feat: Expose autoscaler VPC config to the root module (#160)

obabec · web-flow · commit a053478dd0ca · 2025-05-28T18:33:58.000+03:00
* feat: Expose autoscaler VPC config to the root module

* Add docs
diff --git a/.spacelift/config.yml b/.spacelift/config.yml
@@ -1,5 +1,5 @@
 version: 2
-module_version: 4.2.0
+module_version: 4.3.0
 
 tests:
   - name: AMD64-based workerpool
diff --git a/README.md b/README.md
@@ -237,6 +237,8 @@ This module is also available [on the OpenTofu registry](https://search.opentofu
 | `spacelift_api_credentials` | Spacelift API credentials used to authenticate the autoscaler and lifecycle manager with Spacelift. See definition for full details. | `object`<br/>(See definition) | `null` | [variables.tf:304-318](./variables.tf#L304-L318) |
 | `instance_refresh` | If this block is configured, start an Instance Refresh when this Auto Scaling Group is updated | `any`                         | `{}` | [variables.tf:217-221](./variables.tf#L217-L221) |
 | `instance_market_options` | The market (purchasing) option for the instance | `any`                         | `{}` | [variables.tf:223-227](./variables.tf#L223-L227) |
+| `autoscaling_vpc_sg_ids` | Security groups that should be assigned to autoscaling lambda | `null`                         | `[]` | [variables.tf:223-227](./variables.tf#L272-L276) |
+| `autoscaling_vpc_subnets` | Subnets that should be assigned to autoscaling lambda | `null`                         | `[]` | [variables.tf:223-227](./variables.tf#L278-L82) |
 
 ### Self-hosted Configuration
 
diff --git a/autoscaler/autoscaler.tf b/autoscaler/autoscaler.tf
@@ -47,10 +47,10 @@ resource "aws_lambda_function" "autoscaler" {
   timeout       = var.autoscaling_configuration.timeout != null ? var.autoscaling_configuration.timeout : 30
 
   dynamic "vpc_config" {
-    for_each = var.subnet_ids != null && var.security_group_ids != null ? ["USE_VPC_CONFIG"] : []
+    for_each = var.spacelift_vpc_subnet_ids != null && var.spacelift_vpc_security_group_ids != null ? ["USE_VPC_CONFIG"] : []
     content {
-      security_group_ids          = var.security_group_ids
-      subnet_ids                  = var.subnet_ids
+      security_group_ids          = var.spacelift_vpc_security_group_ids
+      subnet_ids                  = var.spacelift_vpc_subnet_ids
       ipv6_allowed_for_dual_stack = var.ipv6_allowed_for_dual_stack
     }
   }
diff --git a/autoscaler/iam.tf b/autoscaler/iam.tf
@@ -45,6 +45,19 @@ data "aws_iam_policy_document" "autoscaler" {
     resources = ["*"]
   }
 
+  # Allow the Lambda to take actions on NetworkInterfaces
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:CreateNetworkInterface",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DescribeInstances",
+      "ec2:AttachNetworkInterface"
+    ]
+    resources = ["*"]
+  }
+
   # Allow the Lambda to read the secret from SSM Parameter Store.
   statement {
     effect    = "Allow"
diff --git a/autoscaler/variables.tf b/autoscaler/variables.tf
@@ -74,13 +74,13 @@ variable "api_key_ssm_parameter_arn" {
   type = string
 }
 
-variable "subnet_ids" {
+variable "spacelift_vpc_subnet_ids" {
   description = "List of subnet IDs when the lambda function should run in a VPC."
   type        = list(string)
   default     = null
 }
 
-variable "security_group_ids" {
+variable "spacelift_vpc_security_group_ids" {
   description = "List of security group IDs when the lambda function should run in a VPC."
   type        = list(string)
   default     = null
diff --git a/examples/autoscaler/main.tf b/examples/autoscaler/main.tf
@@ -49,6 +49,10 @@ module "this" {
   vpc_subnets     = data.aws_subnets.this.ids
   worker_pool_id  = var.worker_pool_id
 
+  # Autoscaler VPC configuration
+  autoscaling_vpc_sg_ids = [data.aws_security_group.this.id]
+  autoscaling_vpc_subnets = data.aws_subnets.this.ids
+
   autoscaling_configuration = {
     max_create          = 5
     max_terminate       = 5
diff --git a/main.tf b/main.tf
@@ -23,18 +23,20 @@ module "autoscaler" {
   count  = local.autoscaling_enabled ? 1 : 0
   source = "./autoscaler"
 
