Add nat-instance (#51)

aknysh · web-flow · commit b622cfcb0d7b · 2019-06-05T21:49:39.000-04:00
* Add `nat-instance`

* Pin terraform `required_version`

* Update README

* Pin aws provider

* Update `aws_security_group_rule`
diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2017-2018 Cloud Posse, LLC
+   Copyright 2017-2019 Cloud Posse, LLC
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
@@ -45,6 +45,11 @@ We literally have [*hundreds of terraform modules*][terraform_modules] that are
 
 ## Usage
 
+
+**IMPORTANT:** The `master` branch is used in `source` just as an example. In your code, do not pin to `master` because there may be breaking changes between releases.
+Instead pin to the release tag (e.g. `?ref=tags/x.y.z`) of one of our [latest releases](https://github.com/cloudposse/terraform-aws-dynamic-subnets/releases).
+
+
 ```hcl
 module "subnets" {
   source              = "git::https://github.com/cloudposse/terraform-aws-dynamic-subnets.git?ref=master"
@@ -156,10 +161,12 @@ Available targets:
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name`, and `attributes` | string | `-` | no |
 | igw_id | Internet Gateway ID the public route table will point to (e.g. `igw-9c26a123`) | string | - | yes |
 | map_public_ip_on_launch | Instances launched into a public subnet should be assigned a public IP address | string | `true` | no |
-| max_subnet_count | Sets the maximum amount of subnets to deploy.  0 will deploy a subnet for every availablility zone within the region | string | `0` | no |
+| max_subnet_count | Sets the maximum amount of subnets to deploy.  0 will deploy a subnet for every provided availablility zone (in `availability_zones` variable) within the region | string | `0` | no |
 | name | Name (e.g. `app`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
-| nat_gateway_enabled | Flag to enable/disable NAT gateways for private subnets | string | `true` | no |
+| nat_gateway_enabled | Flag to enable/disable NAT Gateways to allow servers in the private subnets to access the Internet | string | `true` | no |
+| nat_instance_enabled | Flag to enable/disable NAT Instances to allow servers in the private subnets to access the Internet | string | `false` | no |
+| nat_instance_type | NAT Instance type | string | `t3.micro` | no |
 | private_network_acl_id | Network ACL ID that will be added to private subnets. If empty, a new ACL will be created | string | `` | no |
 | public_network_acl_id | Network ACL ID that will be added to public subnets. If empty, a new ACL will be created | string | `` | no |
 | region | AWS Region (e.g. `us-east-1`) | string | - | yes |
@@ -174,13 +181,14 @@ Available targets:
 | Name | Description |
 |------|-------------|
 | availability_zones | List of Availability Zones where subnets were created |
-| nat_gateway_ids | AWS IDs of the NAT gateways created |
-| private_route_table_ids | AWS IDs of the created private route tables |
+| nat_gateway_ids | IDs of the NAT Gateways created |
+| nat_instance_ids | IDs of the NAT Instances created |
+| private_route_table_ids | IDs of the created private route tables |
 | private_subnet_cidrs | CIDR blocks of the created private subnets |
-| private_subnet_ids | AWS IDs of the created private subnets |
-| public_route_table_ids | AWS IDs of the created public route tables |
+| private_subnet_ids | IDs of the created private subnets |
+| public_route_table_ids | IDs of the created public route tables |
 | public_subnet_cidrs | CIDR blocks of the created public subnets |
-| public_subnet_ids | AWS IDs of the created public subnets |
+| public_subnet_ids | IDs of the created public subnets |
 
 
 
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -8,10 +8,12 @@
 | delimiter | Delimiter to be used between `namespace`, `stage`, `name`, and `attributes` | string | `-` | no |
 | igw_id | Internet Gateway ID the public route table will point to (e.g. `igw-9c26a123`) | string | - | yes |
 | map_public_ip_on_launch | Instances launched into a public subnet should be assigned a public IP address | string | `true` | no |
-| max_subnet_count | Sets the maximum amount of subnets to deploy.  0 will deploy a subnet for every availablility zone within the region | string | `0` | no |
