feat: upgrade module for kong v3 compatibility

main.tf

@@ -64,6 +64,7 @@ module "kong_ec2" {
   instance_type                     = var.instance_type
   key_name                          = var.key_name
   user_data                         = var.user_data
+  kong_major_version                = var.kong_major_version
   kong_clear_database               = var.kong_clear_database
   kong_config                       = var.kong_config
   kong_database_config              = var.kong_database_config
@@ -97,13 +98,16 @@ module "kong_ec2" {
   kong_vitals_enabled               = var.kong_vitals_enabled
   vitals_endpoint                   = var.vitals_endpoint
   vitals_tsdb_address               = var.vitals_tsdb_address
+  portal_and_vitals_key_arn         = var.portal_and_vitals_key_arn
 }
 
 
 module "kong_ecs" {
   count  = var.deployment_type == "ecs" ? 1 : 0
   source = "./modules/ecs"
 
+  kong_major_version = var.kong_major_version
+
   environment            = var.environment
   role                   = var.role
   ecs_cluster_arn        = var.ecs_cluster_arn
@@ -150,9 +154,10 @@ module "kong_ecs" {
   postgres_host        = var.postgres_host
   db_password_arn      = var.db_password_arn
 
-  kong_vitals_enabled     = var.kong_vitals_enabled
-  kong_portal_enabled     = var.kong_portal_enabled
-  kong_portal_api_enabled = var.kong_portal_api_enabled
+  kong_vitals_enabled       = var.kong_vitals_enabled
+  kong_portal_enabled       = var.kong_portal_enabled
+  kong_portal_api_enabled   = var.kong_portal_api_enabled
+  portal_and_vitals_key_arn = var.portal_and_vitals_key_arn
 
   kong_admin_gui_session_conf = var.kong_admin_gui_session_conf
 

modules/ec2/main.tf

@@ -38,57 +38,61 @@ locals {
   }
   user_data_script = {
     amazon-linux = templatefile("${path.module}/../../templates/amazon-linux/cloud-init.sh", {
-      proxy_config        = var.proxy_config
-      db_user             = var.kong_database_config.user
-      db_host             = local.db_info.endpoint
-      db_name             = local.db_info.database_name
-      ce_pkg              = var.ce_pkg
-      ee_pkg              = var.ee_pkg
-      ee_creds_ssm_param  = var.ee_creds_ssm_param
-      parameter_path      = local.ssm_parameter_path
-      region              = var.region
-      vpc_cidr_block      = var.vpc_cidr_block
-      deck_version        = var.deck_version
-      manager_host        = var.manager_host
-      portal_host         = var.portal_host
-      session_secret      = random_string.session_secret.result
-      kong_config         = var.kong_config
-      kong_ports          = var.kong_ports
-      kong_ssl_uris       = var.kong_ssl_uris
-      kong_hybrid_conf    = var.kong_hybrid_conf
-      clear_database      = var.kong_clear_database
-      kong_plugins        = join(",", concat(["bundled"], var.kong_plugins))
-      kong_vitals_enabled = var.kong_vitals_enabled
-      vitals_tsdb_address = var.vitals_tsdb_address
+      proxy_config              = var.proxy_config
+      db_user                   = var.kong_database_config.user
+      db_host                   = local.db_info.endpoint
+      db_name                   = local.db_info.database_name
+      ce_pkg                    = var.ce_pkg
+      ee_pkg                    = var.ee_pkg
+      ee_creds_ssm_param        = var.ee_creds_ssm_param
+      parameter_path            = local.ssm_parameter_path
+      region                    = var.region
+      vpc_cidr_block            = var.vpc_cidr_block
+      deck_version              = var.deck_version
+      manager_host              = var.manager_host
+      portal_host               = var.portal_host
