New function: single-node-asg module supports binding EIP by itself.

Since it is single node, binding an EIP to the instance is possible. And
it eases other things since the public interface is constant.

Add assign_eip variable to single-node-asg. If turns it on, an EIP will
be allocated, and assocated with the instance.

CHANGELOG.md

@@ -2,12 +2,27 @@
 
 ### Summary
 
+### Modules
+
+### Examples
+
+
+# v0.9.9
+
+### Summary
+
+New feature for `asg` module and bugfix for `tf-cloud-credentials` module.
 
 ### Modules
 
+* `asg`: Allow ASG instances to have additional EBS block devices
+* `tf-cloud-credentials`: Switch the module to use a datasource to lookup an
+  existing TF Cloud workspace instead of trying to create one.
 
 ### Examples
 
+* No changes.
+
 
 # v0.9.8
 
@@ -20,7 +35,8 @@
 * `iam-users`: fixed error from zipmap in outputs when a user gets deleted
   from user list
 * `tf-cloud-credential`: minor interpolation cleanup, added module to tests
-* `setup-meta-infrastructure`: Parameterize password length and age for iam password policy.
+* `setup-meta-infrastructure`: Parameterize password length and age for iam
+  password policy.
 * `iam-instance-profile`: Add role ID ouput for IAM instance profile module.
 
 ### Examples
@@ -87,7 +103,6 @@
   You will need to _manually_ remove the conflicting route (which was created
   by the old inline route), for example in the AWS console, and then re-apply
   to add it back.
-* `tf-cloud-credentials`: Switches the module to use a datasource to lookup an existing TF Cloud workspace instead of trying to create one.
 
 ### Examples
 

modules/single-node-asg/main.tf

@@ -52,35 +52,63 @@ module "service-data" {
   iam_instance_profile_role_name = module.instance_profile.iam_role_name
 }
 
+resource "aws_eip" "eip" {
+  count = var.assign_eip ? 1 : 0
+}
+
+resource "aws_iam_role_policy_attachment" "associate_eip" {
+  role       = module.instance_profile.iam_role_name
+  policy_arn = aws_iam_policy.associate_eip_policy.arn
+}
+
+resource "aws_iam_policy" "associate_eip_policy" {
+  name   = "associate_address"
+  policy = data.aws_iam_policy_document.associate_eip_policy_doc.json
+}
+
+data "aws_iam_policy_document" "associate_eip_policy_doc" {
+  statement {
+    sid    = ""
+    effect = "Allow"
+    actions = [
+      "ec2:AssociateAddress"
+    ]
+    resources = ["*"]
+  }
+}
+
 # Create an ASG with just 1 EC2 instance
 module "server" {
   source = "../asg"
 
-  ami       = var.ami
-  azs       = [local.az]
-  elb_names = var.load_balancers
-  key_name  = var.key_name
+  ami                = var.ami
+  elb_names          = var.load_balancers
+  key_name           = var.key_name
   # The IAM Instance Profile w/ attach_ebs role
-  iam_profile   = module.instance_profile.iam_profile_id
-  instance_type = var.instance_type
-  # 1 EC2 instance <> 1 EBS volume 
-  max_nodes       = 1
-  min_nodes       = 1
-  placement_group = var.placement_group
-  public_ip       = var.public_ip
+  iam_profile        = module.instance_profile.iam_profile_id
+  instance_type      = var.instance_type
+  # 1 EC2 instance <> 1 EBS volume
+  max_nodes          = 1
+  min_nodes          = 1
+  placement_group    = var.placement_group
+  public_ip          = var.public_ip
   # the prefix and suffix names are combined in
   # the `asg` module to create the full name
-  name_prefix = var.name_prefix
-  name_suffix = "${var.name_suffix}-${local.az}"
-
+  name_prefix        = var.name_prefix
+  name_suffix        = "${var.name_suffix}-${local.az}"
   root_volume_type   = var.root_volume_type
   root_volume_size   = var.root_volume_size
   security_group_ids = var.security_group_ids
   subnet_ids         = [var.subnet_id]
 
   user_data = <<END_INIT
 #!/bin/bash
+apt update
 ${var.init_prefix}
+${module.init-install-awscli.init_snippet}
+while ! ${var.assign_eip ? "aws ec2 associate-address --instance-id \"$(ec2metadata --instance-id)\" --region \"${var.region}\" --allocation-id \"${element(aws_eip.eip.*.id, 0)}\"" : "true"}; do
+  sleep 1
+done
 ${module.init-attach-ebs.init_snippet}
 ${var.init_suffix}
 END_INIT
@@ -89,7 +117,13 @@ END_INIT
 
 # Render init snippet - boxed module to attach the EBS volume to the node
 module "init-attach-ebs" {
-  source = "../init-snippet-attach-ebs-volume"
-  region = var.region
+  source    = "../init-snippet-attach-ebs-volume"
+  region    = var.region
   volume_id = module.service-data.volume_id
 }
+
+module "init-install-awscli" {
+  source = "../init-snippet-install-awscli"
+}
+
+

modules/single-node-asg/outputs.tf

@@ -7,3 +7,7 @@ output "asg_iam_role_name" {
   value       = module.instance_profile.iam_role_name
   description = "`name` exported from the Service Data `aws_iam_role`"
 }
+
+output "eip_address" {
+	value = var.assign_eip ? aws_eip.eip.*[0].public_ip : ""
+}

modules/single-node-asg/variables.tf

@@ -56,7 +56,7 @@ variable "data_volume_size" {
 variable "data_volume_encrypted" {
   default     = true
   description = "Boolean, whether or not to encrypt the EBS block device"
-  type        = string
+  type        = bool
 }
 
 variable "data_volume_kms_key_id" {
@@ -92,7 +92,7 @@ variable "init_suffix" {
 variable "public_ip" {
   default     = true
   description = "Boolean flag to enable/disable `map_public_ip_on_launch` in the launch configuration"
-  type        = string
+  type        = bool
 }
 
 variable "subnet_id" {
@@ -116,3 +116,8 @@ variable "load_balancers" {
   type        = list(string)
 }
 
+variable "assign_eip" {
+  default     = false
+  description = "Whether or not associating an EIP with the node."
+  type        = bool
+}