Merge pull request #89 from worldcoin/feat/add-gateway-api-support

INFRA-6062: Add Gateway API support

Author: marcin-janas

datasources.tf

@@ -3,7 +3,13 @@ data "aws_vpc" "cluster_vpc" {
   id = var.vpc_config.vpc_id
 }
 
+data "cloudflare_ip_ranges" "cloudflare" {}
+
 locals {
+  effective_external_cert_arn = var.external_cert_arn != null ? var.external_cert_arn : var.traefik_cert_arn
+  effective_internal_cert_arn = var.internal_cert_arn != "" ? var.internal_cert_arn : (var.internal_nlb_acm_arn != "" ? var.internal_nlb_acm_arn : local.effective_external_cert_arn)
+  effective_nlb_service_ports = length(var.internal_nlb_service_ports) > 0 ? var.internal_nlb_service_ports : var.traefik_nlb_service_ports
+
   al2023_standard_ami = {
     amd64 = format("/aws/service/eks/optimized-ami/%s/amazon-linux-2023/x86_64/standard/recommended/image_id", var.cluster_version)
     arm64 = format("/aws/service/eks/optimized-ami/%s/amazon-linux-2023/arm64/standard/recommended/image_id", var.cluster_version)

kubernetes-gw-ext-alb.tf

@@ -0,0 +1,45 @@
+locals {
+  gateway_api_external_alb_name = "gw-ext-alb"
+
+  # Default is [] — the ALB module manages frontend SG ingress internally
+  # using open_to_all (Cloudflare IPs or 0.0.0.0/0). backend_ingress_rules
+  # only adds extra rules to the backend SG which has no ingress by default.
+  gateway_api_external_alb_sg_rules = var.gateway_api_external_alb_sg_rules != null ? var.gateway_api_external_alb_sg_rules : []
+}
+
+module "gateway_api_external_alb" {
+  source   = "git@github.com:worldcoin/terraform-aws-alb.git?ref=v1.4.2"
+  for_each = var.gateway_api_external_enabled ? toset([local.gateway_api_external_alb_name]) : []
+
+  name_suffix  = each.key
+  cluster_name = local.gateway_api_lb_name_prefix
+  tag_prefix   = "gateway.k8s.aws.alb"
+  tag_stack    = format("kube-system/%s", each.key)
+
+  tls_listener_version = var.external_tls_listener_version
+
+  internal    = false
+  application = each.key
+  namespace   = "kube-system"
+
+  create_default_listener = false
+
+  acm_arn        = local.effective_external_cert_arn
+  vpc_id         = var.vpc_config.vpc_id
+  public_subnets = var.vpc_config.public_subnets
+  open_to_all    = var.open_to_all
+
+  s3_logs_bucket_id = var.alb_logs_bucket_id
+  idle_timeout      = var.alb_idle_timeout
+
+  additional_open_ports      = var.additional_open_ports
+  drop_invalid_header_fields = var.drop_invalid_header_fields
+  backend_ingress_rules      = local.gateway_api_external_alb_sg_rules
+
+  mtls_enabled   = var.open_to_all ? false : var.mtls_enabled
+  mtls_s3_bucket = format("wld-mtls-ca-%s", var.region)
+
+  datadog = {
+    monitoring_notification_channel = var.monitoring_notification_channel
+  }
+}

