GitHub actions check

.github/workflows/terraform-checks.yaml

@@ -12,10 +12,16 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
-          terraform_version: "1.13.1"
+          terraform_version: "1.13.0"
 
       - name: Initialize Terraform
         id: init
@@ -25,6 +31,27 @@ jobs:
         id: fmt
         run: terraform test
 
+  validateExamples:
+    name: Terraform Validate Examples
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.13.0"
+
+      - name: Validate all example folders
+        run: |
+          for dir in examples/*/; do
+            echo "Validating $dir"
+            terraform -chdir="$dir" init -input=false > /dev/null
+            terraform -chdir="$dir" validate
+          done
+
   collectInputs:
     name: Collect workflow inputs
     needs: test
@@ -34,6 +61,9 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Get root directories
         id: dirs
@@ -46,8 +76,8 @@ jobs:
     strategy:
       matrix:
         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
+
     steps:
-      # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
       - name: Delete huge unnecessary tools folder
         run: |
           rm -rf /opt/hostedtoolcache/CodeQL
@@ -57,25 +87,25 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Terraform min/max versions
         id: minMax
         uses: clowdhaus/terraform-min-max@v2.1.0
         with:
           directory: ${{ matrix.directory }}
-
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
-        # Run only validate pre-commit check on min version supported
-        if: ${{ matrix.directory !=  '.' }}
+        if: ${{ matrix.directory != '.' }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
-        # Run only validate pre-commit check on min version supported
-        if: ${{ matrix.directory ==  '.' }}
+        if: ${{ matrix.directory == '.' }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
@@ -87,7 +117,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: collectInputs
     steps:
-      # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
       - name: Delete huge unnecessary tools folder
         run: |
           rm -rf /opt/hostedtoolcache/CodeQL
@@ -98,13 +127,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
 
       - name: Terraform min/max versions
         id: minMax
         uses: clowdhaus/terraform-min-max@v2.1.0
-
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:

.github/workflows/terraform-docs.yaml

@@ -21,7 +21,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.ref }}
+          ref: ${{ github.event_name == 'pull_request' && github.head_ref || github.event.pull_request.head.ref || github.ref }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Render and Push terraform docs for main module

.github/workflows/terraform.yaml

@@ -4,25 +4,14 @@ on:
   push:
     branches:
       - main
-  pull_request_target:
-    types:
-      - opened
-      - edited
-      - synchronize
   pull_request:
     branches:
       - main
-
-permissions:
-  contents: write
-  pull-requests: write
-  actions: read
-
 jobs:
-  prTitlecheck:
-    name: PR title check
-    if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main' }}
-    uses: ./.github/workflows/pr-title.yaml
+  # prTitlecheck:
+  #   name: PR title check
+  #   if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main' }}
+  #   uses: ./.github/workflows/pr-title.yaml
 
   preCommitCheck:
     name: Terraform Checks

.github/workflows/update-configs.yaml

@@ -3,9 +3,6 @@
     on:
       workflow_dispatch:
 
-    permissions:
-      contents: write
-
     jobs:
       update:
         runs-on: ubuntu-latest

.pre-commit-config.yaml

@@ -20,6 +20,9 @@ repos:
           - '--args=--only=terraform_workspace_remote'
           - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+        files: ^examples/
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:

README.md

@@ -29,24 +29,26 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | ~> 4.3.4 |
+| <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | 4.3.6 |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | infraspecdev/ecs-deployment/aws//modules/alb | ~> 4.3.4 |
 | <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_kong_internal_dns_record"></a> [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_internal_dns_record_same_account"></a> [kong\_internal\_dns\_record\_same\_account](#module\_kong\_internal\_dns\_record\_same\_account) | ./modules/route-53-record | n/a |
 | <a name="module_kong_public_dns_record"></a> [kong\_public\_dns\_record](#module\_kong\_public\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_public_dns_record_same_account"></a> [kong\_public\_dns\_record\_same\_account](#module\_kong\_public\_dns\_record\_same\_account) | ./modules/route-53-record | n/a |
 | <a name="module_kong_rds"></a> [kong\_rds](#module\_kong\_rds) | terraform-aws-modules/rds/aws | ~> 6.13.0 |
 | <a name="module_postgres_security_group"></a> [postgres\_security\_group](#module\_postgres\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_public_alb_security_group"></a> [public\_alb\_security\_group](#module\_public\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
@@ -92,6 +94,7 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs for public-facing load balancers | `list(string)` | n/a | yes |
 | <a name="input_rds_db_tags"></a> [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | `{}` | no |
 | <a name="input_rds_instance_class"></a> [rds\_instance\_class](#input\_rds\_instance\_class) | The RDS instance class for Kong database (e.g., db.t3.micro, db.r5.large) | `string` | `"db.t3.micro"` | no |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | ARN of the IAM role to assume in the hosted-zone account (should be null for same-account). | `string` | `null` | no |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | Name of the SSL Policy for the listener. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC where Kong infrastructure will be deployed | `string` | n/a | yes |
 

examples/complete/.header.md

@@ -40,6 +40,10 @@ cpu_for_kong_task              = 512
 memory_for_kong_task           = 1024
 desired_count_for_kong_service = 2
 force_new_deployment           = true
+postgres_engine_version        = 16.3
+postgres_major_engine_version  = 16
+route53_assume_role_arn        = arn:aws:iam::aws-account-id:role/role-name
+region                         = us-east-1
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.

