So by "attaching an Elastic IP", do you mean the EIP is pre-existing (allocated), or it should be allocated by this module, or we should support both cases?

That is a great question @Magicloud. I hope this helps to explain:

Terraform is used to create the EIP resource itself. With an ASG, Terraform creates the LC and ASG, but AWS creates the EC2 instances, so Terraform cannot associate/attach the EIP to an EC2 instance created by AWS ASG. That EIP created by Terraform is then floating and not attached to an EC2 instance, but in this design, we have a "single node ASG" - there is only one EC2 instance, and the EC2 instance can be provided init/shell/etc to attach specific resources. In the existing module design, we create an EBS volume to attach. The purpose of this issue is to add support for an EIP that is attached in the same way the EBS volume it attached.

Thanks. So the EIP is pre-existing (by Terraform).

Yes, you want to use aws_eip and not the _association resource, and during EC2 init, we use aws tools to associate the EIP with the EC2 instance.

@Magicloud, also make sure the ASG does not have a public IP, there is a module variable for that.

To confirm, you meant another requirement? I mean it is configurable now. Did you mean I should set it to false when associate the EIP?

Associating address via awscli gives me UnauthorizedOperation.

One more thing to change, I guess, subnets module, need to pass false to its public attribute.

And, have not figured this out, passing false to associate_public_ip_address of aws_launch_configuration does not set the launch conf in AWS to not associate, but default (Only assign a public IP address to instances launched in the default VPC and subnet).

Still digging.

After my testing, it is as expected, without public network accessing, aws cannot attach EBS or associate EIP.

So we cannot do "ASG does not have a public IP". At least a NAT for the whole group.