+      portal_and_vitals_key_arn = var.portal_and_vitals_key_arn
+      session_secret            = random_string.session_secret.result
+      kong_config               = var.kong_config
+      kong_ports                = var.kong_ports
+      kong_ssl_uris             = var.kong_ssl_uris
+      kong_hybrid_conf          = var.kong_hybrid_conf
+      clear_database            = var.kong_clear_database
+      api_uri_env_name          = var.kong_major_version > 2 ? "KONG_ADMIN_GUI_API_URL" : "KONG_ADMIN_API_URI"
+      kong_plugins              = join(",", concat(["bundled"], var.kong_plugins))
+      kong_vitals_enabled       = var.kong_vitals_enabled
+      vitals_tsdb_address       = var.vitals_tsdb_address
       vitals_endpoint = var.vitals_endpoint != null ? format("%s:%g %s",
         var.vitals_endpoint.fqdn,
         var.vitals_endpoint.port,
         lower(var.vitals_endpoint.protocol)
       ) : ""
     })
     ubuntu = templatefile("${path.module}/../../templates/ubuntu/cloud-init.sh", {
-      proxy_config        = var.proxy_config
-      db_user             = var.kong_database_config.user
-      db_host             = local.db_info.endpoint
-      db_name             = local.db_info.database_name
-      ce_pkg              = var.ce_pkg
-      ee_pkg              = var.ee_pkg
-      ee_creds_ssm_param  = var.ee_creds_ssm_param
-      parameter_path      = local.ssm_parameter_path
-      region              = var.region
-      vpc_cidr_block      = var.vpc_cidr_block
-      deck_version        = var.deck_version
-      manager_host        = var.manager_host
-      portal_host         = var.portal_host
-      session_secret      = random_string.session_secret.result
-      kong_config         = var.kong_config
-      kong_ports          = var.kong_ports
-      kong_ssl_uris       = var.kong_ssl_uris
-      kong_hybrid_conf    = var.kong_hybrid_conf
-      clear_database      = var.kong_clear_database
-      kong_plugins        = join(",", concat(["bundled"], var.kong_plugins))
-      kong_vitals_enabled = var.kong_vitals_enabled
-      vitals_tsdb_address = var.vitals_tsdb_address
+      proxy_config              = var.proxy_config
+      db_user                   = var.kong_database_config.user
+      db_host                   = local.db_info.endpoint
+      db_name                   = local.db_info.database_name
+      ce_pkg                    = var.ce_pkg
+      ee_pkg                    = var.ee_pkg
+      ee_creds_ssm_param        = var.ee_creds_ssm_param
+      parameter_path            = local.ssm_parameter_path
+      region                    = var.region
+      vpc_cidr_block            = var.vpc_cidr_block
+      deck_version              = var.deck_version
+      manager_host              = var.manager_host
+      portal_host               = var.portal_host
+      portal_and_vitals_key_arn = var.portal_and_vitals_key_arn
+      session_secret            = random_string.session_secret.result
+      kong_config               = var.kong_config
+      kong_ports                = var.kong_ports
+      kong_ssl_uris             = var.kong_ssl_uris
+      kong_hybrid_conf          = var.kong_hybrid_conf
+      clear_database            = var.kong_clear_database
+      api_uri_env_name          = var.kong_major_version > 2 ? "KONG_ADMIN_GUI_API_URL" : "KONG_ADMIN_API_URI"
+      kong_plugins              = join(",", concat(["bundled"], var.kong_plugins))
+      kong_vitals_enabled       = var.kong_vitals_enabled
+      vitals_tsdb_address       = var.vitals_tsdb_address
       vitals_endpoint = var.vitals_endpoint != null ? format("%s:%g %s",
         var.vitals_endpoint.fqdn,
         var.vitals_endpoint.port,

