fix: add private address (#76)

Signed-off-by: matttrach <matt.trachier@suse.com>
2024-05-30 15:34:18 -05:00 · 2024-05-30 15:34:18 -05:00 · 6bb4328c5c
parent eecdc7138c
commit 6bb4328c5c
8 changed files with 51 additions and 38 deletions
--- a/flake.lock
+++ b/flake.lock
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1715316543,
-        "narHash": "sha256-4XOPcWmyH77Gd+cvVr2Hp7PHAlNAesvsLtHHbqy8xfA=",
+        "lastModified": 1716977081,
+        "narHash": "sha256-pFe5jLeIPlKEln5n2h998d7cpzXFdbrBMRe3suz4K1o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c669412a552f31c45adad47894e7fd6a8698e53f",
+        "rev": "ac82a513e55582291805d6f09d35b6d8b60637a1",
        "type": "github"
      },
      "original": {
--- a/main.tf
+++ b/main.tf
@ -44,7 +44,7 @@ locals {

  # vpc
  vpc_name = var.vpc_name
-  vpc_cidr = (var.vpc_cidr == "" ? "10.0.255.0/24" : var.vpc_cidr)
+  vpc_cidr = var.vpc_cidr

  # subnet
  subnets                    = var.subnets
@ -122,7 +122,7 @@ module "network_load_balancer" {
  name              = local.load_balancer_name
  vpc_id            = module.vpc[0].id
  security_group_id = module.security_group[0].id
-  subnet_ids        = [for subnet in module.subnet : subnet.id]
+  subnets           = { for s in keys(local.subnets) : s => { id = module.subnet[s].id, cidr = module.subnet[s].cidr } }
  access_info       = local.load_balancer_access_cidrs
 }

@ -138,5 +138,5 @@ module "domain" {
  use               = local.domain_use_strategy
  cert_use_strategy = local.cert_use_strategy
  content           = lower(local.domain)
-  ip                = module.network_load_balancer[0].public_ip
+  ips               = module.network_load_balancer[0].public_ips
 }
--- a/modules/domain/main.tf
+++ b/modules/domain/main.tf
@ -2,7 +2,7 @@ locals {
  use      = var.use
  cert_use = var.cert_use_strategy
  content  = lower(var.content)
-  ip       = var.ip
+  ips      = var.ips

  content_parts = split(".", local.content)
  top_level_domain = join(".", [
@ -48,7 +48,7 @@ resource "aws_route53_record" "new" {
  name    = local.content
  type    = "A"
  ttl     = 30
-  records = [local.ip]
+  records = local.ips
 }

 # cert generation
--- a/modules/domain/variables.tf
+++ b/modules/domain/variables.tf
@ -30,11 +30,11 @@ variable "content" {
  EOT
 }

-variable "ip" {
-  type        = string
+variable "ips" {
+  type        = list(string)
  description = <<-EOT
-    The ip address to attach to the domain.
-    When selecting a domain we won't generate any domain objects, we won't create a cert.
+    The ip addresses to attach to the domain.
+    When selecting a domain we won't generate any domain objects and we won't create a cert.
  EOT
-  default     = ""
+  default     = []
 }
--- a/modules/network_load_balancer/main.tf
+++ b/modules/network_load_balancer/main.tf
@ -3,12 +3,12 @@ locals {
  name              = var.name
  vpc_id            = var.vpc_id
  security_group_id = var.security_group_id
-  subnet_ids        = var.subnet_ids
+  subnets           = var.subnets
  access_info       = (var.access_info == null ? {} : var.access_info)
  create            = (local.use == "create" ? 1 : 0)
  select            = (local.use == "select" ? 1 : 0)
-  eip               = (local.select == 1 ? data.aws_eip.selected[0] : aws_eip.created[0])
-  public_ip         = (local.select == 1 ? data.aws_eip.selected[0].public_ip : aws_eip.created[0].public_ip)
+  eips              = (local.select == 1 ? data.aws_eip.selected : aws_eip.created)
+  public_ips        = (local.select == 1 ? [for e in data.aws_eip.selected : e.public_ip if can(e.public_ip)] : [for e in aws_eip.created : e.public_ip if can(e.public_ip)])
 }

