terraform-aws-gitlab-runner

Pass an EIP to the EC2 instance created

Open bsuv opened this issue 6 years ago • 10 comments

In some cases when using spot, I'd like to be able to provide an EIP and reuse it in case the spot instance is terminated.

This is useful to avoid having to change inbound rules that use the runner's public IP as a source.

bsuv avatar Aug 21 '19 15:08 bsuv

@bsuv feel free to propose a PR. I use the runners in a private subnet, so no public ones are attached.

npalm avatar Aug 21 '19 21:08 npalm

I will work on a PR. The issue with having them in a private subnet is that the NAT Gateway costs can become prohibitive

bsuv avatar Aug 22 '19 07:08 bsuv

related issue #92

roock avatar Sep 30 '19 12:09 roock

I've started working on this issue: https://github.com/roock/terraform-aws-gitlab-runner/commit/c204e4ba3a0427eedb1386a214bda31d1c287306 ~it is working when enabling the use of EIP, but for disabling the feature I need a way to reference a non-existing object (aws_eip is only created if the flag is set)~ Seems to work fine, tested with the runner on a public subnet with and without the flag enabled. @npalm what do you think?

roock avatar Oct 24 '19 10:10 roock
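One way to implement the flag roock describes, as an added example (not the module's own code and not roock's commit): the EIP and its association are created only when a hypothetical `enable_eip` variable is true, and `aws_instance.runner` is assumed to be defined elsewhere in the configuration. The point of the `count` pattern is exactly the problem raised above: when the flag is off, the resource list is empty, so nothing else in the plan may index `[0]` unconditionally.

```hcl
# Added example, not code from the terraform-aws-gitlab-runner module.
# Assumptions: a variable `enable_eip` and an existing `aws_instance.runner`.

variable "enable_eip" {
  description = "Allocate an Elastic IP and associate it with the runner instance."
  type        = bool
  default     = false
}

# count = 0/1 is the idiomatic way to make a resource conditional. With the
# flag disabled the resource is a zero-length list and nothing is created.
resource "aws_eip" "runner" {
  count  = var.enable_eip ? 1 : 0
  domain = "vpc" # AWS provider v5+; older providers use `vpc = true`

  tags = {
    Name = "gitlab-runner"
  }
}

# Keeping the association in its own resource means the allocation is stable
# across instance replacement (e.g. a spot interruption followed by a new
# instance): only the association is re-created, the public IP stays the same,
# so inbound rules that allow-list it do not have to change.
resource "aws_eip_association" "runner" {
  count         = var.enable_eip ? 1 : 0
  instance_id   = aws_instance.runner.id
  allocation_id = aws_eip.runner[0].id
}

# Referencing a possibly empty list: one() returns the single element or null,
# so `terraform plan` with the flag disabled does not fail on `[0]`.
output "runner_eip" {
  description = "Public IP of the runner, or null when no EIP is allocated."
  value       = one(aws_eip.runner[*].public_ip)
}
```

Note that `aws_eip_association` only works for an instance Terraform itself manages; if the runner is launched from an autoscaling group, the association has to be done from inside the instance at boot instead (ec2:AssociateAddress on the instance role), which is the same limitation that applies to the docker-machine workers discussed further down.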

@roock do not hard-code the region, and please rebase from upstream and open a PR

kostyrev avatar Dec 04 '19 17:12 kostyrev

@kostyrev oops, thx for the hint

roock avatar Dec 04 '19 20:12 roock

Assignment of EIP to the Runner server itself was added in #161 and #165. Not sure if it is possible to add support for EIPs for the docker-machine servers though.

roock avatar Sep 05 '20 15:09 roock

@roock seems not supported by the aws docker machine driver https://docs.docker.com/machine/drivers/aws/

npalm avatar Sep 06 '20 12:09 npalm

A possibility would be to use the user_data to assign an EIP to the docker-machine instances.

roock avatar Sep 06 '20 12:09 roock
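What the user_data approach roock suggests could look like, as an added example (not the module's code and not part of docker-machine): at boot the worker claims a free Elastic IP from a pool tagged `Pool=gitlab-runner-worker` and associates it with itself. The pool size, tag name and the `locals` wrapper are hypothetical; the script would be handed to the amazonec2 driver through its `--amazonec2-userdata` option, and the worker's instance role must be allowed `ec2:DescribeAddresses` and `ec2:AssociateAddress`.

```hcl
# Added example, not code from the terraform-aws-gitlab-runner module.
# Assumptions: pool size 3, tag key "Pool", instance role with
# ec2:DescribeAddresses and ec2:AssociateAddress.

# A fixed pool of EIPs: its size caps how many workers can be public at once,
# and the whole pool (not a per-instance address) is what gets allow-listed.
resource "aws_eip" "worker_pool" {
  count  = 3
  domain = "vpc"

  tags = {
    Pool = "gitlab-runner-worker"
  }
}

locals {
  # Passed to docker-machine as the user-data file (--amazonec2-userdata).
  # No ${...} appears in the script, so Terraform leaves it untouched.
  worker_userdata = <<-EOT
    #!/bin/bash
    set -euo pipefail

    # IMDSv2 only: a session token is required for every metadata read.
    IMDS=http://169.254.169.254/latest
    TOKEN=$(curl -sS -X PUT "$IMDS/api/token" \
      -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
    INSTANCE_ID=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
      "$IMDS/meta-data/instance-id")
    REGION=$(curl -sS -H "X-aws-ec2-metadata-token: $TOKEN" \
      "$IMDS/meta-data/placement/region")

    # Pick the first EIP in the pool that is not associated with anything.
    ALLOC_ID=$(aws ec2 describe-addresses --region "$REGION" \
      --filters "Name=tag:Pool,Values=gitlab-runner-worker" \
      --query 'Addresses[?AssociationId==`null`].AllocationId | [0]' \
      --output text)

    if [ -z "$ALLOC_ID" ] || [ "$ALLOC_ID" = "None" ]; then
      echo "no free EIP in pool gitlab-runner-worker" >&2
      exit 1
    fi

    # Two workers booting at the same moment can select the same address.
    # Without --allow-reassociation the second call fails instead of
    # silently stealing the EIP from the first worker, which is the safe
    # failure mode here; a retry loop can be added around this call.
    aws ec2 associate-address --region "$REGION" \
      --instance-id "$INSTANCE_ID" --allocation-id "$ALLOC_ID"
  EOT
}
```

Two caveats for anyone trying this. Associating an EIP replaces the instance's auto-assigned public IPv4, and docker-machine records the public address it sees when the host comes up and keeps using it for SSH; if the association lands after that, provisioning breaks. The robust variant is to run docker-machine with `--amazonec2-private-address-only` so it reaches the workers over the VPC and the EIP only matters for egress. And the EIPs are never released by this script; they stay allocated in the pool and are freed for the next worker when the instance is terminated, which is the intended behaviour here.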

Is it really necessary to expose the runners? You could also access your machines via AWS Console (SSM access). Seems to be easier to configure and less risky.

If we are talking about the agent: There should be an inbound rule which allows traffic from your Gitlab instance only. And the communication agent <-> runner should be safeguarded through the module itself using security groups.

We should be fine without an EIP at all or do I miss something? Any other use case?

kayman-mk avatar Oct 14 '21 07:10 kayman-mk

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.

github-actions[bot] avatar Mar 19 '23 02:03 github-actions[bot]

This issue was closed because it has been stalled for 15 days with no activity.

github-actions[bot] avatar Apr 04 '23 02:04 github-actions[bot]