A Terraform module for deploying NAT Instances using fck-nat. The (f)easible (c)ost (k)onfigurable NAT! The following is a list of features available with this module:
- High-availability mode achieved through a floating internal ENI automatically attached to instances being started by an ASG
- Optional consistent static IP via EIP re-attachment to the internet facing ENI
- Cloudwatch metrics reported similar to those available with the managed NAT Gateway
- Use of spot instances instead of on-demand for reduced costs
module "fck-nat" {
source = "git::https://github.com/RaJiska/terraform-aws-fck-nat.git"
name = "my-fck-nat"
vpc_id = "vpc-abc1234"
subnet_id = "subnet-abc1234"
# ha_mode = true # Enables high-availability mode
# eip_allocation_ids = ["eipalloc-abc1234"] # Allocation ID of an existing EIP
# use_cloudwatch_agent = true # Enables Cloudwatch agent and have metrics reported
update_route_tables = true
route_tables_ids = {
"your-rtb-name-A" = "rtb-abc1234Foo"
"your-rtb-name-B" = "rtb-abc1234Bar"
}
}
Name | Version |
---|---|
terraform | ~> 1.3 |
aws | >= 4.0 |
Name | Version |
---|---|
aws | >= 4.0 |
Name | Type |
---|---|
aws_autoscaling_group.main | resource |
aws_iam_instance_profile.main | resource |
aws_iam_policy.main | resource |
aws_iam_role.main | resource |
aws_iam_role_policy_attachment.main | resource |
aws_instance.main | resource |
aws_launch_template.main | resource |
aws_network_interface.main | resource |
aws_route.main | resource |
aws_security_group.main | resource |
aws_ssm_parameter.cloudwatch_agent_config | resource |
aws_ami.main | data source |
aws_arn.ssm_param | data source |
aws_caller_identity.current | data source |
aws_iam_policy_document.instance_assume_role_policy | data source |
aws_iam_policy_document.main | data source |
aws_region.current | data source |
aws_vpc.main | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_security_group_ids | A list of identifiers of security groups to be added for the NAT instance | list(string) |
[] |
no |
ami_id | AMI to use for the NAT instance. Uses fck-nat latest AMI in the region if none provided | string |
null |
no |
attach_ssm_policy | Whether to attach the minimum required IAM permissions to connect to the instance via SSM. | bool |
true |
no |
cloudwatch_agent_configuration | CloudWatch configuration for the NAT instance | object({ |
{ |
no |
cloudwatch_agent_configuration_param_arn | ARN of the SSM parameter containing the CloudWatch agent configuration. If none provided, creates one | string |
null |
no |
ebs_root_volume_size | Size of the EBS root volume in GB | number |
8 |
no |
eip_allocation_ids | EIP allocation IDs to use for the NAT instance. Automatically assign a public IP if none is provided. Note: Currently only supports at most one EIP allocation. | list(string) |
[] |
no |
encryption | Whether or not to encrypt the EBS volume | bool |
true |
no |
ha_mode | Whether or not high-availability mode should be enabled via autoscaling group | bool |
true |
no |
instance_type | Instance type to use for the NAT instance | string |
"t4g.micro" |
no |
kms_key_id | Will use the provided KMS key ID to encrypt the EBS volume. Uses the default KMS key if none provided | string |
null |
no |
name | Name used for resources created within the module | string |
n/a | yes |
route_table_id | Deprecated. Use route_tables_ids instead | string |
null |
no |
route_tables_ids | Route tables to update. Only valid if update_route_tables is true | map(string) |
{} |
no |
ssh_cidr_blocks | CIDR blocks to allow SSH access to the NAT instance from | object({ |
{ |
no |
ssh_key_name | Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided | string |
null |
no |
subnet_id | Subnet ID to deploy the NAT instance into | string |
n/a | yes |
tags | Tags to apply to resources created within the module | map(string) |
{} |
no |
update_route_table | Deprecated. Use update_route_tables instead | bool |
false |
no |
update_route_tables | Whether or not to update the route tables with the NAT instance | bool |
false |
no |
use_cloudwatch_agent | Whether or not to enable CloudWatch agent for the NAT instance | bool |
false |
no |
use_default_security_group | Whether or not to use the default security group for the NAT instance | bool |
true |
no |
use_spot_instances | Whether or not to use spot instances for running the NAT instance | bool |
false |
no |
use_ssh | Whether or not to enable SSH access to the NAT instance | bool |
false |
no |
vpc_id | VPC ID to deploy the NAT instance into | string |
n/a | yes |
Name | Description |
---|---|
ami_id | AMI to use for the NAT instance. Uses fck-nat latest arm64 AMI in the region if none provided |
autoscaling_group_arn | The ARN of the autoscaling group if running in HA mode |
cw_agent_config_ssm_parameter_arn | The ARN of the SSM parameter containing the Cloudwatch agent config |
encryption | Whether or not fck-nat instance EBS volumes are encrypted |
eni_arn | The ARN of the static ENI used by the fck-nat instance |
eni_id | The ID of the static ENI used by the fck-nat instance |
ha_mode | Whether or not high-availability mode is enabled via autoscaling group |
instance_arn | The ARN of the fck-nat instance if running in non-HA mode |
instance_profile_arn | The ARN of the instance profile used by the fck-nat instance |
instance_public_ip | The public IP address of the fck-nat instance if running in non-HA mode |
instance_type | Instance type used for the fck-nat instance |
kms_key_id | KMS key ID to use for encrypting fck-nat instance EBS volumes |
launch_template_id | The ID of the launch template used to spawn fck-nat instances |
name | Name used for resources created within the module |
role_arn | The ARN of the role used by the fck-nat instance profile |
security_group_id | Deprecated. The ID of the security group used by fck-nat ENIs |
security_group_ids | List of security group IDs used by fck-nat ENIs |
subnet_id | Subnet ID to which the fck-nat instance is deployed into |
vpc_id | VPC ID to which the fck-nat instance is deployed into |