Migrated to https://github.coupang.net/coupang/couplay-kong-terraform-aws
Kong API Gateway is an API gateway microservices management layer. Both Kong and Enterprise Edition are supported.
By default, the following resources will be provisioned:
- RDS PostgreSQL database for Kong's configuration store
- An Auto Scaling Group (ASG) and EC2 instances running Kong (Kong nodes)
- An external load balancer (HTTPS only)
- HTTPS:443 - Kong Proxy
- An internal load balancer (HTTP and HTTPS)
- HTTP:80 - Kong Proxy
- HTTPS:443 - Kong Proxy
- HTTPS:8444 - Kong Admin API (Enterprise Edition only)
- HTTPS:8445 - Kong Manager (Enterprise Edition only)
- HTTPS:8446 - Kong Dev Portal GUI (Enterprise Edition only)
- HTTPS:8447 - Kong Dev Portal API (Enterprise Edition only)
- Security groups granting least privilege access to resources
- An IAM instance profile for access to Kong specific SSM Parameter Store metadata and secrets
Optionally, a redis cluster can be provisioned for rate-limiting counters and caching, and most default resources can be disabled. See variables.tf for a complete list and description of tunables.
The Kong nodes are based on Minimal Ubuntu. Using cloud-init, the following is provisioned on top of the AMI:
- A kong service user
- Minimal set of dependencies and debugging tools
- decK for Kong declarative configuration management
- Kong, running under runit process supervision
- Log rotation of Kong log files
Prerequisites:
- An AWS VPC
- Private and public subnets tagged with a subnet_tag (default = 'Tier' tag)
- Database subnet group
- Cache subnet group (if enabling Redis)
- An SSH Key
- An SSL managed certificate to associate with HTTPS load balancers
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_cidr_blocks | Access to Kong Admin API (Enterprise Edition only) |
|
[
"0.0.0.0/0"
] |
no |
| asg_desired_capacity | The number of instances that should be running in the group |
|
|
no |
| asg_health_check_grace_period | Time in seconds after instance comes into service before checking health |
|
|
no |
| asg_max_size | The maximum size of the auto scale group |
|
|
no |
| asg_min_size | The minimum size of the auto scale group |
|
|
no |
| bastion_cidr_blocks | Bastion hosts allowed access to PostgreSQL and Kong Admin |
|
[
"127.0.0.1/32"
] |
no |
| ce_pkg | Filename of the Community Edition package |
|
|
no |
| cloudwatch_actions | List of cloudwatch actions for Alert/Ok |
|
|
no |
| db_backup_retention_period | The number of days to retain backups |
|
|
no |
| db_engine_mode | Engine mode for Aurora |
|
|
no |
| db_engine_version | Database engine version |
|
|
no |
| db_family | Database parameter group family |
|
|
no |
| db_instance_class | Database instance class |
|
|
no |
| db_instance_count | Number of database instances (0 to leverage an existing db) |
|
|
no |
| db_multi_az | Boolean to specify if RDS is multi-AZ |
|
|
no |
| db_storage_size | Size of the database storage in Gigabytes |
|
|
no |
| db_storage_type | Type of the database storage |
|
|
no |
| db_subnets | Database instance subnet group name |
|
|
no |
| db_username | Database master username |
|
|
no |
| deck_version | Version of decK to install |
|
|
no |
| default_security_group | Name of the default VPC security group for EC2 access |
|
|
no |
| deregistration_delay | Seconds to wait before changing the state of a deregistering target from draining to unused |
|
|
no |
| description | Resource description tag |
|
|
no |
| ec2_ami | Map of Ubuntu Minimal AMIs by region |
|
{
"us-east-1": "ami-7029320f",
"us-east-2": "ami-0350efe0754b8e179",
"us-west-1": "ami-657f9006",
"us-west-2": "ami-59694f21"
} |
no |
| ec2_instance_type | EC2 instance type |
|
|
no |
| ec2_key_name | AWS SSH Key |
|
n/a |
yes |
| ec2_root_volume_size | Size of the root volume (in Gigabytes) |
|
|
no |
| ec2_root_volume_type | Type of the root volume (standard, gp2, or io) |
|
|
no |
| ee_bintray_auth | Bintray authentication for the Enterprise Edition download (Format: username:apikey) |
|
|
no |
| ee_license | Enterprise Edition license key (JSON format) |
|
|
no |
| ee_pkg | Filename of the Enterprise Edition package |
|
|
no |
| enable_aurora | Boolean to enable Aurora |
|
|
no |
| enable_deletion_protection | Boolean to enable delete protection on the ALB |
|
|
no |
| enable_ee | Boolean to enable Kong Enterprise Edition settings |
|
|
no |
| enable_external_lb | Boolean to enable/create the external load balancer, exposing Kong to the Internet |
|
|
no |
| enable_internal_lb | Boolean to enable/create the internal load balancer for the forward proxy |
|
|
no |
| enable_redis | Boolean to enable redis AWS resource |
|
|
no |
