
Commit 7dcafac

author
rohit-ng
committed
feat: add internal-alb for kong admin api
1 parent 84b5aa1 commit 7dcafac

3 files changed

+115
-15
lines changed


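--- a/README.md
+++ b/README.md
@@ -10,19 +10,22 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.58.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.59.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_alb_security_group"></a> [alb\_security\_group](#module\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | ../terraform-aws-ecs-deployment | n/a |
 | <a name="module_ecs_node_security_group"></a> [ecs\_node\_security\_group](#module\_ecs\_node\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
+| <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | ../terraform-aws-ecs-deployment//modules/alb | n/a |
+| <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
+| <a name="module_kong_internal_dns_record"></a> [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_public_dns_record"></a> [kong\_public\_dns\_record](#module\_kong\_public\_dns\_record) | ./modules/route-53-record | n/a |
 | <a name="module_kong_rds"></a> [kong\_rds](#module\_kong\_rds) | terraform-aws-modules/rds/aws | ~> 6.7.0 |
 | <a name="module_postgres_security_group"></a> [postgres\_security\_group](#module\_postgres\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
-| <a name="module_route53_record_kong_public_dns"></a> [route53\_record\_kong\_public\_dns](#module\_route53\_record\_kong\_public\_dns) | ./modules/route-53-record | n/a |
+| <a name="module_public_alb_security_group"></a> [public\_alb\_security\_group](#module\_public\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.1.2 |
 
 ## Resources
 
@@ -35,6 +38,7 @@
 | [aws_iam_policy_document.ecs_node_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.ecs_task_doc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_ssm_parameter.ecs_node_ami](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source |
+| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
@@ -60,8 +64,9 @@
 | <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Whether to force new deployment | `bool` | `true` | no |
 | <a name="input_instance_type_for_kong"></a> [instance\_type\_for\_kong](#input\_instance\_type\_for\_kong) | Instance type for kong | `string` | `"t2.micro"` | no |
 | <a name="input_key_name_for_kong"></a> [key\_name\_for\_kong](#input\_key\_name\_for\_kong) | Key name for to SSH into kong instance | `string` | `null` | no |
+| <a name="input_kong_admin_sub_domain_names"></a> [kong\_admin\_sub\_domain\_names](#input\_kong\_admin\_sub\_domain\_names) | List of kong admin sub domain names | `list(any)` | n/a | yes |
 | <a name="input_kong_public_sub_domain_names"></a> [kong\_public\_sub\_domain\_names](#input\_kong\_public\_sub\_domain\_names) | List of kong public sub domain names | `list(any)` | n/a | yes |
-| <a name="input_log_configuration_for_kong"></a> [log\_configuration\_for\_kong](#input\_log\_configuration\_for\_kong) | Log configuration for kong | `any` | `{}` | no |
+| <a name="input_log_configuration_for_kong"></a> [log\_configuration\_for\_kong](#input\_log\_configuration\_for\_kong) | Log configuration for kong | `any` | `null` | no |
 | <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in.Syntax:ddd:hh24:mi-ddd:hh24:mi | `string` | `null` | no |
 | <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Whether to manage master user password | `bool` | `false` | no |
 | <a name="input_managed_scaling_status"></a> [managed\_scaling\_status](#input\_managed\_scaling\_status) | Mangaed scaling | `string` | `"ENABLED"` | no |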

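--- a/main.tf
+++ b/main.tf
@@ -45,10 +45,13 @@ locals {
 { containerPort = 8002, hostPort = 8002 }
 ]
 
-admin_port = 8001
-proxy_port = 8000
-public_target_group = "kong_public"
-public_domains = [for subdomain in var.kong_public_sub_domain_names : "${subdomain}.${var.base_domain}"]
+
+admin_port = 8001
+proxy_port = 8000
+public_target_group = "kong_public"
+internal_target_group = "kong_internal"
+public_domains = [for subdomain in var.kong_public_sub_domain_names : "${subdomain}.${var.base_domain}"]
+admin_domains = [for subdomain in var.kong_admin_sub_domain_names : "${subdomain}.${var.base_domain}"]
 }
 
 kong_parameters = {
@@ -161,7 +164,33 @@ module "ecs_node_security_group" {
 tags = local.default_tags
 }
 
-module "alb_security_group" {
+data "aws_vpc" "vpc" {
+id = var.vpc_id
+}
+
+module "internal_alb_security_group" {
+source = "terraform-aws-modules/security-group/aws"
+version = "~> 5.1.2"
+
+name = local.kong.alb_sg_name
+vpc_id = var.vpc_id
+
+ingress_with_cidr_blocks = [{
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = data.aws_vpc.vpc.cidr_block
+}]
+egress_with_cidr_blocks = [{
+from_port = 0
+to_port = 0
+protocol = "-1"
+cidr_blocks = "0.0.0.0/0"
+}, ]
+tags = local.default_tags
+}
+
+module "public_alb_security_group" {
 source = "terraform-aws-modules/security-group/aws"
 version = "~> 5.1.2"
 
@@ -221,6 +250,11 @@ module "ecs_kong" {
 desired_count = var.desired_count_for_kong_service
 force_new_deployment = var.force_new_deployment
 load_balancer = [
+{
+target_group_arn = module.internal_alb_kong.target_groups_arns[local.kong.internal_target_group]
+container_name = local.kong.name
+container_port = local.kong.admin_port
+},
 {
 target_group = local.kong.public_target_group
 container_name = local.kong.name
@@ -303,14 +337,14 @@ module "ecs_kong" {
 ]
 
 load_balancer = {
-name = local.kong.name
+name = "${local.kong.name}-public"
 internal = false
 subnets_ids = var.public_subnet_ids
-security_groups_ids = [module.alb_security_group.security_group_id]
+security_groups_ids = [module.public_alb_security_group.security_group_id]
 enable_deletion_protection = false
 target_groups = {
 (local.kong.public_target_group) = {
-name = "kong-public"
+name = "${local.kong.name}-public"
 port = 8000
 protocol = "HTTP"
 target_type = "ip"
@@ -330,7 +364,7 @@ module "ecs_kong" {
 kong_https = {
 port = 443
 protocol = "HTTPS"
-certificate_arn = module.route53_record_kong_public_dns.certificate_arn
+certificate_arn = module.kong_public_dns_record.certificate_arn
 ssl_policy = var.ssl_policy
 
 default_action = [
@@ -352,11 +386,67 @@ module "ecs_kong" {
 depends_on = [module.kong_rds]
 }
 
-module "route53_record_kong_public_dns" {
+module "internal_alb_kong" {
+source = "../terraform-aws-ecs-deployment//modules/alb"
+name = "${local.kong.name}-internal"
+internal = true
+subnets_ids = var.private_subnet_ids
+security_groups_ids = [module.internal_alb_security_group.security_group_id]
+enable_deletion_protection = false
+target_groups = {
+(local.kong.internal_target_group) = {
+name = "${local.kong.name}-internal"
+port = 8001
+protocol = "HTTP"
+target_type = "ip"
+vpc_id = var.vpc_id
+health_check = {
+enabled = true
+path = "/status"
+port = local.kong.admin_port
+matcher = 200
+interval = 120
+timeout = 5
+healthy_threshold = 2
+unhealthy_threshold = 3
+}
+}
+}
+listeners = {
+kong_http = {
+port = 80
+protocol = "HTTP"
+
+default_action = [
+{
+type = "forward"
+target_group = local.kong.internal_target_group
+conditions = [
+{
+field = "host-header"
+values = local.kong.admin_domains
+}
+]
+},
+]
+}
+}
+}
+
+module "kong_public_dns_record" {
 source = "./modules/route-53-record"
 
 base_domain = var.base_domain
 endpoints = var.kong_public_sub_domain_names
 alb_dns_name = module.ecs_kong.alb_dns_name
 alb_zone_id = module.ecs_kong.alb_zone_id
 }
+
+module "kong_internal_dns_record" {
+source = "./modules/route-53-record"
+
+base_domain = var.base_domain
+endpoints = var.kong_admin_sub_domain_names
+alb_dns_name = module.internal_alb_kong.dns_name
+alb_zone_id = module.ecs_kong.alb_zone_id
+}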
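Review bot: The ingress rule on internal_alb_security_group (from_port 0, to_port 0, protocol "-1", cidr_blocks = the VPC CIDR) admits every port and protocol from anywhere in the VPC to the load balancer that fronts the Kong Admin API, while the only listener internal_alb_kong declares is HTTP on port 80; the rule should be narrowed to that listener, `from_port = 80`, `to_port = 80`, `protocol = "tcp"`, and preferably the source narrowed from the whole VPC CIDR to the security group or CIDR of the intended admin clients. The same module sets `name = local.kong.alb_sg_name`; the name attribute of public_alb_security_group lies outside this hunk, so if it uses the same local the two groups will collide on name. Separately, kong_internal_dns_record pairs `alb_dns_name = module.internal_alb_kong.dns_name` with `alb_zone_id = module.ecs_kong.alb_zone_id` taken from the public ALB, which only resolves correctly because ALBs in one region share a hosted zone id; the zone id should come from whichever zone-id output the alb module exposes for internal_alb_kong. Since the admin listener carries plain HTTP and the route-53-record module already exposes a certificate_arn (used by the public ALB's kong_https listener), an HTTPS listener on the internal ALB using `module.kong_internal_dns_record.certificate_arn` would keep admin traffic encrypted inside the VPC.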

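--- a/variables.tf
+++ b/variables.tf
@@ -125,6 +125,11 @@ variable "kong_public_sub_domain_names" {
 type = list(any)
 }
 
+variable "kong_admin_sub_domain_names" {
+description = "List of kong admin sub domain names"
+type = list(any)
+}
+
 variable "base_domain" {
 type = string
 description = "Base domain"
@@ -205,7 +210,7 @@ variable "container_image" {
 variable "log_configuration_for_kong" {
 description = "Log configuration for kong"
 type = any
-default = {}
+default = null
 }
 
 variable "cpu_for_kong_task" {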
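Review bot: kong_admin_sub_domain_names is declared as `type = list(any)` although its elements are only ever interpolated into host names (main.tf builds `"${subdomain}.${var.base_domain}"` from them and feeds the result to a host-header listener condition); `type = list(string)` would reject non-string elements at plan time instead of producing an unexpected host value at apply time. The same applies to the existing kong_public_sub_domain_names just above, whose declaration starts outside this hunk.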
