Added context path support

Author: simonzhekoff

CHANGELOG.md

@@ -1,6 +1,7 @@
 # GraphDB AWS Terraform Module Changelog
 
 ## 3.0.0
+* Added context path support. Now you can set a custom context path for GraphDB using the `lb_context_path` variable.
 * Upgraded terraform provider version to 6.27.0
 * Fixed AWS Cloudwatch alarm pattern and thresholds
 * Added support for deploying Regional NAT Gateway

README.md

@@ -738,7 +738,23 @@ To switch to ALB, set the following variable:
 lb_type = "application"
 ```
 
-💡 Note: ALBs support idle timeouts of up to [7 days](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-load-balancer-attributes.html#http-client-keep-alive-duration), which is ideal for persistent connections and long-running operations over HTTP/HTTPS.
+#### Deploying GraphDB behind context path with Application Load Balancer
+
+If you want GraphDB to be accessible behind a context path (for example `https://example.com/graphdb/`), you can configure a context path on the Application Load Balancer (ALB).
+
+Requirements:
+- `lb_type = "application"`
+- `lb_context_path` must be non-empty (e.g. `"/graphdb"`)
+
+When both are set, the module will configure ALB listener rules so that:
+- Requests to `/<context>` and `/<context>/*` are routed to GraphDB
+
+Example:
+
+```hcl
+lb_type         = "application"
+lb_context_path = "/graphdb"
+```
 
 #### Transit Gateway Attachments
 

main.tf

@@ -136,26 +136,26 @@ module "load_balancer" {
 
   count = var.existing_lb_arn != "" ? 0 : 1
 
-  resource_name_prefix          = var.resource_name_prefix
-  vpc_id                        = var.vpc_id != "" ? var.vpc_id : module.vpc[0].vpc_id
-  lb_subnets                    = local.lb_subnets
-  lb_internal                   = var.lb_internal
-  lb_type                       = var.lb_type
-  lb_deregistration_delay       = var.lb_deregistration_delay
-  lb_health_check_path          = var.lb_health_check_path
-  lb_health_check_interval      = var.lb_health_check_interval
-  lb_enable_deletion_protection = var.prevent_resource_deletion
-  lb_tls_certificate_arn        = var.lb_tls_certificate_arn
-  lb_tls_enabled                = local.lb_tls_enabled
-  lb_tls_policy                 = var.lb_tls_policy
-  lb_access_logs_bucket_name    = var.lb_enable_access_logs && var.deploy_logging_module ? module.logging[0].graphdb_logging_bucket_name : null
-  lb_enable_access_logs         = var.lb_enable_access_logs
-  graphdb_node_count            = var.graphdb_node_count
-  allowed_inbound_cidrs_lb      = var.allowed_inbound_cidrs_lb
-  lb_idle_timeout               = var.lb_idle_timeout
-  lb_client_keep_alive_timeout  = var.lb_client_keep_alive_timeout
-  lb_enable_http2               = var.alb_enable_http2
-  lb_context_path               = var.lb_context_path
+  resource_name_prefix           = var.resource_name_prefix
+  vpc_id                         = var.vpc_id != "" ? var.vpc_id : module.vpc[0].vpc_id
+  lb_subnets                     = local.lb_subnets
+  lb_internal                    = var.lb_internal
+  lb_type                        = var.lb_type
+  lb_deregistration_delay        = var.lb_deregistration_delay
+  lb_health_check_path           = var.lb_health_check_path
+  lb_health_check_interval       = var.lb_health_check_interval
+  lb_enable_deletion_protection  = var.prevent_resource_deletion
+  lb_tls_certificate_arn         = var.lb_tls_certificate_arn
+  lb_tls_enabled                 = local.lb_tls_enabled
+  lb_tls_policy                  = var.lb_tls_policy
