From fba89f20d0704609b64a7461af3c141fe88c01d5 Mon Sep 17 00:00:00 2001 From: Orla Dunlop <94905017+odunlop@users.noreply.github.com> Date: Thu, 23 May 2024 13:11:52 +0100 Subject: [PATCH] feat: upgrade module for kong v3 compatibility (#108) Signed-off-by: Orla Dunlop --- main.tf | 11 +++- modules/ec2/main.tf | 92 +++++++++++++++------------- modules/ec2/variables.tf | 13 ++++ modules/ecs/main.tf | 67 ++++++++++---------- modules/ecs/variables.tf | 12 ++++ templates/amazon-linux/cloud-init.sh | 6 +- templates/ecs/kong_control_plane.tpl | 8 ++- templates/ecs/kong_portal.tpl | 6 ++ templates/ubuntu/cloud-init.sh | 6 +- variables.tf | 22 +++++++ 10 files changed, 161 insertions(+), 82 deletions(-) diff --git a/main.tf b/main.tf index e237ce2..7eaeed9 100644 --- a/main.tf +++ b/main.tf @@ -64,6 +64,7 @@ module "kong_ec2" { instance_type = var.instance_type key_name = var.key_name user_data = var.user_data + kong_major_version = var.kong_major_version kong_clear_database = var.kong_clear_database kong_config = var.kong_config kong_database_config = var.kong_database_config @@ -97,6 +98,7 @@ module "kong_ec2" { kong_vitals_enabled = var.kong_vitals_enabled vitals_endpoint = var.vitals_endpoint vitals_tsdb_address = var.vitals_tsdb_address + portal_and_vitals_key_arn = var.portal_and_vitals_key_arn } @@ -104,6 +106,8 @@ module "kong_ecs" { count = var.deployment_type == "ecs" ? 1 : 0 source = "./modules/ecs" + kong_major_version = var.kong_major_version + environment = var.environment role = var.role ecs_cluster_arn = var.ecs_cluster_arn @@ -150,9 +154,10 @@ module "kong_ecs" { postgres_host = var.postgres_host db_password_arn = var.db_password_arn - kong_vitals_enabled = var.kong_vitals_enabled - kong_portal_enabled = var.kong_portal_enabled - kong_portal_api_enabled = var.kong_portal_api_enabled + kong_vitals_enabled = var.kong_vitals_enabled + kong_portal_enabled = var.kong_portal_enabled + kong_portal_api_enabled = var.kong_portal_api_enabled + portal_and_vitals_key_arn = var.portal_and_vitals_key_arn kong_admin_gui_session_conf = var.kong_admin_gui_session_conf diff --git a/modules/ec2/main.tf b/modules/ec2/main.tf index e1cd147..17fe90f 100644 --- a/modules/ec2/main.tf +++ b/modules/ec2/main.tf @@ -38,28 +38,30 @@ locals { } user_data_script = { amazon-linux = templatefile("${path.module}/../../templates/amazon-linux/cloud-init.sh", { - proxy_config = var.proxy_config - db_user = var.kong_database_config.user - db_host = local.db_info.endpoint - db_name = local.db_info.database_name - ce_pkg = var.ce_pkg - ee_pkg = var.ee_pkg - ee_creds_ssm_param = var.ee_creds_ssm_param - parameter_path = local.ssm_parameter_path - region = var.region - vpc_cidr_block = var.vpc_cidr_block - deck_version = var.deck_version - manager_host = var.manager_host - portal_host = var.portal_host - session_secret = random_string.session_secret.result - kong_config = var.kong_config - kong_ports = var.kong_ports - kong_ssl_uris = var.kong_ssl_uris - kong_hybrid_conf = var.kong_hybrid_conf - clear_database = var.kong_clear_database - kong_plugins = join(",", concat(["bundled"], var.kong_plugins)) - kong_vitals_enabled = var.kong_vitals_enabled - vitals_tsdb_address = var.vitals_tsdb_address + proxy_config = var.proxy_config + db_user = var.kong_database_config.user + db_host = local.db_info.endpoint + db_name = local.db_info.database_name + ce_pkg = var.ce_pkg + ee_pkg = var.ee_pkg + ee_creds_ssm_param = var.ee_creds_ssm_param + parameter_path = local.ssm_parameter_path + region = var.region + vpc_cidr_block = var.vpc_cidr_block + deck_version = var.deck_version + manager_host = var.manager_host + portal_host = var.portal_host + portal_and_vitals_key_arn = var.portal_and_vitals_key_arn + session_secret = random_string.session_secret.result + kong_config = var.kong_config + kong_ports = var.kong_ports + kong_ssl_uris = var.kong_ssl_uris + kong_hybrid_conf = var.kong_hybrid_conf + clear_database = var.kong_clear_database + api_uri_env_name = var.kong_major_version > 2 ? "KONG_ADMIN_GUI_API_URL" : "KONG_ADMIN_API_URI" + kong_plugins = join(",", concat(["bundled"], var.kong_plugins)) + kong_vitals_enabled = var.kong_vitals_enabled + vitals_tsdb_address = var.vitals_tsdb_address vitals_endpoint = var.vitals_endpoint != null ? format("%s:%g %s", var.vitals_endpoint.fqdn, var.vitals_endpoint.port, @@ -67,28 +69,30 @@ locals { ) : "" }) ubuntu = templatefile("${path.module}/../../templates/ubuntu/cloud-init.sh", { - proxy_config = var.proxy_config - db_user = var.kong_database_config.user - db_host = local.db_info.endpoint - db_name = local.db_info.database_name - ce_pkg = var.ce_pkg - ee_pkg = var.ee_pkg - ee_creds_ssm_param = var.ee_creds_ssm_param - parameter_path = local.ssm_parameter_path - region = var.region - vpc_cidr_block = var.vpc_cidr_block - deck_version = var.deck_version - manager_host = var.manager_host - portal_host = var.portal_host - session_secret = random_string.session_secret.result - kong_config = var.kong_config - kong_ports = var.kong_ports - kong_ssl_uris = var.kong_ssl_uris - kong_hybrid_conf = var.kong_hybrid_conf - clear_database = var.kong_clear_database - kong_plugins = join(",", concat(["bundled"], var.kong_plugins)) - kong_vitals_enabled = var.kong_vitals_enabled - vitals_tsdb_address = var.vitals_tsdb_address + proxy_config = var.proxy_config + db_user = var.kong_database_config.user + db_host = local.db_info.endpoint + db_name = local.db_info.database_name + ce_pkg = var.ce_pkg + ee_pkg = var.ee_pkg + ee_creds_ssm_param = var.ee_creds_ssm_param + parameter_path = local.ssm_parameter_path + region = var.region + vpc_cidr_block = var.vpc_cidr_block + deck_version = var.deck_version + manager_host = var.manager_host + portal_host = var.portal_host + portal_and_vitals_key_arn = var.portal_and_vitals_key_arn + session_secret = random_string.session_secret.result + kong_config = var.kong_config + kong_ports = var.kong_ports + kong_ssl_uris = var.kong_ssl_uris + kong_hybrid_conf = var.kong_hybrid_conf + clear_database = var.kong_clear_database + api_uri_env_name = var.kong_major_version > 2 ? "KONG_ADMIN_GUI_API_URL" : "KONG_ADMIN_API_URI" + kong_plugins = join(",", concat(["bundled"], var.kong_plugins)) + kong_vitals_enabled = var.kong_vitals_enabled + vitals_tsdb_address = var.vitals_tsdb_address vitals_endpoint = var.vitals_endpoint != null ? format("%s:%g %s", var.vitals_endpoint.fqdn, var.vitals_endpoint.port, diff --git a/modules/ec2/variables.tf b/modules/ec2/variables.tf index 2ef1ab5..f6c842a 100644 --- a/modules/ec2/variables.tf +++ b/modules/ec2/variables.tf @@ -194,6 +194,13 @@ variable "kong_clear_database" { default = false } +# V3 WIP +variable "kong_major_version" { + description = "(Optional) Used to define which Kong major version to use" + type = number + default = 2 # Eventually moved to 3 +} + variable "kong_config" { description = "(Optional) A map of key value pairs that describe the Kong GW config, used when constructing the userdata script" type = map(string) @@ -599,3 +606,9 @@ variable "vitals_tsdb_address" { description = "Time series database address for Vitals e.g. my-prometheus.net:9090" type = string } + +variable "portal_and_vitals_key_arn" { + description = "ARN of the secret which contains the token used to unlock portal and vitals in Kong V3" + type = string + default = "" +} diff --git a/modules/ecs/main.tf b/modules/ecs/main.tf index 764ff02..f20063f 100644 --- a/modules/ecs/main.tf +++ b/modules/ecs/main.tf @@ -52,11 +52,13 @@ resource "aws_ecs_task_definition" "kong" { error_log_format = var.error_log_format ssl_cert = var.ssl_cert ssl_key = var.ssl_key + api_uri_env_name = var.kong_major_version > 2 ? "KONG_ADMIN_GUI_API_URL" : "KONG_ADMIN_API_URI" kong_admin_api_uri = var.kong_admin_api_uri kong_admin_gui_url = var.kong_admin_gui_url admin_token = var.admin_token kong_vitals_enabled = var.kong_vitals_enabled kong_portal_enabled = var.kong_portal_enabled + portal_and_vitals_key_arn = var.portal_and_vitals_key_arn lua_ssl_cert = var.lua_ssl_cert kong_cluster_mtls = var.kong_cluster_mtls cluster_ca_cert = var.cluster_ca_cert @@ -107,38 +109,39 @@ resource "aws_ecs_task_definition" "kong" { ) : "" }) : var.role == "portal" ? templatefile("${path.module}/../../templates/ecs/kong_portal.tpl", { - name = local.name - group_name = local.name - cpu = var.fargate_cpu - image_url = var.image_url - memory = var.fargate_memory - user = "kong" - db_user = var.kong_database_config.user - db_host = local.db_info.endpoint - db_name = local.db_info.database_name - db_password_arn = var.db_password_arn - log_group = var.log_group - portal_gui_port = var.kong_ports.portal_gui - portal_api_port = var.kong_portal_api_enabled == "on" ? var.kong_ports.portal_api : "" - status_port = var.kong_ports.status - kong_portal_gui_host = var.kong_portal_gui_host - kong_portal_gui_protocol = var.kong_portal_gui_protocol - kong_portal_api_url = var.kong_portal_api_url - kong_portal_api_enabled = var.kong_portal_api_enabled - ports = jsonencode([for k, v in var.kong_ports : v]) - ulimits = jsonencode([4096]) - region = var.region - access_log_format = var.access_log_format - error_log_format = var.error_log_format - ssl_cert = var.ssl_cert - ssl_key = var.ssl_key - cluster_cert = var.cluster_cert - cluster_key = var.cluster_key - kong_log_level = var.kong_log_level - kong_plugins = join(",", concat(["bundled"], var.kong_plugins)) - entrypoint = var.entrypoint - nginx_custom_config = base64encode(var.nginx_custom_config) - environment = var.environment + name = local.name + group_name = local.name + cpu = var.fargate_cpu + image_url = var.image_url + memory = var.fargate_memory + user = "kong" + db_user = var.kong_database_config.user + db_host = local.db_info.endpoint + db_name = local.db_info.database_name + db_password_arn = var.db_password_arn + log_group = var.log_group + portal_gui_port = var.kong_ports.portal_gui + portal_api_port = var.kong_portal_api_enabled == "on" ? var.kong_ports.portal_api : "" + status_port = var.kong_ports.status + kong_portal_gui_host = var.kong_portal_gui_host + kong_portal_gui_protocol = var.kong_portal_gui_protocol + kong_portal_api_url = var.kong_portal_api_url + kong_portal_api_enabled = var.kong_portal_api_enabled + portal_and_vitals_key_arn = var.portal_and_vitals_key_arn + ports = jsonencode([for k, v in var.kong_ports : v]) + ulimits = jsonencode([4096]) + region = var.region + access_log_format = var.access_log_format + error_log_format = var.error_log_format + ssl_cert = var.ssl_cert + ssl_key = var.ssl_key + cluster_cert = var.cluster_cert + cluster_key = var.cluster_key + kong_log_level = var.kong_log_level + kong_plugins = join(",", concat(["bundled"], var.kong_plugins)) + entrypoint = var.entrypoint + nginx_custom_config = base64encode(var.nginx_custom_config) + environment = var.environment }) : null tags = { diff --git a/modules/ecs/variables.tf b/modules/ecs/variables.tf index 250208e..c3d600c 100644 --- a/modules/ecs/variables.tf +++ b/modules/ecs/variables.tf @@ -1,3 +1,9 @@ +variable "kong_major_version" { + description = "(Optional) Used to define which Kong major version to use" + type = number + default = 2 # Eventually changed to three +} + variable "private_subnets" { description = "(Optional) List of private subnet IDs, if not specified then the subnets listed in the private_subnets_to_create variable will be created and used" type = list(string) @@ -348,6 +354,12 @@ variable "kong_plugins" { default = [] } +variable "portal_and_vitals_key_arn" { + description = "ARN of the secret which contains the token used to unlock portal and vitals in Kong V3" + type = string + default = "" +} + variable "vitals_endpoint" { description = "(Optional) The DNS name for the Vitals endpoint that Gateways should send their metrics to" type = object({ diff --git a/templates/amazon-linux/cloud-init.sh b/templates/amazon-linux/cloud-init.sh index a5bbb6e..bda38c6 100644 --- a/templates/amazon-linux/cloud-init.sh +++ b/templates/amazon-linux/cloud-init.sh @@ -233,7 +233,7 @@ KONG_ADMIN_GUI_LISTEN="0.0.0.0:${kong_ports.admin_gui}%{ if kong_ssl_uris.protoc KONG_PORTAL_GUI_LISTEN="0.0.0.0:${kong_ports.portal_gui}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}" KONG_PORTAL_API_LISTEN="0.0.0.0:${kong_ports.portal_api}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}" -KONG_ADMIN_API_URI="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}" +${api_uri_env_name}="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}" KONG_ADMIN_GUI_URL="${kong_ssl_uris.admin_gui_url}" KONG_PORTAL_GUI_PROTOCOL="${kong_ssl_uris.protocol}" @@ -380,6 +380,10 @@ KONG_PORTAL_GUI_SSL_CERT="/etc/kong_clustering/cluster.crt" KONG_PORTAL_GUI_SSL_CERT_KEY="/etc/kong_clustering/cluster.key" %{ endif ~} +%{ if portal_and_vitals_key_arn != "" } +KONG_PORTAL_AND_VITALS_KEY="${portal_and_vitals_key_arn}" +%{ endif } + %{ if lookup(kong_config, "KONG_ROLE", null) == "data_plane" ~} KONG_CLUSTER_MTLS="${kong_hybrid_conf.mtls}" %{ if kong_hybrid_conf.ca_cert != "" ~} diff --git a/templates/ecs/kong_control_plane.tpl b/templates/ecs/kong_control_plane.tpl index f8d03f7..895a6b8 