From b349a321562014aa0c275b1293f8194cd1e7793a Mon Sep 17 00:00:00 2001
From: Marcin Baniowski <marcin.baniowski@gmail.com>
Date: Thu, 5 Jul 2018 00:46:23 +0200
Subject: [PATCH] Add Terraform templates (#316)

---
 contrib/terraform/NOTICE                      |   5 +
 contrib/terraform/README.md                   |  85 +++++++++++++
 contrib/terraform/modules/etcd/bastion.tf     |  51 ++++++++
 contrib/terraform/modules/etcd/certs.tf       |  95 +++++++++++++++
 contrib/terraform/modules/etcd/dns.tf         |  16 +++
 contrib/terraform/modules/etcd/ignition.tf    |  79 ++++++++++++
 contrib/terraform/modules/etcd/main.tf        |  86 +++++++++++++
 contrib/terraform/modules/etcd/output.tf      |   3 +
 .../resources/dropins/40-etcd-cluster.conf    |  17 +++
 contrib/terraform/modules/etcd/variables.tf   |  53 ++++++++
 .../terraform/modules/event-gateway/alb.tf    |  48 ++++++++
 .../terraform/modules/event-gateway/ecs.tf    | 114 ++++++++++++++++++
 .../terraform/modules/event-gateway/etcd.tf   |  18 +++
 .../terraform/modules/event-gateway/iam.tf    |  40 ++++++
 .../terraform/modules/event-gateway/output.tf |  14 +++
 .../modules/event-gateway/provider.tf         |   3 +
 .../modules/event-gateway/variables.tf        | 110 +++++++++++++++++
 .../terraform/modules/event-gateway/vpc.tf    |  18 +++
 18 files changed, 855 insertions(+)
 create mode 100644 contrib/terraform/NOTICE
 create mode 100644 contrib/terraform/README.md
 create mode 100644 contrib/terraform/modules/etcd/bastion.tf
 create mode 100644 contrib/terraform/modules/etcd/certs.tf
 create mode 100644 contrib/terraform/modules/etcd/dns.tf
 create mode 100644 contrib/terraform/modules/etcd/ignition.tf
 create mode 100644 contrib/terraform/modules/etcd/main.tf
 create mode 100644 contrib/terraform/modules/etcd/output.tf
 create mode 100644 contrib/terraform/modules/etcd/resources/dropins/40-etcd-cluster.conf
 create mode 100644 contrib/terraform/modules/etcd/variables.tf
 create mode 100644 contrib/terraform/modules/event-gateway/alb.tf
 create mode 100644 contrib/terraform/modules/event-gateway/ecs.tf
 create mode 100644 contrib/terraform/modules/event-gateway/etcd.tf
 create mode 100644 contrib/terraform/modules/event-gateway/iam.tf
 create mode 100644 contrib/terraform/modules/event-gateway/output.tf
 create mode 100644 contrib/terraform/modules/event-gateway/provider.tf
 create mode 100644 contrib/terraform/modules/event-gateway/variables.tf
 create mode 100644 contrib/terraform/modules/event-gateway/vpc.tf

diff --git a/contrib/terraform/NOTICE b/contrib/terraform/NOTICE
new file mode 100644
index 0000000..186d451
--- /dev/null
+++ b/contrib/terraform/NOTICE
@@ -0,0 +1,5 @@
+CoreOS Project
+Copyright 2017 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
\ No newline at end of file
diff --git a/contrib/terraform/README.md b/contrib/terraform/README.md
new file mode 100644
index 0000000..b8b98e1
--- /dev/null
+++ b/contrib/terraform/README.md
@@ -0,0 +1,85 @@
+# Event Gateway Terraform module
+
+This module creates Event Gateway running on ECS Fargate with a standalone etcd cluster.
+
+The module is an extract form the [Tectonic Installer repository](https://github.com/coreos/tectonic-installer).