modules/ec2/variables.tf

@@ -194,6 +194,13 @@ variable "kong_clear_database" {
   default     = false
 }
 
+# V3 WIP
+variable "kong_major_version" {
+  description = "(Optional) Used to define which Kong major version to use"
+  type        = number
+  default     = 2 # Eventually moved to 3
+}
+
 variable "kong_config" {
   description = "(Optional) A map of key value pairs that describe the Kong GW config, used when constructing the userdata script"
   type        = map(string)
@@ -599,3 +606,9 @@ variable "vitals_tsdb_address" {
   description = "Time series database address for Vitals e.g. my-prometheus.net:9090"
   type        = string
 }
+
+variable "portal_and_vitals_key_arn" {
+  description = "ARN of the secret which contains the token used to unlock portal and vitals in Kong V3"
+  type        = string
+  default     = ""
+}

modules/ecs/main.tf

@@ -52,11 +52,13 @@ resource "aws_ecs_task_definition" "kong" {
       error_log_format            = var.error_log_format
       ssl_cert                    = var.ssl_cert
       ssl_key                     = var.ssl_key
+      api_uri_env_name            = var.kong_major_version > 2 ? "KONG_ADMIN_GUI_API_URL" : "KONG_ADMIN_API_URI"
       kong_admin_api_uri          = var.kong_admin_api_uri
       kong_admin_gui_url          = var.kong_admin_gui_url
       admin_token                 = var.admin_token
       kong_vitals_enabled         = var.kong_vitals_enabled
       kong_portal_enabled         = var.kong_portal_enabled
+      portal_and_vitals_key_arn   = var.portal_and_vitals_key_arn
       lua_ssl_cert                = var.lua_ssl_cert
       kong_cluster_mtls           = var.kong_cluster_mtls
       cluster_ca_cert             = var.cluster_ca_cert
@@ -107,38 +109,39 @@ resource "aws_ecs_task_definition" "kong" {
       ) : ""
     }) : var.role == "portal" ? templatefile("${path.module}/../../templates/ecs/kong_portal.tpl",
     {
-      name                     = local.name
-      group_name               = local.name
-      cpu                      = var.fargate_cpu
-      image_url                = var.image_url
-      memory                   = var.fargate_memory
-      user                     = "kong"
-      db_user                  = var.kong_database_config.user
-      db_host                  = local.db_info.endpoint
-      db_name                  = local.db_info.database_name
-      db_password_arn          = var.db_password_arn
-      log_group                = var.log_group
-      portal_gui_port          = var.kong_ports.portal_gui
-      portal_api_port          = var.kong_portal_api_enabled == "on" ? var.kong_ports.portal_api : ""
-      status_port              = var.kong_ports.status
-      kong_portal_gui_host     = var.kong_portal_gui_host
-      kong_portal_gui_protocol = var.kong_portal_gui_protocol
-      kong_portal_api_url      = var.kong_portal_api_url
-      kong_portal_api_enabled  = var.kong_portal_api_enabled
-      ports                    = jsonencode([for k, v in var.kong_ports : v])
-      ulimits                  = jsonencode([4096])
-      region                   = var.region
-      access_log_format        = var.access_log_format
-      error_log_format         = var.error_log_format
-      ssl_cert                 = var.ssl_cert
-      ssl_key                  = var.ssl_key
-      cluster_cert             = var.cluster_cert
-      cluster_key              = var.cluster_key
-      kong_log_level           = var.kong_log_level
-      kong_plugins             = join(",", concat(["bundled"], var.kong_plugins))
-      entrypoint               = var.entrypoint
-      nginx_custom_config      = base64encode(var.nginx_custom_config)
-      environment              = var.environment
+      name                      = local.name
+      group_name                = local.name
+      cpu                       = var.fargate_cpu
+      image_url                 = var.image_url
+      memory                    = var.fargate_memory
+      user                      = "kong"
+      db_user                   = var.kong_database_config.user
+      db_host                   = local.db_info.endpoint
+      db_name                   = local.db_info.database_name
+      db_password_arn           = var.db_password_arn
+      log_group                 = var.log_group
+      portal_gui_port           = var.kong_ports.portal_gui
+      portal_api_port           = var.kong_portal_api_enabled == "on" ? var.kong_ports.portal_api : ""
+      status_port               = var.kong_ports.status
+      kong_portal_gui_host      = var.kong_portal_gui_host
+      kong_portal_gui_protocol  = var.kong_portal_gui_protocol
+      kong_portal_api_url       = var.kong_portal_api_url
+      kong_portal_api_enabled   = var.kong_portal_api_enabled
+      portal_and_vitals_key_arn = var.portal_and_vitals_key_arn
+      ports                     = jsonencode([for k, v in var.kong_ports : v])
+      ulimits                   = jsonencode([4096])
+      region                    = var.region
+      access_log_format         = var.access_log_format
+      error_log_format          = var.error_log_format
+      ssl_cert                  = var.ssl_cert
+      ssl_key                   = var.ssl_key
+      cluster_cert              = var.cluster_cert
+      cluster_key               = var.cluster_key
+      kong_log_level            = var.kong_log_level
+      kong_plugins              = join(",", concat(["bundled"], var.kong_plugins))
+      entrypoint                = var.entrypoint
+      nginx_custom_config       = base64encode(var.nginx_custom_config)
+      environment               = var.environment
   }) : null
 
   tags = {

modules/ecs/variables.tf

@@ -1,3 +1,9 @@
+variable "kong_major_version" {
+  description = "(Optional) Used to define which Kong major version to use"
+  type        = number
+  default     = 2 # Eventually changed to three
+}
+
 variable "private_subnets" {
   description = "(Optional) List of private subnet IDs, if not specified then the subnets listed in the private_subnets_to_create variable will be created and used"
   type        = list(string)
@@ -348,6 +354,12 @@ variable "kong_plugins" {
   default     = []
 }
 
+variable "portal_and_vitals_key_arn" {
+  description = "ARN of the secret which contains the token used to unlock portal and vitals in Kong V3"
+  type        = string
+  default     = ""
+}
+
 variable "vitals_endpoint" {
   description = "(Optional) The DNS name for the Vitals endpoint that Gateways should send their metrics to"
   type = object({

templates/amazon-linux/cloud-init.sh

@@ -233,7 +233,7 @@ KONG_ADMIN_GUI_LISTEN="0.0.0.0:${kong_ports.admin_gui}%{ if kong_ssl_uris.protoc
 KONG_PORTAL_GUI_LISTEN="0.0.0.0:${kong_ports.portal_gui}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}"
 KONG_PORTAL_API_LISTEN="0.0.0.0:${kong_ports.portal_api}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}"
 
-KONG_ADMIN_API_URI="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}"
+${api_uri_env_name}="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}"
 KONG_ADMIN_GUI_URL="${kong_ssl_uris.admin_gui_url}"
 