examples/complete/README.md

@@ -41,6 +41,10 @@ cpu_for_kong_task              = 512
 memory_for_kong_task           = 1024
 desired_count_for_kong_service = 2
 force_new_deployment           = true
+postgres_engine_version        = 16.3
+postgres_major_engine_version  = 16
+route53_assume_role_arn        = arn:aws:iam::aws-account-id:role/role-name
+region                         = us-east-1
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
@@ -50,6 +54,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
@@ -94,6 +99,8 @@ No resources.
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
 | <a name="input_rds_db_tags"></a> [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | n/a | yes |
 | <a name="input_rds_instance_class"></a> [rds\_instance\_class](#input\_rds\_instance\_class) | The instance class to use | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region | `string` | n/a | yes |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | IAM role ARN for cross-account Route53 access. | `string` | n/a | yes |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | (Optional) Name of the SSL Policy for the listener. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
 

examples/complete/main.tf

@@ -1,6 +1,24 @@
+provider "aws" {
+  region = var.region
+}
+
+provider "aws" {
+  alias  = "cross_account_provider"
+  region = var.region
+  assume_role {
+    role_arn = var.route53_assume_role_arn
+  }
+}
+
+
 module "kong" {
   source = "../../"
 
+  providers = {
+    aws                        = aws
+    aws.cross_account_provider = aws.cross_account_provider
+  }
+
   vpc_id                  = var.vpc_id
   public_subnet_ids       = var.public_subnet_ids
   private_subnet_ids      = var.private_subnet_ids
@@ -30,4 +48,5 @@ module "kong" {
   force_new_deployment           = var.force_new_deployment
   postgres_engine_version        = var.postgres_engine_version
   postgres_major_engine_version  = var.postgres_major_engine_version
+  route53_assume_role_arn        = var.route53_assume_role_arn
 }

examples/complete/variables.tf

@@ -132,3 +132,13 @@ variable "postgres_major_engine_version" {
   description = "The major version of the Postgres engine"
   type        = number
 }
+
+variable "route53_assume_role_arn" {
+  description = "IAM role ARN for cross-account Route53 access."
+  type        = string
+}
+
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}

examples/complete/versions.tf

@@ -1,3 +1,10 @@
 terraform {
   required_version = ">= 1.13.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
 }

examples/cross-accout/.header.md

@@ -0,0 +1,15 @@
+### Example Variable Values
+
+Here is an example of how to define the variable values in your `terraform.tfvars` file:
+
+```hcl
+vpc_id                  = "vpc-12345678"
+public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
+private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
+kong_public_domain_name = "api.example.com"
+kong_admin_domain_name  = "admin-api.example.com"
+region                  = "us-east-1"
+route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id"
+```
+
+Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.

examples/cross-accout/README.md

@@ -0,0 +1,57 @@
+<!-- BEGIN_TF_DOCS -->
+### Example Variable Values
+
+Here is an example of how to define the variable values in your `terraform.tfvars` file:
+
+```hcl
+vpc_id                  = "vpc-12345678"
+public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
+private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
+kong_public_domain_name = "api.example.com"
+kong_admin_domain_name  = "admin-api.example.com"
+region                  = "us-east-1"
+route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id"
+```
+
+Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kong"></a> [kong](#module\_kong) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
+| <a name="input_kong_admin_domain_name"></a> [kong\_admin\_domain\_name](#input\_kong\_admin\_domain\_name) | The admin domain name for Kong | `string` | n/a | yes |
+| <a name="input_kong_public_domain_name"></a> [kong\_public\_domain\_name](#input\_kong\_public\_domain\_name) | The public domain name for Kong | `string` | n/a | yes |
+| <a name="input_postgres_engine_version"></a> [postgres\_engine\_version](#input\_postgres\_engine\_version) | The version of the Postgres engine | `number` | n/a | yes |
+| <a name="input_postgres_major_engine_version"></a> [postgres\_major\_engine\_version](#input\_postgres\_major\_engine\_version) | The major version of the Postgres engine | `number` | n/a | yes |
+| <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs | `list(string)` | n/a | yes |
+| <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region | `string` | n/a | yes |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | The ARN of the DNS role | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->