Ontotext-AD · viktor-ribchev · Jul 17, 2024 · Jul 16, 2024 · Jul 17, 2024
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # GraphDB AWS Terraform Module Changelog
 
+# 1.2.3
+
+* Removed unused resource "aws_ssm_parameter" named "graphdb_lb_dns_name"
+* Fixed `graphdb.properties` values for single node deployment:
+  * Changed `graphdb.external-url` to use `LB_DNS_RECORD` when single node is deployed.
+  * Added `graphdb.external-url.enforce.transactions=true`
+* Removed calculation of `lb_tls_enabled` in the LB module as it is calculated in the main.tf
+* Removed `monitoring_route53_healtcheck_fqdn_url` in favor of `graphdb_external_dns`.
+
 # 1.2.2
 
 * Fixed issues with variables in the backup user data script

diff --git a/README.md b/README.md
@@ -135,6 +135,7 @@ Before you begin using this Terraform module, ensure you meet the following prer
 | graphdb\_admin\_password | Password for the 'admin' user in GraphDB. | `string` | `null` | no |
 | graphdb\_cluster\_token | Cluster token used for authenticating the communication between the nodes. | `string` | `null` | no |
 | route53\_zone\_dns\_name | DNS name for the private hosted zone in Route 53 | `string` | `"graphdb.cluster"` | no |
+| graphdb\_external\_dns | External domain name where GraphDB will be accessed | `string` | `""` | no |
 | deploy\_monitoring | Enable or disable toggle for monitoring | `bool` | `false` | no |
 | monitoring\_route53\_measure\_latency | Enable or disable route53 function to measure latency | `bool` | `false` | no |
 | monitoring\_actions\_enabled | Enable or disable actions on alarms | `bool` | `false` | no |
@@ -146,7 +147,6 @@ Before you begin using this Terraform module, ensure you meet the following prer
 | monitoring\_route53\_health\_check\_aws\_region | Define the region in which you want the monitoring to be deployed. It is used to define where the Route53 Availability Check will be deployed, since if it is not specified it will deploy the check in us-east-1 and if you deploy in different region it will not find the dimensions. | `string` | `"us-east-1"` | no |
 | monitoring\_route53\_availability\_http\_port | Define the HTTP port for the Route53 availability check | `number` | `80` | no |
 | monitoring\_route53\_availability\_https\_port | Define the HTTPS port for the Route53 availability check | `number` | `443` | no |
-| monitoring\_route53\_healtcheck\_fqdn\_url | Define custom domain name for the Route53 Health check | `string` | n/a | yes |
 | graphdb\_properties\_path | Path to a local file containing GraphDB properties (graphdb.properties) that would be appended to the default in the VM. | `string` | `null` | no |
 | graphdb\_java\_options | GraphDB options to pass to GraphDB with GRAPHDB\_JAVA\_OPTS environment variable. | `string` | `null` | no |
 | deploy\_logging\_module | Enable or disable logging module | `bool` | `false` | no |

diff --git a/main.tf b/main.tf
@@ -165,6 +165,11 @@ module "backup_replication" {
   versioning_enabled        = var.s3_versioning_enabled
 }
 
+locals {
+  lb_tls_enabled      = var.lb_tls_certificate_arn != "" ? true : false
+  calculated_protocol = local.lb_tls_enabled == true ? "https" : "http"
+}
+
 module "load_balancer" {
   source = "./modules/load_balancer"
 
@@ -177,6 +182,7 @@ module "load_balancer" {
   lb_health_check_interval      = var.lb_health_check_interval
   lb_enable_deletion_protection = var.prevent_resource_deletion
   lb_tls_certificate_arn        = var.lb_tls_certificate_arn
+  lb_tls_enabled                = local.lb_tls_enabled
   lb_tls_policy                 = var.lb_tls_policy
   lb_access_logs_bucket_name    = var.lb_enable_access_logs && var.deploy_logging_module ? module.logging[0].graphdb_logging_bucket_name : null
   lb_enable_access_logs         = var.lb_enable_access_logs
@@ -189,11 +195,6 @@ locals {
   )
 }
 
