo "maven_properties=${PROPS}" >> $GITHUB_OUTPUT
+
+      - name: Parse subscriptionId from Azure credentials
+        id: parse-creds
+        shell: bash
+        run: |
+          SUBSCRIPTION=$(echo '${{ secrets.AZURE_CREDENTIALS }}' | jq -r '.subscriptionId')
+          if [[ -z "$SUBSCRIPTION" || "$SUBSCRIPTION" == "null" ]]; then
+            echo "ERROR: Failed to parse subscriptionId from AZURE_CREDENTIALS"
+            exit 1
+          fi
+          # Mask BEFORE outputting to ensure it's redacted in logs
+          echo "::add-mask::$SUBSCRIPTION"
+          echo "subscription=$SUBSCRIPTION" >> $GITHUB_OUTPUT
+
+      - name: Login to Azure
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - id: azure-create
+        name: Create Azure DB
+        uses: ./.github/actions/azure-create-database
+        with:
+          name: ${{ steps.azure-init.outputs.azure-cluster-name }}
+          region: ${{ steps.azure-init.outputs.region }}
+          subscription: ${{ steps.parse-creds.outputs.subscription }}
+          admin-user: ${{ vars.AZURE_ADMIN_USER }}
+          db-user: ${{ vars.AZURE_DB_USER }}
+          admin-password: ${{ secrets.AZURE_ADMIN_PASSWORD }}
+          db-password: ${{ secrets.AZURE_DB_PASSWORD }}
+        env:
+          AZURE_RG: ${{ steps.azure-init.outputs.azure-cluster-name }}
+
+      - id: vm-create
+        name: Create Azure VM and prepare runner
+        run: |
+          AZURE_REGION=${{ steps.azure-init.outputs.region }}
+          AZ_VM_CLUSTER_NAME=${{ steps.azure-init.outputs.azure-cluster-name }}
+          echo "az_vm_cluster=${AZ_VM_CLUSTER_NAME}" >> $GITHUB_OUTPUT
+
+          git archive --format=zip --output /tmp/keycloak.zip $GITHUB_REF
+          tar -C ~/ -czvf m2.tar.gz .m2 || true
+
+          cd .github/scripts/ansible
+          ./azure_vm_manager.sh create ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME}
+
+          ./keycloak_remote_installer.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} /tmp/keycloak.zip m2.tar.gz
+          ./mvn_remote_runner.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} "clean install -B -DskipTests -Pdistribution -DskipProtoLock=true -Dmaven.build.cache.enabled=true"
+          ./mvn_remote_runner.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} "clean install -B -DskipTests -pl testsuite/integration-arquillian/servers/auth-server/quarkus -Pdb-mssql-azure -Dmaven.build.cache.enabled=true"
+
+      - name: Build migration server module on Azure VM
+        id: azure-migration-build
+        env:
+          old-version: 24.0.4
+        run: |
+          AZ_VM_CLUSTER_NAME=${{ steps.vm-create.outputs.az_vm_cluster }}
+          AZURE_REGION=${{ steps.azure-init.outputs.region }}
+          
+          cd .github/scripts/ansible
+          ./mvn_remote_runner.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} 'clean install -B -DskipTests -pl testsuite/integration-arquillian/servers/migration -Pauth-server-migration -Dmigrated.auth.server.version=${{ env.old-version }} -Dmaven.build.cache.enabled=true -Pdb-mssql-azure -Dkeycloak.connectionsJpa.user=${{ steps.azure-create.outputs.username }} -Dkeycloak.connectionsJpa.password="${{ env.AZURE_DB_PASSWORD }}" -Dkeycloak.connectionsJpa.database=${{ steps.azure-create.outputs.db }} -Dkeycloak.connectionsJpa.url="jdbc:sqlserver://${{ steps.azure-create.outputs.endpoint }}:1433;databaseName=${{ steps.azure-create.outputs.db }};encrypt=true;trustServerCertificate=false;sendStringParametersAsUnicode=false" -Djdbc.driver.tmp.dir=target/unpacked/keycloak-${{ env.old-version }}/providers'
+
+      - name: Run Azure migration tests on VM
+        id: azure-migration-tests
+        env:
+          old-version: 24.0.4
+        run: |
+          AZ_VM_CLUSTER_NAME=${{ steps.vm-create.outputs.az_vm_cluster }}
+          AZURE_REGION=${{ steps.azure-init.outputs.region }}
+
+          cd .github/scripts/ansible
+          ./mvn_remote_runner.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} 'test -B ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-mssql-azure -Pauth-server-migration -Dkeycloak.connectionsJpa.user=${{ steps.azure-create.outputs.username }} -Dkeycloak.connectionsJpa.password="${{ env.AZURE_DB_PASSWORD }}" -Dkeycloak.connectionsJpa.database=${{ steps.azure-create.outputs.db }} -Dkeycloak.connectionsJpa.url="jdbc:sqlserver://${{ steps.azure-create.outputs.endpoint }}:1433;databaseName=${{ steps.azure-create.outputs.db }};encrypt=true;trustServerCertificate=false;sendStringParametersAsUnicode=false" -Djdbc.driver.tmp.dir=target/unpacked/keycloak-${{ env.old-version }}/providers -Dtest=MigrationTest -Dmigration.mode=auto -Dmigrated.auth.server.version=${{ env.old-version }} -Dmigration.import.file.name=migration-realm-${{ env.old-version }}.json -Dauth.server.ssl.required=false -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh'