| environment | Resource environment tag (i.e. dev, stage, prod) |
|
n/a |
yes |
| external_cidr_blocks | External ingress access to Kong Proxy via the load balancer |
|
[
"0.0.0.0/0"
] |
no |
| health_check_healthy_threshold | Number of consecutives checks before a unhealthy target is considered healthy |
|
|
no |
| health_check_interval | Seconds between health checks |
|
|
no |
| health_check_matcher | HTTP Code(s) that result in a successful response from a target (comma delimited) |
|
|
no |
| health_check_timeout | Seconds waited before a health check fails |
|
|
no |
| health_check_unhealthy_threshold | Number of consecutive checks before considering a target unhealthy |
|
|
no |
| http_4xx_count | HTTP Code 4xx count threshhold |
|
|
no |
| http_5xx_count | HTTP Code 5xx count threshhold |
|
|
no |
| idle_timeout | Seconds a connection can idle before being disconnected |
|
|
no |
| internal_http_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTP) |
|
[
"0.0.0.0/0"
] |
no |
| internal_https_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTPS) |
|
[
"0.0.0.0/0"
] |
no |
| manager_cidr_blocks | Access to Kong Manager (Enterprise Edition only) |
|
[
"0.0.0.0/0"
] |
no |
| manager_host | Hostname to access Kong Manager (Enterprise Edition only) |
|
|
no |
| portal_cidr_blocks | Access to Portal (Enterprise Edition only) |
|
[
"0.0.0.0/0"
] |
no |
| portal_host | Hostname to access Portal (Enterprise Edition only) |
|
|
no |
| private_subnets | Subnet tag on private subnets |
|
|
no |
| public_subnets | Subnet tag on public subnets for external load balancers |
|
|
no |
| redis_engine_version | Redis engine version |
|
|
no |
| redis_family | Redis parameter group family |
|
|
no |
| redis_instance_count | Number of redis nodes |
|
|
no |
| redis_instance_type | Redis node instance type |
|
|
no |
| redis_subnets | Redis cluster subnet group name |
|
|
no |
| service | Resource service tag |
|
|
no |
| ssl_cert_admin | SSL certificate domain name for the Kong Admin API HTTPS listener |
|
n/a |
yes |
| ssl_cert_external | SSL certificate domain name for the external Kong Proxy HTTPS listener |
|
n/a |
yes |
| ssl_cert_internal | SSL certificate domain name for the internal Kong Proxy HTTPS listener |
|
n/a |
yes |
| ssl_cert_manager | SSL certificate domain name for the Kong Manager HTTPS listener |
|
n/a |
yes |
| ssl_cert_portal | SSL certificate domain name for the Dev Portal listener |
|
n/a |
yes |
| ssl_policy | SSL Policy for HTTPS Listeners |
|
|
no |
| subnet_tag | Tag used on subnets to define Tier |
|
|
no |
| tags | Tags to apply to resources |
|
|
no |
| vpc | VPC Name for the AWS account and region specified |
|
n/a |
yes |
| db_final_snapshot_identifier | If specified a final snapshot will be made of the RDS instance. If left blank, the finalsnapshot will be skipped |
|
"" |
no |
Note: Admin, manager, and portal are Enterprise features. While the SSL certificate needs to be defined, it can be the same as the external and/or internal; however, no resources associated with it are created unless enabled.
| Name | Description |
|---|---|
| admin_token | The admin token for Kong |
| lb_endpoint_external | The external load balancer endpoint |
| lb_endpoint_internal | The internal load balancer endpoint |
| master_password | The master password for Kong |
| rds_endpoint | The endpoint for the Kong database |
| rds_password | The database password for Kong |
Example main.tf:
provider "aws" {
region = "us-west-2"
profile = "dev"
}
module "kong" {
source = "github.com/kong/kong-terraform-aws?ref=v3.3"
vpc = "my-vpc"
environment = "dev"
ec2_key_name = "my-key"
ssl_cert_external = "*.domain.name"
ssl_cert_internal = "*.domain.name"
ssl_cert_admin = "*.domain.name"
ssl_cert_manager = "*.domain.name"
ssl_cert_portal = "*.domain.name"
tags = {
Owner = "devops@domain.name"
Team = "DevOps"
}
}
Create the resources in AWS:
terraform init
terraform plan -out kong.plan
terraform apply kong.plan
If installing Enterprise Edition, while resources are being provisioned login to the AWS console and navigate to:
Systems Manager -> Parameter Store
Update the license key by editing the parameter (default value is "placeholder"):
/[service]/[environment]/ee/license
Update the Bintray authentication paramater (default value is "placeholder", format is "username:apikey")" for downloads:
/[service]/[environment]/ee/bintray-auth
Alternatively, if your terraform files and state are secure, you can pass them as variables to the module for a completely hands-off installation.
To login to the EC2 instance(s):
ssh -i [/path/to/key/specified/in/ec2_key_name] ubuntu@[ec2-instance]
You are now ready to manage APIs!