terraform, aws: comment instance_refresh on asg (#12)

Uncomment to allow ASG to replace the instance. It will take several minutes as the ASG will try to launch a replacement instance before ENIs have been released.

Author: clstokes

terraform/aws/aws-ec2-autoscaling-dual-subnet/README.md

@@ -19,6 +19,7 @@ This module creates the following:
 
 ## Considerations
 
+- The Auto Scaling Group does not define an `instance_refresh` policy as the ASG cannot do a rolling restart with externally manaaged network interfaces (ENIs) as required by this configuration. To update instances to the latest launch template, terminate instances in the ASG in the AWS Console or programmatically. This will release the ENI so the replacement instance can use it.
 - Any advertised routes and exit nodes must still be approved in the Tailscale Admin Console. The code can be updated to use [Auto Approvers for routes](https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes) if this is configured in your ACLs.
 
 ## To use

terraform/aws/aws-ec2-autoscaling/README.md

@@ -9,6 +9,7 @@ This example creates the following:
 
 ## Considerations
 
+- The Auto Scaling Group does not define an `instance_refresh` policy as the ASG cannot do a rolling restart with externally manaaged network interfaces (ENIs) as required by this configuration. To update instances to the latest launch template, terminate instances in the ASG in the AWS Console or programmatically. This will release the ENI so the replacement instance can use it.
 - Any advertised routes and exit nodes must still be approved in the Tailscale Admin Console. The code can be updated to use [Auto Approvers for routes](https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes) if this is configured in your ACLs.
 
 ## To use

terraform/aws/internal-modules/aws-ec2-autoscaling/main.tf

@@ -53,8 +53,11 @@ resource "aws_launch_template" "tailscale" {
   instance_type = var.instance_type
   key_name      = var.instance_key_name
 
-  iam_instance_profile {
-    name = var.instance_profile_name
+  dynamic "iam_instance_profile" {
+    for_each = var.instance_profile_name != "" ? [1] : []
+    content {
+      name = var.instance_profile_name
+    }
   }
 
   metadata_options {
@@ -63,6 +66,7 @@ resource "aws_launch_template" "tailscale" {
   }
 
   dynamic "network_interfaces" {
+    # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/scenarios-enis.html#creating-dual-homed-instances-with-workloads-roles-on-distinct-subnets
     for_each = var.network_interfaces
     content {
       delete_on_termination = false
@@ -96,15 +100,20 @@ resource "aws_autoscaling_group" "tailscale" {
   availability_zones = [data.aws_network_interface.selected[0].availability_zone]
 
   desired_capacity = 1
-  min_size         = 1
-  max_size         = 2
+  min_size         = 0
+  max_size         = 1
+
+  /**
+   * Uncomment to allow ASG to replace the instance. It will take several minutes as the ASG 
+   * will try to launch a replacement instance before ENIs have been released.
 
   instance_refresh {
     strategy = "Rolling"
     preferences {
-      min_healthy_percentage = 50
+      min_healthy_percentage = 0
     }
   }
+  */
 
   health_check_grace_period = 300
   health_check_type         = "EC2"

terraform/aws/internal-modules/aws-ec2-autoscaling/variables.tf

@@ -20,7 +20,7 @@ variable "instance_key_name" {
 }
 variable "instance_profile_name" {
   type    = string
-  default = null
+  default = ""
 }
 variable "instance_metadata_options" {
   type = map(string)