Kong Cluster Terraform Module for AWS

Kong is an API gateway and microservices management layer. Both Kong Community Edition and Kong Enterprise Edition are supported by this module.

By default, the following resources will be provisioned:

  • RDS PostgreSQL database for Kong's configuration store
  • An Auto Scaling Group (ASG) and EC2 instances running Kong (Kong nodes)
  • An external load balancer (HTTPS only)
    • HTTPS:443 - Kong Proxy
  • An internal load balancer (HTTP and HTTPS)
    • HTTP:80 - Kong Proxy
    • HTTPS:443 - Kong Proxy
    • HTTPS:8444 - Kong Admin API (Enterprise Edition only)
    • HTTPS:8445 - Kong Manager (Enterprise Edition only)
    • HTTPS:8446 - Kong Dev Portal GUI (Enterprise Edition only)
    • HTTPS:8447 - Kong Dev Portal API (Enterprise Edition only)
  • Security groups granting least privilege access to resources
  • An IAM instance profile for access to Kong specific SSM Parameter Store metadata and secrets

Optionally, a Redis cluster can be provisioned for rate-limiting counters and caching, and most of the default resources can be disabled. See the Inputs table below for the complete list and description of tunables.

The Kong nodes are based on Minimal Ubuntu. Using cloud-init, the following is provisioned on top of the AMI:

  • A kong service user
  • Minimal set of dependencies and debugging tools
  • decK for Kong declarative configuration management
  • Kong, running under runit process supervision
  • Log rotation of Kong log files

Prerequisites

The module does not create the following; they must already exist in the target account and region and are passed in through the inputs listed below:

  • An AWS VPC
  • Private and public subnets tagged with a subnet_tag (default = 'Tier' tag)
  • Database subnet group
  • Cache subnet group (if enabling Redis)
  • An SSH key pair
  • An ACM-managed SSL certificate to associate with the HTTPS load balancers


Requirements

No requirements.


Providers

| Name | Version |
|------|---------|
| aws | 4.11.0 |
| cloudinit | 2.2.0 |
| random | 3.1.3 |


Modules

| Name | Source | Version |
|------|--------|---------|
| kong_external_lb_cw | ./cw/lb | n/a |
| kong_internal_lb_cw | ./cw/lb | n/a |


Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_private_subnet_ids | Private subnet IDs | list(string) | n/a | yes |
| aws_public_subnet_ids | Public subnet IDs | list(string) | n/a | yes |
| environment | Resource environment tag (e.g. dev, stage, prod) | string | n/a | yes |
| ssl_cert_admin_domain | SSL certificate domain name for the Kong Admin API HTTPS listener | string | n/a | yes |
| ssl_cert_external_arn | SSL certificate ARN for the external Kong Proxy HTTPS listener | string | n/a | yes |
| ssl_cert_internal_arn | SSL certificate ARN for the internal Kong Proxy HTTPS listener | string | n/a | yes |
| vpc_cidr_block | VPC CIDR block for the AWS account and region specified | string | n/a | yes |
| vpc_id | VPC ID for the AWS account and region specified | string | n/a | yes |
| vpc_name | VPC name for the AWS account and region specified | string | n/a | yes |
| admin_cidr_blocks | CIDR blocks allowed access to the Kong Admin API (Enterprise Edition only) | list(string) | | |
| admin_user | The user name for the Kong admin user | string | "kong-admin" | no |
| asg_desired_capacity | The number of instances that should be running in the group | string | 2 | no |
| asg_health_check_grace_period | Time in seconds after an instance comes into service before checking health | string | 300 | no |
| asg_max_size | The maximum size of the Auto Scaling group | string | 3 | no |
| asg_min_size | The minimum size of the Auto Scaling group | string | 1 | no |
| bastion_cidr_blocks | Bastion host CIDR blocks allowed access to PostgreSQL and the Kong Admin API | list(string) | | |
| ce_pkg | URL of the Community Edition package matching the OS distro | string | "" | no |
| cloudwatch_actions | List of CloudWatch actions for Alarm/OK | list(string) | [] | no |
| cloudwatch_agent_kong_config | CloudWatch Agent config for Kong | string | "non-existent-parameter" | no |
| cloudwatch_agent_system_config | CloudWatch Agent config for system metrics | string | "non-existent-parameter" | no |
| db_backup_retention_period | The number of days to retain backups | string | 7 | no |
| db_engine_mode | Engine mode for Aurora | string | "provisioned" | no |
| db_engine_version | Database engine version | string | "11.4" | no |
| db_family | Database parameter group family | string | "postgres11" | no |
| db_final_snapshot_identifier | The final snapshot name of the RDS instance when it gets destroyed | string | "" | no |
| db_instance_class | Database instance class | string | "db.t2.micro" | no |
| db_instance_count | Number of database instances (0 to leverage an existing db) | string | 1 | no |
| db_kms_key_id | The ARN of the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If db_storage_encrypted is true and db_kms_key_id is not specified, the default RDS KMS key in your account is used | string | "" | no |
| db_multi_az | Boolean to specify whether RDS is multi-AZ | string | false | no |
| db_storage_encrypted | Specifies whether the database instance storage is encrypted | string | true | no |
| db_storage_size | Size of the database storage in gigabytes | string | 100 | no |
| db_storage_type | Type of the database storage | string | "gp2" | no |
| db_subnets | Database instance subnet group name | string | "db-subnets" | no |
| db_username | Database master username | string | "root" | no |
| deck_version | Version of decK to install | string | "1.5.1" | no |
| default_security_group_id | ID of the default VPC security group for EC2 access | string | "default" | no |
| default_security_group_name | Name of the default VPC security group for EC2 access | string | "default" | no |
| deregistration_delay | Seconds to wait before changing the state of a deregistering target from draining to unused | string | 300 | no |
| description | Resource description tag | string | "Kong API Gateway" | no |
| drop_invalid_header_fields | Drop requests with invalid header fields at the LB | bool | false | no |
| ec2_ami | Map of Ubuntu Minimal AMIs by region | map(string) | {"us-east-1": "ami-04cc2b0ad9e30a9c8"} | |
| ec2_instance_type | EC2 instance type | string | "t2.micro" | no |
| ec2_key_name | AWS SSH key pair name | string | "" | no |
| ec2_root_volume_encryption | Whether to encrypt the EC2 root volume | bool | true | no |
| ec2_root_volume_size | Size of the root volume (in gigabytes) | string | 8 | no |
| ec2_root_volume_type | Type of the root volume (standard, gp2, or io) | string | "gp2" | no |
| ee_bintray_auth | Bintray authentication for the Enterprise Edition download (format: username:apikey) | string | "placeholder" | no |
| ee_license | Enterprise Edition license key (JSON format) | string | "placeholder" | no |
| ee_pkg | URL of the Enterprise Edition package matching the OS distro | string | "" | no |
| enable_aurora | Boolean to enable Aurora | string | "false" | no |
| enable_deletion_protection | Boolean to enable deletion protection on the ALB | string | true | no |
| enable_ee | Boolean to enable Kong Enterprise Edition settings | string | false | no |
| enable_external_lb | Boolean to enable/create the external load balancer, exposing Kong to the Internet | string | true | no |
| enable_external_lb_alarms | Boolean to enable/create the external load balancer alarms | string | true | no |
| enable_internal_lb | Boolean to enable/create the internal load balancer for the forward proxy | string | true | no |
| enable_internal_lb_alarms | Boolean to enable/create the internal load balancer alarms | string | true | no |
| enable_redis | Boolean to enable the Redis AWS resource | string | false | no |
| external_cidr_blocks | External ingress CIDR blocks allowed to reach the Kong Proxy via the load balancer | list(string) | | |
| external_lb_deny_methods | List of HTTP methods to deny from the public Internet (works together with external_lb_deny_paths) | list(string) | [] | no |
| external_lb_deny_paths | List of paths to deny from the public Internet (works together with external_lb_deny_methods) | list(string) | [] | no |
| external_lb_logging_prefix | S3 prefix for the external LB access logs | string | "" | no |
| health_check_healthy_threshold | Number of consecutive checks before an unhealthy target is considered healthy | string | 5 | no |
| health_check_interval | Seconds between health checks | string | 5 | no |
| health_check_matcher | HTTP code(s) that result in a successful response from a target (comma delimited) | string | 200 | no |
| health_check_timeout | Seconds waited before a health check fails | string | 3 | no |
| health_check_unhealthy_threshold | Number of consecutive checks before considering a target unhealthy | string | 2 | no |
| http_4xx_count | HTTP 4xx count threshold | string | 50 | no |
| http_5xx_count | HTTP 5xx count threshold | string | 50 | no |
| idle_timeout | Seconds a connection can idle before being disconnected | string | 60 | no |
| internal_http_cidr_blocks | Internal ingress CIDR blocks allowed to reach the Kong Proxy via the load balancer (HTTP) | list(string) | | |
| internal_https_cidr_blocks | Internal ingress CIDR blocks allowed to reach the Kong Proxy via the load balancer (HTTPS) | list(string) | | |
| lb_creation_timeout | Timeout for creating load balancers | string | "20m" | no |
| lb_deletion_timeout | Timeout for deleting load balancers | string | "20m" | no |
| lb_logging_bucket | The S3 bucket in which LB access logs should be stored | string | "" | no |
| manager_cidr_blocks | CIDR blocks allowed access to Kong Manager (Enterprise Edition only) | list(string) | | |
| manager_host | Hostname to access Kong Manager (Enterprise Edition only) | string | "default" | no |
| module_dependencies | Variable to force the module to wait for other resources to finish creation | any | null | no |
| portal_cidr_blocks | CIDR blocks allowed access to the Dev Portal (Enterprise Edition only) | list(string) | | |
| portal_host | Hostname to access the Dev Portal (Enterprise Edition only) | string | "default" | no |
| private_subnets | Subnet tag value on private subnets | string | "private" | no |
| public_subnets | Subnet tag value on public subnets for external load balancers | string | "public" | no |
| redis_engine_version | Redis engine version | string | "5.0.5" | no |
| redis_family | Redis parameter group family | string | "redis5.0" | no |
| redis_instance_count | Number of Redis nodes | string | 2 | no |
| redis_instance_type | Redis node instance type | string | "cache.t2.small" | no |
| redis_subnets | Redis cluster subnet group name | string | "cache-subnets" | no |
| response_time_avg | Response time average threshold in milliseconds | string | 1000 | no |
| service | Resource service tag | string | "kong" | no |
| ssl_policy | SSL policy for HTTPS listeners | string | "ELBSecurityPolicy-TLS-1-2-2017-01" | no |
| subnet_tag | Tag used on subnets to define the tier | string | "Tier" | no |
| tags | Tags to apply to resources | map(string) | {} | no |

The defaults of the CIDR-list inputs (admin_cidr_blocks, bastion_cidr_blocks, external_cidr_blocks, internal_http_cidr_blocks, internal_https_cidr_blocks, manager_cidr_blocks, portal_cidr_blocks) are not reproduced on this page; set them explicitly rather than relying on whatever the module ships with, since they decide which networks can reach the Admin API, Manager, Portal and PostgreSQL.


Outputs

| Name | Description |
|------|-------------|
| admin_password_key_name | The SSM parameter name holding the Kong admin password |
| admin_token | The admin token for Kong |
| autoscaling_group | The Auto Scaling group |
| lb_endpoint_external | The external load balancer endpoint |
| lb_endpoint_internal | The internal load balancer endpoint |
| master_password | The master password for Kong |
| rds_arn | ARN of the Kong database |
| rds_endpoint | The endpoint of the Kong database |
| rds_id | ID of the Kong database |
| rds_password | The database password for Kong |

admin_token, master_password and rds_password are secrets. Terraform records every output, like every input, in plaintext in the state file, so restrict access to the state backend and avoid printing these outputs in CI logs.



Usage

```hcl
provider "aws" {
  region  = "us-west-2"
  profile = "dev"
}

module "kong" {
  source  = "faros-ai/kong/aws"
  version = "3.4.30"

  # Required inputs. The VPC, subnets, key pair and ACM certificate must
  # already exist; the IDs and CIDR below are placeholders.
  vpc_id                 = "vpc-0123456789abcdef0"
  vpc_name               = "my-vpc"
  vpc_cidr_block         = "10.0.0.0/16"
  aws_private_subnet_ids = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
  aws_public_subnet_ids  = ["subnet-0cccccccccccccccc", "subnet-0dddddddddddddddd"]
  environment            = "dev"
  ec2_key_name           = "my-key"
  ssl_cert_external_arn  = aws_acm_certificate.cert.arn
  ssl_cert_internal_arn  = aws_acm_certificate.cert.arn
  ssl_cert_admin_domain  = "*"

  tags = {
    Owner = ""
    Team  = "DevOps"
  }
}
```
Create the resources in AWS:

```sh
terraform init
terraform plan -out kong.plan
terraform apply kong.plan
```

If installing Enterprise Edition, while the resources are being provisioned log in to the AWS console and navigate to:

Systems Manager -> Parameter Store

Update the license key by editing its parameter (the default value is "placeholder"):


Update the Bintray authentication parameter (the default value is "placeholder"; the format is "username:apikey") used for the package download:


Alternatively, if your Terraform files and state are secure, you can pass both values as variables to the module for a completely hands-off installation. Whichever way they are supplied, the values end up in plaintext in the Terraform state, so the state backend needs the same protection as the secrets themselves.
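The following is an added example, not code from the module's README. It combines the Usage call with the two points made above: the network-exposure and load-balancer tunables from the Inputs table are set explicitly instead of being left at their defaults, and the Enterprise Edition secrets are passed as `sensitive` Terraform variables instead of being edited in the console. Every ID, CIDR, bucket name and hostname is a placeholder, the `aws_acm_certificate` and `aws_kms_key` resources are assumed to be defined elsewhere in the caller's configuration, the bastion subnet range is an assumption, and `ELBSecurityPolicy-TLS13-1-2-2021-06` is simply a newer ALB policy name than the module's default.

```hcl
# Added example (not from the module): hardened module call with the
# Enterprise Edition secrets passed as sensitive variables. All IDs, CIDRs,
# names and hostnames are placeholders; the certificate and KMS resources
# are assumed to exist elsewhere in this configuration.

variable "ee_license" {
  description = "Kong Enterprise license (JSON); supply via TF_VAR_ee_license or an uncommitted tfvars file"
  type        = string
  sensitive   = true # redacts plan/apply output; the value is still written to state
}

variable "ee_bintray_auth" {
  description = "Bintray credentials in username:apikey form"
  type        = string
  sensitive   = true

  validation {
    condition     = can(regex("^[^:]+:[^:]+$", var.ee_bintray_auth))
    error_message = "ee_bintray_auth must be in username:apikey form."
  }
}

locals {
  vpc_cidr     = "10.0.0.0/16"   # placeholder
  bastion_cidr = "10.0.250.0/24" # subnet holding the bastion hosts (assumed)
}

module "kong" {
  source  = "faros-ai/kong/aws"
  version = "3.4.30"

  environment            = "prod"
  vpc_id                 = "vpc-0123456789abcdef0" # placeholder
  vpc_name               = "prod-vpc"
  vpc_cidr_block         = local.vpc_cidr
  aws_private_subnet_ids = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
  aws_public_subnet_ids  = ["subnet-0cccccccccccccccc", "subnet-0dddddddddddddddd"]
  ec2_key_name           = "kong-prod"

  ssl_cert_external_arn = aws_acm_certificate.external.arn
  ssl_cert_internal_arn = aws_acm_certificate.internal.arn
  ssl_cert_admin_domain = "kong-admin.prod.example.internal"

  # Enterprise Edition: secrets come from the sensitive variables above,
  # so nothing needs to be edited by hand in Parameter Store.
  enable_ee       = true
  ee_license      = var.ee_license
  ee_bintray_auth = var.ee_bintray_auth

  # Exposure: only the proxy (HTTPS:443 on the external LB) faces the
  # Internet. The Admin API, Manager and PostgreSQL are reachable from the
  # bastion range only; the Portal and the internal proxy from the VPC.
  external_cidr_blocks       = ["0.0.0.0/0"]
  internal_http_cidr_blocks  = [local.vpc_cidr] # HTTP:80 stays VPC-internal
  internal_https_cidr_blocks = [local.vpc_cidr]
  admin_cidr_blocks          = [local.bastion_cidr]
  manager_cidr_blocks        = [local.bastion_cidr]
  portal_cidr_blocks         = [local.vpc_cidr]
  bastion_cidr_blocks        = [local.bastion_cidr]

  # Load balancer hardening: reject requests with malformed header fields,
  # use a current TLS policy, keep deletion protection and access logs.
  drop_invalid_header_fields = true
  ssl_policy                 = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  enable_deletion_protection = true
  lb_logging_bucket          = "example-lb-access-logs" # placeholder bucket
  external_lb_logging_prefix = "kong/prod"

  # Data at rest and recovery.
  db_storage_encrypted         = true
  db_kms_key_id                = aws_kms_key.kong_db.arn
  db_multi_az                  = true
  db_backup_retention_period   = 14
  db_final_snapshot_identifier = "kong-prod-final"
  ec2_root_volume_encryption   = true

  tags = {
    Owner = "platform@example.com"
    Team  = "DevOps"
  }
}
```

Supply the two secret variables from the environment (`TF_VAR_ee_license`, `TF_VAR_ee_bintray_auth`) or from a tfvars file that is excluded from version control; `sensitive = true` keeps them out of the plan output but not out of the state file.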

To log in to the EC2 instance(s), use the private key matching ec2_key_name and the default user of the Ubuntu AMI:

```sh
ssh -i /path/to/key/specified/in/ec2_key_name ubuntu@<ec2-instance>
```

You are now ready to manage APIs!