Merge pull request #52 from zama-ai/ghislain/chore/supporte-multiple-scenarios-for-aws-private-link

chore(mpc-party): improve AWS PrivateLink integration by including AZs in consumer config

Author: maxnovawind

examples/mpc-party/main.tf

@@ -11,7 +11,7 @@ module "mpc_party" {
   enable_region_validation = var.enable_region_validation
 
   # Party configuration
-  party_id     = var.party_id
+  party_id      = var.party_id
   party_name    = var.party_name
   bucket_prefix = var.bucket_prefix
 

examples/terragrunt-infra/kms-dev-v1/mpc-party/terraform.tfvars

@@ -30,12 +30,12 @@ tags = {
 }
 
 # RDS Configuration
-enable_rds              = false
-rds_prefix              = "zama" # Use your organization prefix here
-rds_db_name             = "kmsconnector"
-rds_username            = "kmsconnector"
-rds_enable_master_password_rotation = true # To change to 'false' on second apply only (there is a bug when initializing the value to 'false')
-rds_deletion_protection = false # Allow deletion of RDS instance
+enable_rds                          = false
+rds_prefix                          = "zama" # Use your organization prefix here
+rds_db_name                         = "kmsconnector"
+rds_username                        = "kmsconnector"
+rds_enable_master_password_rotation = true  # To change to 'false' on second apply only (there is a bug when initializing the value to 'false')
+rds_deletion_protection             = false # Allow deletion of RDS instance
 
 # Node Group Configuration
 create_nodegroup                         = true

examples/terragrunt-infra/zws-dev/mpc-party/terraform.tfvars

@@ -30,12 +30,12 @@ tags = {
 }
 
 # RDS Configuration
-enable_rds              = false
-rds_prefix              = "zama" # Use your organization prefix here
-rds_db_name             = "kmsconnector"
-rds_username            = "kmsconnector"
-rds_enable_master_password_rotation = true # To change to 'false' on second apply only (there is a bug when initializing the value to 'false')
-rds_deletion_protection = false # Allow deletion of RDS instance
+enable_rds                          = false
+rds_prefix                          = "zama" # Use your organization prefix here
+rds_db_name                         = "kmsconnector"
+rds_username                        = "kmsconnector"
+rds_enable_master_password_rotation = true  # To change to 'false' on second apply only (there is a bug when initializing the value to 'false')
+rds_deletion_protection             = false # Allow deletion of RDS instance
 
 # Node Group Configuration
 create_nodegroup                         = true

modules/mpc-party/README.md

@@ -426,7 +426,7 @@ The module can optionally create:
 | <a name="input_rds_k8s_secret_namespace"></a> [rds\_k8s\_secret\_namespace](#input\_rds\_k8s\_secret\_namespace) | n/a | `string` | `"default"` | no |
 | <a name="input_rds_maintenance_window"></a> [rds\_maintenance\_window](#input\_rds\_maintenance\_window) | n/a | `string` | `null` | no |
 | <a name="input_rds_manage_master_user_password"></a> [rds\_manage\_master\_user\_password](#input\_rds\_manage\_master\_user\_password) | If true, let AWS Secrets Manager manage the master user password. If false, a random\_password will be generated and stored to K8s secrets. | `bool` | `false` | no |
-| <a name="input_rds_master_password_rotation_days"></a> [rds\_master\_password\_rotation\_days](#input\_rds\_master\_password\_rotation\_days) | Number of days between automatic scheduled rotations of the secret, default is set to a large number not to rotate password if rotation is not desired but not yet disabled | `number` | `1000000000` | no |
+| <a name="input_rds_master_password_rotation_days"></a> [rds\_master\_password\_rotation\_days](#input\_rds\_master\_password\_rotation\_days) | Number of days between automatic scheduled rotations of the secret, default is set to the maximum allowed value of 1000 days | `number` | `1000` | no |
 | <a name="input_rds_max_allocated_storage"></a> [rds\_max\_allocated\_storage](#input\_rds\_max\_allocated\_storage) | Max autoscaled storage in GiB. | `number` | `100` | no |
 | <a name="input_rds_monitoring_interval"></a> [rds\_monitoring\_interval](#input\_rds\_monitoring\_interval) | n/a | `number` | `0` | no |
 | <a name="input_rds_monitoring_role_arn"></a> [rds\_monitoring\_role\_arn](#input\_rds\_monitoring\_role\_arn) | n/a | `string` | `null` | no |

modules/mpc-party/main.tf

@@ -770,9 +770,9 @@ module "rds_instance" {
   username = var.rds_username
   port     = var.rds_port
 
-  password = var.rds_db_password
-  manage_master_user_password = var.rds_db_password != null ? false : true
-  manage_master_user_password_rotation = var.rds_enable_master_password_rotation
+  password                                               = var.rds_db_password
+  manage_master_user_password                            = var.rds_db_password != null ? false : true
+  manage_master_user_password_rotation                   = var.rds_enable_master_password_rotation
   master_user_password_rotation_automatically_after_days = var.rds_master_password_rotation_days
 
   iam_database_authentication_enabled = false

modules/mpc-party/variables.tf

@@ -504,20 +504,20 @@ variable "rds_deletion_protection" {
 
 variable "rds_db_password" {
   description = "RDS password to be set from inputs (must be longer than 8 chars), will disable RDS automatic SecretManager password"
-  type = string
-  default = null
+  type        = string
+  default     = null
 }
 
 variable "rds_enable_master_password_rotation" {
   description = "Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. There is not currently no way to disable this on initial creation even when set to false. Setting this value to false after previously having been set to true will disable automatic rotation."
-  type = bool
-  default = true
+  type        = bool
+  default     = true
 }
 