 data "aws_lb" "selected" {
@ -19,21 +19,25 @@ data "aws_lb" "selected" {
 }

 data "aws_eip" "selected" {
-  count = local.select
+  for_each = (local.select == 1 ? local.subnets : {})
  filter {
-    name   = "description"
-    values = ["ELB net/${data.aws_lb.selected[0].name}/*"]
+    name   = "name"
+    values = [local.name]
  }
 }

 resource "aws_eip" "created" {
-  count  = local.create
-  domain = "vpc"
+  for_each                  = (local.create == 1 ? local.subnets : {})
+  domain                    = "vpc"
+  associate_with_private_ip = cidrhost(each.value.cidr, -2) # map the eip to the last available ip of the private subnet
+  tags = {
+    Name = local.name
+  }
 }

 resource "aws_security_group" "load_balancer" {
  count       = local.create
-  name        = "${local.name}-lb"
+  name        = local.name
  description = "Security group for load balancer ${local.name}"
  vpc_id      = local.vpc_id
  tags = {
@ -52,16 +56,17 @@ resource "aws_security_group_rule" "external_ingress" {
 }

 resource "aws_lb" "new" {
-  count              = local.create
-  name               = local.name
-  internal           = false
-  load_balancer_type = "network"
-  security_groups    = [local.security_group_id]
+  count                            = local.create
+  name                             = local.name
+  internal                         = false
+  load_balancer_type               = "network"
+  security_groups                  = [local.security_group_id]
+  enable_cross_zone_load_balancing = true
  dynamic "subnet_mapping" {
-    for_each = toset(local.subnet_ids)
+    for_each = local.subnets
    content {
-      subnet_id     = subnet_mapping.key
-      allocation_id = local.eip.id
+      subnet_id     = subnet_mapping.value.id
+      allocation_id = local.eips[subnet_mapping.key].id
    }
  }
  tags = {
--- a/modules/network_load_balancer/outputs.tf
+++ b/modules/network_load_balancer/outputs.tf
@ -7,12 +7,12 @@ output "dns_name" {
 output "load_balancer" {
  value = (local.select == 1 ? data.aws_lb.selected[0] : aws_lb.new[0])
 }
-output "public_ip" {
-  value = local.public_ip
+output "public_ips" {
+  value = local.public_ips
 }
 output "listeners" {
  value = (local.create == 1 ? aws_lb_listener.created : {})
 }
 output "target_groups" {
  value = aws_lb_target_group.created
-}
+}
--- a/modules/network_load_balancer/variables.tf
+++ b/modules/network_load_balancer/variables.tf
@ -30,12 +30,20 @@ variable "security_group_id" {
  EOT
  default     = ""
 }
-variable "subnet_ids" {
-  type        = list(string)
+variable "subnets" {
+  type = map(object({
+    id   = string
+    cidr = string
+  }))
  description = <<-EOT
-    The subnet ids to attach to the Load Balancer.
+    Map of subnets to attach to the Load Balancer.
  EOT
-  default     = []
+  default = {
+    "dummy" = {
+      id   = ""
+      cidr = ""
+    }
+  }
 }
 variable "access_info" {
  type = map(object({
--- a/variables.tf
+++ b/variables.tf
@ -32,7 +32,7 @@ variable "vpc_cidr" {
    If you attempt to generate a VPC that has no usable addresses you will get an "invalid CIDR" error from AWS.
    If you attempt to generate a subnet that uses one of the addresses reserved by AWS in the VPC's CIDR, you will get an "invalid CIDR" error from AWS.
  EOT
-  default     = ""
+  default     = "10.0.0.0/16"
 }

 # subnet