add load balancers to hybrid and hybrid external db examples. Fix tes…

…ts to work without authentications, and wire terraform outputs up to inspec inputs (#18)
dwp · Feb 27, 2021 · 8c8db7e · 8c8db7e
1 parent fd28c68
commit 8c8db7e
Show file tree

Hide file tree

Showing 18 changed files with 401 additions and 55 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -20,4 +20,13 @@ suites:
         - name: default
           backend: local
           attrs:
-            - test/integration/attributes/default/attrs.yml
+            - test/integration/default/attrs.yml
+  - name: hybrid_external_database
+    driver:
+      root_module_directory: examples/hybrid_external_database
+    verifier:
+      systems:
+        - name: default
+          backend: local
+          attrs:
+            - test/integration/hybrid_external_database/attrs.yml
diff --git a/examples/hybrid/lb.tf b/examples/hybrid/lb.tf
@@ -0,0 +1,117 @@
+resource "aws_security_group" "external-lb" {
+  description = "Kong External Load Balancer"
+  name        = "externl-lb-sg"
+  vpc_id      = aws_vpc.vpc.id
+  tags        = var.tags
+}
+
+resource "aws_security_group_rule" "external-lb-ingress-proxy" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "ingress"
+  from_port = 8000
+  to_port   = 8000
+  protocol  = "tcp"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_security_group_rule" "external-lb-ingress-admin" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "ingress"
+  from_port = 8001
+  to_port   = 8001
+  protocol  = "tcp"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_security_group_rule" "external-lb-egress" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "egress"
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_lb" "external" {
+
+  name     = "external-lb"
+  internal = false
+  subnets  = local.public_subnet_ids
+
+  security_groups = [aws_security_group.external-lb.id]
+
+  idle_timeout = 60
+
+  tags = var.tags
+}
+
+resource "aws_lb_target_group" "external-proxy" {
+  name     = "expernal-proxy-8000"
+  port     = 8000
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.vpc.id
+
+  health_check {
+    healthy_threshold   = 5
+    interval            = 5
+    path                = "/status"
+    port                = 8000
+    timeout             = 3
+    unhealthy_threshold = 2
+  }
+}
+
+resource "aws_lb_target_group" "external-admin-api" {
+  name     = "external-admin-api-8000"
+  port     = 8001
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.vpc.id
+
+  health_check {
+    healthy_threshold   = 5
+    interval            = 5
+    path                = "/status"
+    port                = 8000
+    timeout             = 3
+    unhealthy_threshold = 2
+  }
+}
+
+locals {
+  target_groups = [
+    aws_lb_target_group.external-admin-api.arn,
+    aws_lb_target_group.external-proxy.arn
+  ]
+}
+
+resource "aws_lb_listener" "external-proxy" {
+
+  load_balancer_arn = aws_lb.external.arn
+  port              = 8000
+
+  default_action {
+    target_group_arn = aws_lb_target_group.external-proxy.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "admin" {
+
+  load_balancer_arn = aws_lb.external.arn
+  port              = 8001
+
+  default_action {
+    target_group_arn = aws_lb_target_group.external-admin-api.arn
+    type             = "forward"
+  }
+}
+
diff --git a/examples/hybrid/main.tf b/examples/hybrid/main.tf
@@ -32,19 +32,40 @@ resource "aws_eip" "nat_eip" {
   depends_on = [aws_internet_gateway.ig]
 }
 
-resource "aws_subnet" "public_subnet" {
+resource "aws_subnet" "public_subnets" {
+  count                   = length(module.create_kong_asg.private_subnet_azs)
   vpc_id                  = aws_vpc.vpc.id
-  cidr_block              = "10.0.5.0/24"
-  availability_zone       = "${var.region}c"
+  cidr_block              = "10.0.${4 + count.index}.0/24"
+  availability_zone       = module.create_kong_asg.private_subnet_azs[count.index]
   map_public_ip_on_launch = true
 }
 
+locals {
+  public_subnet_ids = aws_subnet.public_subnets.*.id
+}
+
 resource "aws_nat_gateway" "nat" {
   allocation_id = aws_eip.nat_eip.id
-  subnet_id     = aws_subnet.public_subnet.id
+  subnet_id     = aws_subnet.public_subnets.0.id
   depends_on    = [aws_internet_gateway.ig]
 }
 
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.vpc.id
+}
+
+resource "aws_route" "public_internet_gateway" {
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.ig.id
+}
+
+resource "aws_route_table_association" "public" {
+  count          = length(local.public_subnet_ids)
+  subnet_id      = element(local.public_subnet_ids, count.index)
+  route_table_id = aws_route_table.public.id
+}
+
 module "create_kong_asg" {
   source                    = "../../"
   vpc_id                    = aws_vpc.vpc.id
@@ -69,38 +90,21 @@ module "create_kong_asg" {
     password = var.kong_database_password
   }
 
