Merge pull request #37 from Ontotext-AD/GDB-10116/Implement-PrivateLi…

…nk-AWS-Terraform-Module

[GDB-10116]-Added-Private-Link-Support

README.md

@@ -112,6 +112,9 @@ Before you begin using this Terraform module, ensure you meet the following prer
 | vpc\_dns\_support | Enable or disable the support of the DNS service | `bool` | `true` | no |
 | single\_nat\_gateway | Enable or disable the option to have single NAT Gateway. | `bool` | `false` | no |
 | enable\_nat\_gateway | Enable or disable the creation of the NAT Gateway | `bool` | `true` | no |
+| vpc\_endpoint\_service\_accept\_connection\_requests | (Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false. | `bool` | `true` | no |
+| vpc\_endpoint\_service\_allowed\_principals | (Optional) The ARNs of one or more principals allowed to discover the endpoint service. | `list(string)` | `null` | no |
+| lb\_enable\_private\_access | Enable or disable the private access via PrivateLink to the GraphDB Cluster | `bool` | `false` | no |
 | ami\_id | (Optional) User-provided AMI ID to use with GraphDB instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user\_supplied\_userdata\_path variable. | `string` | `null` | no |
 | graphdb\_version | GraphDB version | `string` | `"10.6.3"` | no |
 | device\_name | The device to which EBS volumes for the GraphDB data directory will be mapped. | `string` | `"/dev/sdf"` | no |
@@ -237,6 +240,17 @@ deploy_monitoring = true
 lb_tls_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
 ```
 
+**Private Deployment**
+
+To ensure access to GraphDB exclusively through a private network, you must set the following variables to `true`:
+```hcl
+# Enable creation of a private service endpoint
+lb_enable_private_access = true
+# Enable private access to the Network Load Balancer and disable public access
+lb_internal = true
+```
+By configuring these variables accordingly you enforce GraphDB accessibility solely via a private network, enhancing security and control over network traffic.
+
 ## Updating configurations on an active deployment
 
 In case your license has expired, and you need to renew it, or you need to make some changes to the `graphdb.properties`

main.tf

@@ -7,14 +7,18 @@ module "vpc" {
 
   count = var.create_vpc ? 1 : 0
 
-  resource_name_prefix     = var.resource_name_prefix
-  vpc_dns_hostnames        = var.vpc_dns_hostnames
-  vpc_dns_support          = var.vpc_dns_support
-  vpc_private_subnet_cidrs = var.vpc_private_subnet_cidrs
-  vpc_public_subnet_cidrs  = var.vpc_public_subnet_cidrs
-  vpc_cidr_block           = var.vpc_cidr_block
-  single_nat_gateway       = var.single_nat_gateway
-  enable_nat_gateway       = var.enable_nat_gateway
+  resource_name_prefix                            = var.resource_name_prefix
+  vpc_dns_hostnames                               = var.vpc_dns_hostnames
+  vpc_dns_support                                 = var.vpc_dns_support
+  vpc_private_subnet_cidrs                        = var.vpc_private_subnet_cidrs
+  vpc_public_subnet_cidrs                         = var.vpc_public_subnet_cidrs
+  vpc_cidr_block                                  = var.vpc_cidr_block
+  single_nat_gateway                              = var.single_nat_gateway
+  enable_nat_gateway                              = var.enable_nat_gateway
+  lb_enable_private_access                        = var.lb_enable_private_access
+  network_load_balancer_arns                      = [module.load_balancer.lb_arn]
+  vpc_endpoint_service_allowed_principals         = var.vpc_endpoint_service_allowed_principals
+  vpc_endpoint_service_accept_connection_requests = var.vpc_endpoint_service_accept_connection_requests
 }
 
 module "backup" {
@@ -83,9 +87,9 @@ module "graphdb" {
   vpc_id                    = module.vpc[0].vpc_id
 
   # Network Load Balancer
-
-  lb_subnets          = var.lb_internal ? module.vpc[0].private_subnet_ids : module.vpc[0].public_subnet_ids
-  graphdb_lb_dns_name = module.load_balancer.lb_dns_name
+  lb_enable_private_access = var.lb_internal ? var.lb_enable_private_access : false
+  lb_subnets               = var.lb_internal ? module.vpc[0].private_subnet_ids : module.vpc[0].public_subnet_ids
+  graphdb_lb_dns_name      = module.load_balancer.lb_dns_name
 
   # Identity
 

modules/graphdb/main.tf

@@ -4,6 +4,8 @@ data "aws_ec2_instance_type" "graphdb" {
   instance_type = var.ec2_instance_type
 }
 
+data "aws_default_tags" "current" {}
+
 data "aws_ami" "graphdb" {
   count = var.ami_id != null ? 0 : 1
 
@@ -28,9 +30,6 @@ data "aws_ami" "graphdb" {
   }
 }
 
-data "aws_default_tags" "current" {
-}
-
 data "aws_subnet" "subnet" {
   count = length(var.graphdb_subnets)
   id    = var.graphdb_subnets[count.index]

modules/graphdb/nsg.tf

@@ -58,6 +58,9 @@ resource "aws_security_group_rule" "graphdb_network_lb_ingress" {
 }
 
 resource "aws_security_group_rule" "graphdb_lb_healthchecks" {
+  # Since it creates duplicated rule if lb_internal is true we need to have a toggle to enable/disable this rule based on the type of the access to the LB
