[GDB-10116]-Added-Private-Link-Support

README.md

@@ -111,6 +111,10 @@ Before you begin using this Terraform module, ensure you meet the following prer
 | vpc\_dns\_support | Enable or disable the support of the DNS service | `bool` | `true` | no |
 | single\_nat\_gateway | Enable or disable the option to have single NAT Gateway. | `bool` | `false` | no |
 | enable\_nat\_gateway | Enable or disable the creation of the NAT Gateway | `bool` | `true` | no |
+| vpc\_endpoint\_service\_acceptance\_required | (Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false. | `bool` | n/a | yes |
+| vpc\_endpoint\_service\_allowed\_principals | (Optional) The ARNs of one or more principals allowed to discover the endpoint service. | `list(string)` | n/a | yes |
+| network\_load\_balancer\_arns | Describe the ARN(s) of the load balancer(s) to which you want to have access. | `list(string)` | n/a | yes |
+| graphdb\_enable\_private\_access | Enable or disable the private access via PrivateLink to the GraphDB Cluster | `bool` | n/a | yes |
 | ami\_id | (Optional) User-provided AMI ID to use with GraphDB instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user\_supplied\_userdata\_path variable. | `string` | `null` | no |
 | graphdb\_version | GraphDB version | `string` | `"10.6.2"` | no |
 | device\_name | The device to which EBS volumes for the GraphDB data directory will be mapped. | `string` | `"/dev/sdf"` | no |

main.tf

@@ -7,14 +7,18 @@ module "vpc" {
 
   count = var.create_vpc ? 1 : 0
 
-  resource_name_prefix     = var.resource_name_prefix
-  vpc_dns_hostnames        = var.vpc_dns_hostnames
-  vpc_dns_support          = var.vpc_dns_support
-  vpc_private_subnet_cidrs = var.vpc_private_subnet_cidrs
-  vpc_public_subnet_cidrs  = var.vpc_public_subnet_cidrs
-  vpc_cidr_block           = var.vpc_cidr_block
-  single_nat_gateway       = var.single_nat_gateway
-  enable_nat_gateway       = var.enable_nat_gateway
+  resource_name_prefix                     = var.resource_name_prefix
+  vpc_dns_hostnames                        = var.vpc_dns_hostnames
+  vpc_dns_support                          = var.vpc_dns_support
+  vpc_private_subnet_cidrs                 = var.vpc_private_subnet_cidrs
+  vpc_public_subnet_cidrs                  = var.vpc_public_subnet_cidrs
+  vpc_cidr_block                           = var.vpc_cidr_block
+  single_nat_gateway                       = var.single_nat_gateway
+  enable_nat_gateway                       = var.enable_nat_gateway
+  graphdb_enable_private_access            = var.graphdb_enable_private_access
+  network_load_balancer_arns               = [module.load_balancer.lb_arn]
+  vpc_endpoint_service_allowed_principals  = var.vpc_endpoint_service_allowed_principals
+  vpc_endpoint_service_acceptance_required = var.vpc_endpoint_service_acceptance_required
 }
 
 module "backup" {
@@ -72,21 +76,18 @@ module "monitoring" {
 module "graphdb" {
   source = "./modules/graphdb"
 
-  providers = {
-    aws.main = aws.main
-  }
-
   resource_name_prefix = var.resource_name_prefix
   aws_region           = data.aws_region.current.name
   aws_subscription_id  = data.aws_caller_identity.current.account_id
 
   # Networking
 
-  allowed_inbound_cidrs     = var.allowed_inbound_cidrs_lb
-  allowed_inbound_cidrs_ssh = var.allowed_inbound_cidrs_ssh
-  graphdb_subnets           = module.vpc[0].private_subnet_ids
-  graphdb_target_group_arns = local.graphdb_target_group_arns
-  vpc_id                    = module.vpc[0].vpc_id
+  allowed_inbound_cidrs         = var.allowed_inbound_cidrs_lb
+  allowed_inbound_cidrs_ssh     = var.allowed_inbound_cidrs_ssh
+  graphdb_subnets               = module.vpc[0].private_subnet_ids
+  graphdb_target_group_arns     = local.graphdb_target_group_arns
+  vpc_id                        = module.vpc[0].vpc_id
+  graphdb_enable_private_access = var.lb_internal ? var.graphdb_enable_private_access : false
 