+
+## Usage
+
+```hcl
+module "event-gateway" {
+  source = "github.com/serverless/event-gateway//contrib/terraform/modules/event-gateway"
+
+  aws_region = "us-east-1"
+  command_list = ["-db-hosts", "event-gateway-etcd-0.etcd:2379,event-gateway-etcd-1.etcd:2379,event-gateway-etcd-2.etcd:2379", "-log-level", "debug"]
+  tags = {
+    Application = "event-gateway"
+  }
+}
+
+output "config_url" {
+  value = "${module.event-gateway.config_url}"
+}
+
+output "events_url" {
+  value = "${module.event-gateway.events_url}"
+}
+```
+
+## Debugging etcd
+
+It's possible to enable SSH access via bastion instance, by adding parameters:
+
+```
+bastion_enabled = true
+ssh_key      = "eg-key"
+```
+
+Bastion IP can be distplayed by adding output:
+
+```
+output "bastion_ip" {
+  value = "${module.event-gateway.bastion_ip}"
+}
+```
+
+To connect to one of the etcd cluster hosts, run:
+
+```bash
+ssh -J ec2-user@<bastion_ip> core@<etcd_host_private_ip>
+```
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| aws_region | AWS region for the stack | string | - | yes |
+| bastion_enabled | Set to true enables SSH access to etcd nodes in the private subnet | string | `false` | no |
+| command_list | List of parameters for the `event-gateway` command | list | `["-log-level", "debug"]` | no |
+| config_alb_name | Config ALB name | string | `alb-config` | no |
+| config_port | Port number of the Event Gateway Config API | string | `4001` | no |
+| eg_image | Event Gateway docker image | string | `serverless/event-gateway:latest` | no |
+| eg_vpc_name | Event Gateway VPC name | string | `eg-vpc` | no |
+| etcd_base_domain | Name of the base domain for the etcd cluster | string | `etcd` | no |
+| etcd_image | etcd Docker image | string | `quay.io/coreos/etcd:v3.1.8` | no |
+| etcd_instance_count | Number of nodes in the etcd cluster | string | `3` | no |
+| etcd_instance_type | Etcd node type | string | `t2.micro` | no |
+| etcd_root_volume_iops | Number of IOPS of the etcd cluster volumes | string | `100` | no |
+| etcd_root_volume_size | Size of the etcd cluster volumes (in GiB) | string | `30` | no |
+| etcd_root_volume_type | Type of the etcd cluster volumes | string | `gp2` | no |
+| etcd_ssh_key | (optional) Name of the preexisting SSH key | string | `` | no |
+| etcd_tls_enabled | Enable TLS for the etcd cluster | string | `false` | no |
+| events_alb_name | Events ALB name | string | `alb-events` | no |
+| events_port | Event Gateway Events API port number | string | `4000` | no |
+| fargate_cpu | Fargate instance CPU units | string | `256` | no |
+| fargate_memory | Fargate instance memory | string | `512` | no |
+| tags | Additional tags | map | `<map>` | no |
+| task_count | Number of Event Gateway Fargate tasks | string | `3` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| bastion_ip | Public IP of etcd bastion instance |
+| config_url | Event Gateway Config API URL |
+| events_url | Event Gateway Events API URL |
diff --git a/contrib/terraform/modules/etcd/bastion.tf b/contrib/terraform/modules/etcd/bastion.tf
new file mode 100644
index 0000000..6f2d9a8
--- /dev/null
+++ b/contrib/terraform/modules/etcd/bastion.tf
@@ -0,0 +1,51 @@
+data "aws_ami" "amazon-linux" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-*-x86_64-gp2"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  filter {
+    name   = "owner-alias"
+    values = ["amazon"]
+  }
+}
+
+resource "aws_instance" "bastion" {
+  count = "${var.bastion_enabled ? 1 : 0}"
+
+  ami                    = "${data.aws_ami.amazon-linux.id}"
+  instance_type          = "t2.micro"
+  key_name               = "${var.ssh_key}"
+  subnet_id              = "${var.bastion_subnet}"
+  vpc_security_group_ids = ["${aws_security_group.bastion.id}"]
