feat!: Add multi account support for dns and kong modules

* feat!: Add multi account support for dns and kong modules

BREAKING CHANGE: Kong module  now requires explicit provider aliases for cross-account DNS records.

* terraform-docs: automated action

* ci: added statuses permission for pr title check in terraform yaml.

---------

Co-authored-by: rahul-infra <rahul.sayam@infraspec.dev>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Author: 3 people

.github/workflows/release-preview.yaml

@@ -0,0 +1,118 @@
+name: Release Preview
+
+on:
+  workflow_call:
+
+env:
+  SEMANTIC_RELEASE_VERSION: '24.2.0'
+  NODE_VERSION: '20.11.0'
+
+jobs:
+  preview:
+    name: Preview Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: Run semantic-release (dry-run)
+        id: semantic
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GIT_COMMITTER_NAME: "github-actions[bot]"
+          GIT_COMMITTER_EMAIL: "github-actions[bot]@users.noreply.github.com"
+          GIT_AUTHOR_NAME: "github-actions[bot]"
+          GIT_AUTHOR_EMAIL: "github-actions[bot]@users.noreply.github.com"
+        run: |
+          # Unset GitHub Actions environment variables that interfere with semantic-release
+          unset GITHUB_REF
+          unset GITHUB_REF_NAME
+          unset GITHUB_HEAD_REF
+          unset GITHUB_BASE_REF
+
+          # Set them to what we want
+          export GITHUB_REF="refs/heads/${{ github.event.pull_request.head.ref }}"
+          export GITHUB_REF_NAME="${{ github.event.pull_request.head.ref }}"
+
+          # Run semantic-release with inline configuration using CLI options
+          OUTPUT=$(npx --package semantic-release@${{ env.SEMANTIC_RELEASE_VERSION }} \
+            --package @semantic-release/exec \
+            --package conventional-changelog-conventionalcommits \
+            semantic-release \
+            --dry-run \
+            --no-ci \
+            --debug \
+            --branches ${{ github.event.pull_request.head.ref }} 2>&1 || true)
+          echo "$OUTPUT"
+
+          # Extract version information
+          NEW_VERSION=$(echo "$OUTPUT" | grep -Eo "The next release version is [0-9]+\.[0-9]+\.[0-9]+" | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+" || echo "")
+          RELEASE_TYPE=$(echo "$OUTPUT" | grep -Eo "Analysis of [0-9]+ commits complete: [a-z]+ release" | grep -Eo "(major|minor|patch) release" | sed 's/ release//' || echo "")
+
+          # Extract release notes (everything after "Release note for version")
+          RELEASE_NOTES=$(echo "$OUTPUT" | sed -n '/Release note for version/,$p' | tail -n +2 || echo "")
+
+          # Save to outputs
+          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+          echo "release_type=$RELEASE_TYPE" >> $GITHUB_OUTPUT
+
+          # Save release notes for comment
+          echo "release_notes<<EOF" >> $GITHUB_OUTPUT
+          echo "$RELEASE_NOTES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - name: Display Preview
+        run: |
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo "          RELEASE PREVIEW"
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+          echo ""
+          if [ -n "${{ steps.semantic.outputs.new_version }}" ]; then
+            echo "Version:      v${{ steps.semantic.outputs.new_version }}"
+            echo "Release Type: ${{ steps.semantic.outputs.release_type }}"
+            echo "Status:       Release will be published"
+          else
+            echo "Status:       No release will be published"
+            echo "Reason:       No relevant changes detected"
+          fi
+          echo ""
+          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+      - name: Comment on PR
+        if: github.event_name == 'pull_request'
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: release-preview
+          message: |
+            ## Release Preview
+
+            ${{ steps.semantic.outputs.new_version && format('**Version:** `v{0}`
+            **Release Type:** `{1}`
+            **Status:**  Release will be published when merged to main
+
+            ---
+
+            ### Release Notes
+
+            {2}
+
+            ---
+
+            *This preview is generated by semantic-release dry-run mode*', steps.semantic.outputs.new_version, steps.semantic.outputs.release_type, steps.semantic.outputs.release_notes) || '**Status:** No release will be published
+            **Reason:** No relevant changes detected
+
+            ---
+
+            *This preview is generated by semantic-release dry-run mode*' }}