+| max_subnet_count | Sets the maximum amount of subnets to deploy.  0 will deploy a subnet for every provided availablility zone (in `availability_zones` variable) within the region | string | `0` | no |
 | name | Name (e.g. `app`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
-| nat_gateway_enabled | Flag to enable/disable NAT gateways for private subnets | string | `true` | no |
+| nat_gateway_enabled | Flag to enable/disable NAT Gateways to allow servers in the private subnets to access the Internet | string | `true` | no |
+| nat_instance_enabled | Flag to enable/disable NAT Instances to allow servers in the private subnets to access the Internet | string | `false` | no |
+| nat_instance_type | NAT Instance type | string | `t3.micro` | no |
 | private_network_acl_id | Network ACL ID that will be added to private subnets. If empty, a new ACL will be created | string | `` | no |
 | public_network_acl_id | Network ACL ID that will be added to public subnets. If empty, a new ACL will be created | string | `` | no |
 | region | AWS Region (e.g. `us-east-1`) | string | - | yes |
@@ -26,11 +28,12 @@
 | Name | Description |
 |------|-------------|
 | availability_zones | List of Availability Zones where subnets were created |
-| nat_gateway_ids | AWS IDs of the NAT gateways created |
-| private_route_table_ids | AWS IDs of the created private route tables |
+| nat_gateway_ids | IDs of the NAT Gateways created |
+| nat_instance_ids | IDs of the NAT Instances created |
+| private_route_table_ids | IDs of the created private route tables |
 | private_subnet_cidrs | CIDR blocks of the created private subnets |
-| private_subnet_ids | AWS IDs of the created private subnets |
-| public_route_table_ids | AWS IDs of the created public route tables |
+| private_subnet_ids | IDs of the created private subnets |
+| public_route_table_ids | IDs of the created public route tables |
 | public_subnet_cidrs | CIDR blocks of the created public subnets |
-| public_subnet_ids | AWS IDs of the created public subnets |
+| public_subnet_ids | IDs of the created public subnets |
 
diff --git a/main.tf b/main.tf
@@ -1,5 +1,14 @@
+# Pin the `aws` provider
+# https://www.terraform.io/docs/configuration/providers.html
+# Any non-beta version >= 2.12.0 and < 2.13.0, e.g. 2.12.X
+provider "aws" {
+  version = "~> 2.12.0"
+}
+
+# Terraform
+#--------------------------------------------------------------
 terraform {
-  required_version = ">= 0.10.2"
+  required_version = "~> 0.11.0"
 }
 
 # Get object aws_vpc by vpc_id
diff --git a/nat-gateway.tf b/nat-gateway.tf
diff --git a/nat-instance.tf b/nat-instance.tf
@@ -0,0 +1,93 @@
+module "nat_instance_label" {
+  source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+  namespace  = "${var.namespace}"
+  stage      = "${var.stage}"
+  name       = "${var.name}"
+  delimiter  = "${var.delimiter}"
+  attributes = "${compact(concat(var.attributes,list("nat", "instance")))}"
+  tags       = "${var.tags}"
+}
+
+locals {
+  nat_instance_enabled = "${var.nat_instance_enabled == "true" ? true : false}"
+  nat_instance_count   = "${local.nat_instance_enabled ? length(var.availability_zones) : 0}"
+  cidr_block           = "${var.cidr_block != "" ? var.cidr_block : data.aws_vpc.default.cidr_block}"
+}
+
+resource "aws_security_group" "nat_instance" {
+  count       = "${local.nat_instance_enabled ? 1 : 0}"
+  name        = "${module.nat_instance_label.id}"
+  description = "Security Group for NAT Instance"
+  vpc_id      = "${var.vpc_id}"
+  tags        = "${module.nat_instance_label.tags}"
+}
+
+resource "aws_security_group_rule" "nat_instance_egress" {
+  count             = "${local.nat_instance_enabled ? 1 : 0}"
+  description       = "Allow all egress traffic"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = "${join("", aws_security_group.nat_instance.*.id)}"
+  type              = "egress"
+}
+
+resource "aws_security_group_rule" "nat_instance_ingress" {
+  count             = "${local.nat_instance_enabled ? 1 : 0}"
+  description       = "Allow ingress traffic from the VPC CIDR block"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["${local.cidr_block}"]
+  security_group_id = "${join("", aws_security_group.nat_instance.*.id)}"
+  type              = "ingress"
+}
+
