Support Amazon Linux 2 and RHEL (#48)

Signed-off-by: Daniel.Hill <[email protected]> Co-authored-by: Vikash <[email protected]>
dwp · Apr 28, 2021 · 8c651dc · 8c651dc
1 parent 12153fb
commit 8c651dc
Show file tree

Hide file tree

Showing 30 changed files with 1,698 additions and 44 deletions.
diff --git a/.githooks b/.githooks
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -30,6 +30,9 @@ jobs:
         uses: actions/checkout@v2
         with:
           path: 'repo'
+      - name: Remove Examples # KICS exclude_paths did not work
+        run: |
+          rm -rf repo/examples
       - name: KICS Github Action
         uses: checkmarx/kics-action@docker-runner
         with:
@@ -69,10 +72,10 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@v2
-      - name: Kitchen Test hybrid-external-database
+      - name: Kitchen Test Ubuntu
         uses: dwp/[email protected]
         with:
-          kitchen-command: test hybrid-external-database --destroy=always
+          kitchen-command: test hybrid-http-proxy --destroy=always
           aws-account-number: ${{ secrets.AWS_ACCOUNT }}
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}
@@ -81,10 +84,10 @@ jobs:
           TF_VAR_environment: GHA-${{ env.GITHUB_RUN_NUMBER }}
           TF_VAR_vpc_cidr_block: "10.0.0.0/16"
           TF_VAR_kong_database_password: ${{ secrets.KONG_DATABASE_PASSWORD }}
-      - name: Kitchen Test hybrid-http-proxy
+      - name: Kitchen Test Amazon Linux 2
         uses: dwp/[email protected]
         with:
-          kitchen-command: test hybrid-http-proxy --destroy=always
+          kitchen-command: test hybrid-amazon-linux --destroy=always
           aws-account-number: ${{ secrets.AWS_ACCOUNT }}
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.ACTIONS_ACCESS_KEY_ID }}