+
+  tags = "${merge(var.tags, map("Name", var.bastion_name))}"
+}
+
+resource "aws_security_group" "bastion" {
+  count = "${var.bastion_enabled ? 1 : 0}"
+
+  name   = "eg-bastion"
+  vpc_id = "${var.vpc_id}"
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = "22"
+    to_port     = "22"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/contrib/terraform/modules/etcd/certs.tf b/contrib/terraform/modules/etcd/certs.tf
new file mode 100644
index 0000000..f136c88
--- /dev/null
+++ b/contrib/terraform/modules/etcd/certs.tf
@@ -0,0 +1,95 @@
+locals {
+  etcd_crt_id_list = [
+    "${data.ignition_file.etcd_ca.*.id}",
+    "${data.ignition_file.etcd_client_key.*.id}",
+    "${data.ignition_file.etcd_client_crt.*.id}",
+    "${data.ignition_file.etcd_server_key.*.id}",
+    "${data.ignition_file.etcd_server_crt.*.id}",
+    "${data.ignition_file.etcd_peer_key.*.id}",
+    "${data.ignition_file.etcd_peer_crt.*.id}",
+  ]
+}
+
+data "ignition_file" "etcd_ca" {
+  path       = "/etc/ssl/etcd/ca.crt"
+  mode       = 0644
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_ca_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_client_key" {
+  path       = "/etc/ssl/etcd/client.key"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_client_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_client_crt" {
+  path       = "/etc/ssl/etcd/client.crt"
+  mode       = 0400
+  uid        = 0
+  gid        = 0
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_client_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_server_key" {
+  path       = "/etc/ssl/etcd/server.key"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_server_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_server_crt" {
+  path       = "/etc/ssl/etcd/server.crt"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_server_crt_pem}"
+  }
+}
+
+data "ignition_file" "etcd_peer_key" {
+  path       = "/etc/ssl/etcd/peer.key"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_peer_key_pem}"
+  }
+}
+
+data "ignition_file" "etcd_peer_crt" {
+  path       = "/etc/ssl/etcd/peer.crt"
+  mode       = 0400
+  uid        = 232
+  gid        = 232
+  filesystem = "root"
+
+  content {
+    content = "${module.etcd_certs.etcd_peer_crt_pem}"
+  }
+}
diff --git a/contrib/terraform/modules/etcd/dns.tf b/contrib/terraform/modules/etcd/dns.tf
new file mode 100644
index 0000000..99446ea
--- /dev/null
+++ b/contrib/terraform/modules/etcd/dns.tf
@@ -0,0 +1,16 @@
+resource "aws_route53_zone" "etcd_priv" {
+  name    = "${var.base_domain}"
+  vpc_id  = "${var.vpc_id}"
+  comment = "Managed by Terraform"
+
+  tags = "${var.tags}"
+}
+
+resource "aws_route53_record" "etcd_a_nodes" {
+  count   = "${var.instance_count}"
+  type    = "A"
+  ttl     = "60"
+  zone_id = "${aws_route53_zone.etcd_priv.zone_id}"
+  name    = "${var.cluster_name}-etcd-${count.index}"
+  records = ["${module.etcd.ip_addresses[count.index]}"]
+}
diff --git a/contrib/terraform/modules/etcd/ignition.tf b/contrib/terraform/modules/etcd/ignition.tf
new file mode 100644
index 0000000..2258457
--- /dev/null
+++ b/contrib/terraform/modules/etcd/ignition.tf
@@ -0,0 +1,79 @@
+locals {
+  scheme = "${var.tls_enabled ? "https" : "http"}"
+
+  // see https://github.com/hashicorp/terraform/issues/9858
+  etcd_initial_cluster_list = "${concat(data.template_file.etcd_hostname_list.*.rendered, list("dummy"))}"
+
+  metadata_env = "EnvironmentFile=/run/metadata/coreos"
+
+  metadata_deps = <<EOF
+Requires=coreos-metadata.service
+After=coreos-metadata.service
+EOF
+
+  cert_options = <<EOF
+--cert-file=/etc/ssl/etcd/server.crt \
+  --client-cert-auth=true \
+  --key-file=/etc/ssl/etcd/server.key \
+  --peer-cert-file=/etc/ssl/etcd/peer.crt \
