diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 73c54f0..f29f71c 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -7,6 +7,7 @@ provider "registry.terraform.io/hashicorp/aws" {
 hashes = [
 "h1:3c0jJCaLRgXrOZoGMAOjH+omtHUo96AkukUF4/h9gaE=",
 "h1:LRmSNnudFVTkMSnEXJSKCojpknVVYEnls2UTeoxCxtc=",
+ "h1:jmBhlwcMmbnLpk+2s22uFAxuSXABCOfryxrUzKV38eY=",
 "zh:0fff674596251d3f46b5a9e242220871d6c634f7cf69f2741d1c3c8f4baa708c",
 "zh:1495d0f71bbd849ad286e7afa9d531a45217e6af7e3d165a447809dab364bd9b",
 "zh:3eab136bd5b6c58a99f5cb588220819c70061b48da98f2b40061ebabfcbe1957",
@@ -50,6 +51,7 @@ provider "registry.terraform.io/hashicorp/random" {
 version = "3.6.2"
 constraints = "~> 3.6.0"
 hashes = [
+ "h1:Gd3WitYIzSYo/Suo+PMxpZpIGpRPrwl0JU0+DhxycFM=",
 "h1:VavG5unYCa3SYISMKF9pzc3718M0bhPlcbUZZGl7wuo=",
 "h1:wmG0QFjQ2OfyPy6BB7mQ57WtoZZGGV07uAPQeDmIrAE=",
 "zh:0ef01a4f81147b32c1bea3429974d4d104bbc4be2ba3cfa667031a8183ef88ec",
diff --git a/CHANGELOG.md b/CHANGELOG.md
index bbfa9e5..c12fe08 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # GraphDB AWS Terraform Module Changelog
+# 1.2.3
+
+* Removed unused resource "aws_ssm_parameter" named "graphdb_lb_dns_name"
+* Fixed `graphdb.properties` values for single node deployment:
+ * Changed `graphdb.external-url` to use `LB_DNS_RECORD` when single node is deployed.
+ * Added `graphdb.external-url.enforce.transactions=true`
+* Removed calculation of `lb_tls_enabled` in the LB module as it is calculated in the main.tf
+* Removed `monitoring_route53_healtcheck_fqdn_url` in favor of `graphdb_external_dns`.
+
 # 1.2.2
 * Fixed issues with variables in the backup user data script
diff --git a/main.tf b/main.tf
index 0556ca9..5f6f95c 100644
--- a/main.tf
+++ b/main.tf
@@ -165,6 +165,11 @@ module "backup_replication" {
 versioning_enabled = var.s3_versioning_enabled
 }
+locals {
+ lb_tls_enabled = var.lb_tls_certificate_arn != "" ? true : false
+ calculated_protocol = local.lb_tls_enabled == true ? "https" : "http"
+}
+
 module "load_balancer" {
 source = "./modules/load_balancer"
@@ -177,6 +182,7 @@ module "load_balancer" {
 lb_health_check_interval = var.lb_health_check_interval
 lb_enable_deletion_protection = var.prevent_resource_deletion
 lb_tls_certificate_arn = var.lb_tls_certificate_arn
+ lb_tls_enabled = local.lb_tls_enabled
 lb_tls_policy = var.lb_tls_policy
 lb_access_logs_bucket_name = var.lb_enable_access_logs && var.deploy_logging_module ? module.logging[0].graphdb_logging_bucket_name : null
 lb_enable_access_logs = var.lb_enable_access_logs
@@ -189,11 +195,6 @@ locals {
 )
 }
-locals {
- lb_tls_enabled = var.lb_tls_certificate_arn != null ? true : false
- calculated_http_string_type = local.lb_tls_enabled == true ? "HTTPS" : "HTTP"
-}
-
 module "monitoring" {
 source = "./modules/monitoring"
 providers = {
@@ -221,11 +222,11 @@ module "monitoring" {
 cmk_key_alias = var.sns_cmk_key_alias
 parameter_store_kms_key_arn = local.calculated_parameter_store_kms_key_arn
 cloudwatch_log_group_retention_in_days = var.monitoring_log_group_retention_in_days
- route53_availability_request_url = var.monitoring_route53_healtcheck_fqdn_url
+ route53_availability_request_url = var.graphdb_external_dns
 route53_availability_measure_latency = var.monitoring_route53_measure_latency
 sns_kms_key_arn = local.calculated_sns_kms_key_arn
 graphdb_node_count = var.graphdb_node_count
- route53_availability_http_string_type = local.calculated_http_string_type
+ route53_availability_http_string_type = upper(local.calculated_protocol)
 lb_tls_certificate_arn = var.lb_tls_certificate_arn
 lb_dns_name = module.load_balancer.lb_dns_name != "" ? module.load_balancer.lb_dns_name : null
 }
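Review bot: `lb_tls_enabled = var.lb_tls_certificate_arn != "" ? true : false` in the new `locals` block at the top of this hunk changes the test from `!= null` (the block removed further down in this file) to `!= ""`; in HCL `null != ""` evaluates to true, so if the variable's default is `null` (its declaration is not in this diff) TLS is reported as enabled and the load-balancer module's `graphdb_tls` listener (`count = var.lb_tls_enabled ? 1 : 0`) is created although no certificate ARN is available. A guard that covers both representations, `lb_tls_enabled = var.lb_tls_certificate_arn != null && var.lb_tls_certificate_arn != ""`, keeps the old behaviour for null and adds the empty-string case. While here, `calculated_protocol = local.lb_tls_enabled ? "https" : "http"` drops the redundant `== true` and the `? true : false` form on the line above can go the same way.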
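Review bot: `route53_availability_request_url = var.graphdb_external_dns` in the `module "monitoring"` hunk replaces a root variable that had no default with one that defaults to `""` (see the `variables.tf` hunk in this diff), so a caller who never set the old `monitoring_route53_healtcheck_fqdn_url` and does not set the new one now hands an empty health-check URL to the monitoring module instead of getting a required-variable error at plan time. Unless the monitoring module treats `""` specially (not visible here), that either fails at apply or creates a health check against nothing. The module already receives `lb_dns_name` at the end of this hunk, so a fallback like the one the `graphdb` module gets later in this file, `route53_availability_request_url = var.graphdb_external_dns != "" ? var.graphdb_external_dns : module.load_balancer.lb_dns_name`, or a `validation` block on `graphdb_external_dns` that rejects `""` when monitoring is deployed, would restore the old safety. Removing a required root variable is also a breaking change for existing callers, which the `1.2.3` changelog entry presents as a patch release.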
@@ -248,7 +249,7 @@ module "graphdb" {
 # Network Load Balancer
 lb_enable_private_access = var.lb_internal ? var.lb_enable_private_access : false
 lb_subnets = local.lb_subnets
- graphdb_lb_dns_name = module.load_balancer.lb_dns_name
+ graphdb_lb_dns_name = var.graphdb_external_dns != "" ? var.graphdb_external_dns : module.load_balancer.lb_dns_name
 # GraphDB Configurations
@@ -309,7 +310,8 @@ module "graphdb" {
 # User data scripts
- deploy_monitoring = var.deploy_monitoring
+ deploy_monitoring = var.deploy_monitoring
+ external_address_protocol = local.calculated_protocol
 # S3 Replication Logging Bucket Policy
diff --git a/modules/graphdb/config.tf b/modules/graphdb/config.tf
index fafea71..7daedf9 100644
--- a/modules/graphdb/config.tf
+++ b/modules/graphdb/config.tf
@@ -39,13 +39,6 @@ resource "aws_ssm_parameter" "graphdb_license" {
 key_id = var.parameter_store_key_arn
 }
-resource "aws_ssm_parameter" "graphdb_lb_dns_name" {
- name = "/${var.resource_name_prefix}/graphdb/lb_dns_name"
- description = "The DNS name of the load balancer for the GraphDB nodes."
- type = "String"
- value = var.graphdb_lb_dns_name
-}
-
 resource "aws_ssm_parameter" "graphdb_properties" {
 count = var.graphdb_properties_path != null ? 1 : 0
diff --git a/modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl b/modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl
index 7c99ff6..3c5fa58 100644
--- a/modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl
+++ b/modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl
@@ -22,7 +22,7 @@ echo "#######################################"
 LB_DNS_RECORD=${graphdb_lb_dns_name}
 NODE_DNS_RECORD=$(cat /var/opt/graphdb/node_dns)
-
+PROTOCOL=${external_address_protocol}
 # Get and store the GraphDB license
 aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/license" --with-decryption | \
 jq -r .Parameter.Value | \
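Review bot: `PROTOCOL=${external_address_protocol}` in the `04_gdb_conf_overrides.sh.tpl` hunk references a template variable named `external_address_protocol`, but the `templatefile` call in the `modules/graphdb/user_data.tf` hunk of this diff passes the value under the key `external_address_http_string_type`; `templatefile` rejects a vars map that lacks a key the template uses, so rendering this user data fails at plan time and the new single-node branch in the next hunk is never exercised. Rename the map key to match, `external_address_protocol : var.external_address_protocol`, which also lines up with the module variable and with what `main.tf` passes in; renaming the template reference instead would work but keeps the stale "http string type" name alive. The enclosing script continues on both sides of this hunk.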
@@ -32,15 +32,26 @@ aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${na
 GRAPHDB_CLUSTER_TOKEN="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/cluster_token" --with-decryption | jq -r .Parameter.Value | base64 -d)"
 # Get the NODE_DNS_RECORD value from the previous script
 SSM_PARAMETERS=$(aws ssm describe-parameters --cli-connect-timeout 300 --region ${region} --query "Parameters[?starts_with(Name, '/${name}/graphdb/')].Name" --output text)
+NODE_COUNT=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names ${name} --query "AutoScalingGroups[0].DesiredCapacity" --output text)
+
-cat << EOF > /etc/graphdb/graphdb.properties
+# graphdb.external-url.enforce.transactions: determines whether it is necessary to rewrite the Location header when no proxy is configured.
+# This is required because when working with the GDB transaction endpoint it returns an erroneous URL with HTTP protocol instead of HTTPS
+if [ "$NODE_COUNT" -eq 1 ]; then
+ cat << EOF > /etc/graphdb/graphdb.properties
+graphdb.connector.port=7201
+graphdb.external-url=$${PROTOCOL}://$${LB_DNS_RECORD}
+graphdb.external-url.enforce.transactions=true
+EOF
+else
+ cat << EOF > /etc/graphdb/graphdb.properties
 graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
 graphdb.connector.port=7201
-graphdb.external-url=http://$${NODE_DNS_RECORD}:7201
+graphdb.external-url=$${PROTOCOL}://$${NODE_DNS_RECORD}:7201
 graphdb.rpc.address=$${NODE_DNS_RECORD}:7301
 EOF
-cat << EOF > /etc/graphdb-cluster-proxy/graphdb.properties
+ cat << EOF > /etc/graphdb-cluster-proxy/graphdb.properties
 graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
 graphdb.connector.port=7200
 graphdb.external-url=http://$${LB_DNS_RECORD}
@@ -48,6 +59,7 @@ graphdb.vhosts=http://$${LB_DNS_RECORD},http://$${NODE_DNS_RECORD}:7200
 graphdb.rpc.address=$${NODE_DNS_RECORD}:7300
 graphdb.proxy.hosts=$${NODE_DNS_RECORD}:7301
 EOF
+fi
 mkdir -p /etc/systemd/system/graphdb.service.d/
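Review bot: `if [ "$NODE_COUNT" -eq 1 ]` silently falls into the cluster configuration whenever the `describe-auto-scaling-groups` call above it fails or returns nothing (`NODE_COUNT` empty or `None`), because `[` then exits with an error and the `else` branch runs; it also assumes the ASG is named exactly `${name}`, which this hunk cannot confirm. Validate the value before branching, e.g. `case "$NODE_COUNT" in ''|*[!0-9]*) echo "cannot determine ASG desired capacity" >&2; exit 1;; esac`, so a single node that cannot query its ASG does not come up as a proxied cluster. Separately, the proxy properties in the `else` branch still hard-code `graphdb.external-url=http://$${LB_DNS_RECORD}` (and `graphdb.vhosts` in the next hunk's header line) while the node config on the new side switches to `$${PROTOCOL}`, so with TLS on the load balancer the cluster deployment keeps the http-scheme Location problem the new comment describes; `$${PROTOCOL}://$${LB_DNS_RECORD}` there looks like the intended counterpart, worth confirming against the proxy's expectations. The enclosing script continues on both sides of this hunk.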
diff --git a/modules/graphdb/user_data.tf b/modules/graphdb/user_data.tf
index 0932bee..cfc1dba 100644
--- a/modules/graphdb/user_data.tf
+++ b/modules/graphdb/user_data.tf
@@ -61,6 +61,7 @@ data "cloudinit_config" "graphdb_user_data" {
 content = templatefile("${path.module}/templates/04_gdb_conf_overrides.sh.tpl", {
 name : var.resource_name_prefix
 region : var.aws_region
+ external_address_http_string_type : var.external_address_protocol
 graphdb_lb_dns_name : var.graphdb_lb_dns_name
 })
 }
diff --git a/modules/graphdb/variables.tf b/modules/graphdb/variables.tf
index f7b68f6..c6f894c 100644
--- a/modules/graphdb/variables.tf
+++ b/modules/graphdb/variables.tf
@@ -168,6 +168,13 @@ variable "route53_zone_dns_name" {
 type = string
 }
+# User Data Parameters
+
+variable "external_address_protocol" {
+ description = "External address HTTP string type"
+ type = string
+}
+
 # Optional Parameters
 variable "backup_retention_count" {
diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf
index 1b9adb0..7c68e04 100644
--- a/modules/load_balancer/main.tf
+++ b/modules/load_balancer/main.tf
@@ -11,7 +11,6 @@ resource "random_id" "tg_name_suffix" {
 locals {
 lb_name = var.resource_name_prefix
 target_group_name = "${var.resource_name_prefix}-tg-${random_id.tg_name_suffix.hex}"
- lb_tls_enabled = var.lb_tls_certificate_arn != null ? true : false
 }
 resource "aws_lb" "graphdb_lb" {
@@ -55,7 +54,7 @@ resource "aws_lb_target_group" "graphdb_lb_target_group" {
 }
 resource "aws_lb_listener" "graphdb_listener" {
- count = local.lb_tls_enabled ? 0 : 1
+ count = var.lb_tls_enabled ? 0 : 1
 load_balancer_arn = aws_lb.graphdb_lb.id
 port = 80
@@ -68,7 +67,7 @@ resource "aws_lb_listener" "graphdb_listener" {
 }
 resource "aws_lb_listener" "graphdb_tls" {
- count = local.lb_tls_enabled ? 1 : 0
+ count = var.lb_tls_enabled ? 1 : 0
 load_balancer_arn = aws_lb.graphdb_lb.id
 port = 443
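Review bot: `description = "External address HTTP string type"` on the new `external_address_protocol` variable in `modules/graphdb/variables.tf` describes the old upper-case `HTTP`/`HTTPS` value, but what `main.tf` passes in is `local.calculated_protocol`, the lower-case scheme that the user-data template splices straight into `graphdb.external-url`; any other value silently yields an unusable URL in `graphdb.properties` on the instance. Fix the description, `description = "URL scheme (http or https) used to build GraphDB's external address"`, and constrain the value with a `validation` block so a wrong value fails at plan time rather than at boot. The variable has no default, which is right since the root module always computes it.
```hcl
variable "external_address_protocol" {
  description = "URL scheme (http or https) used to build GraphDB's external address"
  type        = string

  validation {
    condition     = contains(["http", "https"], var.external_address_protocol)
    error_message = "external_address_protocol must be \"http\" or \"https\"."
  }
}
```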
diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf
index 5055211..68b9504 100644
--- a/modules/load_balancer/variables.tf
+++ b/modules/load_balancer/variables.tf
@@ -89,3 +89,8 @@ variable "graphdb_node_count" {
 description = "Number of GraphDB nodes to deploy in ASG"
 type = number
 }
+
+variable "lb_tls_enabled" {
+ description = "Is TLS enabled for the LB"
+ type = bool
+}
diff --git a/variables.tf b/variables.tf
index b113692..761951b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -306,6 +306,12 @@ variable "route53_zone_dns_name" {
 }
 }
+variable "graphdb_external_dns" {
+ description = "External domain name where GraphDB will be accessed"
+ type = string
+ default = ""
+}
+
 # Monitoring
 variable "deploy_monitoring" {
@@ -374,11 +380,6 @@ variable "monitoring_route53_availability_https_port" {
 default = 443
 }
-variable "monitoring_route53_healtcheck_fqdn_url" {
- description = "Define custom domain name for the Route53 Health check"
- type = string
-}
-
 # GraphDB overrides
 variable "graphdb_properties_path" {
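Review bot: `description = "External domain name where GraphDB will be accessed"` on the new root `graphdb_external_dns` variable does not say that the value must be a bare hostname: in this diff it is prefixed with `$${PROTOCOL}://` by the user-data template and handed unchanged to the Route53 health check, so a value with a scheme or trailing path produces a malformed `graphdb.external-url` without any plan-time error. State the contract in the description, `description = "Bare hostname (no scheme, port or path) under which GraphDB is reached; used for graphdb.external-url and the Route53 health check. Empty falls back to the load balancer DNS name for the GraphDB external URL."`, and consider a `validation` block with `can(regex("^[A-Za-z0-9.-]*$", var.graphdb_external_dns))` as the condition so the two consumers only ever see a hostname.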