+
+          # Copy returned surefire-report directories to workspace root to ensure they're discovered
+          results=(files/keycloak/results/*)
+          rsync -a $results/* ../../../
+
+      - name: Build integration test dependencies on Azure VM
+        id: azure-integration-build
+        env:
+          old-version: 24.0.4
+        run: |
+          AZ_VM_CLUSTER_NAME=${{ steps.vm-create.outputs.az_vm_cluster }}
+          AZURE_REGION=${{ steps.azure-init.outputs.region }}
+          
+          cd .github/scripts/ansible
+          ./mvn_remote_runner.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} 'clean install -B -DskipTests -pl testsuite/integration-arquillian/servers/migration -Pauth-server-migration -Dmigrated.auth.server.version=${{ env.old-version }} -Dmaven.build.cache.enabled=true -Pdb-mssql-azure -Dkeycloak.connectionsJpa.user=${{ steps.azure-create.outputs.username }} -Dkeycloak.connectionsJpa.password="${{ env.AZURE_DB_PASSWORD }}" -Dkeycloak.connectionsJpa.database=${{ steps.azure-create.outputs.db }} -Dkeycloak.connectionsJpa.url="jdbc:sqlserver://${{ steps.azure-create.outputs.endpoint }}:1433;databaseName=${{ steps.azure-create.outputs.db }};encrypt=true;trustServerCertificate=false;sendStringParametersAsUnicode=false" -Djdbc.driver.tmp.dir=target/unpacked/keycloak-${{ env.old-version }}/providers'
+
+      - name: Run Azure integration tests on VM
+        id: azure-integration-tests
+        env:
+          old-version: 24.0.4
+        run: |
+          AZ_VM_CLUSTER_NAME=${{ steps.vm-create.outputs.az_vm_cluster }}
+          AZURE_REGION=${{ steps.azure-init.outputs.region }}
+
+          TESTS=`testsuite/integration-arquillian/tests/base/testsuites/suite.sh database`
+          echo "Tests: $TESTS"
+
+          cd .github/scripts/ansible
+          ./mvn_remote_runner.sh ${AZURE_REGION} ${AZ_VM_CLUSTER_NAME} "test -B ${{ env.SUREFIRE_RETRY }} -Pauth-server-quarkus -Pdb-mssql-azure -DskipQuarkus=true -Dkeycloak.connectionsJpa.user=${{ steps.azure-create.outputs.username }} -Dkeycloak.connectionsJpa.database=${{ steps.azure-create.outputs.db }} -Dkeycloak.connectionsJpa.password=\"${{ env.AZURE_DB_PASSWORD }}\" -Dkeycloak.connectionsJpa.url=\"jdbc:sqlserver://${{ steps.azure-create.outputs.endpoint }}:1433;databaseName=${{ steps.azure-create.outputs.db }};encrypt=true;trustServerCertificate=false;sendStringParametersAsUnicode=false\" -Dkeycloak.connectionsJpa.jdbcParameters=\"?encrypt=true&trustServerCertificate=false\" -Djdbc.driver.tmp.dir=target/unpacked/keycloak-${{ env.old-version }}/providers -Dtest=$TESTS -Dmaven.build.cache.enabled=true -pl testsuite/integration-arquillian/tests/base 2>&1 | misc/log/trimmer.sh"
+
+          # Copy returned surefire-report directories to workspace root to ensure they're discovered
+          results=(files/keycloak/results/*)
+          rsync -a $results/* ../../../
+
+      - uses: ./.github/actions/upload-flaky-tests
+        name: Upload flaky tests
+        env:
+          GH_TOKEN: ${{ github.token }}
+        with:
+          job-name: AzureDB IT
+
+      - name: Delete all Azure resources (resource group)
+        if: always()
+        working-directory: .github/scripts/ansible
+        run: |
+          ./azure_vm_manager.sh delete ${{ steps.azure-init.outputs.region }} ${{ steps.azure-init.outputs.azure-cluster-name }}
+
   store-integration-tests:
     name: Store IT
     needs: build

testsuite/integration-arquillian/pom.xml

@@ -548,6 +548,17 @@
                 <jdbc.mvn.version>${mssql-jdbc.version}</jdbc.mvn.version>
             </properties>
         </profile>
+        <profile>
+            <id>db-mssql-azure</id>
+            <properties>
+                <keycloak.storage.connections.vendor>mssql</keycloak.storage.connections.vendor>
+                <keycloak.connectionsJpa.driver>com.microsoft.sqlserver.jdbc.SQLServerDriver</keycloak.connectionsJpa.driver>
+                <docker.database.skip>true</docker.database.skip>
+                <jdbc.mvn.groupId>com.microsoft.sqlserver</jdbc.mvn.groupId>
+                <jdbc.mvn.artifactId>mssql-jdbc</jdbc.mvn.artifactId>
+                <jdbc.mvn.version>${mssql-jdbc.version}</jdbc.mvn.version>
+            </properties>
+        </profile>
         <profile>
             <id>db-oracle</id>
             <properties>