aws/publicIpv4Pool: terraform - allocate byoip from eips

Terraform support for user-specified Public IPv4 Pool ID
feature (BYOIPv4).

Terraform will allocate EIPs for resources in public subnets
when installing a cluster with publish strategy External.

The EIPs will be claimed from a Public IPv4 Pool ID, and EIPs will
be associated to resousces: Nat Gateways, Public Network LBs, and
EC2 for Bootstrap node.

Author: mtulio

data/data/aws/bootstrap/main.tf

@@ -249,3 +249,11 @@ resource "aws_security_group_rule" "bootstrap_journald_gateway" {
   from_port   = 19531
   to_port     = 19531
 }
+
+resource "aws_eip" "bootstrap" {
+  domain           = "vpc"
+  instance         = aws_instance.bootstrap.id
+  public_ipv4_pool = var.aws_public_ipv4_pool == "" ? null : var.aws_public_ipv4_pool
+
+  depends_on = [aws_instance.bootstrap]
+}

data/data/aws/cluster/main.tf

@@ -109,6 +109,8 @@ module "vpc" {
   edge_parent_gw_map = var.aws_edge_parent_zones_index
   edge_zones_type    = var.aws_edge_zones_type
 
+  public_ipv4_pool = var.aws_public_ipv4_pool
+
   tags = local.tags
 }
 

data/data/aws/cluster/vpc/master-elb.tf

@@ -24,10 +24,18 @@ resource "aws_lb" "api_external" {
 
   name                             = "${var.cluster_id}-ext"
   load_balancer_type               = "network"
-  subnets                          = data.aws_subnet.public.*.id
   internal                         = false
   enable_cross_zone_load_balancing = true
 
+  dynamic "subnet_mapping" {
+    for_each = range(length(data.aws_subnet.public))
+
+    content {
+      subnet_id     = data.aws_subnet.public[subnet_mapping.key].id
+      allocation_id = aws_eip.api_nlb_public[subnet_mapping.key].id
+    }
+  }
+
   tags = merge(
     {
       "Name" = "${var.cluster_id}-ext"
@@ -38,7 +46,24 @@ resource "aws_lb" "api_external" {
   timeouts {
     create = "20m"
   }
+}
+
+resource "aws_eip" "api_nlb_public" {
+  count  = length(var.availability_zones)
+  domain = "vpc"
+
+  public_ipv4_pool = var.public_ipv4_pool == "" ? null : var.public_ipv4_pool
+
+  tags = merge(
+    {
+      "Name" = "${var.cluster_id}-eip-${var.availability_zones[count.index]}-lb-api"
+    },
+    var.tags,
+  )
 
+  # Terraform does not declare an explicit dependency towards the internet gateway.
+  # this can cause the internet gateway to be deleted/detached before the EIPs.
+  # https://github.com/coreos/tectonic-installer/issues/1017#issuecomment-307780549
   depends_on = [aws_internet_gateway.igw]
 }
 

data/data/aws/cluster/vpc/variables.tf

@@ -59,4 +59,9 @@ variable "public_subnets" {
 variable "private_subnets" {
   type        = list(string)
   description = "Existing private subnets into which the cluster should be installed."
+}
+
+variable "public_ipv4_pool" {
+  type        = string
+  description = "An Public IPv4 Pool"
 }

data/data/aws/cluster/vpc/vpc-public.tf

@@ -95,6 +95,8 @@ resource "aws_eip" "nat_eip" {
   count = var.public_subnets == null ? length(var.availability_zones) : 0
   vpc   = true
 
+  public_ipv4_pool = var.public_ipv4_pool == "" ? null : var.public_ipv4_pool
+
   tags = merge(
     {
       "Name" = "${var.cluster_id}-eip-${var.availability_zones[count.index]}"

data/data/aws/variables-aws.tf

@@ -226,4 +226,16 @@ a Public Route Table and the default route entry pointing to the carrier gateway
 
 Example: `{ "us-east-1-nyc-1a"=local-zone, "us-east-1-wl1-nyc-wlz-1"=wavelength-zone }`
 EOF
-}
+}
+
+variable "aws_public_ipv4_pool" {
+  type = string
+
+  description = <<EOF
+(optional) Indicates the installation process to use Public IPv4 address
+that you bring to your AWS account with BYOIP to create resources which consumes
+Elastic IPs when the publish strategy is External.
+EOF
+
+  default = ""
+}

pkg/asset/cluster/tfvars/tfvars.go

@@ -333,6 +333,7 @@ func (t *TerraformVariables) Generate(parents asset.Parents) error {
 			Proxy:                     installConfig.Config.Proxy,
 			PreserveBootstrapIgnition: installConfig.Config.AWS.PreserveBootstrapIgnition,
 			MasterSecurityGroups:      securityGroups,
+			PublicIpv4Pool:            installConfig.Config.AWS.PublicIpv4Pool,
 		})
 		if err != nil {
 			return errors.Wrapf(err, "failed to get %s Terraform variables", platform)

pkg/tfvars/aws/aws.go

@@ -49,6 +49,7 @@ type Config struct {
 	BootstrapMetadataAuthentication string            `json:"aws_bootstrap_instance_metadata_authentication,omitempty"`
 	PreserveBootstrapIgnition       bool              `json:"aws_preserve_bootstrap_ignition"`
 	MasterSecurityGroups            []string          `json:"aws_master_security_groups,omitempty"`
+	PublicIpv4Pool                  string            `json:"aws_public_ipv4_pool"`
 }
 
 // TFVarsSources contains the parameters to be converted into Terraform variables
@@ -80,6 +81,8 @@ type TFVarsSources struct {
 	PreserveBootstrapIgnition bool
 
 	MasterSecurityGroups []string
+
+	PublicIpv4Pool string
 }
 
 // TFVars generates AWS-specific Terraform variables launching the cluster.
@@ -207,6 +210,7 @@ func TFVars(sources TFVarsSources) ([]byte, error) {
 		WorkerIAMRoleName:         sources.WorkerIAMRoleName,
 		PreserveBootstrapIgnition: sources.PreserveBootstrapIgnition,
 		MasterSecurityGroups:      sources.MasterSecurityGroups,
+		PublicIpv4Pool:            sources.PublicIpv4Pool,
 	}
 
 	stubIgn, err := bootstrap.GenerateIgnitionShimWithCertBundleAndProxy(sources.IgnitionPresignedURL, sources.AdditionalTrustBundle, sources.Proxy)