fix: eip race condition when updating ASG

blackillzone · web-flow · commit bd95adb91cdd · 2025-08-07T19:25:46.000+02:00
Add a second EIP, when we decide to use EIP for the manager. This way, when we update the ASG, a free EIP is available to pick by the `aws-ec2-assign-elastic-ip` tool.

This fix the rolling update, and allow for a smoother transition (instead of trying to work around the removing of the EIP association).

The caveats is that we require two EIP for this use case, but I guess it's okay, as long the user is aware of it.
diff --git a/main.tf b/main.tf
@@ -359,7 +359,7 @@ resource "aws_iam_instance_profile" "instance" {
 
 resource "aws_eip" "gitlab_runner" {
   # checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside.
-  count = var.runner_instance.use_eip ? 1 : 0
+  count = var.runner_instance.use_eip ? 2 : 0
 
   tags = local.tags
 }

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ resource "aws_iam_instance_profile" "instance" {`
`359`	`359`
`360`	`360`	`resource "aws_eip" "gitlab_runner" {`
`361`	`361`	`# checkov:skip=CKV2_AWS_19:We can't use NAT gateway here as we are contacted from the outside.`
`362`		`- count = var.runner_instance.use_eip ? 1 : 0`
	`362`	`+ count = var.runner_instance.use_eip ? 2 : 0`
`363`	`363`
`364`	`364`	`tags = local.tags`
`365`	`365`	`}`