digorgonzola · digorgonzola · May 7, 2025 · May 7, 2025 · May 7, 2025
diff --git a/README.md b/README.md
@@ -19,6 +19,11 @@ The running instances can be accessed via SSM for debugging purposes.
 module "squid_proxy" {
   source = "git@github.com:digorgonzola/squid_proxy.git?ref=v1.0.0"
 
+  allowed_domains = [
+    ".amazonaws.com",
+    "api.sendgrid.com",
+  ]
+  enable_eip         = true
   private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
   public_subnet_ids  = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
   vpc_id             = "vpc-1eb7bfbe312f068e1"
@@ -38,6 +43,7 @@ module "squid_proxy" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_domains"></a> [allowed\_domains](#input\_allowed\_domains) | List of allowed domains. | `list(string)` | <pre>[<br/>  ".amazonaws.com",<br/>  ".amazon.com"<br/>]</pre> | no |
 | <a name="input_detailed_monitoring"></a> [detailed\_monitoring](#input\_detailed\_monitoring) | Whether or not to enable detailed monitoring for the EC2 instance. | `bool` | `false` | no |
+| <a name="input_enable_eip"></a> [enable\_eip](#input\_enable\_eip) | Whether or not to enable a consistent elastic IP for the EC2 instances. | `bool` | `false` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | The instance type to use for the ASG. | `string` | `"t4g.small"` | no |
 | <a name="input_private_subnet_ids"></a> [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet ID's in the VPC. | `list(string)` | n/a | yes |
 | <a name="input_public_subnet_ids"></a> [public\_subnet\_ids](#input\_public\_subnet\_ids) | List of public subnet ID's to deploy the ASG to. | `list(string)` | n/a | yes |
@@ -75,6 +81,7 @@ No outputs.
 | [aws_cloudwatch_log_group.cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_log_group.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
 | [aws_cloudwatch_metric_alarm.squid](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource |
+| [aws_eip.squid](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_iam_instance_profile.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_policy.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |

diff --git a/main.tf b/main.tf
@@ -1,9 +1,10 @@
 locals {
   name = "squid"
   userdata = templatefile("${path.module}/templates/cloud-init.tpl", {
-    architecture = local.architecture
-    aws_region   = data.aws_region.current.name
-    s3_bucket    = module.config_bucket.s3_bucket_id
+    architecture      = local.architecture
+    aws_region        = data.aws_region.current.name
+    eip_allocation_id = var.enable_eip ? aws_eip.squid[0].id : ""
+    s3_bucket         = module.config_bucket.s3_bucket_id
   })
 }
 
@@ -87,13 +88,29 @@ data "aws_iam_policy_document" "instance" {
   statement {
     sid = "EC2"
     actions = [
+      "ec2:DescribeInstances",
       "ec2:ModifyInstanceAttribute",
     ]
     resources = [
       "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.this.account_id}:instance/*"
     ]
   }
 
+  dynamic "statement" {
+    for_each = var.enable_eip ? ["true"] : []
+    content {
+      sid = "DescribeEIP"
+      actions = [
+        "ec2:AssociateAddress",
+        "ec2:DescribeAddresses",
+      ]
+      resources = [
+        "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.this.account_id}:elastic-ip/*",
+        "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.this.account_id}:network-interface/*",
+      ]
+    }
+  }
+
   statement {
     sid = "AsgLifecycle"
     actions = [
@@ -108,6 +125,7 @@ data "aws_iam_policy_document" "instance" {
       ]),
     ]
   }
+
   statement {
     sid = "S3"
     actions = [
@@ -196,6 +214,14 @@ resource "aws_launch_template" "squid" {
   }
 }
 
+resource "aws_eip" "squid" {
+  count = var.enable_eip ? 1 : 0
+
+  tags = {
+    Name = "${local.name}-eip"
+  }
+}
+
 resource "aws_autoscaling_group" "squid" {
   name                      = "${local.name}-asg"
   max_size                  = 1
@@ -248,6 +274,7 @@ resource "aws_autoscaling_group" "squid" {
     module.whitelist,
     aws_cloudwatch_log_group.access,
     aws_cloudwatch_log_group.cache,
+    aws_eip.squid,
     aws_lambda_function.squid,
     aws_iam_role_policy_attachment.cloudwatch,
     aws_iam_role_policy_attachment.custom,

diff --git a/templates/cloud-init.tpl b/templates/cloud-init.tpl
@@ -16,6 +16,28 @@ write_files:
       instanceid=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/instance-id)
       aws ec2 modify-instance-attribute --no-source-dest-check --instance-id $instanceid --region $region
 
+      # Associate the Elastic IP with this instance if an allocation ID is provided
+      if [ -n "${eip_allocation_id}" ]; then
+        interface_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
+          http://169.254.169.254/latest/meta-data/network/interfaces/macs/ | head -n1)
+
+        eni_id=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
+          http://169.254.169.254/latest/meta-data/network/interfaces/macs/$${interface_id}interface-id)
+
+        private_ip=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s \
+          http://169.254.169.254/latest/meta-data/network/interfaces/macs/$${interface_id}local-ipv4s)
+
+          echo "EIP: ${eip_allocation_id}"
+          echo "ENI: $eni_id"
+          echo "Private IP: $private_ip"
+
+        aws ec2 associate-address \
+          --allocation-id "${eip_allocation_id}" \
+          --network-interface-id "$eni_id" \
+          --private-ip-address "$private_ip" \
+          --region "$region"
+      fi
+
       #Install iptables and cron
       yum install cronie -y
       systemctl enable crond.service

diff --git a/variables.tf b/variables.tf
@@ -7,6 +7,12 @@ variable "allowed_domains" {
   ]
 }
 
+variable "enable_eip" {
+  description = "Whether or not to enable a consistent elastic IP for the EC2 instances."
+  type        = bool
+  default     = false
+}
+
 variable "instance_type" {
   description = "The instance type to use for the ASG."
   type        = string