+  lb_access_logs_bucket_name     = var.lb_enable_access_logs && var.deploy_logging_module ? module.logging[0].graphdb_logging_bucket_name : null
+  lb_enable_access_logs          = var.lb_enable_access_logs
+  graphdb_node_count             = var.graphdb_node_count
+  allowed_inbound_cidrs_lb       = var.allowed_inbound_cidrs_lb
+  lb_idle_timeout                = var.lb_idle_timeout
+  lb_client_keep_alive_timeout   = var.lb_client_keep_alive_timeout
+  lb_enable_http2                = var.alb_enable_http2
+  lb_context_path                = var.lb_context_path
   lb_enable_context_path_rewrite = var.lb_enable_context_path_rewrite
 }
 

modules/graphdb/templates/04_gdb_conf_overrides.sh.tpl

@@ -22,6 +22,15 @@ echo "#######################################"
 
 LB_DNS_RECORD=${graphdb_lb_dns_name}
 PROTOCOL=${external_address_protocol}
+CONTEXT_PATH="${lb_context_path}"
+
+# Construct the external URL with context path only if provided
+if [ -n "$CONTEXT_PATH" ]; then
+  EXTERNAL_URL="$${PROTOCOL}://$${LB_DNS_RECORD}$${CONTEXT_PATH}"
+else
+  EXTERNAL_URL="$${PROTOCOL}://$${LB_DNS_RECORD}"
+fi
+
 # Get and store the GraphDB license
 aws --cli-connect-timeout 300 ssm get-parameter --region ${region} --name "/${name}/graphdb/license" --with-decryption | \
   jq -r .Parameter.Value | \
@@ -36,7 +45,7 @@ NODE_COUNT=$(aws autoscaling describe-auto-scaling-groups --auto-scaling-group-n
 if [ "$NODE_COUNT" -eq 1 ]; then
   cat << EOF > /etc/graphdb/graphdb.properties
 graphdb.connector.port=7201
-graphdb.external-url=$${PROTOCOL}://$${LB_DNS_RECORD}
+graphdb.external-url=$${EXTERNAL_URL}
 graphdb.external-url.enforce.transactions=true
 EOF
 else
@@ -46,16 +55,18 @@ else
 graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
 graphdb.connector.port=7201
 graphdb.external-url=http://$${NODE_DNS_RECORD}:7201
+graphdb.vhosts=$${EXTERNAL_URL},http://$${NODE_DNS_RECORD}:7201
 graphdb.rpc.address=$${NODE_DNS_RECORD}:7301
 EOF
 
   cat << EOF > /etc/graphdb-cluster-proxy/graphdb.properties
 graphdb.auth.token.secret=$GRAPHDB_CLUSTER_TOKEN
 graphdb.connector.port=7200
-graphdb.external-url=$${PROTOCOL}://$${LB_DNS_RECORD}
-graphdb.vhosts=$${PROTOCOL}://$${LB_DNS_RECORD},http://$${NODE_DNS_RECORD}:7200
+graphdb.external-url=$${EXTERNAL_URL}
+graphdb.vhosts=$${EXTERNAL_URL},http://$${NODE_DNS_RECORD}:7200
 graphdb.rpc.address=$${NODE_DNS_RECORD}:7300
 graphdb.proxy.hosts=$${NODE_DNS_RECORD}:7301
+
 EOF
 fi
 

modules/load_balancer/alb.tf

@@ -45,7 +45,6 @@ resource "aws_lb" "graphdb_alb" {
 
   dynamic "access_logs" {
     for_each = var.lb_enable_access_logs ? [1] : []
-
     content {
       bucket  = var.lb_access_logs_bucket_name
       enabled = true
@@ -69,6 +68,7 @@ resource "aws_lb_target_group" "graphdb_alb_tg" {
     interval            = var.lb_health_check_interval
     healthy_threshold   = var.lb_healthy_threshold
     unhealthy_threshold = var.lb_unhealthy_threshold
+
     # Prepend context path only if configured
     path = var.lb_context_path != "" ? "${var.lb_context_path}${var.lb_health_check_path}" : (var.graphdb_node_count > 1 ? var.lb_health_check_path : "/protocol")
   }
@@ -85,40 +85,44 @@ resource "aws_lb_listener" "graphdb_alb_http" {
   port              = 80
   protocol          = "HTTP"
 
+  # 1) HTTP -> HTTPS redirect (when TLS enabled)
   dynamic "default_action" {
-    for_each = var.lb_tls_enabled ? ["redirect"] : (var.lb_context_path != "" ? ["fixed-response"] : ["forward"])
-
+    for_each = var.lb_tls_enabled ? [1] : []
     content {
-      type = default_action.value == "redirect" ? "redirect" : (default_action.value == "fixed-response" ? "fixed-response" : "forward")