kubernetes-gw-ext-nlb.tf

@@ -0,0 +1,50 @@
+locals {
+  gateway_api_external_nlb_name = "gw-ext-nlb"
+
+  gateway_api_external_nlb_default_sg_rules = [
+    {
+      description = "allow http from Cloudflare"
+      port        = 80
+      cidr_blocks = data.cloudflare_ip_ranges.cloudflare.ipv4_cidrs
+    },
+    {
+      description      = "allow http from Cloudflare (IPv6)"
+      port             = 80
+      ipv6_cidr_blocks = data.cloudflare_ip_ranges.cloudflare.ipv6_cidrs
+    },
+    {
+      description = "allow https from Cloudflare"
+      port        = 443
+      cidr_blocks = data.cloudflare_ip_ranges.cloudflare.ipv4_cidrs
+    },
+    {
+      description      = "allow https from Cloudflare (IPv6)"
+      port             = 443
+      ipv6_cidr_blocks = data.cloudflare_ip_ranges.cloudflare.ipv6_cidrs
+    },
+  ]
+}
+
+module "gateway_api_external_nlb" {
+  source = "git@github.com:worldcoin/terraform-aws-nlb.git?ref=v1.3.0"
+
+  for_each = var.gateway_api_external_enabled ? toset([local.gateway_api_external_nlb_name]) : []
+
+  name_suffix  = each.key
+  cluster_name = local.gateway_api_lb_name_prefix
+  tag_prefix   = "gateway.k8s.aws.nlb"
+  tag_stack    = format("kube-system/%s", each.key)
+
+  tls_listener_version = var.external_tls_listener_version
+
+  internal    = false
+  application = each.key
+
+  create_default_listeners = false
+
+  acm_arn        = local.effective_external_cert_arn
+  vpc_id         = var.vpc_config.vpc_id
+  public_subnets = var.vpc_config.public_subnets
+
+  ingress_sg_rules = var.gateway_api_external_nlb_sg_rules != null ? var.gateway_api_external_nlb_sg_rules : local.gateway_api_external_nlb_default_sg_rules
+}

kubernetes-gw-int-alb.tf

@@ -0,0 +1,56 @@
+locals {
+  gateway_api_internal_alb_name = "gw-int-alb"
+
+  gateway_api_internal_alb_sg_rules = var.gateway_api_internal_alb_sg_rules != null ? var.gateway_api_internal_alb_sg_rules : concat(
+    [
+      {
+        description = "Allow HTTPS from VPC"
+        port        = 443
+        cidr_blocks = [data.aws_vpc.cluster_vpc.cidr_block]
+      },
+    ],
+    data.aws_vpc.cluster_vpc.ipv6_cidr_block != "" ? [
+      {
+        description      = "Allow HTTPS from VPC (IPv6)"
+        port             = 443
+        ipv6_cidr_blocks = [data.aws_vpc.cluster_vpc.ipv6_cidr_block]
+      },
+    ] : []
+  )
+}
+
+module "gateway_api_internal_alb" {
+  source   = "git@github.com:worldcoin/terraform-aws-alb.git?ref=v1.4.2"
+  for_each = var.gateway_api_internal_enabled ? toset([local.gateway_api_internal_alb_name]) : []
+
+  name_suffix  = each.key
+  cluster_name = local.gateway_api_lb_name_prefix
+  tag_prefix   = "gateway.k8s.aws.alb"
+  tag_stack    = format("kube-system/%s", each.key)
+
+  tls_listener_version = var.internal_tls_listener_version
+
+  internal    = true
+  application = each.key
+  namespace   = "kube-system"
+
+  create_default_listener = false
+
+  acm_arn        = local.effective_internal_cert_arn
+  vpc_id         = var.vpc_config.vpc_id
+  public_subnets = var.use_private_subnets_for_internal_nlb ? [] : var.vpc_config.public_subnets
+
+  backend_ingress_rules = local.gateway_api_internal_alb_sg_rules
+
+  s3_logs_bucket_id = var.alb_logs_bucket_id
+  idle_timeout      = var.alb_idle_timeout
+
+  drop_invalid_header_fields = var.drop_invalid_header_fields
+
+  # mTLS on the internal ALB should be disabled because we want to allow traffic within the VPC
+  mtls_enabled = false
+
+  datadog = {
+    monitoring_notification_channel = var.monitoring_notification_channel
+  }
+}

