:warning: This terraform module serves as reference point for getting started. While it may work for certain scenarios, it is NOT intended to work with all setups. Please fork the repo or copy over code from here (liberal Apache-licensed).
Kong API Gateway is an API gateway microservices management layer. Both Kong and Enterprise Edition are supported.
By default, the following resources will be provisioned:
Optionally, a redis cluster can be provisioned for rate-limiting counters and caching, and most default resources can be disabled. See variables.tf for a complete list and description of tunables.
The Kong nodes are based on Minimal Ubuntu. Using cloud-init, the following is provisioned on top of the AMI:
Prerequisites:
Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_cidr_blocks | Access to Kong Admin API (Enterprise Edition only) | `list(string)` | ```json [ "0.0.0.0/0" ] ``` | no |
asg_desired_capacity | The number of instances that should be running in the group | `string` | `2` | no |
asg_health_check_grace_period | Time in seconds after instance comes into service before checking health | `string` | `300` | no |
asg_max_size | The maximum size of the auto scale group | `string` | `3` | no |
asg_min_size | The minimum size of the auto scale group | `string` | `1` | no |
bastion_cidr_blocks | Bastion hosts allowed access to PostgreSQL and Kong Admin | `list(string)` | ```json [ "127.0.0.1/32" ] ``` | no |
ce_pkg | Filename of the Community Edition package | `string` | `"kong-1.3.0.bionic.amd64.deb"` | no |
cloudwatch_actions | List of cloudwatch actions for Alert/Ok | `list(string)` | `[]` | no |
db_backup_retention_period | The number of days to retain backups | `string` | `7` | no |
db_engine_mode | Engine mode for Aurora | `string` | `"provisioned"` | no |
db_engine_version | Database engine version | `string` | `"11.4"` | no |
db_family | Database parameter group family | `string` | `"postgres11"` | no |
db_instance_class | Database instance class | `string` | `"db.t2.micro"` | no |
db_instance_count | Number of database instances (0 to leverage an existing db) | `string` | `1` | no |
db_multi_az | Boolean to specify if RDS is multi-AZ | `string` | `false` | no |
db_storage_size | Size of the database storage in Gigabytes | `string` | `20` | no |
db_storage_type | Type of the database storage | `string` | `"gp2"` | no |
db_subnets | Database instance subnet group name | `string` | `"db-subnets"` | no |
db_username | Database master username | `string` | `"root"` | no |
deck_version | Version of decK to install | `string` | `"0.5.2"` | no |
additional_security_groups | IDs of the additional security groups attached to Kong EC2 instance | `list(string)` | `[]` | no |
deregistration_delay | Seconds to wait before changing the state of a deregistering target from draining to unused | `string` | `300` | no |
description | Resource description tag | `string` | `"Kong API Gateway"` | no |
ec2_ami | Map of Ubuntu Minimal AMIs by region | `map(string)` | ```json { "us-east-1": "ami-7029320f", "us-east-2": "ami-0350efe0754b8e179", "us-west-1": "ami-657f9006", "us-west-2": "ami-59694f21" } ``` | no |
ec2_instance_type | EC2 instance type | `string` | `"t2.micro"` | no |
ec2_key_name | AWS SSH Key | `string` | `""` | no |
ec2_root_volume_size | Size of the root volume (in Gigabytes) | `string` | `8` | no |
ec2_root_volume_type | Type of the root volume (standard, gp2, or io) | `string` | `"gp2"` | no |
ee_license | Enterprise Edition license key (JSON format) | `string` | `"placeholder"` | no |
ee_pkg | Filename of the Enterprise Edition package | `string` | `"kong-enterprise-edition-0.36-2.bionic.all.deb"` | no |
enable_aurora | Boolean to enable Aurora | `string` | `"false"` | no |
enable_deletion_protection | Boolean to enable delete protection on the ALB | `string` | `true` | no |
enable_ee | Boolean to enable Kong Enterprise Edition settings | `string` | `false` | no |
enable_external_lb | Boolean to enable/create the external load balancer, exposing Kong to the Internet | `string` | `true` | no |
enable_internal_lb | Boolean to enable/create the internal load balancer for the forward proxy | `string` | `true` | no |
enable_redis | Boolean to enable redis AWS resource | `string` | `false` | no |
environment | Resource environment tag (i.e. dev, stage, prod) | `string` | n/a | yes |
external_cidr_blocks | External ingress access to Kong Proxy via the load balancer | `list(string)` | ```json [ "0.0.0.0/0" ] ``` | no |
health_check_healthy_threshold | Number of consecutives checks before a unhealthy target is considered healthy | `string` | `5` | no |
