Hi!
I am currently trying to connect our AWS ECS services to our MongoDB Atlas cluster via a private endpoint, and have tried setting up AWS PrivateLink using Terraform.
I am currently using the following Terraform modules:
- hashicorp/aws
- terraform-aws-modules/vpc/aws
- mongodb/mongodbatlas
Our VPC and AWS ECS services are already working as expected, but we are still allowing 0.0.0.0/0 in the network access settings of our MongoDB server.
I have already followed many tutorials and still cannot make this work. Below is our Terraform code:
# Network foundation: a /20 VPC spanning two AZs with separate public, private,
# database and ElastiCache subnet tiers.  The Atlas interface endpoint declared
# later in this file (aws_vpc_endpoint.mongo) is placed in the private subnets,
# so the ECS tasks that use it are expected to live there as well.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 4.0.0"

  name = "${local.name_prefix}-vpc"
  cidr = "10.70.0.0/20"

  azs                 = ["ap-southeast-1a", "ap-southeast-1b"]
  public_subnets      = ["10.70.1.0/24", "10.70.2.0/24"]
  private_subnets     = ["10.70.3.0/24", "10.70.4.0/24"]
  database_subnets    = ["10.70.5.0/24", "10.70.6.0/24"]
  elasticache_subnets = ["10.70.7.0/24", "10.70.8.0/24"]

  create_elasticache_subnet_group = true

  # VPC-level DNS resolution and hostnames; AWS requires both for interface
  # endpoints that use private DNS.
  enable_dns_hostnames = true
  enable_dns_support   = true

  # A single NAT gateway shared by both AZs (cheaper, but one point of failure
  # for all outbound traffic from the private subnets).
  enable_nat_gateway = true
  single_nat_gateway = true
  # one_nat_gateway_per_az = true

  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60
  # NOTE(review): one day of retention leaves almost nothing to investigate a
  # security event after the fact; consider a longer window once cost is known.
  flow_log_cloudwatch_log_group_retention_in_days = 1
}
# Security group for the Aurora PostgreSQL cluster.  Only ingress is declared,
# and only from other security groups (no CIDR-based access), which is the
# right shape for a database tier.
module "database_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 4.16.2"

  name        = "${local.name_prefix}-main-auroradb-sg"
  description = "Security group for main auroradb"
  vpc_id      = module.vpc.vpc_id

  ingress_with_source_security_group_id = [
    {
      # Application containers: the only path that normally needs the database.
      rule                     = "postgresql-tcp",
      source_security_group_id = module.private_services_sg.security_group_id
    },
    {
      # NOTE(review): a load balancer does not open database connections itself,
      # so this rule looks unnecessary and widens who can reach PostgreSQL.
      # Confirm it is actually needed before keeping it.
      rule                     = "postgresql-tcp",
      source_security_group_id = module.load_balancer_sg.security_group_id
    },
    {
      # Operator access through the bastion host.
      rule                     = "postgresql-tcp",
      source_security_group_id = module.bastion.security_group_id
    }
  ]
}
...
# Security group for the ECS container services running in the private subnets.
# It is also the group attached to the Atlas interface endpoint further down
# (aws_vpc_endpoint.mongo), so the rules here govern BOTH the tasks and the
# endpoint ENIs.  Because the endpoint ENIs share this group, traffic from a
# task to the endpoint is only allowed where a matching "self" ingress rule
# exists -- and there is none for the Atlas ports (see the 27017 egress rule
# below), which is the most likely reason the PrivateLink connection fails.
module "private_services_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "${local.name_prefix}-private-services-sg"
  description = "Security group for private services"
  vpc_id      = module.vpc.vpc_id

  # NOTE(review): this is the group of *private* tasks, yet it accepts 80/443
  # from any source.  The ALB -> 8080 rule below is the intended ingress path;
  # consider dropping this CIDR ingress or limiting it to the VPC CIDR.
  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["https-443-tcp", "http-80-tcp"]

  # Outbound HTTP/HTTPS (package repos, ECR, AWS APIs via the NAT gateway).
  egress_cidr_blocks = ["0.0.0.0/0"]
  egress_rules       = ["https-443-tcp", "http-80-tcp"]

  ingress_with_source_security_group_id = [
    {
      # Container port, reachable only from the load balancer's group.
      from_port                = 8080
      to_port                  = 8080
      protocol                 = "tcp"
      description              = "Allow all incoming traffic from ALB security group to container service."
      source_security_group_id = module.load_balancer_sg.security_group_id
    }
  ]

  ingress_with_self = [
    {
      # Service-to-service calls between tasks in this group.
      from_port   = 8080
      to_port     = 8080
      protocol    = "tcp"
      description = "Allow all incoming traffic from same security group to container service."
      # source_security_group_id = module.load_balancer_sg.security_group_id
      self = true
    }
  ]

  # Egress to the other tiers is expressed per destination security group rather
  # than by CIDR, so it stays correct when those resources change address.
  egress_with_source_security_group_id = [
    {
      rule                     = "redis-tcp",
      source_security_group_id = module.redis_sg.security_group_id
    },
    {
      rule                     = "postgresql-tcp",
      source_security_group_id = module.database_sg.security_group_id
    },
    {
      rule                     = "nfs-tcp",
      source_security_group_id = module.efs_sg.security_group_id
    }
  ]

  egress_with_self = [
    {
      from_port   = 8080
      to_port     = 8080
      protocol    = "tcp"
      description = "Allow all outgoing traffic on port"
      self = true
    }
  ]

  # Egress to services outside the VPC, by port.  Each is open to the whole
  # internet; narrow the CIDR where the destination is known.
  egress_with_cidr_blocks = [
    {
      from_port   = 587
      to_port     = 587
      protocol    = "tcp"
      description = "Allow mail service"
      cidr_blocks = "0.0.0.0/0"
    },
    {
      from_port   = 7687
      to_port     = 7687
      protocol    = "tcp"
      description = "Allow Neo4j service"
      cidr_blocks = "0.0.0.0/0"
    },
    {
      # NOTE(review): this only serves the public Atlas connection string.  The
      # PrivateLink path does not use 27017: Atlas maps each cluster node to its
      # own port on the endpoint (its AWS PrivateLink guidance calls for TCP
      # 1024-65535 -- confirm against current docs), so the tasks need egress on
      # that range towards the endpoint's security group, and the endpoint's
      # group needs the matching ingress.  Neither exists here.  Once the
      # private path works this rule (and the 0.0.0.0/0 Atlas access-list
      # entry) can be removed.
      from_port   = 27017
      to_port     = 27017
      protocol    = "tcp"
      description = "Allow MongoDB service"
      cidr_blocks = "0.0.0.0/0"
    }
  ]
}
...
# Step 1 of the PrivateLink handshake: ask Atlas to create the provider-side
# endpoint service for this project in the given region.  Atlas returns
# endpoint_service_name, which aws_vpc_endpoint.mongo consumes.  The region must
# be the one the VPC lives in (ap-southeast-1, matching module.vpc's AZs).
resource "mongodbatlas_privatelink_endpoint" "main" {
  project_id    = var.mongo_atlas_project_id
  provider_name = "AWS"
  region        = "AP_SOUTHEAST_1"
}
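# Security group attached to the Atlas interface endpoint's ENIs.  Only the
# private-services tasks may talk to the endpoint; there is no CIDR-based
# ingress.  A dedicated group is used instead of reusing private_services_sg,
# which has no ingress rule for the Atlas ports and therefore silently blocks
# every connection attempt from the tasks.
resource "aws_security_group" "mongo_endpoint" {
  name        = "${local.name_prefix}-mongo-endpoint-sg"
  description = "Security group for the MongoDB Atlas PrivateLink endpoint"
  vpc_id      = module.vpc.vpc_id

  ingress {
    # Atlas exposes each cluster node on its own port behind the endpoint, so a
    # single port 27017 is not sufficient.  Atlas' AWS PrivateLink guidance
    # calls for TCP 1024-65535 inbound here -- confirm the range against the
    # current Atlas documentation before relying on it.
    description     = "MongoDB Atlas PrivateLink from private services"
    from_port       = 1024
    to_port         = 65535
    protocol        = "tcp"
    security_groups = [module.private_services_sg.security_group_id]
  }
}

# Matching egress on the tasks' security group.  private_services_sg declares
# its egress rules explicitly and its existing 27017 -> 0.0.0.0/0 rule does not
# cover the per-node endpoint ports, so without this rule the tasks could not
# open the connection even though the endpoint would accept it.  Scoped to the
# endpoint's group only, not to a CIDR.
resource "aws_security_group_rule" "private_services_to_mongo_endpoint" {
  type                     = "egress"
  description              = "MongoDB Atlas PrivateLink endpoint"
  from_port                = 1024
  to_port                  = 65535
  protocol                 = "tcp"
  security_group_id        = module.private_services_sg.security_group_id
  source_security_group_id = aws_security_group.mongo_endpoint.id
}

# Step 2 of the PrivateLink handshake: the consumer side -- one interface
# endpoint ENI per private subnet, pointing at the service Atlas created in
# mongodbatlas_privatelink_endpoint.main.  Its id is handed back to Atlas in
# mongodbatlas_privatelink_endpoint_service.main to complete the link.
resource "aws_vpc_endpoint" "mongo" {
  vpc_id             = module.vpc.vpc_id
  service_name       = mongodbatlas_privatelink_endpoint.main.endpoint_service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = module.vpc.private_subnets
  security_group_ids = [aws_security_group.mongo_endpoint.id]
}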
# Step 3 of the PrivateLink handshake: register the AWS endpoint's id with Atlas
# so it accepts the connection.  Once this resource is available, clients must
# use the cluster's private-endpoint connection string rather than the public
# one (presumably the cluster's connection_strings.private_endpoint[*]
# srv_connection_string -- confirm the attribute name for the provider version
# in use).  The public string keeps resolving to public IPs and so keeps
# depending on the 0.0.0.0/0 entry in the Atlas IP access list; connections
# through the private endpoint are, as far as I recall, not subject to that
# access list, so the 0.0.0.0/0 entry can be removed once the private path
# is confirmed working.
resource "mongodbatlas_privatelink_endpoint_service" "main" {
  project_id          = mongodbatlas_privatelink_endpoint.main.project_id
  private_link_id     = mongodbatlas_privatelink_endpoint.main.private_link_id
  endpoint_service_id = aws_vpc_endpoint.mongo.id
  provider_name       = "AWS"
}
Hope someone could shed some light as I am stuck here.
Thanks!