feat: Introduce cross-account provider configuration allowing Route53 records to be managed in a separate AWS account from the Kong deployment.

Author: rahul-infra

.pre-commit-config.yaml

@@ -20,6 +20,9 @@ repos:
           - '--args=--only=terraform_workspace_remote'
           - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+        files: ^examples/
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:

README.md

@@ -9,7 +9,7 @@ Terraform Module to setup Kong(OSS) in ECS with self managed EC2 instances.
 
 # Assumptions
 
-This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration.
+This setup assumes that the `ECS cluster` that has `Auto Scaling Group (ASG)` exist with the name `default`. If you are using different name, you can provide those in the variables section of your Terraform configuration.This module also have a provision that your hosted zone can be in same amazon account where your resources are going to create or in a different amazon account. So, if you are having hosted zone in a different account you need to pass IAM role ARN for cross-account Route53 access.
 
 ## Adding Parameters to AWS Systems Manager Parameter Store
 

examples/complete/.header.md

@@ -40,6 +40,10 @@ cpu_for_kong_task              = 512
 memory_for_kong_task           = 1024
 desired_count_for_kong_service = 2
 force_new_deployment           = true
+postgres_engine_version        = 16.3
+postgres_major_engine_version  = 16
+route53_assume_role_arn        = arn:aws:iam::aws-account-id:role/role-name
+region                         = us-east-1
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.

examples/complete/README.md

@@ -1,4 +1,28 @@
 <!-- BEGIN_TF_DOCS -->
+# Complete Example
+
+This example demonstrates a **production-ready Kong deployment** with all configurable options, including RDS settings, ECS task configuration, monitoring, and cross-account Route53 support.
+
+## Use Case
+
+Use this example when you need:
+- Full control over RDS database configuration (instance class, storage, backup retention, multi-AZ, etc.)
+- Custom ECS task settings (CPU, memory, logging)
+- Performance insights and monitoring
+- Production-grade setup with deletion protection and backups
+- Flexible Route53 DNS configuration (same-account or cross-account)
+
+## Key Features
+
+- Comprehensive RDS PostgreSQL configuration with performance insights
+- Multi-AZ deployment support for high availability
+- Customizable ECS task resources and logging
+- SSL/TLS configuration with custom SSL policies
+- Cross-account Route53 support via assume role
+- Production backup and maintenance windows
+
+## Usage
+
 ### Example Variable Values
 
 Here is an example of how to define the variable values in your `terraform.tfvars` file:

examples/complete/main.tf

@@ -1,6 +1,24 @@
+provider "aws" {
+  region = var.region
+}
+
+provider "aws" {
+  alias  = "cross_account_provider"
+  region = var.region
+  assume_role {
+    role_arn = var.route53_assume_role_arn
+  }
+}
+
+
 module "kong" {
   source = "../../"
 
+  providers = {
+    aws                        = aws
+    aws.cross_account_provider = aws.cross_account_provider
+  }
+
   vpc_id                  = var.vpc_id
   public_subnet_ids       = var.public_subnet_ids
   private_subnet_ids      = var.private_subnet_ids
@@ -30,4 +48,5 @@ module "kong" {
   force_new_deployment           = var.force_new_deployment
   postgres_engine_version        = var.postgres_engine_version
   postgres_major_engine_version  = var.postgres_major_engine_version
+  route53_assume_role_arn        = var.route53_assume_role_arn
 }

examples/complete/variables.tf

@@ -132,3 +132,13 @@ variable "postgres_major_engine_version" {
   description = "The major version of the Postgres engine"
   type        = number
 }
+
+variable "route53_assume_role_arn" {
+  description = "IAM role ARN for cross-account Route53 access."
+  type        = string
+}
+
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}

examples/complete/versions.tf

@@ -1,3 +1,10 @@
 terraform {
   required_version = ">= 1.13.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
 }

examples/cross-accout/.header.md

@@ -0,0 +1,15 @@
+### Example Variable Values
+
+Here is an example of how to define the variable values in your `terraform.tfvars` file:
+
+```hcl
+vpc_id                  = "vpc-12345678"
+public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
+private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
+kong_public_domain_name = "api.example.com"
+kong_admin_domain_name  = "admin-api.example.com"
+region                  = "us-east-1"
+route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id"
+```
+
+Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.

examples/cross-accout/README.md

@@ -0,0 +1,114 @@
+<!-- BEGIN_TF_DOCS -->
+# Cross-Account Example
+
+This example demonstrates Kong deployment with **Route53 hosted zone in a different AWS account** using cross-account IAM role assumption.
+
+## Use Case
+
+Use this example when:
+- Your Route53 hosted zone is managed in a separate AWS account (common in enterprise setups)
+- You have a centralized DNS management account
+- You need to manage DNS records across AWS accounts
+- You follow security best practices with separate accounts for different concerns
+
+## Key Features
+
+- Cross-account Route53 DNS record management
+- IAM role assumption for secure cross-account access
+- Separate provider configuration for DNS operations
+- Minimal configuration with module defaults for other resources
+- Secure cross-account permissions model
+
+## Provider Configuration
+
+This example uses two providers:
+1. **Default provider** - For Kong infrastructure (VPC, ECS, RDS, ALB)
+2. **Cross-account provider** - For Route53 DNS records in a different account
+
+```hcl
+provider "aws" {
+  alias  = "cross_account_provider"
+  region = var.region
+  assume_role {
+    role_arn = var.route53_assume_role_arn  # IAM role in DNS account
+  }
+}
+```
+
+## Prerequisites
+
+1. An IAM role must exist in the Route53 account that allows the Kong account to assume it
+2. The role should have permissions to manage Route53 records
+3. Example trust policy for the IAM role in the DNS account:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::KONG_ACCOUNT_ID:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+```
+
+## Usage
+
+### Example Variable Values
+
+Here is an example of how to define the variable values in your `terraform.tfvars` file:
+
+```hcl
+vpc_id                  = "vpc-12345678"
+public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
+private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
+kong_public_domain_name = "api.example.com"
+kong_admin_domain_name  = "admin-api.example.com"
+
+# Cross-account Route53 IAM role (in the DNS account)
+route53_assume_role_arn = "arn:aws:iam::DNS_ACCOUNT_ID:role/route53-cross-account-role"
+
+region         = "ap-south-1"
+cluster_name   = "default"
+```
+
+Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kong"></a> [kong](#module\_kong) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_kong_admin_domain_name"></a> [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes |
+| <a name="input_kong_public_domain_name"></a> [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes |
+| <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes |
+| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/cross-accout/main.tf

@@ -0,0 +1,31 @@
+provider "aws" {
+  region = var.region
+}
+
+provider "aws" {
+  alias  = "cross_account_provider"
+  region = var.region
+  assume_role {
+    role_arn = var.route53_assume_role_arn
+  }
+}
+
+
+module "kong" {
+  source = "../../"
+
+  providers = {
+    aws                        = aws
+    aws.cross_account_provider = aws.cross_account_provider
+  }
+
+  vpc_id                        = var.vpc_id
+  public_subnet_ids             = var.public_subnet_ids
+  private_subnet_ids            = var.private_subnet_ids
+  kong_public_domain_name       = var.kong_public_domain_name
+  kong_admin_domain_name        = var.kong_admin_domain_name
+  cluster_name                  = var.cluster_name
+  postgres_engine_version       = var.postgres_engine_version
+  postgres_major_engine_version = var.postgres_major_engine_version
+  route53_assume_role_arn       = var.route53_assume_role_arn
+}