diff --git a/.kitchen.yml b/.kitchen.yml
@@ -39,3 +39,12 @@ suites:
           backend: local
           attrs:
             - test/integration/hybrid_http_proxy/attrs.yml
+  - name: hybrid_amazon_linux
+    driver:
+      root_module_directory: examples/hybrid_amazon_linux
+    verifier:
+      systems:
+        - name: default
+          backend: local
+          attrs:
+            - test/integration/hybrid_amazon_linux/attrs.yml
diff --git a/examples/hybrid_amazon_linux/README.md b/examples/hybrid_amazon_linux/README.md
@@ -0,0 +1,9 @@
+# Hybrid Example With External Database
+
+![architecture-diagram](https://raw.githubusercontent.com/dwp/terraform-aws-kong-gateway/main/examples/hybrid_external_database/hybrid_external_amazon_linux.png)
+
+## Description
+
+This code will act as an example of how to call the terraform-aws-kong-gw module.
+It should highlight the required inputs to get the module to deploy kong in hybrid
+mode using Amazon Linux 2 (should also apply to RHEL). Internet access is via a proxy server. Database is being provided from outside of the module.
diff --git a/examples/hybrid_amazon_linux/hybrid_amazon_linux.png b/examples/hybrid_amazon_linux/hybrid_amazon_linux.png
diff --git a/examples/hybrid_amazon_linux/iam.tf b/examples/hybrid_amazon_linux/iam.tf
@@ -0,0 +1,54 @@
+data "aws_iam_policy_document" "kong-ssm" {
+  statement {
+    actions   = ["ssm:DescribeParameters"]
+    resources = ["*"]
+  }
+
+  statement {
+    actions   = ["ssm:GetParameter"]
+    resources = ["arn:aws:ssm:*:*:parameter/${var.service}/${local.environment}/*"]
+  }
+
+  statement {
+    actions   = ["kms:Decrypt"]
+    resources = [aws_kms_alias.kong.target_key_arn]
+  }
+}
+
+resource "aws_iam_role_policy" "kong-ssm" {
+  name = format("%s-%s-ssm", var.service, local.environment)
+  role = aws_iam_role.kong.id
+
+  policy = data.aws_iam_policy_document.kong-ssm.json
+}
+
+data "aws_iam_policy_document" "kong" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "kong" {
+  name               = format("%s-%s", var.service, local.environment)
+  assume_role_policy = data.aws_iam_policy_document.kong.json
+}
+
+resource "aws_iam_instance_profile" "kong" {
+  name = format("%s-%s", var.service, local.environment)
+  role = aws_iam_role.kong.id
+}
+
+resource "aws_iam_role_policy_attachment" "ingestion_ecs_ssm" {
+  role       = aws_iam_role.kong.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+}
+
+resource "aws_iam_role_policy_attachment" "ingestion_ssm_managed" {
+  role       = aws_iam_role.kong.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
diff --git a/examples/hybrid_amazon_linux/lb.tf b/examples/hybrid_amazon_linux/lb.tf
@@ -0,0 +1,208 @@
+resource "aws_security_group" "external-lb" {
+  description = "Kong External Load Balancer"
+  name        = "externl-lb-sg"
+  vpc_id      = aws_vpc.vpc.id
+  tags        = var.tags
+}
+
+resource "aws_security_group_rule" "external-lb-ingress-proxy" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "ingress"
+  from_port = 8000
+  to_port   = 8000
+  protocol  = "tcp"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_security_group_rule" "external-lb-ingress-admin" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "ingress"
+  from_port = 8001
+  to_port   = 8001
+  protocol  = "tcp"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_security_group_rule" "external-lb-egress" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "egress"
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_lb" "external" {
+
+  name     = "external-lb"
+  internal = false
+  subnets  = local.public_subnet_ids
+
+  security_groups = [aws_security_group.external-lb.id]
+
+  idle_timeout = 60
+
+  tags = var.tags
+}
+
+resource "aws_lb_target_group" "external-proxy" {
+  name     = "expernal-proxy-8000"
+  port     = 8000
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 5
+    interval            = 5
+    path                = "/status"
+    port                = 8000
+    timeout             = 3
+    unhealthy_threshold = 2
+  }
+}
+
+resource "aws_lb_target_group" "external-admin-api" {
+  name     = "external-admin-api-8000"
+  port     = 8001
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 5
+    interval            = 5
+    path                = "/status"
+    port                = 8000
+    timeout             = 3
+    unhealthy_threshold = 2
+  }
+}
+
+locals {
+  target_group_cp = [
+    aws_lb_target_group.external-admin-api.arn,
+    aws_lb_target_group.internal-cluster.arn,
+    aws_lb_target_group.internal-telemetry.arn,
+    aws_lb_target_group.internal-admin-api.arn
+  ]
+  target_group_dp = [
+    aws_lb_target_group.external-proxy.arn
+  ]
+}
+
+resource "aws_lb_listener" "external-proxy" {
+
+  load_balancer_arn = aws_lb.external.arn
+  port              = 8000
+
+  default_action {
+    target_group_arn = aws_lb_target_group.external-proxy.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "admin" {
+
+  load_balancer_arn = aws_lb.external.arn
+  port              = 8001
+
+  default_action {
+    target_group_arn = aws_lb_target_group.external-admin-api.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb" "internal" {
+
+  name               = "kong-internal-lb"
+  internal           = true
+  subnets            = module.create_kong_dp.private_subnet_ids
+  load_balancer_type = "network"
+  idle_timeout       = 60
+  tags               = var.tags
+}
+
+resource "aws_lb_target_group" "internal-cluster" {
+  name     = "internal-cluster-8005"
+  port     = 8005
+  protocol = "TCP"
+  vpc_id   = aws_vpc.vpc.id
+
+  health_check {
+    healthy_threshold   = 5
+    interval            = 30
+    port                = 8005
+    protocol            = "TCP"
+    unhealthy_threshold = 5
+  }
+}
+
+resource "aws_lb_target_group" "internal-telemetry" {
+  name     = "internal-telemetry-8006"
+  port     = 8006
+  protocol = "TCP"
+  vpc_id   = aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 5
+    interval            = 30
+    port                = 8006
+    protocol            = "TCP"
+    unhealthy_threshold = 5
+  }
+}
+
+resource "aws_lb_target_group" "internal-admin-api" {
+  name     = "internal-admin-api-8001" # FIX
+  port     = 8001
+  protocol = "TCP"
+  vpc_id   = aws_vpc.vpc.id
+  health_check {
+    healthy_threshold   = 5
+    interval            = 30
+    port                = 8001
+    protocol            = "TCP"
+    unhealthy_threshold = 5
+  }
+}
+
+resource "aws_lb_listener" "cluster" {
+
+  load_balancer_arn = aws_lb.internal.arn
+  port              = 8005
+  protocol          = "TCP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.internal-cluster.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "telemetry" {
+
+  load_balancer_arn = aws_lb.internal.arn
+  port              = 8006
+  protocol          = "TCP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.internal-telemetry.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "internal-admin" {
+
+  load_balancer_arn = aws_lb.internal.arn
+  port              = 8001
+  protocol          = "TCP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.internal-admin-api.arn
+    type             = "forward"
+  }
+}