-  additional_tags                = var.additional_tags
-  api_key_ssm_parameter_arn      = local.ssm_arn
-  api_key_ssm_parameter_name     = local.ssm_name
-  auto_scaling_group_arn         = module.asg.autoscaling_group_arn
-  autoscaling_configuration      = var.autoscaling_configuration
-  aws_partition_dns_suffix       = data.aws_partition.current.dns_suffix
-  aws_region                     = data.aws_region.this.name
-  base_name                      = local.base_name
-  cloudwatch_log_group_retention = var.cloudwatch_log_group_retention
-  spacelift_api_credentials      = var.spacelift_api_credentials
-  iam_permissions_boundary       = var.iam_permissions_boundary
-  worker_pool_id                 = var.worker_pool_id
+  additional_tags                  = var.additional_tags
+  api_key_ssm_parameter_arn        = local.ssm_arn
+  api_key_ssm_parameter_name       = local.ssm_name
+  auto_scaling_group_arn           = module.asg.autoscaling_group_arn
+  autoscaling_configuration        = var.autoscaling_configuration
+  aws_partition_dns_suffix         = data.aws_partition.current.dns_suffix
+  aws_region                       = data.aws_region.this.name
+  base_name                        = local.base_name
+  cloudwatch_log_group_retention   = var.cloudwatch_log_group_retention
+  spacelift_api_credentials        = var.spacelift_api_credentials
+  iam_permissions_boundary         = var.iam_permissions_boundary
+  worker_pool_id                   = var.worker_pool_id
+  spacelift_vpc_subnet_ids         = var.autoscaling_vpc_subnets
+  spacelift_vpc_security_group_ids = var.autoscaling_vpc_sg_ids
 }
 
 module "lifecycle_manager" {
diff --git a/variables.tf b/variables.tf
@@ -269,6 +269,18 @@ variable "autoscaling_configuration" {
   default = null
 }
 
+variable "autoscaling_vpc_subnets" {
+  description = "List of VPC subnets to use for the autoscaler Lambda function."
+  type        = list(string)
+  default     = null
+}
+
+variable "autoscaling_vpc_sg_ids" {
+  description = "values of the security group to use for the autoscaler Lambda function."
+  type        = list(string)
+  default     = null
+}
+
 variable "selfhosted_configuration" {
   description = <<EOF
   Configuration for selfhosted launcher. Configuration options are:
@@ -321,4 +333,4 @@ variable "cloudwatch_log_group_retention" {
   description = "Retention period for the autoscaler and lifecycle manager cloudwatch log group."
   type        = number
   default     = 7
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -47,10 +47,10 @@ resource "aws_lambda_function" "autoscaler" {`
`47`	`47`	`timeout = var.autoscaling_configuration.timeout != null ? var.autoscaling_configuration.timeout : 30`
`48`	`48`
`49`	`49`	`dynamic "vpc_config" {`
`50`		`- for_each = var.subnet_ids != null && var.security_group_ids != null ? ["USE_VPC_CONFIG"] : []`
	`50`	`+ for_each = var.spacelift_vpc_subnet_ids != null && var.spacelift_vpc_security_group_ids != null ? ["USE_VPC_CONFIG"] : []`
`51`	`51`	`content {`
`52`		`- security_group_ids = var.security_group_ids`
`53`		`- subnet_ids = var.subnet_ids`
	`52`	`+ security_group_ids = var.spacelift_vpc_security_group_ids`
	`53`	`+ subnet_ids = var.spacelift_vpc_subnet_ids`
`54`	`54`	`ipv6_allowed_for_dual_stack = var.ipv6_allowed_for_dual_stack`
`55`	`55`	`}`
`56`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,13 +74,13 @@ variable "api_key_ssm_parameter_arn" {`
`74`	`74`	`type = string`
`75`	`75`	`}`
`76`	`76`
`77`		`-variable "subnet_ids" {`
	`77`	`+variable "spacelift_vpc_subnet_ids" {`
`78`	`78`	`description = "List of subnet IDs when the lambda function should run in a VPC."`
`79`	`79`	`type = list(string)`
`80`	`80`	`default = null`
`81`	`81`	`}`
`82`	`82`
`83`		`-variable "security_group_ids" {`
	`83`	`+variable "spacelift_vpc_security_group_ids" {`
`84`	`84`	`description = "List of security group IDs when the lambda function should run in a VPC."`
`85`	`85`	`type = list(string)`
`86`	`86`	`default = null`