+  --peer-key-file=/etc/ssl/etcd/peer.key \
+  --peer-trusted-ca-file=/etc/ssl/etcd/ca.crt \
+  --peer-client-cert-auth=true \
+  --trusted-ca-file=/etc/ssl/etcd/ca.crtEOF
+}
+
+data "template_file" "etcd_hostname_list" {
+  count = "${var.instance_count}"
+
+  template = "${var.cluster_name}-etcd-${count.index}.${var.base_domain}"
+}
+
+data "template_file" "etcd_names" {
+  count    = "${var.instance_count}"
+  template = "${var.cluster_name}-etcd-${count.index}${var.base_domain == "" ? "" : ".${var.base_domain}"}"
+}
+
+data "template_file" "advertise_client_urls" {
+  count    = "${var.instance_count}"
+  template = "${local.scheme}://${data.template_file.etcd_hostname_list.*.rendered[count.index]}:2379"
+}
+
+data "template_file" "initial_advertise_peer_urls" {
+  count    = "${var.instance_count}"
+  template = "${local.scheme}://${data.template_file.etcd_hostname_list.*.rendered[count.index]}:2380"
+}
+
+data "template_file" "initial_cluster" {
+  count    = "${length(data.template_file.etcd_hostname_list.*.rendered) > 0 ? var.instance_count : 0}"
+  template = "${data.template_file.etcd_names.*.rendered[count.index]}=${local.scheme}://${local.etcd_initial_cluster_list[count.index]}:2380"
+}
+
+data "template_file" "etcd" {
+  count    = "${var.instance_count}"
+  template = "${file("${path.module}/resources/dropins/40-etcd-cluster.conf")}"
+
+  vars = {
+    advertise_client_urls       = "${data.template_file.advertise_client_urls.*.rendered[count.index]}"
+    cert_options                = "${var.tls_enabled ? local.cert_options : ""}"
+    container_image             = "${var.container_image}"
+    initial_advertise_peer_urls = "${data.template_file.initial_advertise_peer_urls.*.rendered[count.index]}"
+    initial_cluster             = "${length(data.template_file.etcd_hostname_list.*.rendered) > 0 ? format("--initial-cluster=%s", join(",", data.template_file.initial_cluster.*.rendered)) : ""}"
+    metadata_deps               = "${var.use_metadata ? local.metadata_deps : ""}"
+    metadata_env                = "${var.use_metadata ? local.metadata_env : ""}"
+    name                        = "${data.template_file.etcd_names.*.rendered[count.index]}"
+    scheme                      = "${local.scheme}"
+  }
+}
+
+data "ignition_systemd_unit" "etcd" {
+  count   = "${var.instance_count}"
+  name    = "etcd-member.service"
+  enabled = true
+
+  dropin = [
+    {
+      name    = "40-etcd-cluster.conf"
+      content = "${data.template_file.etcd.*.rendered[count.index]}"
+    },
+  ]
+}
diff --git a/contrib/terraform/modules/etcd/main.tf b/contrib/terraform/modules/etcd/main.tf
new file mode 100644
index 0000000..8acd9d8
--- /dev/null
+++ b/contrib/terraform/modules/etcd/main.tf
@@ -0,0 +1,86 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  container_linux_version = "${data.external.version.result["version"]}"
+}
+
+data "external" "version" {
+  program = ["sh", "-c", "curl https://${var.container_linux_channel}.release.core-os.net/amd64-usr/current/version.txt | sed -n 's/COREOS_VERSION=\\(.*\\)$/{\"version\": \"\\1\"}/p'"]
+}
+
+module "etcd" {
+  source = "github.com/coreos/tectonic-installer//modules/aws/etcd?ref=0a22c73d39f67ba4bb99106a9e72322a47179736"
+
+  base_domain             = "${var.base_domain}"
+  cluster_id              = "${var.cluster_name}"
+  cluster_name            = "${var.cluster_name}"
+  container_image         = "${var.container_image}"
+  container_linux_channel = "${var.container_linux_channel}"
+  container_linux_version = "${local.container_linux_version}"
+  ec2_type                = "${var.ec2_type}"
+  external_endpoints      = []
+  extra_tags              = "${var.tags}"
+  ign_etcd_crt_id_list    = "${local.etcd_crt_id_list}"