100644 --- a/templates/ecs/kong_control_plane.tpl +++ b/templates/ecs/kong_control_plane.tpl @@ -80,7 +80,7 @@ "value": "0.0.0.0:${admin_gui_port} ssl" }, { - "name": "KONG_ADMIN_API_URI", + "name": "${api_uri_env_name}", "value": "${kong_admin_api_uri}" }, { @@ -221,6 +221,12 @@ "name": "CLUSTER_KEY", "valueFrom": "${cluster_key}" } + %{ if portal_and_vitals_key_arn != "" } + ,{ + "name": "KONG_PORTAL_AND_VITALS_KEY", + "valueFrom": "${portal_and_vitals_key_arn}" + } + %{ endif } ], "entryPoint": ["${entrypoint}"], "healthCheck": { diff --git a/templates/ecs/kong_portal.tpl b/templates/ecs/kong_portal.tpl index 8a52fd7..6a297d6 100644 --- a/templates/ecs/kong_portal.tpl +++ b/templates/ecs/kong_portal.tpl @@ -177,6 +177,12 @@ "name": "CLUSTER_KEY", "valueFrom": "${cluster_key}" } + %{ if portal_and_vitals_key_arn != "" } + ,{ + "name": "KONG_PORTAL_AND_VITALS_KEY", + "valueFrom": "${portal_and_vitals_key_arn}" + } + %{ endif } ], "entryPoint": ["${entrypoint}"], "healthCheck": { diff --git a/templates/ubuntu/cloud-init.sh b/templates/ubuntu/cloud-init.sh index 0266f91..b1e7972 100644 --- a/templates/ubuntu/cloud-init.sh +++ b/templates/ubuntu/cloud-init.sh @@ -235,9 +235,13 @@ KONG_ADMIN_GUI_LISTEN="0.0.0.0:${kong_ports.admin_gui}%{ if kong_ssl_uris.protoc KONG_PORTAL_GUI_LISTEN="0.0.0.0:${kong_ports.portal_gui}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}" KONG_PORTAL_API_LISTEN="0.0.0.0:${kong_ports.portal_api}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}" -KONG_ADMIN_API_URI="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}" +${api_uri_env_name}="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}" KONG_ADMIN_GUI_URL="${kong_ssl_uris.admin_gui_url}" +%{ if portal_and_vitals_key_arn != "" } +KONG_PORTAL_AND_VITALS_KEY="${portal_and_vitals_key_arn}" +%{ endif } + KONG_PORTAL_GUI_PROTOCOL="${kong_ssl_uris.protocol}" KONG_PORTAL_GUI_HOST="${replace(kong_ssl_uris.portal_gui_host, "${kong_ssl_uris.protocol}://", "")}" KONG_PORTAL_API_URL="${kong_ssl_uris.portal_api_url}" diff --git a/variables.tf b/variables.tf index f27dfed..c30999c 100644 --- a/variables.tf +++ b/variables.tf @@ -241,6 +241,17 @@ variable "kong_hybrid_conf" { } } +variable "kong_major_version" { + description = "(Optional) Used to define which Kong major version to use" + type = number + default = 2 # Eventually moved to 3 + + validation { + condition = contains([2, 3], var.kong_major_version) + error_message = "Must be one of the following values: 2, 3." + } +} + variable "kong_ports" { description = "(Optional) An object defining the kong http ports" type = map(number) @@ -304,6 +315,17 @@ variable "postgres_host" { default = "" } +variable "portal_and_vitals_key_arn" { + description = "(Optional) ARN of the secret which contains the token used to unlock portal and vitals in Kong V3" + type = string + default = "" + + validation { + condition = var.portal_and_vitals_key_arn != "" ? can(startswith("arn:aws:", var.portal_and_vitals_key_arn)) : true + error_message = "Invalid format. Please provide a valid ARN." + } +} + variable "private_subnets" { description = "(Optional) List of private subnet IDs, if not specified then the subnets listed in the private_subnets_to_create variable will be created and used" type = list(string)