Add support for Elastic IP pool in AWS deployments #524
Open
Add support for using pre-allocated Elastic IP pools instead of randomly created EIPs. This allows CI/CD runners and external systems to whitelist specific IP addresses for SSH access, improving security by avoiding 0.0.0.0/0 firewall rules.

Changes:

Base Modules:
- Add optional eip_allocation_id parameter to sonar-base-instance, dam-base-instance, ciphertrust-manager, cte-ddc-agent, and dra-admin
- When eip_allocation_id is provided, use existing EIP instead of creating new
- When null (default), create and manage new EIP (backward compatible)

Wrapper Modules:
- Add pass-through eip_allocation_id parameter to hub, mx, agentless-gw, and agent-gw modules

Deployment Example:
- Add use_eip_pool and eip_pool_tag variables
- Add eip_pool.tf with pool query logic and allocation ID distribution
- Add validation to ensure sufficient IPs are available in pool
- Add time_sleep resource to handle CipherTrust provider timing with pooled EIPs
- Update all module calls to pass allocation IDs when pooled mode enabled

Benefits:
- Predictable IP addresses for CI/CD firewall whitelisting
- IPs survive terraform destroy and can be reused
- Fully backward compatible (default behavior unchanged)
- Deployment-level pool management (base modules stay simple)

Co-Authored-By: Claude <noreply@anthropic.com>
roiklorin
reviewed
Feb 4, 2026
# Distribute allocation IDs to resources
# Use null if use_eip_pool is false (modules will create new EIPs)

# Index counter for distributing IPs
Collaborator
Can we change the way we distribute the EIPs and make it more robust?
Currently the calculated indices will shift whenever the deployment configuration changes.
This also applies to the CM agents map.
Maybe we can keep a fixed and stable allocation.
roiklorin
reviewed
Feb 4, 2026
data "aws_eips" "pool" {
  count = var.use_eip_pool ? 1 : 0

  filter {
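Review bot: with `count = var.use_eip_pool ? 1 : 0` the data source becomes a one-element list, so every consumer has to index `data.aws_eips.pool[0]` and guard the disabled case (for example `var.use_eip_pool ? data.aws_eips.pool[0].allocation_ids : []`); putting that conditional in a single local keeps the `[0]` in one place and avoids an index error when pooling is off.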
Collaborator
What happens if there are multiple deployments with the same eip_pool_tag competing for the same EIPs?
Maybe we can document this limitation.
roiklorin
reviewed
Feb 4, 2026
} : {}
}

# Validation check
Collaborator
Maybe we can check here the EIPs' availability and not just the quantity, checking that they are all unassociated and logging the result to the user.
- Use fixed slot positions for singleton resources (hub=0, hub-dr=1, mx=2, dra-admin=3) so enabling/disabling modules never shifts EIPs
- Add secondary data source to query unassociated pool EIPs and validate that no pool EIPs are associated to non-managed resources
- Sort allocation IDs for stable ordering across API calls
- Sort agent map keys for consistent distribution
- Update README with fixed-slot documentation
- Update .gitignore with additional patterns
… naming convention
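The following is an added example, not code from this PR or from the project, of the fixed-slot distribution and the availability check discussed in the review comments above: each consumer of a pooled EIP has a stable position in the sorted pool, so toggling an optional module never moves another module's address, and the plan fails early if the pool is too small or one of its EIPs is already attached to something this deployment does not own. Everything beyond `use_eip_pool`, `eip_pool_tag` and the `aws_eips` lookup is assumed: the tag key `EipPool`, the variables `agent_gw_names` and `managed_instance_ids`, and the `eip_slots` output. It needs Terraform 1.4+ for `terraform_data`.

```hcl
# Added example (not the PR's code). Assumed inputs: agent_gw_names,
# managed_instance_ids, and pool members tagged EipPool=<eip_pool_tag>.
variable "use_eip_pool" { type = bool, default = false }
variable "eip_pool_tag" { type = string, default = "" }
variable "agent_gw_names" { type = list(string), default = [] }
# Instance IDs this deployment already owns (e.g. from module outputs), so a
# second apply does not flag our own associations as foreign.
variable "managed_instance_ids" { type = list(string), default = [] }

# Pool lookup. Two deployments sharing one tag would claim the same
# addresses, so the limitation is: one pool tag per deployment.
data "aws_eips" "pool" {
  count = var.use_eip_pool ? 1 : 0

  filter {
    name   = "tag:EipPool"
    values = [var.eip_pool_tag]
  }
}

locals {
  # sort() makes slot order independent of the API response order.
  pool_allocation_ids = var.use_eip_pool ? sort(data.aws_eips.pool[0].allocation_ids) : []

  # Singletons keep their slot even when disabled: turning hub-dr off does
  # not move mx from slot 2 to slot 1.
  fixed_slots = {
    "hub"       = 0
    "hub-dr"    = 1
    "mx"        = 2
    "dra-admin" = 3
  }

  # Agents follow the fixed block, in sorted-name order.
  agent_slots = {
    for idx, name in sort(var.agent_gw_names) :
    name => length(local.fixed_slots) + idx
  }

  all_slots    = merge(local.fixed_slots, local.agent_slots)
  required_ips = length(local.all_slots)

  # null keeps the old behaviour: the module creates its own EIP.
  slot_allocation_id = {
    for name, slot in local.all_slots :
    name => (var.use_eip_pool && slot < length(local.pool_allocation_ids)) ? local.pool_allocation_ids[slot] : null
  }
}

# Per-EIP lookup to learn whether a pool member is already associated.
data "aws_eip" "pool_member" {
  for_each = toset(local.pool_allocation_ids)
  id       = each.value
}

locals {
  # Associated, but not to an instance we manage: someone else is using it.
  foreign_associations = [
    for alloc_id, eip in data.aws_eip.pool_member : alloc_id
    if try(length(eip.association_id), 0) > 0
    && !contains(var.managed_instance_ids, coalesce(eip.instance_id, "none"))
  ]
}

# Fails at plan time with a readable message instead of mid-apply.
resource "terraform_data" "eip_pool_check" {
  count = var.use_eip_pool ? 1 : 0

  lifecycle {
    precondition {
      condition     = length(local.pool_allocation_ids) >= local.required_ips
      error_message = "EIP pool '${var.eip_pool_tag}' has ${length(local.pool_allocation_ids)} EIP(s); ${local.required_ips} slot(s) are required."
    }
    precondition {
      condition     = length(local.foreign_associations) == 0
      error_message = "Pool EIPs already associated outside this deployment: ${join(", ", local.foreign_associations)}"
    }
  }
}

output "eip_slots" {
  description = "Allocation ID (or null) per slot, to pass as each module's eip_allocation_id."
  value       = local.slot_allocation_id
}
```

Each module call then reads its own slot, for example `eip_allocation_id = local.slot_allocation_id["mx"]`, and agents use `local.slot_allocation_id[each.key]`. The check resource only reports; it has no dependents, so the modules still create when it is skipped with `use_eip_pool = false`. Renaming an agent gateway does move it to a different slot (the slots are keyed by sorted name), so an allocation map pinned in a variable would be the next step if names are expected to churn.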