+  count = var.lb_enable_private_access ? 0 : 1
+
   description       = "Allow the load balancer to healthcheck the GraphDB nodes and access the proxies."
   security_group_id = aws_security_group.graphdb_security_group.id
   type              = "ingress"

modules/graphdb/variables.tf

@@ -221,3 +221,8 @@ variable "ec2_userdata_script" {
   description = "Userdata script for EC2 instance"
   type        = string
 }
+
+variable "lb_enable_private_access" {
+  description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster"
+  type        = bool
+}

modules/load_balancer/variables.tf

@@ -83,4 +83,4 @@ variable "lb_tls_policy" {
   description = "TLS security policy on the listener."
   type        = string
   default     = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-}
+}

modules/vpc/main.tf

@@ -2,10 +2,6 @@
 data "aws_availability_zones" "available" {}
 
 locals {
-  tags = {
-    Name = "${var.resource_name_prefix}"
-  }
-
   azs                = slice(data.aws_availability_zones.available.names, 0, 3)
   len_public_subnets = max(length(var.vpc_private_subnet_cidrs))
 
@@ -17,7 +13,6 @@ locals {
 # GraphDB VPC
 
 resource "aws_vpc" "graphdb_vpc" {
-
   cidr_block           = var.vpc_cidr_block
   enable_dns_hostnames = var.vpc_dns_hostnames
   enable_dns_support   = var.vpc_dns_support
@@ -40,7 +35,7 @@ resource "aws_subnet" "graphdb_public_subnet" {
   cidr_block        = var.vpc_public_subnet_cidrs[count.index]
   availability_zone = local.azs[count.index]
 
-  tags = { "Name" = "${local.tags.Name}-public-subnet-${count.index}" }
+  tags = { "Name" = "${var.resource_name_prefix}-public-subnet-${count.index}" }
 }
 
 # GraphDB Private Subnet
@@ -53,7 +48,7 @@ resource "aws_subnet" "graphdb_private_subnet" {
   availability_zone = local.azs[count.index]
 
   tags = {
-    "Name" = "${local.tags.Name}-private-subnet-${count.index}"
+    "Name" = "${var.resource_name_prefix}-private-subnet-${count.index}"
   }
 }
 
@@ -89,7 +84,7 @@ resource "aws_route_table" "graphdb_public_route_table" {
   }
 
   tags = {
-    Name = "${local.tags.Name}-public-route-table-${count.index}"
+    Name = "${var.resource_name_prefix}-public-route-table-${count.index}"
   }
 }
 
@@ -108,7 +103,7 @@ resource "aws_route_table" "graphdb_private_route_table" {
   vpc_id = aws_vpc.graphdb_vpc.id
 
   tags = {
-    Name = "${local.tags.Name}-private-route-table-${count.index}"
+    Name = "${var.resource_name_prefix}-private-route-table-${count.index}"
   }
 
   dynamic "route" {
@@ -127,3 +122,13 @@ resource "aws_route_table_association" "graphdb_private_route_table_association"
   route_table_id = aws_route_table.graphdb_private_route_table[count.index].id
   subnet_id      = aws_subnet.graphdb_private_subnet[count.index].id
 }
+
+# GraphDB Private Link Service
+
+resource "aws_vpc_endpoint_service" "graphdb_vpc_endpoint_service" {
+  count = var.lb_enable_private_access ? 1 : 0
+
+  network_load_balancer_arns = var.network_load_balancer_arns
+  acceptance_required        = var.vpc_endpoint_service_accept_connection_requests
+  allowed_principals         = var.vpc_endpoint_service_allowed_principals
+}

modules/vpc/variables.tf

@@ -38,4 +38,24 @@ variable "single_nat_gateway" {
 variable "enable_nat_gateway" {
   description = "Enalbe or disable the creation of the NAT Gateway"
   type        = bool
-}
+}
+
+variable "vpc_endpoint_service_accept_connection_requests" {
+  description = "(Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false."
+  type        = bool
+}
+
+variable "vpc_endpoint_service_allowed_principals" {
+  description = "(Optional) The ARNs of one or more principals allowed to discover the endpoint service."
+  type        = list(string)
+}
+
+variable "network_load_balancer_arns" {
+  description = "Describe the ARN(s) of the load balancer(s) to which you want to have access."
+  type        = list(string)
+}
+
+variable "lb_enable_private_access" {
+  description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster"
+  type        = bool
+}

variables.tf

@@ -160,6 +160,24 @@ variable "enable_nat_gateway" {
   default     = true
 }
 
+variable "vpc_endpoint_service_accept_connection_requests" {
+  description = "(Required) Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false."
+  type        = bool
+  default     = true
+}
+
+variable "vpc_endpoint_service_allowed_principals" {
+  description = "(Optional) The ARNs of one or more principals allowed to discover the endpoint service."
+  type        = list(string)
+  default     = null
+}
+
+variable "lb_enable_private_access" {
+  description = "Enable or disable the private access via PrivateLink to the GraphDB Cluster"
+  type        = bool
+  default     = false
+}
+
 variable "ami_id" {
   description = "(Optional) User-provided AMI ID to use with GraphDB instances. If you provide this value, please ensure it will work with the default userdata script (assumes latest version of Ubuntu LTS). Otherwise, please provide your own userdata script using the user_supplied_userdata_path variable."
   type        = string