   # Network Load Balancer
 
@@ -141,4 +142,8 @@ module "graphdb" {
 
   # User data scripts
   deploy_monitoring = var.deploy_monitoring
+
+  providers = {
+    aws.main = aws.main
+  }
 }

modules/graphdb/nsg.tf

@@ -58,6 +58,8 @@ resource "aws_security_group_rule" "graphdb_network_lb_ingress" {
 }
 
 resource "aws_security_group_rule" "graphdb_lb_healthchecks" {
+  count = var.graphdb_enable_private_access ? 0 : 1
+
   description       = "Allow the load balancer to healthcheck the GraphDB nodes and access the proxies."
   security_group_id = aws_security_group.graphdb_security_group.id
   type              = "ingress"

modules/graphdb/variables.tf

@@ -221,3 +221,8 @@ variable "ec2_userdata_script" {
   description = "Userdata script for EC2 instance"
   type        = string
 }
+
+variable "graphdb_enable_private_access" {
+  description = "value"
+  type        = bool
+}

modules/load_balancer/variables.tf

@@ -83,4 +83,4 @@ variable "lb_tls_policy" {
   description = "TLS security policy on the listener."
   type        = string
   default     = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-}
+}

modules/vpc/main.tf

@@ -17,10 +17,11 @@ locals {
 # GraphDB VPC
 
 resource "aws_vpc" "graphdb_vpc" {
-
   cidr_block           = var.vpc_cidr_block
   enable_dns_hostnames = var.vpc_dns_hostnames
   enable_dns_support   = var.vpc_dns_support
+
+  tags = local.tags
 }
 
 # GraphDB Internet Gateway
@@ -127,3 +128,13 @@ resource "aws_route_table_association" "graphdb_private_route_table_association"
   route_table_id = aws_route_table.graphdb_private_route_table[count.index].id
   subnet_id      = aws_subnet.graphdb_private_subnet[count.index].id
 }
+
+# GraphDB Private Link Service
+
+resource "aws_vpc_endpoint_service" "graphdb_vpc_endpoint_service" {
+  count = var.graphdb_enable_private_access ? 1 : 0
+
+  network_load_balancer_arns = var.network_load_balancer_arns
+  acceptance_required        = var.vpc_endpoint_service_acceptance_required
+  allowed_principals         = var.vpc_endpoint_service_allowed_principals
+}

modules/vpc/variables.tf

@@ -38,4 +38,24 @@ variable "single_nat_gateway" {
 variable "enable_nat_gateway" {
   description = "Enalbe or disable the creation of the NAT Gateway"
   type        = bool
-}
+}
+
+variable "vpc_endpoint_service_acceptance_required" {
+  description = "(Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false."
+  type        = bool
+}
+
+variable "vpc_endpoint_service_allowed_principals" {
+  description = "(Optional) The ARNs of one or more principals allowed to discover the endpoint service."
+  type        = list(string)
+}
+
+variable "network_load_balancer_arns" {
+  description = "Describe the ARN(s) of the load balancer(s) to which you want to have access."
+  type        = list(string)
+}
+
+variable "graphdb_enable_private_access" {
+  description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster"
+  type        = bool
+}

variables.tf

@@ -160,6 +160,24 @@ variable "enable_nat_gateway" {
   default     = true
 }
 
+variable "vpc_endpoint_service_acceptance_required" {
+  description = "(Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false."
+  type        = bool
+  default     = true
+}
+
+variable "vpc_endpoint_service_allowed_principals" {
+  description = "(Optional) The ARNs of one or more principals allowed to discover the endpoint service."
+  type        = list(string)
+  default     = null
+}
+
+variable "graphdb_enable_private_access" {
+  description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster"
+  type        = bool
+  default     = false
+}
+
 variable "ami_id" {
   description = "(Optional) User-provided AMI ID to use with GraphDB instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
   type        = string