+  ign_etcd_dropin_id_list = "${data.ignition_systemd_unit.etcd.*.id}"
+  instance_count          = "${var.instance_count}"
+  root_volume_iops        = "${var.root_volume_iops}"
+  root_volume_size        = "${var.root_volume_size}"
+  root_volume_type        = "${var.root_volume_type}"
+  s3_bucket               = "${aws_s3_bucket.eg-etcd-ignition.id}"
+  sg_ids                  = "${aws_security_group.etcd.*.id}"
+  ssh_key                 = "${var.ssh_key}"
+  subnets                 = "${var.subnets}"
+  tls_enabled             = "${var.tls_enabled}"
+}
+
+module "etcd_certs" {
+  source = "github.com/coreos/tectonic-installer//modules/tls/etcd/signed?ref=0a22c73d39f67ba4bb99106a9e72322a47179736"
+
+  etcd_ca_cert_path     = "/dev/null"
+  etcd_cert_dns_names   = "${data.template_file.etcd_hostname_list.*.rendered}"
+  etcd_client_cert_path = "/dev/null"
+  etcd_client_key_path  = "/dev/null"
+  self_signed           = "true"
+  service_cidr          = "10.3.0.0/16"
+}
+
+resource "aws_s3_bucket" "eg-etcd-ignition" {
+  bucket = "${data.aws_caller_identity.current.account_id}-eg-etc-ignition"
+  acl    = "private"
+
+  tags = "${var.tags}"
+}
+
+resource "aws_security_group" "etcd" {
+  name   = "eg-etcd"
+  vpc_id = "${var.vpc_id}"
+
+  ingress {
+    protocol        = "tcp"
+    from_port       = "2379"
+    to_port         = "2380"
+    self            = true
+    security_groups = ["${var.security_groups}"]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# If bastion instance is present in a public subnet
+resource "aws_security_group_rule" "allow_ssh" {
+  count = "${var.bastion_enabled ? 1 : 0}"
+
+  type      = "ingress"
+  from_port = 22
+  to_port   = 22
+  protocol  = "tcp"
+
+  cidr_blocks = ["0.0.0.0/0"]
+
+  security_group_id = "${aws_security_group.etcd.id}"
+}
diff --git a/contrib/terraform/modules/etcd/output.tf b/contrib/terraform/modules/etcd/output.tf
new file mode 100644
index 0000000..a111324
--- /dev/null
+++ b/contrib/terraform/modules/etcd/output.tf
@@ -0,0 +1,3 @@
+output "bastion_ip" {
+  value = "${element(concat(aws_instance.bastion.*.public_ip, list("")), 0)}"
+}
diff --git a/contrib/terraform/modules/etcd/resources/dropins/40-etcd-cluster.conf b/contrib/terraform/modules/etcd/resources/dropins/40-etcd-cluster.conf
new file mode 100644
index 0000000..078b761
--- /dev/null
+++ b/contrib/terraform/modules/etcd/resources/dropins/40-etcd-cluster.conf
@@ -0,0 +1,17 @@
+[Unit]
+${metadata_deps}
+
+[Service]
+Environment="ETCD_IMAGE=${container_image}"
+${metadata_env}
+Environment="RKT_RUN_ARGS=--volume etcd-ssl,kind=host,source=/etc/ssl/etcd \
+  --mount volume=etcd-ssl,target=/etc/ssl/etcd"
+ExecStart=
+ExecStart=/usr/lib/coreos/etcd-wrapper \
+  --name=${name} \
+  --advertise-client-urls=${advertise_client_urls} \
+  ${cert_options} \
+  ${initial_cluster} \
+  --initial-advertise-peer-urls=${initial_advertise_peer_urls} \
+  --listen-client-urls=${scheme}://0.0.0.0:2379 \
+  --listen-peer-urls=${scheme}://0.0.0.0:2380
diff --git a/contrib/terraform/modules/etcd/variables.tf b/contrib/terraform/modules/etcd/variables.tf
new file mode 100644
index 0000000..6e4aba4
--- /dev/null
+++ b/contrib/terraform/modules/etcd/variables.tf
@@ -0,0 +1,53 @@
+variable "cluster_name" {
+  default = "event-gateway"
+}
+
+variable "security_groups" {
+  type = "list"
+}
+
+variable "vpc_id" {}
+
+variable "base_domain" {}
+
+variable "instance_count" {}
+
+variable "ssh_key" {}
+
+variable "subnets" {
+  type = "list"
+}
+
+variable "container_linux_channel" {
+  default = "stable"
+}
+
+variable "ec2_type" {}
+
+variable "tls_enabled" {}
+
+variable "container_image" {}
+
+variable "root_volume_iops" {}
+
+variable "root_volume_size" {}
+
+variable "root_volume_type" {}
+
+variable "tags" {