health_check_interval | Seconds between health checks | `string` | `5` | no |
health_check_matcher | HTTP Code(s) that result in a successful response from a target (comma delimited) | `string` | `200` | no |
health_check_timeout | Seconds waited before a health check fails | `string` | `3` | no |
health_check_unhealthy_threshold | Number of consecutive checks before considering a target unhealthy | `string` | `2` | no |
http_4xx_count | HTTP Code 4xx count threshhold | `string` | `50` | no |
http_5xx_count | HTTP Code 5xx count threshhold | `string` | `50` | no |
idle_timeout | Seconds a connection can idle before being disconnected | `string` | `60` | no |
internal_http_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTP) | `list(string)` | ```json [ "0.0.0.0/0" ] ``` | no |
internal_https_cidr_blocks | Internal ingress access to Kong Proxy via the load balancer (HTTPS) | `list(string)` | ```json [ "0.0.0.0/0" ] ``` | no |
manager_cidr_blocks | Access to Kong Manager (Enterprise Edition only) | `list(string)` | ```json [ "0.0.0.0/0" ] ``` | no |
manager_host | Hostname to access Kong Manager (Enterprise Edition only) | `string` | `"default`" | no |
portal_cidr_blocks | Access to Portal (Enterprise Edition only) | `list(string)` | ```json [ "0.0.0.0/0" ] ``` | no |
portal_host | Hostname to access Portal (Enterprise Edition only) | `string` | `"default`" | no |
private_subnets | Subnet tag on private subnets | `string` | `"private"` | no |
public_subnets | Subnet tag on public subnets for external load balancers | `string` | `"public"` | no |
redis_engine_version | Redis engine version | `string` | `"5.0.5"` | no |
redis_family | Redis parameter group family | `string` | `"redis5.0"` | no |
redis_instance_count | Number of redis nodes | `string` | `2` | no |
redis_instance_type | Redis node instance type | `string` | `"cache.t2.small"` | no |
redis_subnets | Redis cluster subnet group name | `string` | `"cache-subnets"` | no |
service | Resource service tag | `string` | `"kong"` | no |
ssl_cert_admin | SSL certificate domain name for the Kong Admin API HTTPS listener | `string` | n/a | yes |
ssl_cert_external | SSL certificate domain name for the external Kong Proxy HTTPS listener | `string` | n/a | yes |
ssl_cert_internal | SSL certificate domain name for the internal Kong Proxy HTTPS listener | `string` | n/a | yes |
ssl_cert_manager | SSL certificate domain name for the Kong Manager HTTPS listener | `string` | n/a | yes |
ssl_cert_portal | SSL certificate domain name for the Dev Portal listener | `string` | n/a | yes |
ssl_policy | SSL Policy for HTTPS Listeners | `string` | `"ELBSecurityPolicy-TLS-1-2-2017-01"` | no |
subnet_tag | Tag used on subnets to define Tier | `string` | `"Tier"` | no |
tags | Tags to apply to resources | `map` | `{}` | no |
vpc_id | VPC ID for the AWS account and region specified | `string` | n/a | yes |
db_final_snapshot_identifier | If specified a final snapshot will be made of the RDS/Aurora instance. If left blank, the finalsnapshot will be skipped | `string` | "" | no |
Note: Admin, manager, and portal are Enterprise features. While the SSL certificate needs to be defined, it can be the same as the external and/or internal; however, no resources associated with it are created unless enabled.
Name | Description |
---|---|
admin_token | The admin token for Kong |
lb_endpoint_external | The external load balancer endpoint |
lb_endpoint_internal | The internal load balancer endpoint |
master_password | The master password for Kong |
rds_endpoint | The endpoint for the Kong database |
rds_password | The database password for Kong |
Example main.tf:
provider "aws" {
region = "us-west-2"
profile = "dev"
}
module "kong" {
source = "github.com/kong/kong-terraform-aws?ref=v3.3"
vpc = "my-vpc"
environment = "dev"
ec2_key_name = "my-key"
ssl_cert_external = "*.domain.name"
ssl_cert_internal = "*.domain.name"
ssl_cert_admin = "*.domain.name"
ssl_cert_manager = "*.domain.name"
ssl_cert_portal = "*.domain.name"
tags = {
Owner = "devops@domain.name"
Team = "DevOps"
}
}
Create the resources in AWS:
terraform init
terraform plan -out kong.plan
terraform apply kong.plan
If installing Enterprise Edition, while resources are being provisioned login to the AWS console and navigate to:
Systems Manager -> Parameter Store
Update the license key by editing the parameter (default value is "placeholder"):
/[service]/[environment]/ee/license
Alternatively, if your terraform files and state are secure, you can pass them as variables to the module for a completely hands-off installation.
To login to the EC2 instance(s):
ssh -i [/path/to/key/specified/in/ec2_key_name] ubuntu@[ec2-instance]
You are now ready to manage APIs!