.github/workflows/terraform.yaml

@@ -17,13 +17,21 @@ permissions:
   contents: write
   pull-requests: write
   actions: read
+  statuses: write
 
 jobs:
   prTitlecheck:
     name: PR title check
     if: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main' }}
     uses: ./.github/workflows/pr-title.yaml
 
+  releasePreview:
+    name: Release Preview
+    uses: ./.github/workflows/release-preview.yaml
+    permissions:
+      contents: write
+      pull-requests: write
+
   preCommitCheck:
     name: Terraform Checks
     uses: ./.github/workflows/terraform-checks.yaml

.pre-commit-config.yaml

@@ -20,6 +20,9 @@ repos:
           - '--args=--only=terraform_workspace_remote'
           - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
+        args:
+          - --hook-config=--retry-once-with-cleanup=true
+        files: ^examples/
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:

README.md

@@ -29,24 +29,26 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | ~> 4.3.4 |
+| <a name="module_ecs_kong"></a> [ecs\_kong](#module\_ecs\_kong) | infraspecdev/ecs-deployment/aws | ~> 5.0.0 |
 | <a name="module_ecs_task_security_group"></a> [ecs\_task\_security\_group](#module\_ecs\_task\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
-| <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | infraspecdev/ecs-deployment/aws//modules/alb | ~> 4.3.4 |
+| <a name="module_internal_alb_kong"></a> [internal\_alb\_kong](#module\_internal\_alb\_kong) | infraspecdev/ecs-deployment/aws//modules/alb | ~> 5.0.0 |
 | <a name="module_internal_alb_security_group"></a> [internal\_alb\_security\_group](#module\_internal\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_kong_internal_dns_record"></a> [kong\_internal\_dns\_record](#module\_kong\_internal\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_internal_dns_record_same_account"></a> [kong\_internal\_dns\_record\_same\_account](#module\_kong\_internal\_dns\_record\_same\_account) | ./modules/route-53-record | n/a |
 | <a name="module_kong_public_dns_record"></a> [kong\_public\_dns\_record](#module\_kong\_public\_dns\_record) | ./modules/route-53-record | n/a |
+| <a name="module_kong_public_dns_record_same_account"></a> [kong\_public\_dns\_record\_same\_account](#module\_kong\_public\_dns\_record\_same\_account) | ./modules/route-53-record | n/a |
 | <a name="module_kong_rds"></a> [kong\_rds](#module\_kong\_rds) | terraform-aws-modules/rds/aws | ~> 6.13.0 |
 | <a name="module_postgres_security_group"></a> [postgres\_security\_group](#module\_postgres\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
 | <a name="module_public_alb_security_group"></a> [public\_alb\_security\_group](#module\_public\_alb\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.3.0 |
@@ -92,6 +94,7 @@ aws ssm put-parameter --name "/rds/POSTGRES_DB_NAME" --value "value" --type "Sec
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs for public-facing load balancers | `list(string)` | n/a | yes |
 | <a name="input_rds_db_tags"></a> [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | `{}` | no |
 | <a name="input_rds_instance_class"></a> [rds\_instance\_class](#input\_rds\_instance\_class) | The RDS instance class for Kong database (e.g., db.t3.micro, db.r5.large) | `string` | `"db.t3.micro"` | no |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | ARN of the IAM role to assume in the hosted-zone account (should be null for same-account). | `string` | `null` | no |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | Name of the SSL Policy for the listener. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC where Kong infrastructure will be deployed | `string` | n/a | yes |
 

examples/complete/.header.md

@@ -40,6 +40,10 @@ cpu_for_kong_task              = 512
 memory_for_kong_task           = 1024
 desired_count_for_kong_service = 2
 force_new_deployment           = true
+postgres_engine_version        = 16.3
+postgres_major_engine_version  = 16
+route53_assume_role_arn        = arn:aws:iam::aws-account-id:role/role-name
+region                         = us-east-1
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.

