```
├── .github
│   └── workflows
│       └── terraform.yml
├── .gitignore
├── CHANGELOG.md
├── LICENSE.md
├── README.md
├── aurora.tf
├── cloud-init.cfg
├── cloud-init.sh
├── cloud-init.tf
├── cw.tf
├── cw
│   └── lb
│       ├── main.tf
│       └── variables.tf
├── data.tf
├── ec2.tf
├── iam.tf
├── lb.tf
├── locals.tf
├── outputs.tf
├── passwords.tf
├── rds.tf
├── redis.tf
├── security.tf
├── ssm.tf
└── variables.tf
```

/.github/workflows/terraform.yml:
--------------------------------------------------------------------------------

```yaml
name: 'Terraform GitHub Actions'
on:
  - pull_request
jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    steps:
      # Note: "@master" is a mutable ref; pinning a release tag or commit SHA
      # makes the checkout and Terraform actions reproducible.
      - name: 'Checkout'
        uses: actions/checkout@master
      - name: 'Terraform Format'
        uses: hashicorp/terraform-github-actions@master
        with:
          tf_actions_version: 0.12.13
          tf_actions_subcommand: 'fmt'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: 'Terraform Init'
        uses: hashicorp/terraform-github-actions@master
        with:
          tf_actions_version: 0.12.13
          tf_actions_subcommand: 'init'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

/.gitignore:
--------------------------------------------------------------------------------

```gitignore
# Local .terraform directories
**/.terraform/*

# .tfstate files (state holds generated passwords and other secrets in clear text)
*.tfstate
*.tfstate.*

# Crash log files
crash.log
crash.*.log

# Exclude all .tfvars files, which are likely to contain sensitive data, such as
# passwords, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
*.tfvars
*.tfvars.json

# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json

# Include override files you do wish to add to version control using a negated pattern
# !example_override.tf

# Add a tfplan pattern to ignore the plan output of: terraform plan -out=tfplan
# (plan files can also contain sensitive values)
# example: *tfplan*

# Ignore CLI configuration files
.terraformrc
terraform.rc

# Ignore the terraform lock file
# (note: committing .terraform.lock.hcl pins provider versions and checksums)
.terraform.lock.hcl

tmp/
```

/CHANGELOG.md:
--------------------------------------------------------------------------------

# Change Log

## [3.0] - 2019-09-23

### Added

- RDS support (now the default over Aurora).
- Dev Portal support in Enterprise Edition.
- [decK: declarative Kong configuration](https://github.com/hbagdi/deck) support.
- Use the random provider to automatically generate passwords.

### Changed

- Complete refactor for Terraform 0.12. Older versions are no longer supported.
- Migrated to Kong 1.x. Older versions are no longer supported.
- Removed kongfig in favor of decK (which supports services and routes and is actively maintained).
- Additional database and cache configuration.
- Variable `vpc_name` renamed to simply `vpc`.

### Fixed

- Removed unused variable `ec2_ebs_optimized` that was causing confusion and errors for some.

## [2.1] - 2018-09-18

First public release.

/LICENSE.md:
--------------------------------------------------------------------------------

Copyright (c) Zillow Group 2018
Copyright (c) Kong Inc. 2019

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

/README.md:
--------------------------------------------------------------------------------

# Kong Cluster Terraform Module for AWS

:warning: This Terraform module serves as a reference point for getting started.
While it may work for certain scenarios, it is NOT intended to work with
all setups. Please fork the repo or copy code over from here
(it is liberally licensed under Apache 2.0).

[Kong API Gateway](https://konghq.com/) is an API gateway and microservices
management layer. Both Kong Community Edition and Enterprise Edition are supported.

By default, the following resources will be provisioned:

- RDS PostgreSQL database for Kong's configuration store
- An Auto Scaling Group (ASG) and EC2 instances running Kong (Kong nodes)
- An external load balancer (HTTPS only)
  - HTTPS:443 - Kong Proxy
- An internal load balancer (HTTP and HTTPS)
  - HTTP:80 - Kong Proxy
  - HTTPS:443 - Kong Proxy
  - HTTPS:8444 - Kong Admin API (Enterprise Edition only)
  - HTTPS:8445 - Kong Manager (Enterprise Edition only)
  - HTTPS:8446 - Kong Dev Portal GUI (Enterprise Edition only)
  - HTTPS:8447 - Kong Dev Portal API (Enterprise Edition only)
- Security groups granting least privilege access to resources (ingress ranges
  come from the `*_cidr_blocks` variables, most of which default to `0.0.0.0/0`;
  narrow them for anything beyond a sandbox)
- An IAM instance profile for access to Kong-specific SSM Parameter Store
  metadata and secrets

Optionally, a Redis cluster can be provisioned for rate-limiting counters and
caching, and most default resources can be disabled. See variables.tf for a
complete list and description of tunables.

The Kong nodes are based on [Minimal Ubuntu](https://wiki.ubuntu.com/Minimal).
Using cloud-init, the following is provisioned on top of the AMI:

- A kong service user
- A minimal set of dependencies and debugging tools
- decK for Kong declarative configuration management
- Kong, running under runit process supervision
- Log rotation of Kong log files

Prerequisites:

- An AWS VPC
- Private and public subnets tagged with the tag named by `subnet_tag` (default `Tier`)
- Database subnet group
- Cache subnet group (if enabling Redis)
- An SSH key pair
- A managed SSL certificate, referenced by domain name, for each HTTPS load balancer listener

## Variables

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_cidr_blocks | Access to Kong Admin API (Enterprise Edition only) | `list(string)` | `["0.0.0.0/0"]` | no |
| asg_desired_capacity | The number of instances that should be running in the group | `string` | `2` | no |
| asg_health_check_grace_period | Time in seconds after an instance comes into service before checking health | `string` | `300` | no |
| asg_max_size | The maximum size of the auto scaling group | `string` | `3` | no |
| asg_min_size | The minimum size of the auto scaling group | `string` | `1` | no |
| bastion_cidr_blocks | Bastion hosts allowed access to PostgreSQL and Kong Admin | `list(string)` | `["127.0.0.1/32"]` | no |
| ce_pkg | Filename of the Community Edition package | `string` | `"kong-1.3.0.bionic.amd64.deb"` | no |
| cloudwatch_actions | List of CloudWatch actions for Alarm/OK | `list(string)` | `[]` | no |
| db_backup_retention_period | The number of days to retain backups | `string` | `7` | no |
| db_engine_mode | Engine mode for Aurora | `string` | `"provisioned"` | no |
| db_engine_version | Database engine version | `string` | `"11.4"` | no |
| db_family | Database parameter group family | `string` | `"postgres11"` | no |
| db_instance_class | Database instance class | `string` | `"db.t2.micro"` | no |
| db_instance_count | Number of database instances (0 to leverage an existing db) | `string` | `1` | no |
| db_multi_az | Boolean to specify if RDS is multi-AZ | `string` | `false` | no |
| db_storage_size | Size of the database storage in gigabytes | `string` | `20` | no |
| db_storage_type | Type of the database storage | `string` | `"gp2"` | no |
| db_subnets | Database instance subnet group name | `string` | `"db-subnets"` | no |
| db_username | Database master username | `string` | `"root"` | no |
| deck_version | Version of decK to install | `string` | `"0.5.2"` | no |
| additional_security_groups | IDs of additional security groups attached to the Kong EC2 instances | `list(string)` | `[]` | no |
| deregistration_delay | Seconds to wait before changing the state of a deregistering target from draining to unused | `string` | `300` | no |
| description | Resource description tag | `string` | `"Kong API Gateway"` | no |
| ec2_ami | Map of Ubuntu Minimal AMIs by region | `map(string)` | `{"us-east-1": "ami-7029320f", "us-east-2": "ami-0350efe0754b8e179", "us-west-1": "ami-657f9006", "us-west-2": "ami-59694f21"}` | no |
| ec2_instance_type | EC2 instance type | `string` | `"t2.micro"` | no |
| ec2_key_name | AWS SSH key pair name | `string` | `""` | no |
| ec2_root_volume_size | Size of the root volume (in gigabytes) | `string` | `8` | no |
| ec2_root_volume_type | Type of the root volume (standard, gp2, or io) | `string` | `"gp2"` | no |
| ee_license | Enterprise Edition license key (JSON format) | `string` | `"placeholder"` | no |
| ee_pkg | Filename of the Enterprise Edition package | `string` | `"kong-enterprise-edition-0.36-2.bionic.all.deb"` | no |
| enable_aurora | Boolean to enable Aurora | `string` | `"false"` | no |
| enable_deletion_protection | Boolean to enable deletion protection on the ALB | `string` | `true` | no |
| enable_ee | Boolean to enable Kong Enterprise Edition settings | `string` | `false` | no |
| enable_external_lb | Boolean to enable/create the external load balancer, exposing Kong to the Internet | `string` | `true` | no |
| enable_internal_lb | Boolean to enable/create the internal load balancer for the forward proxy | `string` | `true` | no |
| enable_redis | Boolean to enable the Redis AWS resource | `string` | `false` | no |
| environment | Resource environment tag (e.g. dev, stage, prod) | `string` | n/a | yes |
| external_cidr_blocks | External ingress access to Kong Proxy via the load balancer | `list(string)` | `["0.0.0.0/0"]` | no |
| health_check_healthy_threshold | Number of consecutive checks before an unhealthy target is considered healthy | `string` | `5` | no |
| health_check_interval | Seconds between health checks | `string` | `5` | no |
| health_check_matcher | HTTP code(s) that result in a successful response from a target (comma delimited) | `string` | `200` | no |
| health_check_timeout | Seconds waited before a health check fails | `string` | `3` | no |
| health_check_unhealthy_threshold | Number of consecutive checks before considering a target unhealthy | `string` | `2` | no |
| http_4xx_count | HTTP 4xx count threshold | `string` | `50` | no |
| http_5xx_count | HTTP 5xx count threshold | `string` | `50` | no |
| idle_timeout | Seconds a connection can idle before being disconnected | `string` | `60` | no |
| internal_http_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTP) | `list(string)` | `["0.0.0.0/0"]` | no |
| internal_https_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTPS) | `list(string)` | `["0.0.0.0/0"]` | no |
| manager_cidr_blocks | Access to Kong Manager (Enterprise Edition only) | `list(string)` | `["0.0.0.0/0"]` | no |
| manager_host | Hostname to access Kong Manager (Enterprise Edition only) | `string` | `"default"` | no |
| portal_cidr_blocks | Access to Portal (Enterprise Edition only) | `list(string)` | `["0.0.0.0/0"]` | no |
| portal_host | Hostname to access Portal (Enterprise Edition only) | `string` | `"default"` | no |
| private_subnets | Subnet tag value on private subnets | `string` | `"private"` | no |
| public_subnets | Subnet tag value on public subnets for external load balancers | `string` | `"public"` | no |
| redis_engine_version | Redis engine version | `string` | `"5.0.5"` | no |
| redis_family | Redis parameter group family | `string` | `"redis5.0"` | no |
| redis_instance_count | Number of Redis nodes | `string` | `2` | no |
| redis_instance_type | Redis node instance type | `string` | `"cache.t2.small"` | no |
| redis_subnets | Redis cluster subnet group name | `string` | `"cache-subnets"` | no |
| service | Resource service tag | `string` | `"kong"` | no |
| ssl_cert_admin | SSL certificate domain name for the Kong Admin API HTTPS listener | `string` | n/a | yes |
| ssl_cert_external | SSL certificate domain name for the external Kong Proxy HTTPS listener | `string` | n/a | yes |
| ssl_cert_internal | SSL certificate domain name for the internal Kong Proxy HTTPS listener | `string` | n/a | yes |
| ssl_cert_manager | SSL certificate domain name for the Kong Manager HTTPS listener | `string` | n/a | yes |
| ssl_cert_portal | SSL certificate domain name for the Dev Portal listener | `string` | n/a | yes |
| ssl_policy | SSL policy for HTTPS listeners | `string` | `"ELBSecurityPolicy-TLS-1-2-2017-01"` | no |
| subnet_tag | Tag used on subnets to define the tier | `string` | `"Tier"` | no |
| tags | Tags to apply to resources | `map` | `{}` | no |
| vpc_id | VPC ID for the AWS account and region specified | `string` | n/a | yes |
| db_final_snapshot_identifier | If specified, a final snapshot will be made of the RDS/Aurora instance. If left blank, the final snapshot will be skipped | `string` | `""` | no |
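The table above shows that every `*_cidr_blocks` variable except `bastion_cidr_blocks` defaults to `0.0.0.0/0` and that the database master user defaults to `root`. The following root module is an added example of calling the module with those defaults overridden; it is not part of this repository. The module source path, VPC ID, CIDR ranges, key pair name and certificate domain names are placeholders, and the `admin_`, `manager_` and `portal_cidr_blocks` values only take effect when `enable_ee` is `true`, as the table states.

```hcl
# Added example root module (not part of the Kong Terraform module itself).
# All IDs, CIDRs and hostnames below are placeholders.

terraform {
  required_version = ">= 0.12" # the module was refactored for Terraform 0.12
}

provider "aws" {
  region = "us-east-2"
}

module "kong" {
  source = "./terraform-aws-kong" # assumed local checkout path of this module

  environment = "prod"
  vpc_id      = "vpc-0123456789abcdef0" # placeholder

  # Subnets are discovered by the tag named in subnet_tag (module defaults shown).
  subnet_tag      = "Tier"
  private_subnets = "private"
  public_subnets  = "public"

  # Certificates are referenced by domain name (see the ssl_cert_* variables).
  ssl_cert_external = "api.example.com"
  ssl_cert_internal = "api.internal.example.com"
  ssl_cert_admin    = "kong-admin.internal.example.com"
  ssl_cert_manager  = "kong-manager.internal.example.com"
  ssl_cert_portal   = "portal.internal.example.com"

  # Every listener defaults to 0.0.0.0/0; only the public proxy should stay open.
  external_cidr_blocks       = ["0.0.0.0/0"]     # Internet-facing proxy, intentional
  internal_https_cidr_blocks = ["10.0.0.0/8"]    # placeholder: corporate/VPC ranges
  internal_http_cidr_blocks  = ["10.0.0.0/16"]   # placeholder: VPC only (plaintext listener)
  admin_cidr_blocks          = ["10.1.2.0/24"]   # placeholder: VPN/bastion subnet (EE only)
  manager_cidr_blocks        = ["10.1.2.0/24"]   # EE only
  portal_cidr_blocks         = ["10.1.2.0/24"]   # EE only
  bastion_cidr_blocks        = ["10.1.2.10/32"]  # placeholder: the one host allowed to reach PostgreSQL

  # Database: drop the "root" master name, keep backups and a final snapshot.
  db_username                  = "kong_admin"
  db_multi_az                  = true
  db_backup_retention_period   = 14
  db_final_snapshot_identifier = "kong-prod-final"

  # Keep ALB deletion protection (default true) and the TLS 1.2 listener policy.
  enable_deletion_protection = true
  ssl_policy                 = "ELBSecurityPolicy-TLS-1-2-2017-01"

  ec2_key_name = "kong-prod" # placeholder key pair name

  tags = {
    owner = "platform-security"
  }
}
```

After `terraform init`, run `terraform plan -out=tfplan` and review the security group ingress rules in the plan before applying. The module generates the database password with the random provider, so the state file and any saved plan contain it in clear text; keep both out of version control (the repository's `.gitignore` already excludes `*.tfstate` and suggests a `*tfplan*` pattern) and store remote state with encryption and restricted access.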