+// aws --region us-west-2 ec2 describe-images --owners amazon --filters Name="name",Values="amzn-ami-vpc-nat*" Name="virtualization-type",Values="hvm"
+data "aws_ami" "nat_instance" {
+  count       = "${local.nat_instance_enabled ? 1 : 0}"
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-vpc-nat*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["amazon"]
+}
+
+// https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
+// https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
+// https://dzone.com/articles/nat-instance-vs-nat-gateway
+resource "aws_instance" "nat_instance" {
+  count                  = "${local.nat_instance_count}"
+  ami                    = "${join("", data.aws_ami.nat_instance.*.id)}"
+  instance_type          = "${var.nat_instance_type}"
+  subnet_id              = "${element(aws_subnet.public.*.id, count.index)}"
+  vpc_security_group_ids = ["${aws_security_group.nat_instance.id}"]
+  tags                   = "${merge(module.nat_instance_label.tags, map("Name",format("%s%s%s", module.nat_label.id, var.delimiter, replace(element(var.availability_zones, count.index),"-",var.delimiter))))}"
+
+  # Required by NAT
+  # https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
+  source_dest_check = false
+
+  associate_public_ip_address = true
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_route" "nat_instance" {
+  count                  = "${local.nat_instance_count}"
+  route_table_id         = "${element(aws_route_table.private.*.id, count.index)}"
+  instance_id            = "${element(aws_instance.nat_instance.*.id, count.index)}"
+  destination_cidr_block = "0.0.0.0/0"
+  depends_on             = ["aws_route_table.private"]
+}
diff --git a/outputs.tf b/outputs.tf
@@ -1,10 +1,10 @@
 output "public_subnet_ids" {
-  description = "AWS IDs of the created public subnets"
+  description = "IDs of the created public subnets"
   value       = ["${aws_subnet.public.*.id}"]
 }
 
 output "private_subnet_ids" {
-  description = "AWS IDs of the created private subnets"
+  description = "IDs of the created private subnets"
   value       = ["${aws_subnet.private.*.id}"]
 }
 
@@ -19,20 +19,25 @@ output "private_subnet_cidrs" {
 }
 
 output "public_route_table_ids" {
-  description = "AWS IDs of the created public route tables"
+  description = "IDs of the created public route tables"
   value       = ["${aws_route_table.public.*.id}"]
 }
 
 output "private_route_table_ids" {
-  description = "AWS IDs of the created private route tables"
+  description = "IDs of the created private route tables"
   value       = ["${aws_route_table.private.*.id}"]
 }
 
 output "nat_gateway_ids" {
-  description = "AWS IDs of the NAT gateways created"
+  description = "IDs of the NAT Gateways created"
   value       = ["${aws_nat_gateway.default.*.id}"]
 }
 
+output "nat_instance_ids" {
+  description = "IDs of the NAT Instances created"
+  value       = ["${aws_instance.nat_instance.*.id}"]
+}
+
 output "availability_zones" {
   description = "List of Availability Zones where subnets were created"
   value       = "${var.availability_zones}"
diff --git a/variables.tf b/variables.tf
@@ -43,7 +43,7 @@ variable "region" {
 
 variable "max_subnet_count" {
   default     = 0
-  description = "Sets the maximum amount of subnets to deploy.  0 will deploy a subnet for every availablility zone within the region"
+  description = "Sets the maximum amount of subnets to deploy.  0 will deploy a subnet for every provided availablility zone (in `availability_zones` variable) within the region"
 }
 
 variable "vpc_id" {
@@ -82,10 +82,20 @@ variable "private_network_acl_id" {
 }
 
 variable "nat_gateway_enabled" {
-  description = "Flag to enable/disable NAT gateways for private subnets"
+  description = "Flag to enable/disable NAT Gateways to allow servers in the private subnets to access the Internet"
   default     = "true"
 }
 
+variable "nat_instance_enabled" {
+  description = "Flag to enable/disable NAT Instances to allow servers in the private subnets to access the Internet"
+  default     = "false"
+}
+
+variable "nat_instance_type" {
+  description = "NAT Instance type"
+  default     = "t3.micro"
+}
+
 variable "map_public_ip_on_launch" {
   default     = "true"
   description = "Instances launched into a public subnet should be assigned a public IP address"