kubernetes-gw-int-nlb.tf

@@ -0,0 +1,55 @@
+locals {
+  gateway_api_internal_nlb_name = "gw-int-nlb"
+
+  gateway_api_internal_nlb_sg_rules = var.gateway_api_internal_nlb_sg_rules != null ? var.gateway_api_internal_nlb_sg_rules : concat(
+    [
+      {
+        description = "allow http from VPC"
+        port        = 80
+        cidr_blocks = [data.aws_vpc.cluster_vpc.cidr_block]
+      },
+      {
+        description = "allow https from VPC"
+        port        = 443
+        cidr_blocks = [data.aws_vpc.cluster_vpc.cidr_block]
+      },
+    ],
+    data.aws_vpc.cluster_vpc.ipv6_cidr_block != "" ? [
+      {
+        description      = "allow http from VPC (IPv6)"
+        port             = 80
+        ipv6_cidr_blocks = [data.aws_vpc.cluster_vpc.ipv6_cidr_block]
+      },
+      {
+        description      = "allow https from VPC (IPv6)"
+        port             = 443
+        ipv6_cidr_blocks = [data.aws_vpc.cluster_vpc.ipv6_cidr_block]
+      },
+    ] : []
+  )
+}
+
+module "gateway_api_internal_nlb" {
+  source = "git@github.com:worldcoin/terraform-aws-nlb.git?ref=v1.3.0"
+
+  for_each = var.gateway_api_internal_enabled ? toset([local.gateway_api_internal_nlb_name]) : []
+
+  name_suffix  = each.key
+  cluster_name = local.gateway_api_lb_name_prefix
+  tag_prefix   = "gateway.k8s.aws.nlb"
+  tag_stack    = format("kube-system/%s", each.key)
+
+  tls_listener_version = var.internal_tls_listener_version
+
+  internal    = true
+  application = each.key
+
+  create_default_listeners = false
+
+  acm_arn         = local.effective_internal_cert_arn
+  vpc_id          = var.vpc_config.vpc_id
+  public_subnets  = var.use_private_subnets_for_internal_nlb ? [] : var.vpc_config.public_subnets
+  private_subnets = var.use_private_subnets_for_internal_nlb ? var.vpc_config.private_subnets : []
+
+  ingress_sg_rules = local.gateway_api_internal_nlb_sg_rules
+}

kubernetes-traefik-external.tf

@@ -54,7 +54,7 @@ resource "kubernetes_ingress_v1" "treafik_ingress" {
 
     annotations = {
       "alb.ingress.kubernetes.io/scheme"                              = "internet-facing"
-      "alb.ingress.kubernetes.io/certificate-arn"                     = length(var.acm_extra_arns) != 0 ? join(",", var.acm_extra_arns, [var.traefik_cert_arn]) : var.traefik_cert_arn
+      "alb.ingress.kubernetes.io/certificate-arn"                     = length(var.acm_extra_arns) != 0 ? join(",", var.acm_extra_arns, [local.effective_external_cert_arn]) : local.effective_external_cert_arn
       "alb.ingress.kubernetes.io/group.name"                          = format("%s.%s", each.key, each.key)
       "alb.ingress.kubernetes.io/listen-ports"                        = "[{\"HTTPS\": 443}]"
       "alb.ingress.kubernetes.io/security-groups"                     = join(",", [for type, id in module.alb[each.key].sg_ids : id if id != null])
@@ -93,7 +93,7 @@ resource "kubernetes_ingress_v1" "treafik_ingress" {
 }
 
 module "alb" {
-  source   = "git@github.com:worldcoin/terraform-aws-alb.git?ref=v1.4.1"
+  source   = "git@github.com:worldcoin/terraform-aws-alb.git?ref=v1.4.2"
   for_each = var.external_alb_enabled ? toset([local.external_alb_name]) : []
 
   # because of lenght limitation of LB name we need to remove prefix treafik from internal NLB
@@ -106,7 +106,7 @@ module "alb" {
   application = each.key
   namespace   = each.key
 
