Skip to content

RaJiska/terraform-aws-fck-nat

Repository files navigation

Terraform fck-nat

Introduction

A Terraform module for deploying NAT Instances using fck-nat. The (f)easible (c)ost (k)onfigurable NAT! The following is a list of features available with this module:

  • High-availability mode achieved through a floating internal ENI automatically attached to instances being started by an ASG
  • Optional consistent static IP via EIP re-attachment to the internet facing ENI
  • Cloudwatch metrics reported similar to those available with the managed NAT Gateway
  • Use of spot instances instead of on-demand for reduced costs

Example

module "fck-nat" {
  source = "git::https://github.com/RaJiska/terraform-aws-fck-nat.git"

  name                 = "my-fck-nat"
  vpc_id               = "vpc-abc1234"
  subnet_id            = "subnet-abc1234"
  # ha_mode              = true                 # Enables high-availability mode
  # eip_allocation_ids   = ["eipalloc-abc1234"] # Allocation ID of an existing EIP
  # use_cloudwatch_agent = true                 # Enables Cloudwatch agent and have metrics reported

  update_route_tables = true
  route_tables_ids = {
    "your-rtb-name-A" = "rtb-abc1234Foo"
    "your-rtb-name-B" = "rtb-abc1234Bar"
  }
}

Requirements

Name Version
terraform ~> 1.3
aws >= 4.0

Providers

Name Version
aws >= 4.0

Resources

Name Type
aws_autoscaling_group.main resource
aws_iam_instance_profile.main resource
aws_iam_policy.main resource
aws_iam_role.main resource
aws_iam_role_policy_attachment.main resource
aws_instance.main resource
aws_launch_template.main resource
aws_network_interface.main resource
aws_route.main resource
aws_security_group.main resource
aws_ssm_parameter.cloudwatch_agent_config resource
aws_ami.main data source
aws_arn.ssm_param data source
aws_caller_identity.current data source
aws_iam_policy_document.instance_assume_role_policy data source
aws_iam_policy_document.main data source
aws_region.current data source
aws_vpc.main data source

Inputs

Name Description Type Default Required
additional_security_group_ids A list of identifiers of security groups to be added for the NAT instance list(string) [] no
ami_id AMI to use for the NAT instance. Uses fck-nat latest AMI in the region if none provided string null no
attach_ssm_policy Whether to attach the minimum required IAM permissions to connect to the instance via SSM. bool true no
cloudwatch_agent_configuration CloudWatch configuration for the NAT instance
object({
namespace = optional(string, "fck-nat"),
collection_interval = optional(number, 60),
endpoint_override = optional(string, "")
})
{
"collection_interval": 60,
"endpoint_override": "",
"namespace": "fck-nat"
}
no
cloudwatch_agent_configuration_param_arn ARN of the SSM parameter containing the CloudWatch agent configuration. If none provided, creates one string null no
ebs_root_volume_size Size of the EBS root volume in GB number 8 no
eip_allocation_ids EIP allocation IDs to use for the NAT instance. Automatically assign a public IP if none is provided. Note: Currently only supports at most one EIP allocation. list(string) [] no
encryption Whether or not to encrypt the EBS volume bool true no
ha_mode Whether or not high-availability mode should be enabled via autoscaling group bool true no
instance_type Instance type to use for the NAT instance string "t4g.micro" no
kms_key_id Will use the provided KMS key ID to encrypt the EBS volume. Uses the default KMS key if none provided string null no
name Name used for resources created within the module string n/a yes
route_table_id Deprecated. Use route_tables_ids instead string null no
route_tables_ids Route tables to update. Only valid if update_route_tables is true map(string) {} no
ssh_cidr_blocks CIDR blocks to allow SSH access to the NAT instance from
object({
ipv4 = optional(list(string), [])
ipv6 = optional(list(string), [])
})
{
"ipv4": [],
"ipv6": []
}
no
ssh_key_name Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided string null no
subnet_id Subnet ID to deploy the NAT instance into string n/a yes
tags Tags to apply to resources created within the module map(string) {} no
update_route_table Deprecated. Use update_route_tables instead bool false no
update_route_tables Whether or not to update the route tables with the NAT instance bool false no
use_cloudwatch_agent Whether or not to enable CloudWatch agent for the NAT instance bool false no
use_default_security_group Whether or not to use the default security group for the NAT instance bool true no
use_spot_instances Whether or not to use spot instances for running the NAT instance bool false no
use_ssh Whether or not to enable SSH access to the NAT instance bool false no
vpc_id VPC ID to deploy the NAT instance into string n/a yes

Outputs

Name Description
ami_id AMI to use for the NAT instance. Uses fck-nat latest arm64 AMI in the region if none provided
autoscaling_group_arn The ARN of the autoscaling group if running in HA mode
cw_agent_config_ssm_parameter_arn The ARN of the SSM parameter containing the Cloudwatch agent config
encryption Whether or not fck-nat instance EBS volumes are encrypted
eni_arn The ARN of the static ENI used by the fck-nat instance
eni_id The ID of the static ENI used by the fck-nat instance
ha_mode Whether or not high-availability mode is enabled via autoscaling group
instance_arn The ARN of the fck-nat instance if running in non-HA mode
instance_profile_arn The ARN of the instance profile used by the fck-nat instance
instance_public_ip The public IP address of the fck-nat instance if running in non-HA mode
instance_type Instance type used for the fck-nat instance
kms_key_id KMS key ID to use for encrypting fck-nat instance EBS volumes
launch_template_id The ID of the launch template used to spawn fck-nat instances
name Name used for resources created within the module
role_arn The ARN of the role used by the fck-nat instance profile
security_group_id Deprecated. The ID of the security group used by fck-nat ENIs
security_group_ids List of security group IDs used by fck-nat ENIs
subnet_id Subnet ID to which the fck-nat instance is deployed into
vpc_id VPC ID to which the fck-nat instance is deployed into