+  type = "map"
+}
+
+variable "bastion_enabled" {}
+
+variable "bastion_subnet" {
+  default = 0
+}
+
+variable "bastion_name" {
+  default = "eg-etcd-bastion"
+}
+
+variable "use_metadata" {
+  default = false
+}
diff --git a/contrib/terraform/modules/event-gateway/alb.tf b/contrib/terraform/modules/event-gateway/alb.tf
new file mode 100644
index 0000000..0e104bd
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/alb.tf
@@ -0,0 +1,48 @@
+module "alb-events" {
+  source                   = "terraform-aws-modules/alb/aws"
+  load_balancer_name       = "${var.events_alb_name}"
+  security_groups          = ["${aws_security_group.alb.id}"]
+  logging_enabled          = "false"
+  subnets                  = ["${module.vpc.public_subnets}"]
+  tags                     = "${merge(var.tags, map("Name", var.events_alb_name))}"
+  vpc_id                   = "${module.vpc.vpc_id}"
+  http_tcp_listeners       = "${list(map("port", "80", "protocol", "HTTP"))}"
+  http_tcp_listeners_count = "1"
+  target_groups            = "${list(map("health_check_path", "/v1/status", "health_check_port", "4001", "name", "tg-events", "backend_protocol", "HTTP", "backend_port", "80", "target_type", "ip"))}"
+  target_groups_count      = "1"
+}
+
+module "alb-config" {
+  source                   = "terraform-aws-modules/alb/aws"
+  load_balancer_name       = "${var.config_alb_name}"
+  security_groups          = ["${aws_security_group.alb.id}"]
+  logging_enabled          = "false"
+  subnets                  = ["${module.vpc.public_subnets}"]
+  tags                     = "${merge(var.tags, map("Name", var.config_alb_name))}"
+  vpc_id                   = "${module.vpc.vpc_id}"
+  http_tcp_listeners       = "${list(map("port", "80", "protocol", "HTTP"))}"
+  http_tcp_listeners_count = "1"
+  target_groups            = "${list(map("health_check_path", "/v1/status", "name", "tg-config", "backend_protocol", "HTTP", "backend_port", "80", "target_type", "ip"))}"
+  target_groups_count      = "1"
+}
+
+resource "aws_security_group" "alb" {
+  name   = "eg-alb"
+  vpc_id = "${module.vpc.vpc_id}"
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = 80
+    to_port     = 80
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${var.tags}"
+}
diff --git a/contrib/terraform/modules/event-gateway/ecs.tf b/contrib/terraform/modules/event-gateway/ecs.tf
new file mode 100644
index 0000000..8c62928
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/ecs.tf
@@ -0,0 +1,114 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_ecs_cluster" "event-gateway" {
+  name = "eg-ecs-cluster"
+}
+
+resource "aws_cloudwatch_log_group" "eg" {
+  name = "eg-ecs-group"
+  tags = "${var.tags}"
+}
+
+resource "aws_ecs_task_definition" "eg" {
+  family                   = "eg"
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = "${var.fargate_cpu}"
+  memory                   = "${var.fargate_memory}"
+  execution_role_arn       = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/ecsTaskExecutionRole"
+
+  container_definitions = <<EOF
+[
+  {
+    "name": "event-gateway",
+    "image": "${var.eg_image}",
+    "command": ["${join("\",\"", var.command_list)}"],
+    "networkMode": "awsvpc",  
+    "portMappings": [
+      {
+        "containerPort": ${var.config_port}
+      },
+      {
+        "containerPort": ${var.events_port}
+      }
+    ],
+    "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+            "awslogs-group": "${aws_cloudwatch_log_group.eg.name}",
+            "awslogs-region": "${var.aws_region}",
+            "awslogs-stream-prefix": "ecs"
+        }
+    }
+  }
+]
+EOF
+}
+
+resource "aws_ecs_service" "config" {
+  name            = "eg-config"
+  cluster         = "${aws_ecs_cluster.event-gateway.id}"