-  tags = var.tags
-}
+  target_group_arns = local.target_groups
 
-output "database" {
-  value = module.create_kong_asg.database
+  tags = var.tags
 }
 
 resource "aws_route_table" "private" {
   vpc_id = aws_vpc.vpc.id
 }
 
-resource "aws_route_table" "public" {
-  vpc_id = aws_vpc.vpc.id
-}
-
-resource "aws_route" "public_internet_gateway" {
-  route_table_id         = aws_route_table.public.id
-  destination_cidr_block = "0.0.0.0/0"
-  gateway_id             = aws_internet_gateway.ig.id
-}
-
 resource "aws_route" "private_nat_gateway" {
   route_table_id         = aws_route_table.private.id
   destination_cidr_block = "0.0.0.0/0"
   nat_gateway_id         = aws_nat_gateway.nat.id
 }
 
-resource "aws_route_table_association" "public" {
-  subnet_id      = aws_subnet.public_subnet.id
-  route_table_id = aws_route_table.public.id
-}
-
 resource "aws_route_table_association" "private" {
   count          = length(module.create_kong_asg.private_subnet_ids)
   subnet_id      = element(module.create_kong_asg.private_subnet_ids, count.index)

diff --git a/examples/hybrid/outputs.tf b/examples/hybrid/outputs.tf
@@ -0,0 +1,12 @@
+locals {
+  proxy     = "http://${aws_lb.external.dns_name}:8000"
+  admin_api = "http://${aws_lb.external.dns_name}:8001"
+}
+
+output "kong-proxy-endpoint" {
+  value = local.proxy
+}
+
+output "kong-api-endpoint" {
+  value = local.admin_api
+}
diff --git a/examples/hybrid/variables.tf b/examples/hybrid/variables.tf
@@ -73,6 +73,8 @@ variable "postgres_master_user" {
   default     = "root"
 }
 
+variable "external_cidr_blocks" { default = ["0.0.0.0/0"] }
+
 variable "tags" {
   default = {
     "Dept" = "Testing",

diff --git a/examples/hybrid_external_database/lb.tf b/examples/hybrid_external_database/lb.tf
@@ -0,0 +1,117 @@
+resource "aws_security_group" "external-lb" {
+  description = "Kong External Load Balancer"
+  name        = "externl-lb-sg"
+  vpc_id      = aws_vpc.vpc.id
+  tags        = var.tags
+}
+
+resource "aws_security_group_rule" "external-lb-ingress-proxy" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "ingress"
+  from_port = 8000
+  to_port   = 8000
+  protocol  = "tcp"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_security_group_rule" "external-lb-ingress-admin" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "ingress"
+  from_port = 8001
+  to_port   = 8001
+  protocol  = "tcp"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_security_group_rule" "external-lb-egress" {
+  security_group_id = aws_security_group.external-lb.id
+
+  type      = "egress"
+  from_port = 0
+  to_port   = 0
+  protocol  = "-1"
+
+  cidr_blocks = var.external_cidr_blocks
+
+}
+
+resource "aws_lb" "external" {
+
+  name     = "external-lb"
+  internal = false
+  subnets  = local.public_subnet_ids
+
+  security_groups = [aws_security_group.external-lb.id]
+
+  idle_timeout = 60
+
+  tags = var.tags
+}
+
+resource "aws_lb_target_group" "external-proxy" {
+  name     = "expernal-proxy-8000"
+  port     = 8000
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.vpc.id
+
+  health_check {
+    healthy_threshold   = 5
+    interval            = 5
+    path                = "/status"
+    port                = 8000
+    timeout             = 3
+    unhealthy_threshold = 2
+  }
+}
+
+resource "aws_lb_target_group" "external-admin-api" {
+  name     = "external-admin-api-8000"
+  port     = 8001
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.vpc.id
+
+  health_check {
+    healthy_threshold   = 5
+    interval            = 5
+    path                = "/status"
+    port                = 8000
+    timeout             = 3
+    unhealthy_threshold = 2
+  }
+}
+
+locals {
+  target_groups = [
+    aws_lb_target_group.external-admin-api.arn,
+    aws_lb_target_group.external-proxy.arn
+  ]
+}
+
+resource "aws_lb_listener" "external-proxy" {
+
+  load_balancer_arn = aws_lb.external.arn
+  port              = 8000
+
+  default_action {
+    target_group_arn = aws_lb_target_group.external-proxy.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "admin" {
+
+  load_balancer_arn = aws_lb.external.arn
+  port              = 8001
+
+  default_action {
+    target_group_arn = aws_lb_target_group.external-admin-api.arn
+    type             = "forward"
+  }
+}
+