From 12153fb6c02bbb10315354ff5a81211434614bbf Mon Sep 17 00:00:00 2001 From: Daniel Hill Date: Mon, 26 Apr 2021 10:41:38 +0100 Subject: [PATCH] update http proxy example. Add squid proxy for testing. (#31) * update http proxy example. Add squid proxy for testing. configure Control plane to use proxy. Add scenario to pr.yml Signed-off-by: Daniel.Hill * add config to Squid to allow all traffic through. Add Squid port to the allowed egress rules on SGs Signed-off-by: Daniel.Hill * add Name tag to proxy for clarity in console Signed-off-by: Daniel.Hill * update kong hybrid conf following rebase
Signed-off-by: Daniel.Hill --- .github/workflows/pr.yml | 12 + .kitchen.yml | 9 + examples/hybrid_http_proxy/iam.tf | 8 +- examples/hybrid_http_proxy/lb.tf | 208 ++++++++++++++++++ examples/hybrid_http_proxy/main.tf | 195 +++++++++++++--- examples/hybrid_http_proxy/outputs.tf | 22 ++ examples/hybrid_http_proxy/ssm.tf | 18 +- .../templates/{ => db}/cloud-init.cfg | 0 .../templates/{ => db}/cloud-init.sh | 0 .../templates/proxy/cloud-init.cfg | 32 +++ .../templates/proxy/cloud-init.sh | 27 +++ examples/hybrid_http_proxy/tls_shared.tf | 50 +++++ examples/hybrid_http_proxy/variables.tf | 156 ++++++++++++- test/integration/hybrid_http_proxy/attrs.yml | 1 + .../hybrid_http_proxy/controls/default.rb | 32 +++ test/integration/hybrid_http_proxy/inspec.yml | 7 + 16 files changed, 725 insertions(+), 52 deletions(-) create mode 100644 examples/hybrid_http_proxy/lb.tf create mode 100644 examples/hybrid_http_proxy/outputs.tf rename examples/hybrid_http_proxy/templates/{ => db}/cloud-init.cfg (100%) rename examples/hybrid_http_proxy/templates/{ => db}/cloud-init.sh (100%) create mode 100644 examples/hybrid_http_proxy/templates/proxy/cloud-init.cfg create mode 100644 examples/hybrid_http_proxy/templates/proxy/cloud-init.sh create mode 100644 examples/hybrid_http_proxy/tls_shared.tf create mode 100644 test/integration/hybrid_http_proxy/attrs.yml create mode 100644 test/integration/hybrid_http_proxy/controls/default.rb create mode 100644 test/integration/hybrid_http_proxy/inspec.yml diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index c76c271..aa423bb 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml 
@@ -81,6 +81,18 @@ jobs: TF_VAR_environment: GHA-${{ env.GITHUB_RUN_NUMBER }} TF_VAR_vpc_cidr_block: "10.0.0.0/16" TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }} + - name: Kitchen Test hybrid-http-proxy + uses: dwp/github-action-kitchen-terraform@0.14.7 + with: + kitchen-command: test hybrid-http-proxy --destroy=always + aws-account-number: ${{ secrets.AWS_ACCOUNT }} + env: + AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.ACTIONS_SECRET_ACCESS_KEY }} + TF_VAR_region: eu-west-1 + TF_VAR_environment: GHA-${{ env.GITHUB_RUN_NUMBER }} + TF_VAR_vpc_cidr_block: "10.0.0.0/16" + TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }} - name: Deactivate AWS Credentials if: ${{ always() }} uses: docker://amazon/aws-cli diff --git a/.kitchen.yml b/.kitchen.yml index a4d88b2..8d11784 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -30,3 +30,12 @@ suites: backend: local attrs: - test/integration/hybrid_external_database/attrs.yml + - name: hybrid_http_proxy + driver: + root_module_directory: examples/hybrid_http_proxy + verifier: + systems: + - name: default + backend: local + attrs: + - test/integration/hybrid_http_proxy/attrs.yml diff --git a/examples/hybrid_http_proxy/iam.tf b/examples/hybrid_http_proxy/iam.tf index 038add7..4c0cf44 100644 --- a/examples/hybrid_http_proxy/iam.tf +++ b/examples/hybrid_http_proxy/iam.tf @@ -6,7 +6,7 @@ data "aws_iam_policy_document" "kong-ssm" { statement { actions = ["ssm:GetParameter"] - resources = ["arn:aws:ssm:*:*:parameter/${var.service}/${var.environment}/*"] + resources = ["arn:aws:ssm:*:*:parameter/${var.service}/${local.environment}/*"] } statement { @@ -16,7 +16,7 @@ data "aws_iam_policy_document" "kong-ssm" { } resource "aws_iam_role_policy" "kong-ssm" { - name = format("%s-%s-ssm", var.service, var.environment) + name = format("%s-%s-ssm", var.service, local.environment) role = aws_iam_role.kong.id policy = data.aws_iam_policy_document.kong-ssm.json 
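Review bot: The new `Kitchen Test hybrid-http-proxy` step repeats the previous step's `with:`/`env:` block verbatim, including all four secret references, so the two copies can drift — a variable or secret added for one suite is silently missing from the other. A `strategy.matrix` over the suite name, e.g. `kitchen-command: test ${{ matrix.suite }} --destroy=always`, would keep the credential wiring in one place. Both steps also authenticate with a long-lived access key pair held in repository secrets; if the account permits it, an OIDC role assumed via `aws-actions/configure-aws-credentials` removes the static key entirely — a suggestion beyond this hunk, not something the hunk itself breaks.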
@@ -34,11 +34,11 @@ data "aws_iam_policy_document" "kong" { } resource "aws_iam_role" "kong" { - name = format("%s-%s", var.service, var.environment) + name = format("%s-%s", var.service, local.environment) assume_role_policy = data.aws_iam_policy_document.kong.json } resource "aws_iam_instance_profile" "kong" { - name = format("%s-%s", var.service, var.environment) + name = format("%s-%s", var.service, local.environment) role = aws_iam_role.kong.id } diff --git a/examples/hybrid_http_proxy/lb.tf b/examples/hybrid_http_proxy/lb.tf new file mode 100644 index 0000000..337c458 --- /dev/null +++ b/examples/hybrid_http_proxy/lb.tf 
@@ -0,0 +1,208 @@ +resource "aws_security_group" "external-lb" { + description = "Kong External Load Balancer" + name = "externl-lb-sg" + vpc_id = aws_vpc.vpc.id + tags = var.tags +} + +resource "aws_security_group_rule" "external-lb-ingress-proxy" { + security_group_id = aws_security_group.external-lb.id + + type = "ingress" + from_port = 8000 + to_port = 8000 + protocol = "tcp" + + cidr_blocks = var.external_cidr_blocks + +} + +resource "aws_security_group_rule" "external-lb-ingress-admin" { + security_group_id = aws_security_group.external-lb.id + + type = "ingress" + from_port = 8001 + to_port = 8001 + protocol = "tcp" + + cidr_blocks = var.external_cidr_blocks + +} + +resource "aws_security_group_rule" "external-lb-egress" { + security_group_id = aws_security_group.external-lb.id + + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + + cidr_blocks = var.external_cidr_blocks + +} + +resource "aws_lb" "external" { + + name = "external-lb" + internal = false + subnets = local.public_subnet_ids + + security_groups = [aws_security_group.external-lb.id] + + idle_timeout = 60 + + tags = var.tags +} + +resource "aws_lb_target_group" "external-proxy" { + name = "expernal-proxy-8000" + port = 8000 + protocol = "HTTP" + vpc_id = aws_vpc.vpc.id + health_check { + healthy_threshold = 5 + interval = 5 + path = "/status" + port = 8000 + timeout = 3 + unhealthy_threshold = 2 + } +} + +resource "aws_lb_target_group" "external-admin-api" { + name = "external-admin-api-8000" + port = 8001 + protocol = "HTTP" + vpc_id = aws_vpc.vpc.id + health_check { + healthy_threshold = 5 + interval = 5 + path = "/status" + port = 8000 + timeout = 3 + unhealthy_threshold = 2 + } +} + +locals { + target_group_cp = [ + aws_lb_target_group.external-admin-api.arn, + aws_lb_target_group.internal-cluster.arn, + aws_lb_target_group.internal-telemetry.arn, + aws_lb_target_group.internal-admin-api.arn + ] + target_group_dp = [ + aws_lb_target_group.external-proxy.arn + ] +} + +resource 
"aws_lb_listener" "external-proxy" { + + load_balancer_arn = aws_lb.external.arn + port = 8000 + + default_action { + target_group_arn = aws_lb_target_group.external-proxy.arn + type = "forward" + } +} + +resource "aws_lb_listener" "admin" { + + load_balancer_arn = aws_lb.external.arn + port = 8001 + + default_action { + target_group_arn = aws_lb_target_group.external-admin-api.arn + type = "forward" + } +} + +resource "aws_lb" "internal" { + + name = "kong-internal-lb" + internal = true + subnets = module.create_kong_dp.private_subnet_ids + load_balancer_type = "network" + idle_timeout = 60 + tags = var.tags +} + +resource "aws_lb_target_group" "internal-cluster" { + name = "internal-cluster-8005" + port = 8005 + protocol = "TCP" + vpc_id = aws_vpc.vpc.id + + health_check { + healthy_threshold = 5 + interval = 30 + port = 8005 + protocol = "TCP" + unhealthy_threshold = 5 + } +} + +resource "aws_lb_target_group" "internal-telemetry" { + name = "internal-telemetry-8006" + port = 8006 + protocol = "TCP" + vpc_id = aws_vpc.vpc.id + health_check { + healthy_threshold = 5 + interval = 30 + port = 8006 + protocol = "TCP" + unhealthy_threshold = 5 + } +} + +resource "aws_lb_target_group" "internal-admin-api" { + name = "internal-admin-api-8001" # FIX + port = 8001 + protocol = "TCP" + vpc_id = aws_vpc.vpc.id + health_check { + healthy_threshold = 5 + interval = 30 + port = 8001 + protocol = "TCP" + unhealthy_threshold = 5 + } +} + +resource "aws_lb_listener" "cluster" { + + load_balancer_arn = aws_lb.internal.arn + port = 8005 + protocol = "TCP" + + default_action { + target_group_arn = aws_lb_target_group.internal-cluster.arn + type = "forward" + } +} + +resource "aws_lb_listener" "telemetry" { + + load_balancer_arn = aws_lb.internal.arn + port = 8006 + protocol = "TCP" + + default_action { + target_group_arn = aws_lb_target_group.internal-telemetry.arn + type = "forward" + } +} + +resource "aws_lb_listener" "internal-admin" { + + load_balancer_arn = aws_lb.internal.arn 
+ port = 8001 + protocol = "TCP" + + default_action { + target_group_arn = aws_lb_target_group.internal-admin-api.arn + type = "forward" + } +} diff --git a/examples/hybrid_http_proxy/main.tf b/examples/hybrid_http_proxy/main.tf index 1c4eee5..d47af85 100644 --- a/examples/hybrid_http_proxy/main.tf +++ b/examples/hybrid_http_proxy/main.tf @@ -32,13 +32,6 @@ resource "aws_eip" "nat_eip" { depends_on = [aws_internet_gateway.ig] } -resource "aws_subnet" "public_subnet" { - vpc_id = aws_vpc.vpc.id - cidr_block = "10.0.5.0/24" - availability_zone = "${var.region}c" - map_public_ip_on_launch = true -} - resource "aws_security_group" "allow_postgres" { name = "allow_postgres" description = "Allow postgres inbound traffic" @@ -70,9 +63,44 @@ resource "aws_security_group" "allow_postgres" { tags = var.tags } +resource "aws_security_group" "allow_proxy" { + name = "allow_proxy" + description = "Allow proxy inbound traffic" + vpc_id = aws_vpc.vpc.id + + ingress { + description = "proxy from VPC" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [aws_vpc.vpc.cidr_block] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = var.tags +} + +resource "aws_subnet" "public_subnets" { + count = length(module.create_kong_cp.private_subnet_azs) + vpc_id = aws_vpc.vpc.id + cidr_block = "10.0.${4 + count.index}.0/24" + availability_zone = module.create_kong_cp.private_subnet_azs[count.index] + map_public_ip_on_launch = true +} + +locals { + public_subnet_ids = aws_subnet.public_subnets.*.id +} + resource "aws_nat_gateway" "nat" { allocation_id = aws_eip.nat_eip.id - subnet_id = aws_subnet.public_subnet.id + subnet_id = aws_subnet.public_subnets.0.id depends_on = [aws_internet_gateway.ig] } 
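Review bot: `aws_security_group_rule.external-lb-ingress-admin` together with the `admin` listener puts the Kong Admin API (8001) on an internet-facing ALB, reachable from `var.external_cidr_blocks` (default `0.0.0.0/0` in variables.tf) over plain HTTP, and nothing visible in this example turns on RBAC, so anyone who can reach the ALB can reconfigure the gateway. The admin ingress should use its own tightly scoped allowlist rather than the same variable as the proxy port, and `external-lb-egress` should target `[aws_vpc.vpc.cidr_block]` instead of `var.external_cidr_blocks`, since the ALB only ever needs to reach its targets. Separately, `external-admin-api`'s health check probes port 8000 on control-plane nodes that run with `KONG_PROXY_LISTEN = "off"` (main.tf), and `external-proxy` expects a 200 from `/status` on the proxy port, a path Kong serves on the Admin API rather than the proxy unless a matching route exists — both target groups will likely sit unhealthy and only appear to work because an ALB with no healthy targets fails open and routes to all of them. Pointing the checks at a dedicated Kong `status_listen` port would make the health state truthful. The resource names also carry typos (`externl-lb-sg`, `expernal-proxy-8000`, and `external-admin-api-8000` on port 8001).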
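Review bot: `aws_security_group.allow_proxy` admits every protocol and port from the VPC (`protocol = "-1"`, `from_port = 0`), but the instance only serves Squid on 3128, so the ingress rule should be `from_port = 3128`, `to_port = 3128`, `protocol = "tcp"` (with a separate port-22 rule if SSH is actually needed). The proxy also lands in a public subnet with `map_public_ip_on_launch = true`, so this group is the only thing standing between an allow-all Squid (templates/proxy/cloud-init.cfg) and the internet — worth a comment on the resource saying exactly that. The new `public_subnets` hard-code `10.0.${4 + count.index}.0/24`, which overlaps or falls outside the VPC if `vpc_cidr_block` is anything other than `10.0.0.0/16`; `cidrsubnet(aws_vpc.vpc.cidr_block, 8, 4 + count.index)` derives them from the VPC instead.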
@@ -87,57 +115,123 @@ resource "aws_route" "public_internet_gateway" { } resource "aws_route_table_association" "public" { - subnet_id = aws_subnet.public_subnet.id + count = length(local.public_subnet_ids) + subnet_id = element(local.public_subnet_ids, count.index) route_table_id = aws_route_table.public.id } locals { - user_data = templatefile("${path.module}/templates/cloud-init.cfg", {}) - user_data_script = templatefile("${path.module}/templates/cloud-init.sh", { + db_user_data = templatefile("${path.module}/templates/db/cloud-init.cfg", {}) + db_user_data_script = templatefile("${path.module}/templates/db/cloud-init.sh", { db_master_pass = random_string.master_password.result db_master_user = var.postgres_master_user }) } -data "template_cloudinit_config" "cloud-init" { +data "template_cloudinit_config" "db_cloud_init" { gzip = true base64_encode = true part { filename = "init.cfg" content_type = "text/cloud-config" - content = local.user_data + content = local.db_user_data } part { content_type = "text/x-shellscript" - content = local.user_data_script + content = local.db_user_data_script } } resource "aws_instance" "external_postgres" { ami = data.aws_ami.ubuntu.id - instance_type = "t3.medium" + instance_type = "t3.small" key_name = var.key_name - subnet_id = aws_subnet.public_subnet.id + subnet_id = aws_subnet.public_subnets.0.id vpc_security_group_ids = [aws_security_group.allow_postgres.id] - user_data = data.template_cloudinit_config.cloud-init.rendered + user_data = data.template_cloudinit_config.db_cloud_init.rendered tags = var.tags } -module "create_kong_asg" { - source = "../../" +data "template_cloudinit_config" "proxy_cloud_init" { + gzip = true + base64_encode = true + + part { + filename = "init.cfg" + content_type = "text/cloud-config" + content = templatefile("${path.module}/templates/proxy/cloud-init.cfg", {}) + } + + part { + content_type = "text/x-shellscript" + content = templatefile("${path.module}/templates/proxy/cloud-init.sh", {}) + 
} +} + +resource "aws_instance" "external_proxy" { + ami = data.aws_ami.ubuntu.id + instance_type = "t3.small" + key_name = var.key_name + subnet_id = aws_subnet.public_subnets.0.id + vpc_security_group_ids = [aws_security_group.allow_proxy.id] + user_data = data.template_cloudinit_config.proxy_cloud_init.rendered + tags = merge( {Name = "proxy"}, var.tags) +} + +locals { + environment = "${var.environment}-${terraform.workspace}" + + kong_control_plane_config = { + "KONG_ROLE" = "control_plane" + "KONG_PROXY_LISTEN" = "off" + "KONG_ANONYMOUS_REPORTS" = "off" + "KONG_PORTAL" = "on" + "KONG_VITALS" = "on" + "KONG_AUDIT_LOG" = "on" + "KONG_LOG_LEVEL" = "debug" + } + + kong_data_plane_config = { + "KONG_ROLE" = "data_plane" + "KONG_DATABASE" = "off" + "KONG_LOG_LEVEL" = "debug" + "KONG_ANONYMOUS_REPORTS" = "off" + } + + kong_hybrid_conf = { + server_name = "" + cluster_cert = tls_locally_signed_cert.cert.cert_pem + cluster_key = tls_private_key.cert.private_key_pem + mtls = "shared" + ca_cert = "" + endpoint = aws_lb.internal.dns_name + } +} + +module "create_kong_cp" { + source = "../../" + + instance_type = var.instance_type vpc_id = aws_vpc.vpc.id ami_id = data.aws_ami.ubuntu.id key_name = var.key_name region = var.region vpc_cidr_block = aws_vpc.vpc.cidr_block - environment = var.environment - service = var.service - description = var.description iam_instance_profile_name = aws_iam_instance_profile.kong.name - asg_desired_capacity = var.asg_desired_capacity - proxy_config = var.proxy_config + + asg_desired_capacity = var.asg_desired_capacity + asg_max_size = var.asg_max_size + asg_min_size = var.asg_min_size + + proxy_config = { + http_proxy = "http://${aws_instance.external_proxy.private_ip}:3128" + https_proxy = "http://${aws_instance.external_proxy.private_ip}:3128" + no_proxy = "localhost,169.254.169.254,127.0.0.1" + } + + rules_with_source_cidr_blocks = var.rules_with_source_cidr_blocks postgres_config = { master_user = var.postgres_master_user 
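Review bot: `kong_hybrid_conf` hands `tls_private_key.cert.private_key_pem` to both modules, and the `create_kong_dp` block in the next hunk attaches the same `aws_iam_instance_profile.kong` to the data plane, so every node — including `KONG_ROLE = "data_plane"` nodes running with `KONG_DATABASE = "off"` — can read every `/${var.service}/${local.environment}/*` SSM parameter, the DB password and the EE license included. The data plane needs at most the cluster certificate material, so it should get its own role and profile. The private key sits in plaintext in Terraform state (inherent to the tls provider), and depending on how the module renders `kong_hybrid_conf` it may also land in user data readable through `ec2:DescribeInstanceAttribute`; a comment on the local marking this as test-only material would help the next reader. `KONG_LOG_LEVEL = "debug"` on both planes is fine for a CI example, but debug logs can carry request headers and tokens, so `"info"` is the safer default to ship in an example.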
@@ -152,8 +246,55 @@ module "create_kong_asg" { password = var.kong_database_password } + target_group_arns = local.target_group_cp + skip_rds_creation = true - tags = var.tags + kong_config = local.kong_control_plane_config + kong_hybrid_conf = local.kong_hybrid_conf + + environment = local.environment + service = var.service + description = var.description + tags = var.tags +} + +module "create_kong_dp" { + source = "../../" + + instance_type = var.instance_type + vpc_id = aws_vpc.vpc.id + ami_id = data.aws_ami.ubuntu.id + key_name = var.key_name + region = var.region + vpc_cidr_block = aws_vpc.vpc.cidr_block + + iam_instance_profile_name = aws_iam_instance_profile.kong.name + + asg_desired_capacity = var.asg_desired_capacity + asg_max_size = var.asg_max_size + asg_min_size = var.asg_min_size + + proxy_config = { + http_proxy = "http://${aws_instance.external_proxy.private_ip}:3128" + https_proxy = "http://${aws_instance.external_proxy.private_ip}:3128" + no_proxy = "localhost,169.254.169.254,127.0.0.1" + } + + rules_with_source_cidr_blocks = var.rules_with_source_cidr_blocks + + target_group_arns = local.target_group_dp + + skip_rds_creation = true + kong_config = local.kong_data_plane_config + kong_hybrid_conf = local.kong_hybrid_conf + + private_subnets = module.create_kong_cp.private_subnet_ids + availability_zones = module.create_kong_cp.private_subnet_azs + + environment = local.environment + service = var.service + description = var.description + tags = var.tags } resource "aws_route_table" "private" { @@ -167,7 +308,7 @@ resource "aws_route" "private_nat_gateway" { } resource "aws_route_table_association" "private" { - count = length(module.create_kong_asg.private_subnet_ids) - subnet_id = element(module.create_kong_asg.private_subnet_ids, count.index) + count = length(module.create_kong_cp.private_subnet_ids) + subnet_id = element(module.create_kong_cp.private_subnet_ids, count.index) route_table_id = aws_route_table.private.id } 
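Review bot: The `proxy_config` object in `module "create_kong_dp"` is a character-for-character copy of the one in `create_kong_cp`, so a change to the proxy address or the `no_proxy` list has to be made twice. Hoisting it into the existing `locals` block — `proxy_config = { http_proxy = "http://${aws_instance.external_proxy.private_ip}:3128", https_proxy = "http://${aws_instance.external_proxy.private_ip}:3128", no_proxy = "localhost,169.254.169.254,127.0.0.1" }` — and passing `proxy_config = local.proxy_config` to both modules removes the duplication. The `no_proxy` list correctly keeps IMDS (`169.254.169.254`) off the proxy; if the module's bootstrap also talks to SSM or other AWS endpoints from the nodes, a comment stating that those calls are intended to traverse Squid would make the example's intent explicit.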
diff --git a/examples/hybrid_http_proxy/outputs.tf b/examples/hybrid_http_proxy/outputs.tf new file mode 100644 index 0000000..386a540 --- /dev/null +++ b/examples/hybrid_http_proxy/outputs.tf @@ -0,0 +1,22 @@ +locals { + proxy = "http://${aws_lb.external.dns_name}:8000" + admin_api = "http://${aws_lb.external.dns_name}:8001" + cluster = "http://${aws_lb.internal.dns_name}:8005" + telemetry = "http://${aws_lb.internal.dns_name}:8006" +} + +output "kong-proxy-endpoint" { + value = local.proxy +} + +output "kong-api-endpoint" { + value = local.admin_api +} + +output "kong-cluster-endpoint" { + value = local.cluster +} + +output "kong-telemetry-endpoint" { + value = local.telemetry +} diff --git a/examples/hybrid_http_proxy/ssm.tf b/examples/hybrid_http_proxy/ssm.tf index 95bbf94..171e6d1 100644 --- a/examples/hybrid_http_proxy/ssm.tf +++ b/examples/hybrid_http_proxy/ssm.tf @@ -1,10 +1,10 @@ resource "aws_kms_key" "kong" { - description = format("%s-%s", var.service, var.environment) + description = format("%s-%s", var.service, local.environment) tags = merge( { - "Name" = format("%s-%s", var.service, var.environment), - "Environment" = var.environment, + "Name" = format("%s-%s", var.service, local.environment), + "Environment" = local.environment, "Description" = var.description, "Service" = var.service, }, @@ -13,12 +13,12 @@ resource "aws_kms_key" "kong" { } resource "aws_kms_alias" "kong" { - name = format("alias/%s-%s", var.service, var.environment) + name = format("alias/%s-%s", var.service, local.environment) target_key_id = aws_kms_key.kong.key_id } resource "aws_ssm_parameter" "ee-bintray-auth" { - name = format("/%s/%s/ee/bintray-auth", var.service, var.environment) + name = format("/%s/%s/ee/bintray-auth", var.service, local.environment) type = "SecureString" value = var.ee_bintray_auth 
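Review bot: `kong-cluster-endpoint` and `kong-telemetry-endpoint` are rendered with an `http://` scheme, but 8005/8006 are the control-plane cluster and telemetry listeners that the data plane connects to using the mTLS material from tls_shared.tf, not plain HTTP endpoints, so the scheme misleads anyone copying the output. Either emit host and port only (`cluster = "${aws_lb.internal.dns_name}:8005"`) or add a `description` on each output noting these are internal mTLS cluster endpoints, not browsable URLs. `kong-api-endpoint` is the public Admin API URL with no authentication configured anywhere in this example; `description = "Kong Admin API - restrict external_cidr_blocks before exposing"` would flag that for users of the example.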
@@ -30,7 +30,7 @@ resource "aws_ssm_parameter" "ee-bintray-auth" { } resource "aws_ssm_parameter" "ee-license" { - name = format("/%s/%s/ee/license", var.service, var.environment) + name = format("/%s/%s/ee/license", var.service, local.environment) type = "SecureString" value = var.ee_license @@ -47,7 +47,7 @@ resource "random_string" "admin_token" { } resource "aws_ssm_parameter" "ee-admin-token" { - name = format("/%s/%s/ee/admin/token", var.service, var.environment) + name = format("/%s/%s/ee/admin/token", var.service, local.environment) type = "SecureString" value = random_string.admin_token.result @@ -59,7 +59,7 @@ resource "aws_ssm_parameter" "ee-admin-token" { } resource "aws_ssm_parameter" "db-password" { - name = format("/%s/%s/db/password", var.service, var.environment) + name = format("/%s/%s/db/password", var.service, local.environment) type = "SecureString" value = var.kong_database_password @@ -78,7 +78,7 @@ resource "random_string" "master_password" { } resource "aws_ssm_parameter" "db-master-password" { - name = format("/%s/%s/db/password/master", var.service, var.environment) + name = format("/%s/%s/db/password/master", var.service, local.environment) type = "SecureString" value = random_string.master_password.result diff --git a/examples/hybrid_http_proxy/templates/cloud-init.cfg b/examples/hybrid_http_proxy/templates/db/cloud-init.cfg similarity index 100% rename from examples/hybrid_http_proxy/templates/cloud-init.cfg rename to examples/hybrid_http_proxy/templates/db/cloud-init.cfg diff --git a/examples/hybrid_http_proxy/templates/cloud-init.sh b/examples/hybrid_http_proxy/templates/db/cloud-init.sh similarity index 100% rename from examples/hybrid_http_proxy/templates/cloud-init.sh rename to examples/hybrid_http_proxy/templates/db/cloud-init.sh diff --git a/examples/hybrid_http_proxy/templates/proxy/cloud-init.cfg b/examples/hybrid_http_proxy/templates/proxy/cloud-init.cfg new file mode 100644 index 0000000..4b50dd9 --- /dev/null 
+++ b/examples/hybrid_http_proxy/templates/proxy/cloud-init.cfg @@ -0,0 +1,32 @@ +#cloud-config + +users: + - default + +write_files: + - path: /etc/apt/apt.conf.d/00InstallRecommends + owner: root:root + permissions: '0644' + content: | + APT::Install-Recommends "false"; + + - path: /etc/squid/squid.conf + owner: root:root + permissions: '0644' + content: | + http_port 3128 + acl net src 0.0.0.0/0 + http_access allow net + http_access deny all + +# Package configuration +apt: + primary: + - arches: [default] + +apt_update: true +package_upgrade: true +packages: + - apt-listchanges + - unattended-upgrades + - dnsutils diff --git a/examples/hybrid_http_proxy/templates/proxy/cloud-init.sh b/examples/hybrid_http_proxy/templates/proxy/cloud-init.sh new file mode 100644 index 0000000..0394676 --- /dev/null +++ b/examples/hybrid_http_proxy/templates/proxy/cloud-init.sh @@ -0,0 +1,27 @@ +#!/bin/bash +set -x +exec &> /tmp/cloud-init.log + +apt-get update + +apt-get install -y apt-transport-https \ + ca-certificates curl gnupg-agent \ + software-properties-common + +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - + +add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/ubuntu \ + $(lsb_release -cs) \ + stable" + +apt-get update +apt-get install -y docker-ce docker-ce-cli containerd.io + +sleep 10 + +docker run -d \ + --restart=always \ + -p 3128:3128 \ + -v /etc/squid/squid.conf:/etc/squid/squid.conf \ + sameersbn/squid:3.5.27-2 diff --git a/examples/hybrid_http_proxy/tls_shared.tf b/examples/hybrid_http_proxy/tls_shared.tf new file mode 100644 index 0000000..f5c1820 --- /dev/null +++ b/examples/hybrid_http_proxy/tls_shared.tf 
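Review bot: The written `/etc/squid/squid.conf` is an open forward proxy (`acl net src 0.0.0.0/0` followed by `http_access allow net`), and the instance it lands on has a public IP (public subnet with `map_public_ip_on_launch = true` in main.tf), so the only control keeping it from proxying for the whole internet is the `allow_proxy` security group. Squid can enforce the same boundary itself: render the template with the VPC range, `templatefile("${path.module}/templates/proxy/cloud-init.cfg", { vpc_cidr = aws_vpc.vpc.cidr_block })`, and write `acl net src ${vpc_cidr}`. A `cache deny all` line is also worth adding so responses fetched through the test proxy are not persisted on the box.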
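Review bot: `docker run ... sameersbn/squid:3.5.27-2` pulls a third-party Docker Hub image by mutable tag, and the Squid 3.5 line is long out of support, so the test proxy runs unpatched software that can be swapped underneath the tag without the example noticing; pin by digest (`sameersbn/squid@sha256:<digest>`) or move to a maintained Squid image, and say in a comment that this is untrusted test tooling. The Docker repository is added with the deprecated `curl ... | apt-key add -`, which trusts the key for every apt source; the current pattern stores the key under `/etc/apt/keyrings/` and references it with `[signed-by=...]` in the source line. `set -x` with `exec &> /tmp/cloud-init.log` writes the full trace to a world-readable path; nothing secret passes through this script today, but a `0600` file under `/var/log/` is the safer default if it grows.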
@@ -0,0 +1,50 @@ +# generate certificates for Kong +resource "tls_private_key" "ca" { + algorithm = "ECDSA" + ecdsa_curve = "P384" +} + +resource "tls_self_signed_cert" "ca" { + key_algorithm = tls_private_key.ca.algorithm + private_key_pem = tls_private_key.ca.private_key_pem + is_ca_certificate = true + + validity_period_hours = "12" + allowed_uses = [ + "cert_signing", + "key_encipherment", + "digital_signature", + ] + + subject { + common_name = "kong_clustering" + } + +} + +resource "tls_private_key" "cert" { + algorithm = "ECDSA" + ecdsa_curve = "P384" +} + +resource "tls_cert_request" "cert" { + key_algorithm = tls_private_key.cert.algorithm + private_key_pem = tls_private_key.cert.private_key_pem + + subject { + common_name = "kong_clustering" + } +} + +resource "tls_locally_signed_cert" "cert" { + cert_request_pem = tls_cert_request.cert.cert_request_pem + + ca_key_algorithm = tls_private_key.ca.algorithm + ca_private_key_pem = tls_private_key.ca.private_key_pem + ca_cert_pem = tls_self_signed_cert.ca.cert_pem + + validity_period_hours = "12" + allowed_uses = [ + ] + +} diff --git a/examples/hybrid_http_proxy/variables.tf b/examples/hybrid_http_proxy/variables.tf index 2d8989d..3131429 100644 --- a/examples/hybrid_http_proxy/variables.tf +++ b/examples/hybrid_http_proxy/variables.tf @@ -3,6 +3,12 @@ variable "region" { type = string } +variable "instance_type" { + description = "The instance type to use for the kong deployments" + type = string + default = "t3.small" +} + variable "key_name" { description = "The name of an AWS ssh key pari to associate with the instances in the ASG" type = string 
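Review bot: Both `tls_self_signed_cert.ca` and `tls_locally_signed_cert.cert` use `validity_period_hours = "12"` with no `early_renewal_hours`, so the shared cluster certificate expires half a day after apply and control-plane/data-plane mTLS stops working until the next `terraform apply` — fine for a CI run, a trap for anyone reusing the example. The leaf certificate also has `allowed_uses = []`, declaring no key usage at all even though in `mtls = "shared"` mode the same certificate authenticates both sides of the connection. Suggest `validity_period_hours = 24 * 7`, `early_renewal_hours = 24`, `allowed_uses = ["digital_signature", "server_auth", "client_auth"]`, plus a header comment that these keys live in plaintext in Terraform state and are for testing only. `key_encipherment` on the ECDSA CA is meaningless for an EC key and can be dropped.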
@@ -49,10 +55,22 @@ variable "vpc_cidr_block" { type = string } +variable "asg_max_size" { + description = "The maximum size of the auto scale group" + type = string + default = 1 +} + +variable "asg_min_size" { + description = "The minimum size of the auto scale group" + type = string + default = 1 +} + variable "asg_desired_capacity" { description = "The size of the autoscaling group" type = string - default = 2 + default = 1 } variable "postgres_master_user" { 
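Review bot: `asg_max_size` and `asg_min_size` are declared `type = string` but defaulted to the number `1`, and `asg_desired_capacity` keeps the same string type; Terraform coerces silently, so a non-numeric input is only rejected at apply time inside the module. Declare all three `type = number` (matching the numeric `from_port`/`to_port` fields used elsewhere in this file) so validation happens at plan. Dropping the default desired capacity from 2 to 1 also means the example now runs a single control-plane and a single data-plane node; the description should say this is a test-sized, non-HA setting.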
@@ -73,22 +91,136 @@ variable "kong_database_user" { default = "kong" } +variable "external_cidr_blocks" { default = ["0.0.0.0/0"] } + variable "tags" { + type = map(string) default = { - "Dept" = "Testing", + "Dept" = "Testing" } } -variable "proxy_config" { - description = "(optional) Configure HTTP, HTTPS, and NO_PROXY" - type = object({ - http_proxy = string - https_proxy = string - no_proxy = string - }) +variable "rules_with_source_cidr_blocks" { + description = "Security rules for the Kong instance that have a cidr range for their source" + type = map(object({ + type = string, + from_port = number, + to_port = number, + protocol = string, + cidr_blocks = list(string) + })) default = { - http_proxy = null - https_proxy = null - no_proxy = null + "kong-ingress-proxy-http" = { + type = "ingress", + from_port = 8000, + to_port = 8000, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-api-http" = { + type = "ingress", + from_port = 8001, + to_port = 8001, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-manager-http" = { + type = "ingress", + from_port = 8002, + to_port = 8002, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-portal-gui-http" = { + type = "ingress", + from_port = 8003, + to_port = 8003, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-portal-http" = { + type = "ingress", + from_port = 8004, + to_port = 8004, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-ssh" = { + type = "ingress", + from_port = 22, + to_port = 22, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-8005" = { + type = "ingress", + from_port = 8005, + to_port = 8005, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-ingress-8006" = { + type = "ingress", + from_port = 8006, + to_port = 8006, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-80" = { + type = "egress", + from_port = 80, + to_port = 80, + protocol = "tcp" + 
cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-443" = { + type = "egress", + from_port = 443, + to_port = 443, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-8000" = { + type = "egress", + from_port = 8000, + to_port = 8000, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-8001" = { + type = "egress", + from_port = 8001, + to_port = 8001, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-8005" = { + type = "egress", + from_port = 8005, + to_port = 8005, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-8006" = { + type = "egress", + from_port = 8006, + to_port = 8006, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-postgresq" = { + type = "egress", + from_port = 5432, + to_port = 5432, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + }, + "kong-egress-proxy" = { + type = "egress", + from_port = 3128, + to_port = 3128, + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } } } diff --git a/test/integration/hybrid_http_proxy/attrs.yml b/test/integration/hybrid_http_proxy/attrs.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/test/integration/hybrid_http_proxy/attrs.yml @@ -0,0 +1 @@ +--- diff --git a/test/integration/hybrid_http_proxy/controls/default.rb b/test/integration/hybrid_http_proxy/controls/default.rb new file mode 100644 index 0000000..46ba403 --- /dev/null +++ b/test/integration/hybrid_http_proxy/controls/default.rb 
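Review bot: The new `rules_with_source_cidr_blocks` default opens SSH (22), the Admin API (8001), Manager (8002), Portal (8003/8004) and the cluster/telemetry ports (8005/8006) on the Kong instances to `0.0.0.0/0`, and `external_cidr_blocks` defaults to `0.0.0.0/0` with neither `type` nor `description`. The instances sit in private subnets in main.tf, so today only the load balancers can reach them, but the SG default is the wrong layer to rely on for that; variable defaults cannot reference `aws_vpc.vpc.cidr_block`, so either build this map in a `locals` block from the VPC CIDR or ship a restrictive default and document that `0.0.0.0/0` must be opted into. At minimum give `external_cidr_blocks` `type = list(string)` and a description stating that it gates the public Admin API as well as the proxy port. The egress entries to `0.0.0.0/0` for 5432 and 3128 could likewise be the VPC range, and `kong-egress-postgresq` is a typo'd key.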
@@ -0,0 +1,32 @@
+api = input('kong-api-endpoint')
+proxy = input('kong-proxy-endpoint')
+
+require_relative '../../libraries/kong_util'
+
+wait("#{api}/clustering/status")
+
+post("#{api}/services", { 'name' => 'test', 'url' => 'http://httpbin.org' })
+
+post("#{api}/services/test/routes", { 'name' => 'testRoute', 'paths' => '/test' })
+
+cluster_members = JSON.parse(http("#{api}/clustering/status", method: 'GET').body)
+
+describe cluster_members do
+ it { should_not be_empty }
+end
+
+describe http("#{api}/services/test",
+ method: 'GET') do
+ its('status') { should cmp 200 }
+ end
+
+describe http("#{api}/services/test/routes/testRoute",
+ method: 'GET') do
+ its('status') { should cmp 200 }
+ end
+
+sleep(10) # wait for route to propergate
+describe http("#{proxy}/test/get",
+ method: 'GET') do
+ its('status') { should cmp 200 }
+ end
diff --git a/test/integration/hybrid_http_proxy/inspec.yml b/test/integration/hybrid_http_proxy/inspec.yml
new file mode 100644
index 0000000..8a98bca
--- /dev/null
+++ b/test/integration/hybrid_http_proxy/inspec.yml
@@ -0,0 +1,7 @@
+---
+name: hybrid_external_database
+inputs:
+- name: kong-api-endpoint
+ type: string
+- name: kong-proxy-endpoint
+ type: string
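Review bot: Nothing in this control checks that traffic actually went through the Squid proxy the example exists to exercise — the data-plane subnets still route to the internet via the NAT gateway (`aws_route.private_nat_gateway` in main.tf), so `#{proxy}/test/get` reaching httpbin.org proves Kong works, not that the proxy does, and the suite would pass with Squid down. Assert something only the proxied path can produce, for example an output or check against the proxy instance, or a service whose upstream is reachable solely through Squid. `sleep(10) # wait for route to propergate` (typo: propagate) is a fixed delay that will flake under load; the `wait` helper already used for `/clustering/status` should poll `"#{proxy}/test/get"` until it returns 200 instead. The created service and route are never removed; with `--destroy=always` that is harmless in CI, but a comment noting it for local runs would help.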
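Review bot: `name: hybrid_external_database` is copied from the sibling profile; this profile lives under `test/integration/hybrid_http_proxy/` and the `.kitchen.yml` suite is `hybrid_http_proxy`, so two InSpec profiles now share one name and their reports are indistinguishable. It should read `name: hybrid_http_proxy`. A `title` or `summary` line describing what the suite proves (hybrid CP/DP behind an egress proxy) would also help.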