-
-      dynamic "redirect" {
-        for_each = default_action.value == "redirect" ? [1] : []
-        content {
-          port        = "443"
-          protocol    = "HTTPS"
-          status_code = "HTTP_301"
-          host        = "#{host}"
-          path        = "/#{path}"
-          query       = "#{query}"
-        }
+      type = "redirect"
+      redirect {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+        host        = "#{host}"
+        path        = "/#{path}"
+        query       = "#{query}"
       }
+    }
+  }
 
-      dynamic "fixed_response" {
-        for_each = default_action.value == "fixed-response" ? [1] : []
-        content {
-          content_type = "text/plain"
-          message_body = "Not Found"
-          status_code  = "404"
-        }
+  # 2) Fixed 404 (when context path is set and TLS is NOT enabled)
+  dynamic "default_action" {
+    for_each = (!var.lb_tls_enabled && var.lb_context_path != "") ? [1] : []
+    content {
+      type = "fixed-response"
+      fixed_response {
+        content_type = "text/plain"
+        message_body = "Not Found"
+        status_code  = "404"
       }
+    }
+  }
 
-      dynamic "forward" {
-        for_each = default_action.value == "forward" ? [1] : []
-        content {
-          target_group {
-            arn    = aws_lb_target_group.graphdb_alb_tg[0].arn
-            weight = 1
-          }
+  # 3) Forward (when no TLS and no context path)
+  dynamic "default_action" {
+    for_each = (!var.lb_tls_enabled && var.lb_context_path == "") ? [1] : []
+    content {
+      type = "forward"
+      forward {
+        target_group {
+          arn    = aws_lb_target_group.graphdb_alb_tg[0].arn
+          weight = 1
         }
       }
     }
@@ -129,22 +133,25 @@ resource "aws_lb_listener" "graphdb_alb_http" {
   }
 }
 
+# -------------------------
+# HTTP (no TLS) context path rule
+# -------------------------
 resource "aws_lb_listener_rule" "graphdb_path_based_http" {
   count = local.is_alb && !var.lb_tls_enabled && var.lb_context_path != "" ? 1 : 0
 
   listener_arn = aws_lb_listener.graphdb_alb_http[0].arn
   priority     = 100
 
-  dynamic "transform" {
-    for_each = var.lb_enable_context_path_rewrite ? [1] : []
-    content {
-      type = "url-rewrite"
+  transform {
+    type = "url-rewrite"
 
-      url_rewrite {
-        rewrites = [
-          { regex = "^${var.lb_context_path}/(.*)$", replace = "/$1" },
-          { regex = "^${var.lb_context_path}$",      replace = "/" }
-        ]
+    url_rewrite_config {
+      rewrite {
+        # /graphdb
+        # /graphdb/
+        # /graphdb/anything
+        regex   = "^${var.lb_context_path}(/(.*))?$"
+        replace = "/$2"
       }
     }
   }
@@ -161,6 +168,78 @@ resource "aws_lb_listener_rule" "graphdb_path_based_http" {
   }
 }
 
+resource "aws_lb_listener_rule" "graphdb_root_redirect_http" {
+  count = local.is_alb && !var.lb_tls_enabled && var.lb_context_path != "" ? 1 : 0
+
+  listener_arn = aws_lb_listener.graphdb_alb_http[0].arn
+  priority     = 10
+
+  transform {
+    type = "url-rewrite"
+
+    url_rewrite_config {
+      rewrite {
+        regex   = "^${var.lb_context_path}(/(.*))?$"
+        replace = "/$2"
+      }
+    }
+  }
+
+  action {
+    type = "redirect"
+    redirect {
+      protocol    = "HTTP"
+      port        = "80"
+      status_code = "HTTP_301"
+      host        = "#{host}"
+      path        = "/${trim(var.lb_context_path, "/")}/"
+      query       = "#{query}"