+  task_definition = "${aws_ecs_task_definition.eg.arn}"
+  desired_count   = "${var.task_count}"
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups = ["${aws_security_group.sg-container-ingress.id}"]
+    subnets         = ["${module.vpc.private_subnets}"]
+  }
+
+  load_balancer {
+    target_group_arn = "${module.alb-config.target_group_arns[0]}"
+    container_name   = "event-gateway"
+    container_port   = "${var.config_port}"
+  }
+
+  depends_on = [
+    "module.alb-config",
+  ]
+}
+
+resource "aws_ecs_service" "events" {
+  name            = "eg-events"
+  cluster         = "${aws_ecs_cluster.event-gateway.id}"
+  task_definition = "${aws_ecs_task_definition.eg.arn}"
+  desired_count   = "${var.task_count}"
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups = ["${aws_security_group.sg-container-ingress.id}"]
+    subnets         = ["${module.vpc.private_subnets}"]
+  }
+
+  load_balancer {
+    target_group_arn = "${module.alb-events.target_group_arns[0]}"
+    container_name   = "event-gateway"
+    container_port   = "${var.events_port}"
+  }
+
+  depends_on = [
+    "module.alb-events",
+  ]
+}
+
+resource "aws_security_group" "sg-container-ingress" {
+  name        = "eg-event-service"
+  description = "Allow only into events API"
+  vpc_id      = "${module.vpc.vpc_id}"
+
+  ingress {
+    protocol        = "tcp"
+    from_port       = "${var.events_port}"
+    to_port         = "${var.config_port}"
+    security_groups = ["${aws_security_group.alb.id}"]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = "${var.tags}"
+}
diff --git a/contrib/terraform/modules/event-gateway/etcd.tf b/contrib/terraform/modules/event-gateway/etcd.tf
new file mode 100644
index 0000000..ba3e43b
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/etcd.tf
@@ -0,0 +1,18 @@
+module "etcd" {
+  source           = "../../modules/etcd"
+  subnets          = "${module.vpc.private_subnets}"
+  bastion_enabled  = "${var.bastion_enabled}"
+  bastion_subnet   = "${module.vpc.public_subnets[0]}"
+  security_groups  = "${aws_security_group.sg-container-ingress.*.id}"
+  ec2_type         = "${var.etcd_instance_type}"
+  root_volume_iops = "${var.etcd_root_volume_iops}"
+  root_volume_size = "${var.etcd_root_volume_size}"
+  root_volume_type = "${var.etcd_root_volume_type}"
+  ssh_key          = "${var.etcd_ssh_key}"
+  vpc_id           = "${module.vpc.vpc_id}"
+  tags             = "${var.tags}"
+  tls_enabled      = "${var.etcd_tls_enabled}"
+  instance_count   = "${var.etcd_instance_count}"
+  container_image  = "${var.etcd_image}"
+  base_domain      = "${var.etcd_base_domain}"
+}
diff --git a/contrib/terraform/modules/event-gateway/iam.tf b/contrib/terraform/modules/event-gateway/iam.tf
new file mode 100644
index 0000000..c37ab85
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/iam.tf
@@ -0,0 +1,40 @@
+resource "aws_iam_role" "ecsTaskExecutionRole" {
+  name = "ecsTaskExecutionRole"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "AmazonECSTaskExecutionRolePolicy" {
+  name = "AmazonECSTaskExecutionRolePolicy"
+  role = "${aws_iam_role.ecsTaskExecutionRole.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
diff --git a/contrib/terraform/modules/event-gateway/output.tf b/contrib/terraform/modules/event-gateway/output.tf
new file mode 100644
index 0000000..5582396
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/output.tf
@@ -0,0 +1,14 @@
+output "config_url" {
+  description = "Event Gateway Config API URL"
+  value       = "${module.alb-config.dns_name}"
+}
+
+output "events_url" {
+  description = "Event Gateway Events API URL"
+  value       = "${module.alb-events.dns_name}"
+}
+
+output "bastion_ip" {
+  description = "Public IP of etcd bastion instance"
