feat: add internal-alb for kong admin api

rohit-ng · rohit-ng · commit 7dcafac9e3d2 · 2024-07-22T18:52:40.000+05:30
diff --git a/README.md b/README.md
@@ -10,19 +10,22 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.59.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_alb_security_group"></a> [alb\_security\_group](#module\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | ../terraform-aws-ecs-deployment | n/a |
 | <a name="module_ecs_node_security_group"></a> [ecs\_node\_security\_group](#module\_ecs\_node\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
+| <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | ../terraform-aws-ecs-deployment//modules/alb | n/a |
+| <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
+| <a name="module_kong_internal_dns_record"></a> [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_public_dns_record"></a> [kong\_public\_dns\_record](#module\_kong\_public\_dns\_record) | ./modules/route-53-record | n/a |
 | <a name="module_kong_rds"></a> [kong\_rds](#module\_kong\_rds) | terraform-aws-modules/rds/aws | ~> 6.7.0 |
 | <a name="module_postgres_security_group"></a> [postgres\_security\_group](#module\_postgres\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
-| <a name="module_route53_record_kong_public_dns"></a> [route53\_record\_kong\_public\_dns](#module\_route53\_record\_kong\_public\_dns) | ./modules/route-53-record | n/a |
+| <a name="module_public_alb_security_group"></a> [public\_alb\_security\_group](#module\_public\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 
 ## Resources
 
@@ -35,6 +38,7 @@
 | [aws_iam_policy_document.ecs_node_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecs_task_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.ecs_node_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
@@ -60,8 +64,9 @@
 | <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Whether to force new deployment | `bool` | `true` | no |
 | <a name="input_instance_type_for_kong"></a> [instance\_type\_for\_kong](#input\_instance\_type\_for\_kong) | Instance type for kong | `string` | `"t2.micro"` | no |
 | <a name="input_key_name_for_kong"></a> [key\_name\_for\_kong](#input\_key\_name\_for\_kong) | Key name for to SSH into kong instance | `string` | `null` | no |
+| <a name="input_kong_admin_sub_domain_names"></a> [kong\_admin\_sub\_domain\_names](#input\_kong\_admin\_sub\_domain\_names) | List of kong admin sub domain names | `list(any)` | n/a | yes |
 | <a name="input_kong_public_sub_domain_names"></a> [kong\_public\_sub\_domain\_names](#input\_kong\_public\_sub\_domain\_names) | List of kong public sub domain names | `list(any)` | n/a | yes |
-| <a name="input_log_configuration_for_kong"></a> [log\_configuration\_for\_kong](#input\_log\_configuration\_for\_kong) | Log configuration for kong | `any` | `{}` | no |
+| <a name="input_log_configuration_for_kong"></a> [log\_configuration\_for\_kong](#input\_log\_configuration\_for\_kong) | Log configuration for kong | `any` | `null` | no |
 | <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in.Syntax:ddd:hh24:mi-ddd:hh24:mi | `string` | `null` | no |
 | <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Whether to manage master user password | `bool` | `false` | no |
 | <a name="input_managed_scaling_status"></a> [managed\_scaling\_status](#input\_managed\_scaling\_status) | Mangaed scaling | `string` | `"ENABLED"` | no |
diff --git a/main.tf b/main.tf
@@ -45,10 +45,13 @@ locals {
       { containerPort = 8002, hostPort = 8002 }
     ]
 
-    admin_port          = 8001
-    proxy_port          = 8000
-    public_target_group = "kong_public"
-    public_domains      = [for subdomain in var.kong_public_sub_domain_names : "${subdomain}.${var.base_domain}"]
+
+    admin_port            = 8001
+    proxy_port            = 8000
+    public_target_group   = "kong_public"
+    internal_target_group = "kong_internal"
+    public_domains        = [for subdomain in var.kong_public_sub_domain_names : "${subdomain}.${var.base_domain}"]
+    admin_domains         = [for subdomain in var.kong_admin_sub_domain_names : "${subdomain}.${var.base_domain}"]
   }
 
   kong_parameters = {
@@ -161,7 +164,33 @@ module "ecs_node_security_group" {
   tags = local.default_tags
 }
 