-  acm_arn        = var.traefik_cert_arn
+  acm_arn        = local.effective_external_cert_arn
   vpc_id         = var.vpc_config.vpc_id
   public_subnets = var.vpc_config.public_subnets
   open_to_all    = var.open_to_all

kubernetes-traefik-internal.tf

@@ -15,7 +15,7 @@ resource "kubernetes_service_v1" "traefik_nlb" {
       "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled"   = "true"
       "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"                     = "ip"
       "service.beta.kubernetes.io/aws-load-balancer-scheme"                              = "internal"
-      "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"                            = var.internal_nlb_acm_arn != "" ? var.internal_nlb_acm_arn : var.traefik_cert_arn
+      "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"                            = local.effective_internal_cert_arn
       "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"                           = "443"
       "service.beta.kubernetes.io/aws-load-balancer-type"                                = "external"
       "service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy"              = module.nlb[each.key].ssl_policy
@@ -48,7 +48,7 @@ resource "kubernetes_service_v1" "traefik_nlb" {
     }
 
     dynamic "port" {
-      for_each = var.traefik_nlb_service_ports
+      for_each = local.effective_nlb_service_ports
 
       content {
         name        = port.value["name"]
@@ -83,7 +83,7 @@ module "nlb" {
   internal    = true
   application = format("%s/%s", each.key, each.key)
 
-  acm_arn         = var.internal_nlb_acm_arn != "" ? var.internal_nlb_acm_arn : var.traefik_cert_arn
+  acm_arn         = local.effective_internal_cert_arn
   vpc_id          = var.vpc_config.vpc_id
   public_subnets  = var.use_private_subnets_for_internal_nlb ? [] : var.vpc_config.public_subnets
   private_subnets = var.use_private_subnets_for_internal_nlb ? var.vpc_config.private_subnets : []

kubernetes.tf

@@ -35,3 +35,18 @@ provider "kubernetes" {
     data.aws_eks_cluster_auth.default.token
   )
 }
+
+locals {
+  gateway_api_lb_name_prefix = coalesce(var.gateway_api_lb_name_prefix, var.cluster_name)
+}
+
+resource "terraform_data" "gateway_api_lb_name_validation" {
+  count = (var.gateway_api_external_enabled || var.gateway_api_internal_enabled) ? 1 : 0
+
+  lifecycle {
+    precondition {
+      condition     = length(local.gateway_api_lb_name_prefix) <= 21
+      error_message = "Resolved gateway_api_lb_name_prefix '${local.gateway_api_lb_name_prefix}' exceeds 21 characters (32-char LB name limit minus '-gw-ext-alb' suffix). Set gateway_api_lb_name_prefix explicitly when cluster_name is too long."
+    }
+  }
+}

outputs.tf

@@ -38,6 +38,47 @@ output "alb_arns" {
   value       = { for k, v in module.alb : k => v.arn }
 }
 
+# Gateway API load balancers
+output "gateway_api_external_alb_dns_name" {
+  description = "DNS name of the external Gateway API ALB"
+  value       = join("", [for k, v in module.gateway_api_external_alb : v.dns_name])
+}
+
+output "gateway_api_external_alb_arn" {
+  description = "ARN of the external Gateway API ALB"
+  value       = join("", [for k, v in module.gateway_api_external_alb : v.arn])
+}
+
+output "gateway_api_external_nlb_dns_name" {
+  description = "DNS name of the external Gateway API NLB"
+  value       = join("", [for k, v in module.gateway_api_external_nlb : v.dns_name])
+}
+
+output "gateway_api_external_nlb_arn" {
+  description = "ARN of the external Gateway API NLB"
+  value       = join("", [for k, v in module.gateway_api_external_nlb : v.arn])
+}
+
+output "gateway_api_internal_alb_dns_name" {
+  description = "DNS name of the internal Gateway API ALB"
+  value       = join("", [for k, v in module.gateway_api_internal_alb : v.dns_name])
+}
+
+output "gateway_api_internal_alb_arn" {
+  description = "ARN of the internal Gateway API ALB"
+  value       = join("", [for k, v in module.gateway_api_internal_alb : v.arn])
+}
+
+output "gateway_api_internal_nlb_dns_name" {
+  description = "DNS name of the internal Gateway API NLB"
+  value       = join("", [for k, v in module.gateway_api_internal_nlb : v.dns_name])
+}
+
+output "gateway_api_internal_nlb_arn" {
+  description = "ARN of the internal Gateway API NLB"
+  value       = join("", [for k, v in module.gateway_api_internal_nlb : v.arn])
+}
+
 output "cluster_oidc_issuer_url" {
   description = "The OIDC issuer URL for the EKS cluster"
   value       = local.oidc