diff --git a/README.md b/README.md
index bb7924a..0355831 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,11 @@ The running instances can be accessed via SSM for debugging purposes.
 module "squid_proxy" {
 source = "git@github.com:digorgonzola/squid_proxy.git?ref=v1.0.0"
+ allowed_domains = [
+ ".amazonaws.com",
+ "api.sendgrid.com",
+ ]
+ enable_eip = true
 private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
 public_subnet_ids = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
 vpc_id = "vpc-1eb7bfbe312f068e1"
@@ -38,6 +43,7 @@ module "squid_proxy" {
 |------|-------------|------|---------|:--------:|
 | [allowed\_domains](#input\_allowed\_domains) | List of allowed domains. | `list(string)` |
[
".amazonaws.com",
".amazon.com"
]
| no |
 | [detailed\_monitoring](#input\_detailed\_monitoring) | Whether or not to enable detailed monitoring for the EC2 instance. | `bool` | `false` | no |
+| [enable\_eip](#input\_enable\_eip) | Whether or not to enable a consistent elastic IP for the EC2 instances. | `bool` | `false` | no |
 | [instance\_type](#input\_instance\_type) | The instance type to use for the ASG. | `string` | `"t4g.small"` | no |
 | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet ID's in the VPC. | `list(string)` | n/a | yes |
 | [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet ID's to deploy the ASG to. | `list(string)` | n/a | yes |
@@ -75,6 +81,7 @@ No outputs.
 | [aws_cloudwatch_log_group.cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_metric_alarm.squid](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_eip.squid](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_iam_instance_profile.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_policy.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
diff --git a/main.tf b/main.tf
index bf48b21..31f4cc8 100644
--- a/main.tf
+++ b/main.tf
@@ -1,9 +1,10 @@
 locals {
 name = "squid"
 userdata = templatefile("${path.module}/templates/cloud-init.tpl", {
- architecture = local.architecture
- aws_region = data.aws_region.current.name
- s3_bucket = module.config_bucket.s3_bucket_id
+ architecture = local.architecture
+ aws_region = data.aws_region.current.name
+ eip_allocation_id = var.enable_eip ? aws_eip.squid[0].id : ""
+ s3_bucket = module.config_bucket.s3_bucket_id
 })
 }
@@ -87,6 +88,7 @@ data "aws_iam_policy_document" "instance" {
 statement {
 sid = "EC2"
 actions = [
+ "ec2:DescribeInstances",
 "ec2:ModifyInstanceAttribute",
 ]
 resources = [
@@ -94,6 +96,21 @@ data "aws_iam_policy_document" "instance" {
 ]
 }
+ dynamic "statement" {
+ for_each = var.enable_eip ? ["true"] : []
+ content {
+ sid = "DescribeEIP"
+ actions = [
+ "ec2:AssociateAddress",
+ "ec2:DescribeAddresses",
+ ]
+ resources = [
+ "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.this.account_id}:elastic-ip/*",
+ "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.this.account_id}:network-interface/*",
+ ]
+ }
+ }
+
 statement {
 sid = "AsgLifecycle"
 actions = [
@@ -108,6 +125,7 @@ data "aws_iam_policy_document" "instance" {
 ]),
 ]
 }
+
 statement {
 sid = "S3"
 actions = [
@@ -196,6 +214,14 @@ resource "aws_launch_template" "squid" {
 }
 }
+resource "aws_eip" "squid" {
+ count = var.enable_eip ? 1 : 0
+
+ tags = {
+ Name = "${local.name}-eip"
+ }
+}
+
 resource "aws_autoscaling_group" "squid" {
 name = "${local.name}-asg"
 max_size = 1
@@ -248,6 +274,7 @@ resource "aws_autoscaling_group" "squid" {
 module.whitelist,
 aws_cloudwatch_log_group.access,
 aws_cloudwatch_log_group.cache,
+ aws_eip.squid,
 aws_lambda_function.squid,
 aws_iam_role_policy_attachment.cloudwatch,
 aws_iam_role_policy_attachment.custom,
diff --git a/templates/cloud-init.tpl b/templates/cloud-init.tpl
index 8bf2b2a..1119620 100644
--- a/templates/cloud-init.tpl
+++ b/templates/cloud-init.tpl
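Review bot: In the new `DescribeEIP` statement, `ec2:DescribeAddresses` is granted with `resources` restricted to `elastic-ip/*` and `network-interface/*` ARNs, but EC2 Describe* actions carry no resource-level permissions and are only authorised against `Resource = "*"`, so that action is effectively denied as written; the same applies to `ec2:DescribeInstances` added to the `EC2` statement in the previous hunk, whose `resources` list continues outside the hunk and is presumably scoped to specific ARNs. Neither Describe action is exercised by the cloud-init change in this commit, which takes the instance, ENI and private IP from IMDS and only calls `associate-address`, so the least-privilege fix is to drop both and leave the new statement with `ec2:AssociateAddress` alone. The elastic-ip resource can also be pinned to the allocation this module creates rather than `elastic-ip/*`, e.g. `"arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.this.account_id}:elastic-ip/${aws_eip.squid[0].id}"`, which is safe inside `content` because the block is only rendered when `var.enable_eip` is true. With the Describe action gone, rename the `sid` to something like `AssociateEIP` so it matches what the statement permits.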
@@ -16,6 +16,28 @@ write_files:
 instanceid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/instance-id)
 aws ec2 modify-instance-attribute --no-source-dest-check --instance-id $instanceid --region $region
+ # Associate the Elastic IP with this instance if an allocation ID is provided
+ if [ -n "${eip_allocation_id}" ]; then
+ interface_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
+ http://169.254.169.254/latest/meta-data/network/interfaces/macs/ | head -n1)
+
+ eni_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
+ http://169.254.169.254/latest/meta-data/network/interfaces/macs/$${interface_id}interface-id)
+
+ private_ip=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
+ http://169.254.169.254/latest/meta-data/network/interfaces/macs/$${interface_id}local-ipv4s)
+
+ echo "EIP: ${eip_allocation_id}"
+ echo "ENI: $eni_id"
+ echo "Private IP: $private_ip"
+
+ aws ec2 associate-address \
+ --allocation-id "${eip_allocation_id}" \
+ --network-interface-id "$eni_id" \
+ --private-ip-address "$private_ip" \
+ --region "$region"
+ fi
+
 #Install iptables and cron
 yum install cronie -y
 systemctl enable crond.service
diff --git a/variables.tf b/variables.tf
index 5559675..a9a6a52 100644
--- a/variables.tf
+++ b/variables.tf
@@ -7,6 +7,12 @@ variable "allowed_domains" {
 ]
 }
+variable "enable_eip" {
+ description = "Whether or not to enable a consistent elastic IP for the EC2 instances."
+ type = bool
+ default = false
+}
+
 variable "instance_type" {
 description = "The instance type to use for the ASG."
 type = string
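Review bot: The `aws ec2 associate-address` call in the new `if` block omits `--allow-reassociation`, so when the ASG (max_size 1 per main.tf) replaces its instance while the EIP is still attached to the outgoing ENI the call fails as already-associated, and because its exit status is never checked the replacement boots without the address and the script carries on silently; add `--allow-reassociation` and at least surface the failure, e.g. `|| echo "EIP association failed for ${eip_allocation_id}" >&2`, so the condition is visible in the cloud-init log and alarms. `private_ip` is read from `local-ipv4s`, which returns one address per line when the interface carries secondary IPs, so it should be narrowed the same way `interface_id` is, with `| head -n1`. `head -n1` on `macs/` picks whichever interface IMDS lists first; that is presumably fine for a single-ENI instance but deserves a comment such as `# single-ENI instance: first listed MAC is the primary interface`. The `write_files` script this block belongs to starts before the hunk.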