 KONG_PORTAL_GUI_PROTOCOL="${kong_ssl_uris.protocol}"
@@ -380,6 +380,10 @@ KONG_PORTAL_GUI_SSL_CERT="/etc/kong_clustering/cluster.crt"
 KONG_PORTAL_GUI_SSL_CERT_KEY="/etc/kong_clustering/cluster.key"
 %{ endif ~}
 
+%{ if portal_and_vitals_key_arn != "" }
+KONG_PORTAL_AND_VITALS_KEY="${portal_and_vitals_key_arn}"
+%{ endif }
+
 %{ if lookup(kong_config, "KONG_ROLE", null) == "data_plane" ~}
 KONG_CLUSTER_MTLS="${kong_hybrid_conf.mtls}"
 %{ if kong_hybrid_conf.ca_cert != "" ~}

templates/ecs/kong_control_plane.tpl

@@ -80,7 +80,7 @@
       "value": "0.0.0.0:${admin_gui_port} ssl"
     },
     {
-      "name": "KONG_ADMIN_API_URI",
+      "name": "${api_uri_env_name}",
       "value": "${kong_admin_api_uri}"
     },
     {
@@ -221,6 +221,12 @@
     "name": "CLUSTER_KEY",
     "valueFrom": "${cluster_key}"
     }
+    %{ if portal_and_vitals_key_arn != "" }
+    ,{
+    "name": "KONG_PORTAL_AND_VITALS_KEY",
+    "valueFrom": "${portal_and_vitals_key_arn}"
+    }
+    %{ endif }
   ],
   "entryPoint": ["${entrypoint}"],
   "healthCheck": {

templates/ecs/kong_portal.tpl

@@ -177,6 +177,12 @@
     "name": "CLUSTER_KEY",
     "valueFrom": "${cluster_key}"
     }
+    %{ if portal_and_vitals_key_arn != "" }
+    ,{
+    "name": "KONG_PORTAL_AND_VITALS_KEY",
+    "valueFrom": "${portal_and_vitals_key_arn}"
+    }
+    %{ endif }
   ],
   "entryPoint": ["${entrypoint}"],
   "healthCheck": {

templates/ubuntu/cloud-init.sh

@@ -235,9 +235,13 @@ KONG_ADMIN_GUI_LISTEN="0.0.0.0:${kong_ports.admin_gui}%{ if kong_ssl_uris.protoc
 KONG_PORTAL_GUI_LISTEN="0.0.0.0:${kong_ports.portal_gui}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}"
 KONG_PORTAL_API_LISTEN="0.0.0.0:${kong_ports.portal_api}%{ if kong_ssl_uris.protocol == "https"} ssl%{endif}"
 
-KONG_ADMIN_API_URI="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}"
+${api_uri_env_name}="${replace(kong_ssl_uris.admin_api_uri, "${kong_ssl_uris.protocol}://", "")}"
 KONG_ADMIN_GUI_URL="${kong_ssl_uris.admin_gui_url}"
 
+%{ if portal_and_vitals_key_arn != "" }
+KONG_PORTAL_AND_VITALS_KEY="${portal_and_vitals_key_arn}"
+%{ endif }
+
 KONG_PORTAL_GUI_PROTOCOL="${kong_ssl_uris.protocol}"
 KONG_PORTAL_GUI_HOST="${replace(kong_ssl_uris.portal_gui_host, "${kong_ssl_uris.protocol}://", "")}"
 KONG_PORTAL_API_URL="${kong_ssl_uris.portal_api_url}"

variables.tf

@@ -241,6 +241,17 @@ variable "kong_hybrid_conf" {
   }
 }
 
+variable "kong_major_version" {
+  description = "(Optional) Used to define which Kong major version to use"
+  type        = number
+  default     = 2 # Eventually moved to 3
+
+  validation {
+    condition     = contains([2, 3], var.kong_major_version)
+    error_message = "Must be one of the following values: 2, 3."
+  }
+}
+
 variable "kong_ports" {
   description = "(Optional) An object defining the kong http ports"
   type        = map(number)
@@ -304,6 +315,17 @@ variable "postgres_host" {
   default     = ""
 }
 
+variable "portal_and_vitals_key_arn" {
+  description = "(Optional) ARN of the secret which contains the token used to unlock portal and vitals in Kong V3"
+  type        = string
+  default     = ""
+
+  validation {
+    condition     = var.portal_and_vitals_key_arn != "" ? can(startswith("arn:aws:", var.portal_and_vitals_key_arn)) : true
+    error_message = "Invalid format. Please provide a valid ARN."
+  }
+}
+
 variable "private_subnets" {
   description = "(Optional) List of private subnet IDs, if not specified then the subnets listed in the private_subnets_to_create variable will be created and used"
   type        = list(string)