
Handle cycles for AWS EIPs #62

Closed
hashibot opened this issue Jun 13, 2017 · 3 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@hashibot

This issue was originally opened by @davidhoyt as hashicorp/terraform#4644. It was migrated here as part of the provider split. The original body of the issue is below.


I am attempting to set up a cross-region VPN and need to create EIPs in both regions and then use the public IPs in each when provisioning a new EC2 instance in each region. When I do so, there is a complaint about cycles and it fails. It seems that the cycle can be removed if both EIPs are created before the instances. Here's a dumbed-down example of what I am looking to do:

variable "aws-access-key" { default = "access-key-12345" }
variable "aws-secret-key" { default = "secret-key-12345" }

variable "vpc-1-aws-region" { default = "us-east-1" }
variable "vpc-1-aws-az" { default = "us-east-1a" }
variable "vpc-1-aws-subnet-id" { default = "subnet-us-east-12345" }

variable "vpc-2-aws-region" { default = "us-west-2" }
variable "vpc-2-aws-az" { default = "us-west-2a" }
variable "vpc-2-aws-subnet-id" { default = "subnet-us-west-12345" }

// Ubuntu 14.04 LTS (HVM)
variable "aws-vpn-ami" {
  default = {
    us-east-1 = "ami-d05e75b8"
    us-west-2 = "ami-5189a661"
    eu-west-1 = "ami-47a23a30"
  }
}

provider "aws" {
  region     = "${var.vpc-1-aws-region}"
  access_key = "${var.aws-access-key}"
  secret_key = "${var.aws-secret-key}"
}

provider "aws" {
  alias  = "vpc-1"
  region = "${var.vpc-1-aws-region}"
}

provider "aws" {
  alias  = "vpc-2"
  region = "${var.vpc-2-aws-region}"
}

resource "aws_eip" "vpc-1" {
  provider = "aws.vpc-1"
  lifecycle { create_before_destroy = true }
  instance = "${aws_instance.vpc-1.id}"
  vpc = true
}

resource "aws_eip" "vpc-2" {
  provider = "aws.vpc-2"
  lifecycle { create_before_destroy = true }
  instance = "${aws_instance.vpc-2.id}"
  vpc = true
}

resource "aws_instance" "vpc-1" {
  provider = "aws.vpc-1"
  instance_type = "t2.micro"

  ami = "${lookup(var.aws-vpn-ami, var.vpc-1-aws-region)}"

  lifecycle { create_before_destroy = true }

  source_dest_check = false
  availability_zone = "${var.vpc-1-aws-az}"
  subnet_id         = "${var.vpc-1-aws-subnet-id}"
  private_ip        = "10.0.0.4"

  provisioner "remote-exec" {
    inline = [
      "sudo tee /tmp/foo.conf > /dev/null <<'EOF'",
      "${aws_eip.vpc-2.public_ip}",
      "EOF"
    ]
  }
}

resource "aws_instance" "vpc-2" {
  provider = "aws.vpc-2"
  instance_type = "t2.micro"

  lifecycle { create_before_destroy = true }

  ami = "${lookup(var.aws-vpn-ami, var.vpc-2-aws-region)}"

  source_dest_check = false
  availability_zone = "${var.vpc-2-aws-az}"
  subnet_id         = "${var.vpc-2-aws-subnet-id}"
  private_ip        = "10.1.0.4"

  provisioner "remote-exec" {
    inline = [
      "sudo tee /tmp/foo.conf > /dev/null <<'EOF'",
      "${aws_eip.vpc-1.public_ip}",
      "EOF"
    ]
  }
}

I will need to later add security groups that include rules for ingress that only allow traffic from the EIP of the other region. Would love to hear alternative ways of achieving the same btw. Thanks ahead for any help!

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 25, 2018
@ewbankkit (Contributor)

@davidhoyt You should try using the aws_eip_association resource. It should break the EIP <-> Instance ID cycle.
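An added example (not code from the issue or from the provider project) of the aws_eip_association layout ewbankkit describes, reusing the reporter's providers and variables and showing only the vpc-1 side; the vpc-2 side mirrors it with the names swapped. The security-group rule, the IPsec IKE port (UDP 500) and the vpc_id value are assumptions added to illustrate the per-region ingress restriction the reporter mentions.

```hcl
# EIPs no longer name an instance, so both can be created before either instance.
resource "aws_eip" "vpc-1" {
  provider = "aws.vpc-1"
  vpc      = true
}

resource "aws_eip" "vpc-2" {
  provider = "aws.vpc-2"
  vpc      = true
}

# Each instance reads only the *other* region's EIP: instance -> peer EIP, no loop.
resource "aws_instance" "vpc-1" {
  provider                    = "aws.vpc-1"
  ami                         = "${lookup(var.aws-vpn-ami, var.vpc-1-aws-region)}"
  instance_type               = "t2.micro"
  subnet_id                   = "${var.vpc-1-aws-subnet-id}"
  source_dest_check           = false
  associate_public_ip_address = true   # the provisioner runs before the EIP is attached
  vpc_security_group_ids      = ["${aws_security_group.vpc-1.id}"]

  provisioner "remote-exec" {
    inline = [
      "sudo tee /tmp/foo.conf > /dev/null <<'EOF'",
      "${aws_eip.vpc-2.public_ip}",
      "EOF",
    ]
  }
}

# The association depends on the instance and its own EIP; nothing depends on it,
# so the graph stays acyclic: eip -> instance -> association.
resource "aws_eip_association" "vpc-1" {
  provider      = "aws.vpc-1"
  instance_id   = "${aws_instance.vpc-1.id}"
  allocation_id = "${aws_eip.vpc-1.id}"
}

# Ingress limited to the peer region's EIP (assumption: IPsec IKE on UDP 500).
resource "aws_security_group" "vpc-1" {
  provider = "aws.vpc-1"
  vpc_id   = "vpc-PLACEHOLDER"   # placeholder: the issue gives only subnet IDs

  ingress {
    from_port   = 500
    to_port     = 500
    protocol    = "udp"
    cidr_blocks = ["${aws_eip.vpc-2.public_ip}/32"]
  }
}
```

Because the association is created only after the instance exists, the remote-exec provisioner never sees the EIP on the instance; the auto-assigned public address (or an explicit connection block) is what SSH reaches during provisioning.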

@bflad (Contributor) commented Jul 2, 2018

The correct implementation should be noted above. If the documentation (website/docs/r/eip.html.markdown) needs updates or to be clearer about this situation, we'll happily accept a pull request!

@bflad bflad closed this as completed Jul 2, 2018
@ghost commented Apr 4, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 4, 2020