examples/complete/README.md

@@ -41,6 +41,10 @@ cpu_for_kong_task              = 512
 memory_for_kong_task           = 1024
 desired_count_for_kong_service = 2
 force_new_deployment           = true
+postgres_engine_version        = 16.3
+postgres_major_engine_version  = 16
+route53_assume_role_arn        = arn:aws:iam::aws-account-id:role/role-name
+region                         = us-east-1
 ```
 
 Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.
@@ -50,6 +54,7 @@ Place this `terraform.tfvars` file in the same directory as your Terraform confi
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.13.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 
 ## Providers
 
@@ -94,6 +99,8 @@ No resources.
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet IDs | `list(string)` | n/a | yes |
 | <a name="input_rds_db_tags"></a> [rds\_db\_tags](#input\_rds\_db\_tags) | List of tags | `map(string)` | n/a | yes |
 | <a name="input_rds_instance_class"></a> [rds\_instance\_class](#input\_rds\_instance\_class) | The instance class to use | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The AWS region | `string` | n/a | yes |
+| <a name="input_route53_assume_role_arn"></a> [route53\_assume\_role\_arn](#input\_route53\_assume\_role\_arn) | IAM role ARN for cross-account Route53 access. | `string` | n/a | yes |
 | <a name="input_ssl_policy"></a> [ssl\_policy](#input\_ssl\_policy) | (Optional) Name of the SSL Policy for the listener. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `string` | n/a | yes |
 

examples/complete/main.tf

@@ -1,6 +1,24 @@
+provider "aws" {
+  region = var.region
+}
+
+provider "aws" {
+  alias  = "cross_account_provider"
+  region = var.region
+  assume_role {
+    role_arn = var.route53_assume_role_arn
+  }
+}
+
+
 module "kong" {
   source = "../../"
 
+  providers = {
+    aws                        = aws
+    aws.cross_account_provider = aws.cross_account_provider
+  }
+
   vpc_id                  = var.vpc_id
   public_subnet_ids       = var.public_subnet_ids
   private_subnet_ids      = var.private_subnet_ids
@@ -30,4 +48,5 @@ module "kong" {
   force_new_deployment           = var.force_new_deployment
   postgres_engine_version        = var.postgres_engine_version
   postgres_major_engine_version  = var.postgres_major_engine_version
+  route53_assume_role_arn        = var.route53_assume_role_arn
 }

examples/complete/variables.tf

@@ -132,3 +132,13 @@ variable "postgres_major_engine_version" {
   description = "The major version of the Postgres engine"
   type        = number
 }
+
+variable "route53_assume_role_arn" {
+  description = "IAM role ARN for cross-account Route53 access."
+  type        = string
+}
+
+variable "region" {
+  description = "The AWS region"
+  type        = string
+}

examples/complete/versions.tf

@@ -1,3 +1,10 @@
 terraform {
   required_version = ">= 1.13.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
 }

examples/cross-account/.header.md

@@ -0,0 +1,15 @@
+### Example Variable Values
+
+Here is an example of how to define the variable values in your `terraform.tfvars` file:
+
+```hcl
+vpc_id                  = "vpc-12345678"
+public_subnet_ids       = ["subnet-abcdef01", "subnet-abcdef02"]
+private_subnet_ids      = ["subnet-abcdef03", "subnet-abcdef04"]
+kong_public_domain_name = "api.example.com"
+kong_admin_domain_name  = "admin-api.example.com"
+region                  = "us-east-1"
+route53_assume_role_arn = "arn:aws:iam::account-id:role/role-id"
+```
+
+Place this `terraform.tfvars` file in the same directory as your Terraform configuration to automatically load these values. Adjust the values as needed to fit your specific environment and requirements.