This repository has been archived by the owner on Aug 10, 2022. It is now read-only.

faros-ai/terraform-aws-kong


Kong Cluster Terraform Module for AWS

Originally forked from https://github.com/kong/kong-terraform-aws

Kong is an API gateway and microservices management layer. Both Kong (Community Edition) and Kong Enterprise Edition are supported.

By default, the following resources will be provisioned:

  • RDS PostgreSQL database for Kong's configuration store
  • An Auto Scaling Group (ASG) and EC2 instances running Kong (Kong nodes)
  • An external load balancer (HTTPS only)
    • HTTPS:443 - Kong Proxy
  • An internal load balancer (HTTP and HTTPS)
    • HTTP:80 - Kong Proxy
    • HTTPS:443 - Kong Proxy
    • HTTPS:8444 - Kong Admin API (Enterprise Edition only)
    • HTTPS:8445 - Kong Manager (Enterprise Edition only)
    • HTTPS:8446 - Kong Dev Portal GUI (Enterprise Edition only)
    • HTTPS:8447 - Kong Dev Portal API (Enterprise Edition only)
  • Security groups granting least privilege access to resources
  • An IAM instance profile for access to Kong specific SSM Parameter Store metadata and secrets

Optionally, a Redis cluster can be provisioned for rate-limiting counters and caching, and most default resources can be disabled. See variables.tf for a complete list and description of tunables.

The Kong nodes are based on Minimal Ubuntu. Using cloud-init, the following is provisioned on top of the AMI:

  • A kong service user
  • Minimal set of dependencies and debugging tools
  • decK for Kong declarative configuration management
  • Kong, running under runit process supervision
  • Log rotation of Kong log files

Prerequisites:

  • An AWS VPC
  • Private and public subnets tagged with a subnet_tag (default = 'Tier' tag)
  • Database subnet group
  • Cache subnet group (if enabling Redis)
  • An SSH Key
  • An SSL managed certificate to associate with HTTPS load balancers

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | 4.11.0 |
| cloudinit | 2.2.0 |
| random | 3.1.3 |

Modules

| Name | Source | Version |
|------|--------|---------|
| kong_external_lb_cw | ./cw/lb | n/a |
| kong_internal_lb_cw | ./cw/lb | n/a |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_private_subnet_ids | Private subnet Ids | list(string) | n/a | yes |
| aws_public_subnet_ids | Public subnet Ids | list(string) | n/a | yes |
| environment | Resource environment tag (i.e. dev, stage, prod) | string | n/a | yes |
| ssl_cert_admin_domain | SSL certificate domain name for the Kong Admin API HTTPS listener | string | n/a | yes |
| ssl_cert_external_arn | SSL certificate ARN for the external Kong Proxy HTTPS listener | string | n/a | yes |
| ssl_cert_internal_arn | SSL certificate ARN for the internal Kong Proxy HTTPS listener | string | n/a | yes |
| vpc_cidr_block | VPC CIDR block for the AWS account and region specified | string | n/a | yes |
| vpc_id | VPC Id for the AWS account and region specified | string | n/a | yes |
| vpc_name | VPC Name for the AWS account and region specified | string | n/a | yes |
| admin_cidr_blocks | Access to Kong Admin API (Enterprise Edition only) | list(string) | `["0.0.0.0/0"]` | no |
| admin_user | The user name for the Kong admin user | string | `"kong-admin"` | no |
| asg_desired_capacity | The number of instances that should be running in the group | string | `2` | no |
| asg_health_check_grace_period | Time in seconds after an instance comes into service before checking health | string | `300` | no |
| asg_max_size | The maximum size of the auto scale group | string | `3` | no |
| asg_min_size | The minimum size of the auto scale group | string | `1` | no |
| bastion_cidr_blocks | Bastion hosts allowed access to PostgreSQL and Kong Admin | list(string) | `["127.0.0.1/32"]` | no |
| ce_pkg | URL for the Community Edition package matching the OS distro | string | `"https://download.konghq.com/gateway-2.x-ubuntu-focal/pool/all/k/kong/kong_2.3.3_amd64.deb"` | no |
| cloudwatch_actions | List of CloudWatch actions for Alert/Ok | list(string) | `[]` | no |
| cloudwatch_agent_kong_config | CloudWatch Agent config for Kong | string | `"non-existent-parameter"` | no |
| cloudwatch_agent_system_config | CloudWatch Agent config for system metrics | string | `"non-existent-parameter"` | no |
| db_backup_retention_period | The number of days to retain backups | string | `7` | no |
| db_engine_mode | Engine mode for Aurora | string | `"provisioned"` | no |
| db_engine_version | Database engine version | string | `"11.4"` | no |
| db_family | Database parameter group family | string | `"postgres11"` | no |
| db_final_snapshot_identifier | The final snapshot name of the RDS instance when it gets destroyed | string | `""` | no |
| db_instance_class | Database instance class | string | `"db.t2.micro"` | no |
| db_instance_count | Number of database instances (0 to leverage an existing db) | string | `1` | no |
| db_kms_key_id | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If db_storage_encrypted is set to true and kms_key_id is not specified, the default KMS key created in your account will be used | string | `""` | no |
| db_multi_az | Boolean to specify if RDS is multi-AZ | string | `false` | no |
| db_storage_encrypted | Specifies whether the database instance is encrypted | string | `true` | no |
| db_storage_size | Size of the database storage in Gigabytes | string | `100` | no |
| db_storage_type | Type of the database storage | string | `"gp2"` | no |
| db_subnets | Database instance subnet group name | string | `"db-subnets"` | no |
| db_username | Database master username | string | `"root"` | no |
| deck_version | Version of decK to install | string | `"1.5.1"` | no |
| default_security_group_id | Id of the default VPC security group for EC2 access | string | `"default"` | no |
| default_security_group_name | Name of the default VPC security group for EC2 access | string | `"default"` | no |
| deregistration_delay | Seconds to wait before changing the state of a deregistering target from draining to unused | string | `300` | no |
| description | Resource description tag | string | `"Kong API Gateway"` | no |
| drop_invalid_header_fields | Drop invalid headers in LB | bool | `false` | no |
| ec2_ami | Map of Ubuntu Minimal AMIs by region | map(string) | `{"us-east-1": "ami-04cc2b0ad9e30a9c8"}` | no |
| ec2_instance_type | EC2 instance type | string | `"t2.micro"` | no |
| ec2_key_name | AWS SSH Key | string | `""` | no |
| ec2_root_volume_encryption | Should encrypt EC2 root volume | bool | `true` | no |
| ec2_root_volume_size | Size of the root volume (in Gigabytes) | string | `8` | no |
| ec2_root_volume_type | Type of the root volume (standard, gp2, or io) | string | `"gp2"` | no |
| ee_bintray_auth | Bintray authentication for the Enterprise Edition download (Format: username:apikey) | string | `"placeholder"` | no |
| ee_license | Enterprise Edition license key (JSON format) | string | `"placeholder"` | no |
| ee_pkg | URL for the Enterprise Edition package matching the OS distro | string | `"https://download.konghq.com/gateway-2.x-ubuntu-focal/pool/all/k/kong-enterprise-edition/kong-enterprise-edition_2.3.3.0_all.deb"` | no |
| enable_aurora | Boolean to enable Aurora | string | `"false"` | no |
| enable_deletion_protection | Boolean to enable delete protection on the ALB | string | `true` | no |
| enable_ee | Boolean to enable Kong Enterprise Edition settings | string | `false` | no |
| enable_external_lb | Boolean to enable/create the external load balancer, exposing Kong to the Internet | string | `true` | no |
| enable_external_lb_alarms | Boolean to enable/create the external load balancer alarms | string | `true` | no |
| enable_internal_lb | Boolean to enable/create the internal load balancer for the forward proxy | string | `true` | no |
| enable_internal_lb_alarms | Boolean to enable/create the internal load balancer alarms | string | `true` | no |
| enable_redis | Boolean to enable the Redis AWS resource | string | `false` | no |
| external_cidr_blocks | External ingress access to Kong Proxy via the load balancer | list(string) | `["0.0.0.0/0"]` | no |
| external_lb_deny_methods | List of methods to deny access from the public internet (works together with external_lb_deny_paths) | list(string) | `[]` | no |
| external_lb_deny_paths | List of paths to deny access from the public internet (works together with external_lb_deny_methods) | list(string) | `[]` | no |
| external_lb_logging_prefix | S3 prefix for the external LB access logs | string | `""` | no |
| health_check_healthy_threshold | Number of consecutive checks before an unhealthy target is considered healthy | string | `5` | no |
| health_check_interval | Seconds between health checks | string | `5` | no |
| health_check_matcher | HTTP Code(s) that result in a successful response from a target (comma delimited) | string | `200` | no |
| health_check_timeout | Seconds waited before a health check fails | string | `3` | no |
| health_check_unhealthy_threshold | Number of consecutive checks before considering a target unhealthy | string | `2` | no |
| http_4xx_count | HTTP Code 4xx count threshold | string | `50` | no |
| http_5xx_count | HTTP Code 5xx count threshold | string | `50` | no |
| idle_timeout | Seconds a connection can idle before being disconnected | string | `60` | no |
| internal_http_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTP) | list(string) | `["0.0.0.0/0"]` | no |
| internal_https_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTPS) | list(string) | `["0.0.0.0/0"]` | no |
| lb_creation_timeout | Timeout for creating load balancers | string | `"20m"` | no |
| lb_deletion_timeout | Timeout for deleting load balancers | string | `"20m"` | no |
| lb_logging_bucket | The S3 bucket to which LB access logs should be stored | string | `""` | no |
| manager_cidr_blocks | Access to Kong Manager (Enterprise Edition only) | list(string) | `["0.0.0.0/0"]` | no |
| manager_host | Hostname to access Kong Manager (Enterprise Edition only) | string | `"default"` | no |
| module_dependencies | Variable to force the module to wait for other resources to finish creation | any | `null` | no |
| portal_cidr_blocks | Access to Portal (Enterprise Edition only) | list(string) | `["0.0.0.0/0"]` | no |
| portal_host | Hostname to access Portal (Enterprise Edition only) | string | `"default"` | no |
| private_subnets | Subnet tag on private subnets | string | `"private"` | no |
| public_subnets | Subnet tag on public subnets for external load balancers | string | `"public"` | no |
| redis_engine_version | Redis engine version | string | `"5.0.5"` | no |
| redis_family | Redis parameter group family | string | `"redis5.0"` | no |
| redis_instance_count | Number of Redis nodes | string | `2` | no |
| redis_instance_type | Redis node instance type | string | `"cache.t2.small"` | no |
| redis_subnets | Redis cluster subnet group name | string | `"cache-subnets"` | no |
| response_time_avg | Response time average threshold in milliseconds | string | `1000` | no |
| service | Resource service tag | string | `"kong"` | no |
| ssl_policy | SSL Policy for HTTPS Listeners | string | `"ELBSecurityPolicy-TLS-1-2-2017-01"` | no |
| subnet_tag | Tag used on subnets to define Tier | string | `"Tier"` | no |
| tags | Tags to apply to resources | map(string) | `{}` | no |

Outputs

| Name | Description |
|------|-------------|
| admin_password_key_name | The SSM key name for the Kong admin password |
| admin_token | The admin token for Kong |
| autoscaling_group | The autoscaling group |
| lb_endpoint_external | The external load balancer endpoint |
| lb_endpoint_internal | The internal load balancer endpoint |
| master_password | The master password for Kong |
| rds_arn | ARN of the Kong database |
| rds_endpoint | The endpoint for the Kong database |
| rds_id | ID of the Kong database |
| rds_password | The database password for Kong |

Examples

Example main.tf:

```hcl
provider "aws" {
  region  = "us-west-2"
  profile = "dev"
}

module "kong" {
  source  = "faros-ai/kong/aws"
  version = "3.4.30"

  # Required inputs (see the Inputs table); the VPC and subnet IDs are placeholders
  vpc_id                 = "vpc-xxxxxxxx"
  vpc_name               = "my-vpc"
  vpc_cidr_block         = "10.0.0.0/16"
  aws_private_subnet_ids = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
  aws_public_subnet_ids  = ["subnet-zzzzzzzz", "subnet-wwwwwwww"]
  environment            = "dev"
  ec2_key_name           = "my-key"
  ssl_cert_external_arn  = aws_acm_certificate.cert.arn
  ssl_cert_internal_arn  = aws_acm_certificate.cert.arn
  ssl_cert_admin_domain  = "*.domain.name"

  tags = {
    Owner = "devops@domain.name"
    Team  = "DevOps"
  }
}
```
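The same module call with the security-relevant defaults overridden, as an added example that is not part of this README or the module. The VPC, subnet and bastion values are placeholders, `aws_kms_key.kong` and `aws_acm_certificate.cert` are assumed to be declared elsewhere in your configuration, and the logging bucket is assumed to exist with a policy that allows the ALB to write to it.

```hcl
module "kong" {
  source  = "faros-ai/kong/aws"
  version = "3.4.30"

  vpc_id                 = "vpc-xxxxxxxx"
  vpc_name               = "my-vpc"
  vpc_cidr_block         = "10.0.0.0/16"
  aws_private_subnet_ids = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
  aws_public_subnet_ids  = ["subnet-zzzzzzzz", "subnet-wwwwwwww"]
  environment            = "prod"
  ec2_key_name           = "my-key"
  ssl_cert_external_arn  = aws_acm_certificate.cert.arn
  ssl_cert_internal_arn  = aws_acm_certificate.cert.arn
  ssl_cert_admin_domain  = "*.domain.name"

  # The Admin API, Manager and Portal listeners sit on the internal LB, but
  # their allow-lists default to 0.0.0.0/0: limit them to the VPC, or better,
  # to the subnet your operators actually use.
  admin_cidr_blocks   = ["10.0.0.0/16"]
  manager_cidr_blocks = ["10.0.0.0/16"]
  portal_cidr_blocks  = ["10.0.0.0/16"]

  # Internal proxy listeners also default to 0.0.0.0/0; HTTP:80 is plaintext.
  internal_http_cidr_blocks  = ["10.0.0.0/16"]
  internal_https_cidr_blocks = ["10.0.0.0/16"]

  # The default 127.0.0.1/32 admits no real host; name the bastion subnet that
  # may reach PostgreSQL and the Admin API directly (placeholder CIDR).
  bastion_cidr_blocks = ["10.0.100.0/24"]

  # Reject requests with malformed header fields at the ALB (default false),
  # and move off the 2017 TLS 1.2 policy to one that prefers TLS 1.3.
  drop_invalid_header_fields = true
  ssl_policy                 = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  # Encryption at rest with a customer-managed key instead of the account
  # default key, plus deletion protection on the load balancers.
  db_storage_encrypted       = true
  db_kms_key_id              = aws_kms_key.kong.arn
  ec2_root_volume_encryption = true
  enable_deletion_protection = true

  # Keep LB access logs for detection and incident review.
  lb_logging_bucket          = "my-lb-access-logs"
  external_lb_logging_prefix = "kong-external"

  tags = { Owner = "devops@domain.name", Team = "DevOps" }
}
```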

Create the resources in AWS:

```bash
terraform init
terraform plan -out kong.plan
terraform apply kong.plan
```

If installing Enterprise Edition, while resources are being provisioned log in to the AWS console and navigate to:

Systems Manager -> Parameter Store

Update the license key by editing the parameter (default value is "placeholder"):

/[service]/[environment]/ee/license

Update the Bintray authentication parameter (default value is "placeholder", format is "username:apikey") used for downloads:

/[service]/[environment]/ee/bintray-auth

Alternatively, if your terraform files and state are secure, you can pass them as variables to the module for a completely hands-off installation.

To log in to the EC2 instance(s):

```bash
ssh -i [/path/to/key/specified/in/ec2_key_name] ubuntu@[ec2-instance]
```

You are now ready to manage APIs!