[Feature Request]: Terraform Module - “mcp-gateway-aws” supporting both EKS and ECS Fargate targets #273

@crivetimihai

Description

🧭 Epic

Title: Terraform Module – "mcp-gateway-aws"


Goal

Publish an official Terraform module (terraform-aws-mcpgateway) that lets operators spin up a production-ready MCP Gateway on AWS with one terraform apply.
The module must support both EKS and ECS Fargate targets, offer opinionated defaults, and remain 100 % optional, with no vendor lock-in for non-AWS users.

Registry target: registry.terraform.io/ibm-mcp-gateways/mcpgateway/aws


🧭 Type of Feature

  • Infrastructure-as-Code
  • Operator tooling

🛠 Module Features & Inputs

| Variable | Type / Default | Description |
|---|---|---|
| cluster_type | "eks" \| "ecs" \| "none" | EKS with managed node-groups or ECS Fargate. |
| gateway_version | string (default "latest") | Container tag to deploy. |
| replicas | number (default 2) | Desired replica count (ECS service or K8s Deployment). |
| db_engine | "aurora-postgresql" \| "rds-mysql" \| "sqlite" | Choose managed DB or in-pod SQLite. |
| enable_redis | bool (default true) | Provision ElastiCache Redis for rate-limiting & sessions. |
| custom_domain | string | Route 53 domain; provisions ACM & ALB HTTPS. |
| policy_bundle_s3_key | string (optional) | S3 path to Rego bundle for Policy-as-Code engine. |
| observability | object | Toggles and config for CloudWatch / Grafana Cloud / self-host Loki. |
| tags | map(string) | Resource tags. |

Outputs: ALB URL, API Gateway ID (if using ALB+WAF), RDS endpoint, IAM Role ARNs.
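One way to turn the inputs table into a `variables.tf`, added here as an illustration and not code from the mcpgateway project: each enumerated input gets a `validation` block so a mistyped `cluster_type` or `db_engine` fails at plan time rather than halfway through an apply. The regexes, the `observability` sub-fields and their defaults are assumptions; the variable names, types and defaults follow the table.

```hcl
# Added example (not the project's code): variables.tf for the proposed module.
# Names/types/defaults follow the inputs table; validation rules, regexes and
# the observability object's fields are assumptions.

variable "cluster_type" {
  description = "EKS with managed node-groups, ECS Fargate, or none."
  type        = string
  validation {
    condition     = contains(["eks", "ecs", "none"], var.cluster_type)
    error_message = "cluster_type must be \"eks\", \"ecs\" or \"none\"."
  }
}

variable "gateway_version" {
  description = "Container tag to deploy."
  type        = string
  default     = "latest"
  validation {
    # OCI tag grammar: [A-Za-z0-9_] followed by up to 127 of [A-Za-z0-9_.-].
    condition     = can(regex("^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$", var.gateway_version))
    error_message = "gateway_version must be a valid image tag."
  }
}

variable "replicas" {
  description = "Desired replica count (ECS service or K8s Deployment)."
  type        = number
  default     = 2
  validation {
    condition     = var.replicas >= 1 && floor(var.replicas) == var.replicas
    error_message = "replicas must be a whole number >= 1."
  }
}

variable "db_engine" {
  description = "Managed DB engine, or sqlite for an in-pod database."
  type        = string
  validation {
    condition     = contains(["aurora-postgresql", "rds-mysql", "sqlite"], var.db_engine)
    error_message = "db_engine must be aurora-postgresql, rds-mysql or sqlite."
  }
}

variable "enable_redis" {
  description = "Provision ElastiCache Redis for rate-limiting and sessions."
  type        = bool
  default     = true
}

variable "custom_domain" {
  description = "Route 53 domain; provisions ACM and the ALB HTTPS listener."
  type        = string
  validation {
    # Lower-case FQDN made of DNS labels; no wildcard, no trailing dot.
    condition     = can(regex("^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,63}$", var.custom_domain))
    error_message = "custom_domain must be a fully qualified DNS name, e.g. api.demo.example.com."
  }
}

variable "policy_bundle_s3_key" {
  description = "Optional <bucket>/<key> of the Rego bundle; null disables the fetch."
  type        = string
  default     = null
  validation {
    # can() returns false for the null case, so the == null test must come first.
    condition     = var.policy_bundle_s3_key == null || can(regex("^[^/]+/.+$", var.policy_bundle_s3_key))
    error_message = "policy_bundle_s3_key must be in the form <bucket>/<key>."
  }
}

variable "observability" {
  description = "Toggles and config for CloudWatch / Grafana Cloud / self-hosted Loki."
  type = object({
    cloudwatch_enabled = optional(bool, true)   # assumed field
    log_retention_days = optional(number, 30)   # assumed field
    grafana_cloud_url  = optional(string)       # assumed field
    loki_url           = optional(string)       # assumed field
  })
  default = {}
}

variable "tags" {
  description = "Resource tags."
  type        = map(string)
  default     = {}
}
```

`optional()` object attributes with defaults need Terraform 1.3 or later, which the checklist's Terraform ≥ 1.6 floor already covers. Keeping `gateway_version` at the table's `"latest"` default preserves the spec; an operator who wants reproducible rollouts would pin a tag (or digest) in the example modules.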


🙋‍♂️ User Stories & Acceptance Criteria

Story 1 – Minimal EKS Deploy

Scenario: Spin up Gateway on EKS with defaults
Given AWS credentials are configured
When I write:
  module "gateway" {
    source        = "ibm-mcp-gateways/mcpgateway/aws"
    cluster_type  = "eks"
    custom_domain = "api.demo.example.com"
    tags          = { env = "demo", team = "platform" }
  }
And run "terraform apply"
Then an HTTPS ALB is reachable at https://api.demo.example.com/health
And GET /version returns the deployed gateway_version

Story 2 – ECS Fargate with Aurora & Redis

Scenario: ECS + Aurora
Given I set cluster_type="ecs" db_engine="aurora-postgresql"
When apply completes
Then an Aurora cluster is Healthy
And ECS Service task logs show "Connected to DB ✔"

Story 3 – Policy Bundle from S3

Scenario: Attach Rego bundle
Given S3 object s3://mybucket/policies/bundle.tar.gz exists
And I set policy_bundle_s3_key="mybucket/policies/bundle.tar.gz"
When tasks start
Then gateway logs "Loaded policy bundle (v1)" within 60 s
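The IAM side of Story 3 that a practitioner would want next to it, added here as an example and not the project's code: the gateway's runtime role is allowed to read exactly the bundle object named by `policy_bundle_s3_key`, nothing wider. It assumes `policy_bundle_s3_key` has the `<bucket>/<key>` shape used above (so `mybucket/policies/bundle.tar.gz` splits into bucket `mybucket` and key `policies/bundle.tar.gz`) and that `aws_iam_role.gateway_task` is the ECS task role or IRSA role the gateway runs as.

```hcl
# Added example (not the project's code): least-privilege read grant for the
# Rego bundle. Assumptions: var.policy_bundle_s3_key is "<bucket>/<key>" or
# null, and aws_iam_role.gateway_task is the role the gateway containers use.

data "aws_caller_identity" "current" {}

locals {
  bundle_enabled = var.policy_bundle_s3_key != null
  # regex() with two capture groups returns a list: [bucket, key].
  bundle_parts  = local.bundle_enabled ? regex("^([^/]+)/(.+)$", var.policy_bundle_s3_key) : ["", ""]
  bundle_bucket = local.bundle_parts[0]
  bundle_key    = local.bundle_parts[1]
}

data "aws_iam_policy_document" "bundle_read" {
  count = local.bundle_enabled ? 1 : 0

  statement {
    sid       = "ReadPolicyBundle"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:GetObjectVersion"]
    # One object ARN, no prefix wildcard: the role cannot read sibling objects.
    resources = ["arn:aws:s3:::${local.bundle_bucket}/${local.bundle_key}"]

    # Only honour the grant when the bucket belongs to this account, so a
    # same-named bucket elsewhere cannot feed the gateway a foreign bundle.
    condition {
      test     = "StringEquals"
      variable = "s3:ResourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Inline policy on the runtime role; created only when a bundle is configured.
resource "aws_iam_role_policy" "bundle_read" {
  count  = local.bundle_enabled ? 1 : 0
  name   = "mcpgateway-policy-bundle-read"
  role   = aws_iam_role.gateway_task.id
  policy = data.aws_iam_policy_document.bundle_read[0].json
}
```

`s3:ListBucket` is deliberately absent: `GetObject` on a known key does not need it, and without it a missing bundle surfaces as 403 rather than 404, which is a reasonable trade for a narrower grant. If the bundle is published from a separate tooling account, replace the `s3:ResourceAccount` value with that account id instead of dropping the condition.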

Story 4 – Teardown Leaves VPC Intact (optional flag)

Scenario: Preserve existing VPC
Given variable create_vpc=false
When apply then destroy
Then my pre-existing VPC vpc-123 remains
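How the `create_vpc` switch from Story 4 can be wired so that `terraform destroy` provably cannot touch an operator-supplied VPC, added here as an example rather than project code: when the flag is false the module only reads the VPC through a data source, which Terraform never deletes. The inputs `create_vpc`, `vpc_id` and `vpc_cidr` and the security-group resource are assumptions; `tags` is the module input from the table above.

```hcl
# Added example (not the project's code): conditional VPC creation for Story 4.
# Assumed inputs: var.create_vpc, var.vpc_id, var.vpc_cidr; var.tags as in the
# inputs table.

variable "create_vpc" {
  description = "Create a VPC for the gateway; set false to deploy into var.vpc_id."
  type        = bool
  default     = true
}

variable "vpc_id" {
  description = "Existing VPC to deploy into when create_vpc = false."
  type        = string
  default     = null
  validation {
    condition     = var.vpc_id == null || can(regex("^vpc-[0-9a-f]+$", var.vpc_id))
    error_message = "vpc_id must be an AWS VPC id such as vpc-0123456789abcdef0."
  }
}

variable "vpc_cidr" {
  description = "CIDR for the module-managed VPC (ignored when create_vpc = false)."
  type        = string
  default     = "10.0.0.0/16"
}

# Managed VPC, created only when asked for; destroy removes it.
resource "aws_vpc" "this" {
  count                = var.create_vpc ? 1 : 0
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = merge(var.tags, { Name = "mcpgateway" })
}

# Read-only handle on the pre-existing VPC; data sources are never destroyed.
data "aws_vpc" "existing" {
  count = var.create_vpc ? 0 : 1
  id    = var.vpc_id

  lifecycle {
    precondition {
      condition     = var.vpc_id != null
      error_message = "vpc_id is required when create_vpc = false."
    }
  }
}

locals {
  # one() maps each zero-or-one element list to a value or null; exactly one is set.
  vpc_id = coalesce(one(aws_vpc.this[*].id), one(data.aws_vpc.existing[*].id))
}

# Everything downstream (ALB, RDS subnet group, ...) keys off local.vpc_id.
resource "aws_security_group" "alb" {
  name        = "mcpgateway-alb"
  description = "HTTPS from the internet to the gateway ALB"
  vpc_id      = local.vpc_id
  tags        = var.tags

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

With `create_vpc = false`, `terraform state list` after apply shows `data.aws_vpc.existing[0]` but no `aws_vpc.this`, so the teardown in Story 4 can only remove the security group and the other module-owned resources while the operator's VPC is left as it was.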

πŸ“ Reference Architecture (PlantUML)

@startuml
skinparam componentStyle rectangle
package "AWS" {
  [ALB] --> [EKS Deployment] : 443
  [ALB] --> [ECS Service] : 443
  [EKS Deployment] --> [RDS/Aurora]
  [ECS Service] --> [RDS/Aurora]
  [EKS Deployment] --> [ElastiCache Redis]
  [ECS Service] --> [ElastiCache Redis]
}
note left of [ALB]
 Optionally fronted
 by AWS WAF
end note
@enduml

📂 Repository Layout

terraform-aws-mcpgateway/
├── main.tf
├── variables.tf
├── outputs.tf
├── versions.tf
├── modules/
│   ├── eks/
│   ├── ecs/
│   └── rds/
├── examples/
│   ├── eks_minimal/
│   └── ecs_full/
└── docs/
    ├── README.md
    ├── advanced.md
    └── architecture.puml

📋 Global Acceptance Checklist

  • terraform validate passes; tflint clean; checkov no high/critical.
  • Examples deploy cleanly in us-east-1; ALB /health returns 200.
  • Module published to Terraform Registry with docs & inputs table.
  • CI GitHub Action runs terraform init -backend=false && terraform validate on PRs.
  • README includes “Getting Started”, diagram PNG (rendered from PlantUML), and cost estimate table.
  • Supports Terraform ≥ 1.6 and AWS provider ≥ 5.0.
  • Rego bundle fetched from S3 if policy_bundle_s3_key set.
  • Optional CloudWatch LogGroup retention & metric alerts outputs.

🔄 Roll-Out Plan

  1. Phase 0: scaffold repo under terraform-aws-mcpgateway.
  2. Implement main.tf for ECS; add RDS sub-module.
  3. Port to EKS using managed node-groups.
  4. Write examples/ and CI validate workflow.
  5. Add Helm chart hook for observability side-cars (optional).
  6. Publish to Terraform Registry; tag v0.1.0.
  7. Record demo GIF + docs; link in main MCP Gateway README.

    Labels

  • devops: DevOps activities (containers, automation, deployment, makefiles, etc)
  • enhancement: New feature or request
  • triage: Issues / Features awaiting triage