+  value       = "${module.etcd.bastion_ip}"
+}
diff --git a/contrib/terraform/modules/event-gateway/provider.tf b/contrib/terraform/modules/event-gateway/provider.tf
new file mode 100644
index 0000000..b54eb94
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/provider.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  region = "${var.aws_region}"
+}
diff --git a/contrib/terraform/modules/event-gateway/variables.tf b/contrib/terraform/modules/event-gateway/variables.tf
new file mode 100644
index 0000000..be9d554
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/variables.tf
@@ -0,0 +1,110 @@
+variable "aws_region" {
+  description = "AWS region for the stack"
+}
+
+variable "command_list" {
+  description = "List of parameters for the `event-gateway` command"
+  type        = "list"
+  default     = ["-log-level", "debug"]
+}
+
+variable "eg_image" {
+  description = "Event Gateway docker image"
+  default     = "serverless/event-gateway:latest"
+}
+
+variable "events_port" {
+  description = "Event Gateway Events API port number"
+  default     = 4000
+}
+
+variable "config_port" {
+  description = "Port number of the Event Gateway Config API"
+  default     = 4001
+}
+
+variable "task_count" {
+  description = "Number of Event Gateway Fargate tasks"
+  default     = 3
+}
+
+variable "fargate_cpu" {
+  description = "Fargate instance CPU units"
+  default     = 256
+}
+
+variable "fargate_memory" {
+  description = "Fargate instance memory"
+  default     = 512
+}
+
+variable "etcd_instance_type" {
+  description = "Etcd node type"
+  default     = "t2.micro"
+}
+
+variable "tags" {
+  description = "Additional tags"
+  type        = "map"
+  default     = {}
+}
+
+variable "events_alb_name" {
+  description = "Events ALB name"
+  default     = "alb-events"
+}
+
+variable "config_alb_name" {
+  description = "Config ALB name"
+  default     = "alb-config"
+}
+
+variable "eg_vpc_name" {
+  description = "Event Gateway VPC name"
+  default     = "eg-vpc"
+}
+
+variable "bastion_enabled" {
+  description = "Set to true enables SSH access to etcd nodes in the private subnet"
+  default     = false
+}
+
+variable "etcd_root_volume_iops" {
+  description = "Number of IOPS of the etcd cluster volumes"
+  default     = "100"
+}
+
+variable "etcd_root_volume_size" {
+  description = "Size of the etcd cluster volumes (in GiB)"
+  default     = "30"
+}
+
+variable "etcd_root_volume_type" {
+  description = "Type of the etcd cluster volumes"
+  default     = "gp2"
+}
+
+variable "etcd_ssh_key" {
+  description = "(optional) Name of the preexisting SSH key"
+  default     = ""
+}
+
+variable "etcd_tls_enabled" {
+  description = "Enable TLS for the etcd cluster"
+  default     = false
+}
+
+variable "etcd_image" {
+  description = "etcd Docker image"
+  default     = "quay.io/coreos/etcd:v3.1.8"
+}
+
+variable "etcd_instance_count" {
+  description = "Number of nodes in the etcd cluster"
+  default     = 3
+}
+
+variable "etcd_base_domain" {
+  description = "Name of the base domain for the etcd cluster"
+  default     = "etcd"
+}
diff --git a/contrib/terraform/modules/event-gateway/vpc.tf b/contrib/terraform/modules/event-gateway/vpc.tf
new file mode 100644
index 0000000..e2c6bf0
--- /dev/null
+++ b/contrib/terraform/modules/event-gateway/vpc.tf
@@ -0,0 +1,18 @@
+data "aws_availability_zones" "available" {}
+
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name = "${var.eg_vpc_name}"
+  cidr = "10.0.0.0/16"
+
+  azs             = "${data.aws_availability_zones.available.names}"
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+  enable_dns_hostnames = true
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+
+  tags = "${merge(var.tags, map("Name", var.eg_vpc_name))}"
+}