Initial commit

Author: int128

README.md

@@ -3,3 +3,16 @@
 This is a Terraform module which provisions a NAT instance using an auto scaling group and spot request.
 
 
+## How it works
+
+This provisions an EC2 instance for NAT.
+
+The instance does the following things on startup:
+
+1. Attach the ENI to `eth1`.
+1. Enable IP forwarding.
+1. Set to ignore ICMP redirect packets.
+1. Enable IP masquerade.
+1. Tear down `eth0`.
+
+See [init.sh](data/init.sh) for more.

data/init.sh

@@ -0,0 +1,20 @@
+#!/bin/bash -x
+
+# Attach the ENI
+region="$(/opt/aws/bin/ec2-metadata -z | sed 's/placement: \(.*\).$/\1/')"
+instance_id="$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)"
+aws --region "$region" ec2 attach-network-interface \
+    --instance-id "$instance_id" \
+    --device-index 1 \
+    --network-interface-id "${eni_id}"
+
+# Wait for network initialization
+sleep 10
+
+# Enable IP forwarding and NAT
+sysctl -q -w net.ipv4.ip_forward=1
+sysctl -q -w net.ipv4.conf.eth1.send_redirects=0
+iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
+
+# Switch the default route to eth1
+ip route del default dev eth0

main.tf

@@ -1,9 +1,13 @@
 resource "aws_security_group" "this" {
   name_prefix = var.name
   vpc_id      = var.vpc_id
+  description = "Security group for NAT instance ${var.name}"
+  tags = {
+    Name = "nat-instance-${var.name}"
+  }
 }
 
-resource "aws_security_group_rule" "this_egress" {
+resource "aws_security_group_rule" "egress" {
   security_group_id = aws_security_group.this.id
   type              = "egress"
   cidr_blocks       = ["0.0.0.0/0"]
@@ -12,7 +16,7 @@ resource "aws_security_group_rule" "this_egress" {
   protocol          = "tcp"
 }
 
-resource "aws_security_group_rule" "this_ingress" {
+resource "aws_security_group_rule" "ingress" {
   security_group_id = aws_security_group.this.id
   type              = "ingress"
   cidr_blocks       = var.private_subnets_cidr_blocks
@@ -21,15 +25,64 @@ resource "aws_security_group_rule" "this_ingress" {
   protocol          = "tcp"
 }
 
+resource "aws_security_group_rule" "ssh" {
+  count             = var.key_name == "" ? 0 : 1
+  security_group_id = aws_security_group.this.id
+  type              = "ingress"
+  cidr_blocks       = ["0.0.0.0/0"]
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+}
+
+resource "aws_network_interface" "this" {
+  security_groups   = [aws_security_group.this.id]
+  subnet_id         = var.public_subnet
+  source_dest_check = false
+  description       = "ENI for NAT instance ${var.name}"
+  tags = {
+    Name = "nat-instance-${var.name}"
+  }
+}
+
+resource "aws_eip" "this" {
+  network_interface = aws_network_interface.this.id
+  tags = {
+    Name = "nat-instance-${var.name}"
+  }
+}
+
+resource "aws_route" "this" {
+  count                  = length(var.private_route_table_ids)
+  route_table_id         = var.private_route_table_ids[count.index]
+  destination_cidr_block = "0.0.0.0/0"
+  network_interface_id   = aws_network_interface.this.id
+}
+
 resource "aws_launch_template" "this" {
   name_prefix = var.name
   image_id    = var.image_id
+  key_name    = var.key_name
+
   iam_instance_profile {
     arn = aws_iam_instance_profile.this.arn
   }
+
   network_interfaces {
     associate_public_ip_address = true
     security_groups             = [aws_security_group.this.id]
+    delete_on_termination       = true
+  }
+
+  user_data = base64encode(
+    templatefile("${path.module}/data/init.sh", {
+      eni_id = aws_network_interface.this.id
+    })
+  )
+
+  description = "Launch template for NAT instance ${var.name}"
+  tags = {
+    Name = "nat-instance-${var.name}"
   }
 }
 
@@ -38,7 +91,7 @@ resource "aws_autoscaling_group" "this" {
   desired_capacity    = 1
   min_size            = 1
   max_size            = 1
-  vpc_zone_identifier = var.public_subnets
+  vpc_zone_identifier = [var.public_subnet]
 
   mixed_instances_policy {
     instances_distribution {
@@ -58,6 +111,12 @@ resource "aws_autoscaling_group" "this" {
     }
   }
 
+  tag {
+    key                 = "Name"
+    value               = "nat-instance-${var.name}"
+    propagate_at_launch = true
+  }
+
   lifecycle {
     create_before_destroy = true
   }
@@ -86,7 +145,26 @@ resource "aws_iam_role" "this" {
 EOF
 }
 
-resource "aws_iam_role_policy_attachment" "this_ssm" {
+resource "aws_iam_role_policy_attachment" "ssm" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
   role       = aws_iam_role.this.name
 }
+
+resource "aws_iam_role_policy" "eni" {
+  role        = aws_iam_role.this.name
+  name_prefix = var.name
+  policy      = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AttachNetworkInterface"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}

variables.tf

@@ -6,29 +6,30 @@ variable "vpc_id" {
   description = "ID of the VPC"
 }
 
-variable "public_subnets" {
-  description = "List of ID of the public subnets"
+variable "public_subnet" {
+  description = "ID of the public subnet for the NAT instance"
 }
 
 variable "private_subnets_cidr_blocks" {
   description = "List of CIDR blocks of the private subnets"
 }
 
+variable "private_route_table_ids" {
+  default = []
+}
+
 variable "image_id" {
   description = "AMI of the NAT instance"
   # amzn-ami-vpc-nat-hvm-2018.03.0.20181116-x86_64-ebs
-  default = "ami-0b840e8a1ce4cdf15"
+  #default = "ami-0b840e8a1ce4cdf15"
+  # Amazon Linux 2 AMI (HVM), SSD Volume Type
+  default = "ami-04b762b4289fba92b"
 }
 
 variable "instance_types" {
   description = "Candidates of instance type of the NAT instance"
   default     = ["t3.nano", "t3a.nano"]
 }
 
-variable "volume_size" {
-  default = "8"
-}
-
-variable "volume_type" {
-  default = "gp2"
+variable "key_name" {
 }