slitsevych/terraform-aws-nat-instance


About

Terraform module to create NAT instances using launch templates & ASG.

The main objective is to create one NAT instance per route table supplied to the module. Example: you have created 3 private subnets without NAT gateways using the terraform-aws-modules/vpc/aws module, so by default you have a list of 3 route tables, one for each private subnet (per AZ), and you have 3 public subnets, each in its own AZ. By passing the list of public subnet IDs and route table IDs to this module, you get one NAT instance per route table, which is effectively 1 NAT instance per AZ.

The module uses an Ubuntu 22 AMI automatically configured to masquerade connections from your VPC CIDR block. By default the module uses the arm64 architecture and the t4g.nano instance type; in terms of cost-effectiveness this allows you to run 3 NAT instances for just $9 per month in total.

NOTES:

  • If the length of public_subnet_ids is not equal to the length of private_route_table_ids (e.g. 1 route table and 3 public subnets), the module automatically takes the smaller of the two numbers (in this example, 1) and thus creates resources for 1 NAT instance.

  • The module does not add SSH keys to the instances, and its userdata script disables the SSH daemon. Instead it assigns an SSM role to the instance (the AMI already ships with ssm-agent), so use the SSM Connect feature if you need to get into the instance's shell. The module can either create a new IAM role with SSM permissions or use an existing role supplied as var.aws_iam_instance_profile.

Usage

provider "aws" {
  region  = "us-east-2"
}

module "nat-instance" {
  source = "slitsevych/nat-instance/aws"

  public_subnet_ids        = module.vpc.public_subnets                     # required
  private_route_table_ids  = module.vpc.private_route_table_ids            # required
  security_groups          = [module.security_group_nat.security_group_id] # default is [] --> will be created by the module

  #name                     = "nat-instance" # default is "nat-instance"
  #instance_type            = "t4g.nano"     # default is "t4g.nano"
  #aws_iam_instance_profile = ""             # default is "" --> will be created by the module
  #ami                      = ""             # default is "" --> will be evaluated by the module
  
  tags = {
    Env = "common"
  }

  depends_on = [module.vpc] # VPC created with terraform-aws-modules/vpc/aws; the dependency is already implicit via the module outputs, so this line is not necessary and is shown only for information
}
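A fuller configuration, added here as an example and not taken from the module's README, wiring the module to a VPC built with terraform-aws-modules/vpc/aws (managed NAT gateways disabled) and to a security group created outside the module that only admits traffic originating inside the VPC; the VPC name, CIDR blocks and AZs are assumed sample values:

```hcl
provider "aws" {
  region = "us-east-2"
}

# Assumed sample VPC: three public and three private subnets, one pair per AZ.
# Managed NAT gateways are disabled so the NAT instances take their place.
module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "nat-instance-example"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-2a", "us-east-2b", "us-east-2c"]
  public_subnets  = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
  private_subnets = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]

  enable_nat_gateway = false # NAT is provided by the instances below
}

# Security group created outside the module: only hosts inside the VPC CIDR
# may send traffic through the NAT instances; nothing on the internet can
# initiate a connection to them.
module "security_group_nat" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "5.1.0"

  name   = "nat-instance"
  vpc_id = module.vpc.vpc_id

  ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
  ingress_rules       = ["all-all"]
  egress_rules        = ["all-all"]
}

module "nat_instance" {
  source = "slitsevych/nat-instance/aws"

  # 3 public subnets and 3 private route tables -> min(3, 3) = 3 NAT instances,
  # one per AZ, each routing the private subnet of its own AZ
  public_subnet_ids       = module.vpc.public_subnets
  private_route_table_ids = module.vpc.private_route_table_ids
  security_groups         = [module.security_group_nat.security_group_id]

  tags = {
    Env = "common"
  }
}
```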

Requirements

Name      | Version
terraform | >= 1.5.0
aws       | >= 5.0

Providers

Name | Version
aws  | >= 5.0

Modules

Name               | Source                                   | Version
security_group_nat | terraform-aws-modules/security-group/aws | 5.1.0

Resources

Name                                             | Type
aws_autoscaling_group.nat_instance               | resource
aws_eip.public_ip                                | resource
aws_iam_instance_profile.ssm_profile             | resource
aws_iam_role.ec2_ssm_role                        | resource
aws_iam_role_policy_attachment.ssm_policy_attach | resource
aws_launch_template.nat_instance                 | resource
aws_network_interface.nat                        | resource
aws_route.internet                               | resource
aws_ami.nat                                      | data source
aws_iam_policy_document.assume_role              | data source
aws_region.current                               | data source
aws_subnet.nat_all                               | data source
aws_subnet.nat_single                            | data source
aws_vpc.vpc                                      | data source

Inputs

Name                     | Description                                                         | Type         | Default        | Required
ami                      | AMI for NAT instance                                                | string       | ""             | no
aws_iam_instance_profile | Name of IAM instance profile to assign to EC2 instance              | string       | ""             | no
instance_type            | NAT instance type (defaults to ARM-based)                           | string       | "t4g.nano"     | no
name                     | General name for resources                                          | string       | "nat-instance" | no
private_route_table_ids  | List of private route table IDs for which we will create NAT rules  | list(string) | n/a            | yes
public_subnet_ids        | List of public subnet IDs in which we will create NAT instances     | list(string) | n/a            | yes
security_groups          | List of security groups created outside of the module to attach     | list(string) | []             | no
tags                     | A map of tags to add to all resources                               | map(any)     | {}             | no

Outputs

Name                  | Description
autoscaling_group_ids | n/a
azs                   | n/a
eip                   | n/a
elastic_ips           | n/a
eni_ids               | n/a
launch_template_ids   | n/a
network_interface_id  | n/a
route_ids             | n/a