-module "alb_security_group" {
+data "aws_vpc" "vpc" {
+  id = var.vpc_id
+}
+
+module "internal_alb_security_group" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.1.2"
+
+  name   = local.kong.alb_sg_name
+  vpc_id = var.vpc_id
+
+  ingress_with_cidr_blocks = [{
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = data.aws_vpc.vpc.cidr_block
+  }]
+  egress_with_cidr_blocks = [{
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = "0.0.0.0/0"
+  }, ]
+  tags = local.default_tags
+}
+
+module "public_alb_security_group" {
   source  = "terraform-aws-modules/security-group/aws"
   version = "~> 5.1.2"
 
@@ -221,6 +250,11 @@ module "ecs_kong" {
     desired_count        = var.desired_count_for_kong_service
     force_new_deployment = var.force_new_deployment
     load_balancer = [
+      {
+        target_group_arn = module.internal_alb_kong.target_groups_arns[local.kong.internal_target_group]
+        container_name   = local.kong.name
+        container_port   = local.kong.admin_port
+      },
       {
         target_group   = local.kong.public_target_group
         container_name = local.kong.name
@@ -303,14 +337,14 @@ module "ecs_kong" {
   ]
 
   load_balancer = {
-    name                       = local.kong.name
+    name                       = "${local.kong.name}-public"
     internal                   = false
     subnets_ids                = var.public_subnet_ids
-    security_groups_ids        = [module.alb_security_group.security_group_id]
+    security_groups_ids        = [module.public_alb_security_group.security_group_id]
     enable_deletion_protection = false
     target_groups = {
       (local.kong.public_target_group) = {
-        name        = "kong-public"
+        name        = "${local.kong.name}-public"
         port        = 8000
         protocol    = "HTTP"
         target_type = "ip"
@@ -330,7 +364,7 @@ module "ecs_kong" {
       kong_https = {
         port            = 443
         protocol        = "HTTPS"
-        certificate_arn = module.route53_record_kong_public_dns.certificate_arn
+        certificate_arn = module.kong_public_dns_record.certificate_arn
         ssl_policy      = var.ssl_policy
 
         default_action = [
@@ -352,11 +386,67 @@ module "ecs_kong" {
   depends_on = [module.kong_rds]
 }
 
-module "route53_record_kong_public_dns" {
+module "internal_alb_kong" {
+  source                     = "../terraform-aws-ecs-deployment//modules/alb"
+  name                       = "${local.kong.name}-internal"
+  internal                   = true
+  subnets_ids                = var.private_subnet_ids
+  security_groups_ids        = [module.internal_alb_security_group.security_group_id]
+  enable_deletion_protection = false
+  target_groups = {
+    (local.kong.internal_target_group) = {
+      name        = "${local.kong.name}-internal"
+      port        = 8001
+      protocol    = "HTTP"
+      target_type = "ip"
+      vpc_id      = var.vpc_id
+      health_check = {
+        enabled             = true
+        path                = "/status"
+        port                = local.kong.admin_port
+        matcher             = 200
+        interval            = 120
+        timeout             = 5
+        healthy_threshold   = 2
+        unhealthy_threshold = 3
+      }
+    }
+  }
+  listeners = {
+    kong_http = {
+      port     = 80
+      protocol = "HTTP"
+
+      default_action = [
+        {
+          type         = "forward"
+          target_group = local.kong.internal_target_group
+          conditions = [
+            {
+              field  = "host-header"
+              values = local.kong.admin_domains
+            }
+          ]
+        },
+      ]
+    }
+  }
+}
+
+module "kong_public_dns_record" {
   source = "./modules/route-53-record"
 
   base_domain  = var.base_domain
   endpoints    = var.kong_public_sub_domain_names
   alb_dns_name = module.ecs_kong.alb_dns_name
   alb_zone_id  = module.ecs_kong.alb_zone_id
 }
+
+module "kong_internal_dns_record" {
+  source = "./modules/route-53-record"
+
+  base_domain  = var.base_domain
+  endpoints    = var.kong_admin_sub_domain_names
+  alb_dns_name = module.internal_alb_kong.dns_name
+  alb_zone_id  = module.ecs_kong.alb_zone_id
+}
diff --git a/variables.tf b/variables.tf
@@ -125,6 +125,11 @@ variable "kong_public_sub_domain_names" {
   type        = list(any)
 }
 
+variable "kong_admin_sub_domain_names" {
+  description = "List of kong admin sub domain names"
+  type        = list(any)
+}
+
 variable "base_domain" {
   type        = string
   description = "Base domain"
@@ -205,7 +210,7 @@ variable "container_image" {
 variable "log_configuration_for_kong" {
   description = "Log configuration for kong"
   type        = any
-  default     = {}
+  default     = null
 }
 
 variable "cpu_for_kong_task" {