+    }
+  }
+
+  condition {
+    path_pattern {
+      values = ["/"]
+    }
+  }
+}
+
+resource "aws_lb_listener_rule" "graphdb_root_redirect_https" {
+  count = local.is_alb && var.lb_tls_enabled && var.lb_context_path != "" ? 1 : 0
+
+  listener_arn = aws_lb_listener.graphdb_alb_https[0].arn
+  priority     = 10
+
+  transform {
+    type = "url-rewrite"
+
+    url_rewrite_config {
+      rewrite {
+        regex   = "^${var.lb_context_path}(/(.*))?$"
+        replace = "/$2"
+      }
+    }
+  }
+
+  action {
+    type = "redirect"
+    redirect {
+      protocol    = "HTTPS"
+      port        = "443"
+      status_code = "HTTP_301"
+      host        = "#{host}"
+      path        = "/${trim(var.lb_context_path, "/")}/"
+      query       = "#{query}"
+    }
+  }
+
+  condition {
+    path_pattern {
+      values = ["/"]
+    }
+  }
+}
+
 resource "aws_lb_listener" "graphdb_alb_https" {
   count = local.is_alb && var.lb_tls_enabled ? 1 : 0
 
@@ -170,7 +249,8 @@ resource "aws_lb_listener" "graphdb_alb_https" {
   certificate_arn   = var.lb_tls_certificate_arn
   ssl_policy        = var.lb_tls_policy
 
-
+  # If context path is set -> default 404 (rules will handle),
+  # else -> default forward
   default_action {
     type = var.lb_context_path != "" ? "fixed-response" : "forward"
 
@@ -183,20 +263,42 @@ resource "aws_lb_listener" "graphdb_alb_https" {
       }
     }
 
-    target_group_arn = var.lb_context_path == "" ? aws_lb_target_group.graphdb_alb_tg[0].arn : null
+    dynamic "forward" {
+      for_each = var.lb_context_path == "" ? [1] : []
+      content {
+        target_group {
+          arn    = aws_lb_target_group.graphdb_alb_tg[0].arn
+          weight = 1
+        }
+      }
+    }
   }
 
   lifecycle {
     create_before_destroy = true
   }
 }
 
+# -------------------------
+# HTTPS context path rule
+# -------------------------
 resource "aws_lb_listener_rule" "graphdb_path_based_https" {
   count = local.is_alb && var.lb_tls_enabled && var.lb_context_path != "" ? 1 : 0
 
   listener_arn = aws_lb_listener.graphdb_alb_https[0].arn
   priority     = 100
 
+  transform {
+    type = "url-rewrite"
+
+    url_rewrite_config {
+      rewrite {
+        regex   = "^${var.lb_context_path}(/(.*))?$"
+        replace = "/$2"
+      }
+    }
+  }
+
   action {
     type             = "forward"
     target_group_arn = aws_lb_target_group.graphdb_alb_tg[0].arn

modules/load_balancer/main.tf

@@ -2,10 +2,12 @@ locals {
   is_alb = var.lb_type == "application"
   is_nlb = var.lb_type == "network"
 
-  lb_name           = "${var.resource_name_prefix}-${local.lb_flavor}"
-  lb_flavor         = local.is_alb ? "alb" : "nlb"
-  target_group_name = "${var.resource_name_prefix}-tg-${local.lb_flavor}-${random_id.tg_name_suffix.hex}"
+  lb_name                     = "${var.resource_name_prefix}-${local.lb_flavor}"
+  lb_flavor                   = local.is_alb ? "alb" : "nlb"
+  target_group_name           = "${var.resource_name_prefix}-tg-${local.lb_flavor}-${random_id.tg_name_suffix.hex}"
   graphdb_backend_health_path = var.graphdb_node_count > 1 ? var.lb_health_check_path : "/protocol"
+  lb_context_path_norm        = "/${trim(var.lb_context_path, "/")}"
+  lb_context_path_slash       = "/${trim(var.lb_context_path, "/")}/"
 
   effective_health_check_path = (var.lb_context_path != "" && var.lb_enable_context_path_rewrite) ? local.graphdb_backend_health_path : (var.lb_context_path != "" ? "${var.lb_context_path}${local.graphdb_backend_health_path}" : local.graphdb_backend_health_path)
 }