 variable "rds_master_password_rotation_days" {
   description = "Number of days between automatic scheduled rotations of the secret, default is set to the maximum allowed value of 1000 days"
-  type = number
-  default = 1000
+  type        = number
+  default     = 1000
 }
 
 variable "rds_delete_automated_backups" {
@@ -582,7 +582,7 @@ variable "rds_parameters" {
   description = "List of DB parameter maps for the parameter group."
   type        = list(map(string))
   # Required by KMS-Connector which currently lacks ssl certificates
-  default     = [{
+  default = [{
     name  = "rds.force_ssl"
     value = "0"
   }]

modules/vpc-endpoint-consumer/README.md

@@ -51,7 +51,7 @@ No modules.
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix for naming VPC interface endpoint resources | `string` | `"mpc-partner"` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Kubernetes namespace where partner services will be created | `string` | `"mpc-partners"` | no |
 | <a name="input_network_environment"></a> [network\_environment](#input\_network\_environment) | MPC network environment that determines region constraints | `string` | `"testnet"` | no |
-| <a name="input_party_services"></a> [party\_services](#input\_party\_services) | List of partner MPC services to connect to via VPC interface endpoints | <pre>list(object({<br/>    name                      = string<br/>    region                    = string<br/>    party_id                  = string<br/>    account_id                = optional(string, null)<br/>    partner_name              = optional(string, null)<br/>    vpc_endpoint_service_name = string<br/>    ports = optional(list(object({<br/>      name        = string<br/>      port        = number<br/>      target_port = number<br/>      protocol    = string<br/>    })), null)<br/>    create_kube_service = optional(bool, true)<br/>    kube_service_config = optional(object({<br/>      additional_annotations = optional(map(string), {})<br/>      labels                 = optional(map(string), {})<br/>      session_affinity       = optional(string, "None")<br/>    }), {})<br/>  }))</pre> | n/a | yes |
+| <a name="input_party_services"></a> [party\_services](#input\_party\_services) | List of partner MPC services to connect to via VPC interface endpoints | <pre>list(object({<br/>    name                      = string<br/>    region                    = string<br/>    party_id                  = string<br/>    account_id                = optional(string, null)<br/>    partner_name              = optional(string, null)<br/>    vpc_endpoint_service_name = string<br/>    ports = optional(list(object({<br/>      name        = string<br/>      port        = number<br/>      target_port = number<br/>      protocol    = string<br/>    })), null)<br/>    availability_zones  = optional(list(string), null)<br/>    create_kube_service = optional(bool, true)<br/>    kube_service_config = optional(object({<br/>      additional_annotations = optional(map(string), {})<br/>      labels                 = optional(map(string), {})<br/>      session_affinity       = optional(string, "None")<br/>    }), {})<br/>  }))</pre> | n/a | yes |
 | <a name="input_private_dns_enabled"></a> [private\_dns\_enabled](#input\_private\_dns\_enabled) | Whether to enable private DNS for the VPC interface endpoints | `bool` | `false` | no |
 | <a name="input_private_zone_id"></a> [private\_zone\_id](#input\_private\_zone\_id) | Route53 private hosted zone ID for custom DNS records | `string` | `""` | no |
 | <a name="input_route_table_ids"></a> [route\_table\_ids](#input\_route\_table\_ids) | List of route table IDs to associate with the VPC interface endpoints | `list(string)` | `[]` | no |

modules/vpc-endpoint-consumer/main.tf

@@ -44,7 +44,6 @@ locals {
     for service in var.party_services : service.vpc_endpoint_service_name
   ]
 
-
   # Create a map for easy reference with default ports fallback
   partner_service_map = {
     for i, service in var.party_services : "${service.name}-${i}" => {
@@ -70,10 +69,13 @@ locals {
 resource "aws_vpc_endpoint" "party_interface_endpoints" {
   count = length(var.party_services)
 
-  vpc_id             = local.vpc_id
-  service_name       = local.vpc_endpoint_service_names[count.index]
-  vpc_endpoint_type  = "Interface"
-  subnet_ids         = local.subnet_ids
+  vpc_id            = local.vpc_id
+  service_name      = local.vpc_endpoint_service_names[count.index]
+  vpc_endpoint_type = "Interface"
+  subnet_ids = length(coalesce(var.party_services[count.index].availability_zones, [])) > 0 && var.cluster_name != null ? [
+    for subnet_id, subnet in data.aws_subnet.cluster_subnets : subnet_id
+    if subnet.map_public_ip_on_launch == false && contains(var.party_services[count.index].availability_zones, subnet.availability_zone)
+  ] : local.subnet_ids
   security_group_ids = local.security_group_ids
   service_region     = var.party_services[count.index].region
 

modules/vpc-endpoint-consumer/variables.tf

@@ -68,6 +68,7 @@ variable "party_services" {
       target_port = number
       protocol    = string
     })), null)
+    availability_zones  = optional(list(string), null)
     create_kube_service = optional(bool, true)
     kube_service_config = optional(object({
       additional_annotations = optional(map(string), {})

modules/vpc-endpoint-provider/README.md

@@ -7,14 +7,15 @@
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | >= 2.23 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 | <a name="provider_external"></a> [external](#provider\_external) | n/a |
-| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | >= 2.23 |
 
 ## Modules
 
@@ -30,6 +31,7 @@ No modules.
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_lb.kubernetes_nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_subnet.nlb_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 | [external_external.wait_nlb](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source |
 
 ## Inputs