Configuring Private Worker Pools to Use Specific Elastic IP Addresses
Last updated: September 16, 2025
If you need connections from your Spacelift private worker pool to originate from a specific IP address (for example, so you can allowlist that address on an EKS cluster's API endpoint), you can do so by routing the workers' outbound traffic through a NAT Gateway that holds a pre-allocated Elastic IP.
How to Configure Elastic IP for Private Workers
The terraform-aws-spacelift-workerpool-on-ec2 module doesn't directly manage NAT Gateways or Elastic IPs, but you can control outbound traffic IP addresses through your VPC configuration:
Create a NAT Gateway in a public subnet with a pre-allocated Elastic IP
Update your private subnet route tables so the default route (0.0.0.0/0) points at the NAT Gateway, not at an Internet Gateway
Pass the private subnet IDs to the module via the vpc_subnets variable
This setup ensures that all outbound traffic from your worker EC2 instances goes through the NAT Gateway and therefore leaves AWS with the Elastic IP as its source address, giving you a consistent IP to allowlist.
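As an added example, not code from this page or from the Spacelift module itself, the three steps above as one Terraform configuration. Only the vpc_subnets input comes from this page; the CIDRs, availability zone, resource names and the other module inputs (worker_pool_id, configuration and security_groups, as they appear in the module README) are assumptions to check against the module version you pin. Because workers only make outbound connections, the security group carries no ingress rules.

```terraform
# Added example, not Spacelift's or the module's own code. Everything except
# the module's vpc_subnets input is an assumption: CIDRs, the AZ, resource
# names, and the other module inputs (check the README of the version you pin).

variable "worker_pool_id" { type = string }
variable "worker_configuration" {
  type      = string
  sensitive = true # holds SPACELIFT_TOKEN and the pool private key
}

resource "aws_vpc" "workers" {
  cidr_block = "10.20.0.0/16"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.workers.id
}

# Public subnet: only the NAT Gateway lives here.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.workers.id
  cidr_block        = "10.20.0.0/24"
  availability_zone = "eu-west-1a"
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.workers.id
}

resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# The pre-allocated Elastic IP: this is the address to allowlist (as a /32).
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

# Private subnet for the workers: default route goes to the NAT Gateway, never
# to the Internet Gateway, so instances get no public address and all egress
# leaves with the Elastic IP as source.
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.workers.id
  cidr_block        = "10.20.1.0/24"
  availability_zone = "eu-west-1a"
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.workers.id
}

resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.nat.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Workers pull work from Spacelift, so there are no ingress rules at all.
# Egress is open because runs also fetch providers and call cloud APIs;
# tighten it to the endpoints Spacelift documents for workers if required.
resource "aws_security_group" "workers" {
  name   = "spacelift-workers"
  vpc_id = aws_vpc.workers.id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

module "spacelift_workers" {
  # Pin to a released tag of the module in practice.
  source = "github.com/spacelift-io/terraform-aws-spacelift-workerpool-on-ec2"

  worker_pool_id  = var.worker_pool_id       # assumed input name
  configuration   = var.worker_configuration # assumed input name
  security_groups = [aws_security_group.workers.id]
  vpc_subnets     = [aws_subnet.private.id]
}

output "worker_egress_ip" {
  value = aws_eip.nat.public_ip
}
```

To confirm it works, run `curl -s https://checkip.amazonaws.com` from one of the worker instances and check that it prints the same address as the `worker_egress_ip` output, then restrict the cluster's public endpoint to that address with `public_access_cidrs = ["<eip>/32"]` in the `vpc_config` block of `aws_eks_cluster`. Three caveats: each NAT Gateway has its own Elastic IP, so a multi-AZ layout with one gateway per AZ means several addresses to allowlist; every instance in a subnet routed through that gateway shares the address, so keep the worker subnets dedicated to workers; and a source-IP allowlist is a network filter, not authentication, so the workers' IAM role and the cluster's RBAC still have to be scoped to least privilege.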
Worker Connectivity Architecture
You might wonder how workers in private subnets can communicate with Spacelift. The key point is that Spacelift workers use a pull-based architecture:
Workers don't wait for incoming connections from the Spacelift Mothership
Instead, workers actively check in with the Mothership to pull their tasks
The communication uses MQTT subscriptions in a pub-sub architecture
The Mothership publishes messages and workers subscribe to those topics
Because every connection is initiated by the worker, the instances need no public IP address and no inbound security group rules, and routing them through a NAT Gateway does not add any noticeable delay to plan or apply execution.
Module Version Considerations
It's recommended to use the latest version of the terraform-aws-spacelift-workerpool-on-ec2 module for compatibility and the most recent features. If you're using an older version, you may need to update and reapply the configuration to leverage the latest improvements.
Note: This configuration is only possible with private worker pools. Public workers do not support custom IP address configuration.