-locals {
-  lb_tls_enabled              = var.lb_tls_certificate_arn != null ? true : false
-  calculated_http_string_type = local.lb_tls_enabled == true ? "HTTPS" : "HTTP"
-}
-
 module "monitoring" {
   source = "./modules/monitoring"
   providers = {
@@ -221,11 +222,11 @@ module "monitoring" {
   cmk_key_alias                          = var.sns_cmk_key_alias
   parameter_store_kms_key_arn            = local.calculated_parameter_store_kms_key_arn
   cloudwatch_log_group_retention_in_days = var.monitoring_log_group_retention_in_days
-  route53_availability_request_url       = var.monitoring_route53_healtcheck_fqdn_url
+  route53_availability_request_url       = var.graphdb_external_dns
   route53_availability_measure_latency   = var.monitoring_route53_measure_latency
   sns_kms_key_arn                        = local.calculated_sns_kms_key_arn
   graphdb_node_count                     = var.graphdb_node_count
-  route53_availability_http_string_type  = local.calculated_http_string_type
+  route53_availability_http_string_type  = upper(local.calculated_protocol)
   lb_tls_certificate_arn                 = var.lb_tls_certificate_arn
   lb_dns_name                            = module.load_balancer.lb_dns_name != "" ? module.load_balancer.lb_dns_name : null
 }
@@ -248,7 +249,7 @@ module "graphdb" {
   # Network Load Balancer
   lb_enable_private_access = var.lb_internal ? var.lb_enable_private_access : false
   lb_subnets               = local.lb_subnets
-  graphdb_lb_dns_name      = module.load_balancer.lb_dns_name
+  graphdb_lb_dns_name      = var.graphdb_external_dns != "" ? var.graphdb_external_dns : module.load_balancer.lb_dns_name
 
   # GraphDB Configurations
 
@@ -309,7 +310,8 @@ module "graphdb" {
 
   # User data scripts
 
-  deploy_monitoring = var.deploy_monitoring
+  deploy_monitoring         = var.deploy_monitoring
+  external_address_protocol = local.calculated_protocol
 
   # S3 Replication Logging Bucket Policy
 

diff --git a/modules/graphdb/config.tf b/modules/graphdb/config.tf
@@ -39,13 +39,6 @@ resource "aws_ssm_parameter" "graphdb_license" {
   key_id      = var.parameter_store_key_arn
 }
 
-resource "aws_ssm_parameter" "graphdb_lb_dns_name" {
-  name        = "/${var.resource_name_prefix}/graphdb/lb_dns_name"
-  description = "The DNS name of the load balancer for the GraphDB nodes."
-  type        = "String"
-  value       = var.graphdb_lb_dns_name
-}
-
 resource "aws_ssm_parameter" "graphdb_properties" {
   count = var.graphdb_properties_path != null ? 1 : 0
 

diff --git a/modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl b/modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl
@@ -22,7 +22,7 @@ echo "#######################################"
 
 LB_DNS_RECORD=${graphdb_lb_dns_name}
 NODE_DNS_RECORD=$(cat /var/opt/graphdb/node_dns)
-
+PROTOCOL=${external_address_protocol}
 # Get and store the GraphDB license
 aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/license" --with-decryption | \
   jq -r .Parameter.Value | \
@@ -32,22 +32,34 @@ aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${na
 GRAPHDB_CLUSTER_TOKEN="$(aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/cluster_token" --with-decryption | jq -r .Parameter.Value | base64 -d)"
 # Get the NODE_DNS_RECORD value from the previous script
 SSM_PARAMETERS=$(aws ssm describe-parameters --cli-connect-timeout 300 --region ${region} --query "Parameters[?starts_with(Name, '/${name}/graphdb/')].Name" --output text)
+NODE_COUNT=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names ${name} --query "AutoScalingGroups[0].DesiredCapacity" --output text)
+
 
-cat << EOF > /etc/graphdb/graphdb.properties
+# graphdb.external-url.enforce.transactions: determines whether it is necessary to rewrite the Location header when no proxy is configured.
+# This is required because when working with the GDB transaction endpoint it returns an erroneous URL with HTTP protocol instead of HTTPS
+if [ "$NODE_COUNT" -eq 1 ]; then
+  cat << EOF > /etc/graphdb/graphdb.properties
+graphdb.connector.port=7201
+graphdb.external-url=$${PROTOCOL}://$${LB_DNS_RECORD}
+graphdb.external-url.enforce.transactions=true
+EOF
+else
+  cat << EOF > /etc/graphdb/graphdb.properties
 graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
 graphdb.connector.port=7201
-graphdb.external-url=http://$${NODE_DNS_RECORD}:7201
+graphdb.external-url=$${PROTOCOL}://$${NODE_DNS_RECORD}:7201
 graphdb.rpc.address=$${NODE_DNS_RECORD}:7301
 EOF
 
