Merge branch 'rahul/provision-for-crossaccount' of https://github.com/infraspecdev/terraform-aws-kong into rahul/provision-for-crossaccount

rahul-infra · rahul-infra · commit 7543256ca2fa · 2025-11-28T18:18:47.000+05:30
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ Terraform Module to setup Kong(OSS) in ECS with self managed EC2 instances.
 
 # Assumptions
 
-This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration.This module also have a provision that your hosted zone can be in same amazon account where your resources are going to create or in a different amazon account. So, if you are having hosted zone in a different account you need to pass IAM role ARN for cross-account Route53 access.
+This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration.
 
 ## Adding Parameters to AWS Systems Manager Parameter Store
 
@@ -29,24 +29,26 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | ~> 4.3.4 |
+| <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | 4.3.6 |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | infraspecdev/ecs-deployment/aws//modules/alb | ~> 4.3.4 |
 | <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_kong_internal_dns_record"></a> [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_internal_dns_record_same_account"></a> [kong\_internal\_dns\_record\_same\_account](#module\_kong\_internal\_dns\_record\_same\_account) | ./modules/route-53-record | n/a |
 | <a name="module_kong_public_dns_record"></a> [kong\_public\_dns\_record](#module\_kong\_public\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_public_dns_record_same_account"></a> [kong\_public\_dns\_record\_same\_account](#module\_kong\_public\_dns\_record\_same\_account) | ./modules/route-53-record | n/a |
 | <a name="module_kong_rds"></a> [kong\_rds](#module\_kong\_rds) | terraform-aws-modules/rds/aws | ~> 6.13.0 |
 | <a name="module_postgres_security_group"></a> [postgres\_security\_group](#module\_postgres\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_public_alb_security_group"></a> [public\_alb\_security\_group](#module\_public\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
@@ -92,6 +94,7 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs for public-facing load balancers | `list(string)` | n/a | yes |
 | <a name="input_rds_db_tags"></a> [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | `{}` | no |
 | <a name="input_rds_instance_class"></a> [rds\_instance\_class](#input\_rds\_instance\_class) | The RDS instance class for Kong database (e.g., db.t3.micro, db.r5.large) | `string` | `"db.t3.micro"` | no |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | ARN of the IAM role to assume in the hosted-zone account (should be null for same-account). | `string` | `null` | no |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | Name of the SSL Policy for the listener. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC where Kong infrastructure will be deployed | `string` | n/a | yes |
 
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -1,28 +1,4 @@
 <!-- BEGIN_TF_DOCS -->
-# Complete Example
-
-This example demonstrates a **production-ready Kong deployment** with all configurable options, including RDS settings, ECS task configuration, monitoring, and cross-account Route53 support.
-
-## Use Case
-
-Use this example when you need:
-- Full control over RDS database configuration (instance class, storage, backup retention, multi-AZ, etc.)
-- Custom ECS task settings (CPU, memory, logging)
-- Performance insights and monitoring
-- Production-grade setup with deletion protection and backups
-- Flexible Route53 DNS configuration (same-account or cross-account)
-
-## Key Features
-
-- Comprehensive RDS PostgreSQL configuration with performance insights
-- Multi-AZ deployment support for high availability
-- Customizable ECS task resources and logging
-- SSL/TLS configuration with custom SSL policies
-- Cross-account Route53 support via assume role
-- Production backup and maintenance windows
-
-## Usage
-
 ### Example Variable Values
 
 Here is an example of how to define the variable values in your `terraform.tfvars` file:
@@ -65,6 +41,10 @@ cpu_for_kong_task              = 512
 memory_for_kong_task           = 1024
 desired_count_for_kong_service = 2
 force_new_deployment           = true
+postgres_engine_version        = 16.3
+postgres_major_engine_version  = 16
+route53_assume_role_arn        = arn:aws:iam::aws-account-id:role/role-name
+region                         = us-east-1
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
@@ -74,6 +54,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
@@ -118,6 +99,8 @@ No resources.
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
 | <a name="input_rds_db_tags"></a> [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | n/a | yes |
 | <a name="input_rds_instance_class"></a> [rds\_instance\_class](#input\_rds\_instance\_class) | The instance class to use | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region | `string` | n/a | yes |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | IAM role ARN for cross-account Route53 access. | `string` | n/a | yes |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | (Optional) Name of the SSL Policy for the listener. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
 
diff --git a/examples/cross-accout/README.md b/examples/cross-accout/README.md
@@ -1,63 +1,4 @@
 <!-- BEGIN_TF_DOCS -->
-# Cross-Account Example
-
-This example demonstrates Kong deployment with **Route53 hosted zone in a different AWS account** using cross-account IAM role assumption.
-
-## Use Case
-
-Use this example when:
-- Your Route53 hosted zone is managed in a separate AWS account (common in enterprise setups)
-- You have a centralized DNS management account
-- You need to manage DNS records across AWS accounts
-- You follow security best practices with separate accounts for different concerns
-
-## Key Features
-
-- Cross-account Route53 DNS record management
-- IAM role assumption for secure cross-account access
-- Separate provider configuration for DNS operations
-- Minimal configuration with module defaults for other resources
-- Secure cross-account permissions model
-
-## Provider Configuration
-
-This example uses two providers:
-1. **Default provider** - For Kong infrastructure (VPC, ECS, RDS, ALB)
-2. **Cross-account provider** - For Route53 DNS records in a different account
-
-```hcl
-provider "aws" {
-  alias  = "cross_account_provider"
-  region = var.region
-  assume_role {
-    role_arn = var.route53_assume_role_arn  # IAM role in DNS account
-  }
-}
-```
-
-## Prerequisites
-
-1. An IAM role must exist in the Route53 account that allows the Kong account to assume it
-2. The role should have permissions to manage Route53 records
-3. Example trust policy for the IAM role in the DNS account:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::KONG_ACCOUNT_ID:root"
-      },
-      "Action": "sts:AssumeRole"
-    }
-  ]
-}
-```
-
-## Usage
-
 ### Example Variable Values
 
 Here is an example of how to define the variable values in your `terraform.tfvars` file:
@@ -68,12 +9,8 @@ public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
 private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
 kong_public_domain_name = "api.example.com"
 kong_admin_domain_name  = "admin-api.example.com"
-
-# Cross-account Route53 IAM role (in the DNS account)
-route53_assume_role_arn = "arn:aws:iam::DNS_ACCOUNT_ID:role/route53-cross-account-role"
-
-region         = "ap-south-1"
-cluster_name   = "default"
+region                  = "us-east-1"
+route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id"
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
@@ -83,6 +20,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
@@ -102,10 +40,15 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
 | <a name="input_kong_admin_domain_name"></a> [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes |
 | <a name="input_kong_public_domain_name"></a> [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes |
+| <a name="input_postgres_engine_version"></a> [postgres\_engine\_version](#input\_postgres\_engine\_version) | The version of the Postgres engine | `number` | n/a | yes |
+| <a name="input_postgres_major_engine_version"></a> [postgres\_major\_engine\_version](#input\_postgres\_major\_engine\_version) | The major version of the Postgres engine | `number` | n/a | yes |
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes |
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region | `string` | n/a | yes |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | The ARN of the DNS role | `string` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
 
 ## Outputs
diff --git a/examples/same-account/README.md b/examples/same-account/README.md
@@ -1,37 +1,4 @@
 <!-- BEGIN_TF_DOCS -->
-# Same Account Example
-
-This example demonstrates a **minimal Kong deployment** where all AWS resources, including the Route53 hosted zone, are in the **same AWS account**.
-
-## Use Case
-
-Use this example when:
-- Your Route53 hosted zone is in the same AWS account as your Kong infrastructure
-- You want a simple deployment without cross-account complexity
-- You're setting up development, staging, or testing environments
-- You need minimal configuration with sensible defaults
-
-## Key Features
-
-- Single AWS account setup (no cross-account assume role required)
-- Minimal required variables (VPC, subnets, domain names)
-- Uses module defaults for RDS and ECS configuration
-- Simplified provider configuration
-- Quick setup for non-production environments
-
-## Provider Configuration
-
-Note that `cross_account_provider` points to the same default AWS provider:
-
-```hcl
-providers = {
-  aws                        = aws
-  aws.cross_account_provider = aws  # Same account
-}
-```
-
-## Usage
-
 ### Example Variable Values
 
 Here is an example of how to define the variable values in your `terraform.tfvars` file:
@@ -42,12 +9,7 @@ public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
 private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
 kong_public_domain_name = "api.example.com"
 kong_admin_domain_name  = "admin-api.example.com"
-
-# Same-account setup - no cross-account role needed
-route53_assume_role_arn = null
-
-region       = "ap-south-1"
-cluster_name = "default"
+region                  = "us-east-1"
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
@@ -57,6 +19,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
@@ -76,10 +39,15 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
 | <a name="input_kong_admin_domain_name"></a> [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes |
 | <a name="input_kong_public_domain_name"></a> [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes |
+| <a name="input_postgres_engine_version"></a> [postgres\_engine\_version](#input\_postgres\_engine\_version) | The version of the Postgres engine | `number` | n/a | yes |
+| <a name="input_postgres_major_engine_version"></a> [postgres\_major\_engine\_version](#input\_postgres\_major\_engine\_version) | The major version of the Postgres engine | `number` | n/a | yes |
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes |
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region | `string` | n/a | yes |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | The ARN of the DNS role | `string` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
 
 ## Outputs