-cat << EOF > /etc/graphdb-cluster-proxy/graphdb.properties
+  cat << EOF > /etc/graphdb-cluster-proxy/graphdb.properties
 graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
 graphdb.connector.port=7200
 graphdb.external-url=http://$${LB_DNS_RECORD}
 graphdb.vhosts=http://$${LB_DNS_RECORD},http://$${NODE_DNS_RECORD}:7200
 graphdb.rpc.address=$${NODE_DNS_RECORD}:7300
 graphdb.proxy.hosts=$${NODE_DNS_RECORD}:7301
 EOF
+fi
 
 mkdir -p /etc/systemd/system/graphdb.service.d/
 

diff --git a/modules/graphdb/user_data.tf b/modules/graphdb/user_data.tf
@@ -61,6 +61,7 @@ data "cloudinit_config" "graphdb_user_data" {
     content = templatefile("${path.module}/templates/04_gdb_conf_overrides.sh.tpl", {
       name : var.resource_name_prefix
       region : var.aws_region
+      external_address_protocol : var.external_address_protocol
       graphdb_lb_dns_name : var.graphdb_lb_dns_name
     })
   }

diff --git a/modules/graphdb/variables.tf b/modules/graphdb/variables.tf
@@ -168,6 +168,13 @@ variable "route53_zone_dns_name" {
   type        = string
 }
 
+# User Data Parameters
+
+variable "external_address_protocol" {
+  description = "External address HTTP string type"
+  type        = string
+}
+
 # Optional Parameters
 
 variable "backup_retention_count" {

diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf
@@ -11,7 +11,6 @@ resource "random_id" "tg_name_suffix" {
 locals {
   lb_name           = var.resource_name_prefix
   target_group_name = "${var.resource_name_prefix}-tg-${random_id.tg_name_suffix.hex}"
-  lb_tls_enabled    = var.lb_tls_certificate_arn != null ? true : false
 }
 
 resource "aws_lb" "graphdb_lb" {
@@ -55,7 +54,7 @@ resource "aws_lb_target_group" "graphdb_lb_target_group" {
 }
 
 resource "aws_lb_listener" "graphdb_listener" {
-  count = local.lb_tls_enabled ? 0 : 1
+  count = var.lb_tls_enabled ? 0 : 1
 
   load_balancer_arn = aws_lb.graphdb_lb.id
   port              = 80
@@ -68,7 +67,7 @@ resource "aws_lb_listener" "graphdb_listener" {
 }
 
 resource "aws_lb_listener" "graphdb_tls" {
-  count = local.lb_tls_enabled ? 1 : 0
+  count = var.lb_tls_enabled ? 1 : 0
 
   load_balancer_arn = aws_lb.graphdb_lb.id
   port              = 443

diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf
@@ -89,3 +89,8 @@ variable "graphdb_node_count" {
   description = "Number of GraphDB nodes to deploy in ASG"
   type        = number
 }
+
+variable "lb_tls_enabled" {
+  description = "Is TLS enabled for the LB"
+  type        = bool
+}
diff --git a/variables.tf b/variables.tf
@@ -306,6 +306,12 @@ variable "route53_zone_dns_name" {
   }
 }
 
+variable "graphdb_external_dns" {
+  description = "External domain name where GraphDB will be accessed"
+  type        = string
+  default     = ""
+}
+
 # Monitoring
 
 variable "deploy_monitoring" {
@@ -374,11 +380,6 @@ variable "monitoring_route53_availability_https_port" {
   default     = 443
 }
 
-variable "monitoring_route53_healtcheck_fqdn_url" {
-  description = "Define custom domain name for the Route53 Health check"
-  type        = string
-}
-
 # GraphDB overrides
 
 variable "graphdb_properties_path" {