From 3b7ef9ea978227055c655b12ccd2445764e0a186 Mon Sep 17 00:00:00 2001
From: darenmcgill
Date: Sun, 5 Feb 2023 10:57:00 -0700
Subject: [PATCH 01/10] Changing security rules

---
 main.tf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/main.tf b/main.tf
index 5d9beb7..ce5e93c 100644
--- a/main.tf
+++ b/main.tf
@@ -10,8 +10,8 @@ resource "aws_security_group_rule" "egress" {
 type = "egress"
 cidr_blocks = ["0.0.0.0/0"]
 from_port = 0
- to_port = 65535
- protocol = "tcp"
+ to_port = 0
+ protocol = "-1"
 }
 
 resource "aws_security_group_rule" "ingress_any" {
@@ -19,8 +19,8 @@ resource "aws_security_group_rule" "ingress_any" {
 type = "ingress"
 cidr_blocks = var.private_subnets_cidr_blocks
 from_port = 0
- to_port = 65535
- protocol = "all"
+ to_port = 0
+ protocol = "-1"
 }
 
 resource "aws_network_interface" "this" {

From df58b79787bb3b124be0c9b2b17d018ce4c781cc Mon Sep 17 00:00:00 2001
From: darenmcgill
Date: Mon, 3 Apr 2023 14:40:51 -0600
Subject: [PATCH 02/10] changing instance types to t4g and t3a

---
 variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/variables.tf b/variables.tf
index 21b2abf..02280b3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -39,7 +39,7 @@ variable "image_id" {
 variable "instance_types" {
 description = "Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy"
 type = list(string)
- default = ["t3.nano", "t3a.nano"]
+ default = ["t4g.nano", "t3a.nano"]
 }
 
 variable "use_spot_instance" {

From bd2c80236679d0ca29aaac2b80270a39e22c2e1d Mon Sep 17 00:00:00 2001
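Review bot: The egress rule now permits every IP protocol to 0.0.0.0/0 instead of TCP only, and nothing in the hunk records why; a NAT instance has to forward whatever UDP and ICMP its private subnets send, so the widening is presumably intentional, but an unexplained all-traffic rule is exactly what a policy scanner will flag on this module. A one-line comment above `protocol = "-1"` such as `# forwarded traffic from the private subnets can be any protocol, so the NAT egress rule cannot be limited to TCP` would settle that for future readers. The `to_port = 0` / `protocol = "-1"` pairing here and in the `ingress_any` hunk is the form the provider expects when all protocols are selected, so that part of the change looks right; the `security_group_id` these rules attach to is outside both hunks.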
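Review bot: The new default mixes an arm64 type (t4g.nano) with an x86_64 type (t3a.nano) while the launch template takes a single AMI whose lookup, at this point in the series, is filtered to `architecture = x86_64` (the `values = ["x86_64"]` line removed in the next patch shows it); a t4g.nano launch from that AMI cannot succeed, so the mixed instances policy would only ever be able to place the t3a.nano candidate and every t4g attempt would surface as an ASG launch failure. Keep the default list to one architecture, e.g. `default = ["t3a.nano"]` or `default = ["t4g.nano"]`, and extend the description with the constraint that every entry must match the architecture of the AMI the launch template uses.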
From: darenmcgill Date: Thu, 6 Apr 2023 15:13:57 -0600 Subject: [PATCH 03/10] changing instance types to t4g and changed default to a on-demand instance and not a spot instance --- README.md | 37 +++++++++++++++----------- main.tf | 20 +------------- runonce.sh | 11 ++++---- snat.service | 4 ++- snat.sh | 74 ++++++++++++++++++++++++++++++++++++++++------------ variables.tf | 8 +++++- 6 files changed, 96 insertions(+), 58 deletions(-) diff --git a/README.md b/README.md index 4ccb2f4..c33fa24 100644 --- a/README.md +++ b/README.md @@ -144,6 +144,13 @@ Move "module.nat.aws_eip.this" to "aws_eip.nat" Successfully moved 1 object(s). ``` +## Changes for latest version + +Default is on-demand and not a spot instance. Also instance type is default t4g.nano to change this you need to add + + +instance_types = ["t3.nano"] +architecture = ["x86_64"] ## Contributions @@ -163,22 +170,22 @@ No requirements. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [enabled](#input\_enabled) | Enable or not costly resources | `bool` | `true` | no | -| [image\_id](#input\_image\_id) | AMI of the NAT instance. Default to the latest Amazon Linux 2 | `string` | `""` | no | -| [instance\_types](#input\_instance\_types) | Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy | `list(string)` |
[
"t3.nano",
"t3a.nano"
]
| no | -| [key\_name](#input\_key\_name) | Name of the key pair for the NAT instance. You can set this to assign the key pair to the NAT instance | `string` | `""` | no | -| [name](#input\_name) | Name for all the resources as identifier | `string` | n/a | yes | -| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | List of ID of the route tables for the private subnets. You can set this to assign the each default route to the NAT instance | `list(string)` | `[]` | no | -| [private\_subnets\_cidr\_blocks](#input\_private\_subnets\_cidr\_blocks) | List of CIDR blocks of the private subnets. The NAT instance accepts connections from this subnets | `list(string)` | n/a | yes | -| [public\_subnet](#input\_public\_subnet) | ID of the public subnet to place the NAT instance | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------|------|----------------------------------------------------------|:--------:| +| [enabled](#input\_enabled) | Enable or not costly resources | `bool` | `true` | no | +| [image\_id](#input\_image\_id) | AMI of the NAT instance. Default to the latest Amazon Linux 2 | `string` | `""` | no | +| [instance\_types](#input\_instance\_types) | Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy | `list(string)` |
[
"t3.nano",
"t3a.nano"
]
| no | +| [key\_name](#input\_key\_name) | Name of the key pair for the NAT instance. You can set this to assign the key pair to the NAT instance | `string` | `""` | no | +| [name](#input\_name) | Name for all the resources as identifier | `string` | n/a | yes | +| [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | List of ID of the route tables for the private subnets. You can set this to assign the each default route to the NAT instance | `list(string)` | `[]` | no | +| [private\_subnets\_cidr\_blocks](#input\_private\_subnets\_cidr\_blocks) | List of CIDR blocks of the private subnets. The NAT instance accepts connections from this subnets | `list(string)` | n/a | yes | +| [public\_subnet](#input\_public\_subnet) | ID of the public subnet to place the NAT instance | `string` | n/a | yes | | [ssm\_policy\_arn](#input\_ssm\_policy\_arn) | SSM Policy to be attached to instance profile | `string` | `"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"` | no | -| [tags](#input\_tags) | Tags applied to resources created with this module | `map(string)` | `{}` | no | -| [use\_spot\_instance](#input\_use\_spot\_instance) | Whether to use spot or on-demand EC2 instance | `bool` | `true` | no | -| [user\_data\_runcmd](#input\_user\_data\_runcmd) | Additional runcmd section of cloud-init | `list(list(string))` | `[]` | no | -| [user\_data\_write\_files](#input\_user\_data\_write\_files) | Additional write\_files section of cloud-init | `list(any)` | `[]` | no | -| [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | n/a | yes | +| [tags](#input\_tags) | Tags applied to resources created with this module | `map(string)` | `{}` | no | +| [use\_spot\_instance](#input\_use\_spot\_instance) | Whether to use spot or on-demand EC2 instance | `bool` | `false` | no | +| [user\_data\_runcmd](#input\_user\_data\_runcmd) | Additional runcmd section of cloud-init | `list(list(string))` | `[]` | no | +| [user\_data\_write\_files](#input\_user\_data\_write\_files) | 
Additional write\_files section of cloud-init | `list(any)` | `[]` | no | +| [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | n/a | yes | ## Outputs diff --git a/main.tf b/main.tf index ce5e93c..b35241a 100644 --- a/main.tf +++ b/main.tf @@ -44,7 +44,7 @@ data "aws_ami" "this" { owners = ["amazon"] filter { name = "architecture" - values = ["x86_64"] + values = var.architecture } filter { name = "root-device-type" @@ -191,21 +191,3 @@ resource "aws_iam_role_policy_attachment" "ssm" { role = aws_iam_role.this.name } -resource "aws_iam_role_policy" "eni" { - role = aws_iam_role.this.name - name_prefix = var.name - policy = < $i; +done + +echo "Flushing NAT table..." +iptables -t nat -F -# switch the default route to eth1 -ip route del default dev eth0 +echo "Adding NAT rule..." +iptables -t nat -A POSTROUTING -o "$nat_interface" -j MASQUERADE -m comment --comment "NAT routing rule installed" -# wait for network connection -curl --retry 10 http://www.example.com +service iptables save -# reestablish connections -systemctl restart amazon-ssm-agent.service +echo "Done!" diff --git a/variables.tf b/variables.tf index 02280b3..5a28cfb 100644 --- a/variables.tf +++ b/variables.tf @@ -42,10 +42,16 @@ variable "instance_types" { default = ["t4g.nano", "t3a.nano"] } +variable "architecture" { + description = "Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy" + type = list(string) + default = ["arm64"] +} + variable "use_spot_instance" { description = "Whether to use spot or on-demand EC2 instance" type = bool - default = true + default = false } variable "key_name" { From 7065f9a83179ef7468a94736d583f06ebc9ef9d0 Mon Sep 17 00:00:00 2001 From: darenmcgill Date: Fri, 7 Apr 2023 09:08:39 -0600 Subject: [PATCH 04/10] reworking documentation --- README.md | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index c33fa24..d5f2fda 100644 --- a/README.md 
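Review bot: The description on the new `architecture` variable is copied verbatim from `instance_types` ("Candidates of spot instance type for the NAT instance...") and does not describe what the value does, which is to feed the `architecture` filter of the `aws_ami` lookup in main.tf (the first hunk of this patch). Replace it with something like `description = "CPU architecture filter for the NAT AMI lookup, e.g. [\"arm64\"] or [\"x86_64\"]; must match the architecture of every entry in instance_types"`. With the new `["arm64"]` default, the `t3a.nano` still listed in the `instance_types` default in the context line above is an x86_64 type that cannot launch from an arm64 AMI, so the two defaults disagree as of this commit; the README hunk in this patch also states that the default instance type is t4g.nano, which is only true once t3a.nano is dropped.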
+++ b/README.md @@ -144,12 +144,13 @@ Move "module.nat.aws_eip.this" to "aws_eip.nat" Successfully moved 1 object(s). ``` -## Changes for latest version +## Changes for latest version 3.0.0 Default is on-demand and not a spot instance. Also instance type is default t4g.nano to change this you need to add instance_types = ["t3.nano"] + architecture = ["x86_64"] ## Contributions @@ -170,22 +171,22 @@ No requirements. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|----------------------------------------------------------|:--------:| -| [enabled](#input\_enabled) | Enable or not costly resources | `bool` | `true` | no | -| [image\_id](#input\_image\_id) | AMI of the NAT instance. Default to the latest Amazon Linux 2 | `string` | `""` | no | -| [instance\_types](#input\_instance\_types) | Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy | `list(string)` |
[
"t3.nano",
"t3a.nano"
]
| no | -| [key\_name](#input\_key\_name) | Name of the key pair for the NAT instance. You can set this to assign the key pair to the NAT instance | `string` | `""` | no | -| [name](#input\_name) | Name for all the resources as identifier | `string` | n/a | yes | +| Name | Description | Type | Default | Required | +|------|-------------------------------------------------------------------------------------------------------------------------------|------|----------------------------------------------------------|:--------:| +| [enabled](#input\_enabled) | This variable is for enabling auto scaling desired capacity and minimum size in the auto scaling group. | `bool` | `true` | no | +| [image\_id](#input\_image\_id) | AMI of the NAT instance. Default to the latest Amazon Linux 2 | `string` | `""` | no | +| [instance\_types](#input\_instance\_types) | Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy | `list(string)` |
[
"t3.nano",
"t3a.nano"
]
| no | +| [key\_name](#input\_key\_name) | Name of the key pair for the NAT instance. You can set this to assign the key pair to the NAT instance | `string` | `""` | no | +| [name](#input\_name) | Name for all the resources as identifier | `string` | n/a | yes | | [private\_route\_table\_ids](#input\_private\_route\_table\_ids) | List of ID of the route tables for the private subnets. You can set this to assign the each default route to the NAT instance | `list(string)` | `[]` | no | -| [private\_subnets\_cidr\_blocks](#input\_private\_subnets\_cidr\_blocks) | List of CIDR blocks of the private subnets. The NAT instance accepts connections from this subnets | `list(string)` | n/a | yes | -| [public\_subnet](#input\_public\_subnet) | ID of the public subnet to place the NAT instance | `string` | n/a | yes | -| [ssm\_policy\_arn](#input\_ssm\_policy\_arn) | SSM Policy to be attached to instance profile | `string` | `"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"` | no | -| [tags](#input\_tags) | Tags applied to resources created with this module | `map(string)` | `{}` | no | -| [use\_spot\_instance](#input\_use\_spot\_instance) | Whether to use spot or on-demand EC2 instance | `bool` | `false` | no | -| [user\_data\_runcmd](#input\_user\_data\_runcmd) | Additional runcmd section of cloud-init | `list(list(string))` | `[]` | no | -| [user\_data\_write\_files](#input\_user\_data\_write\_files) | Additional write\_files section of cloud-init | `list(any)` | `[]` | no | -| [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | n/a | yes | +| [private\_subnets\_cidr\_blocks](#input\_private\_subnets\_cidr\_blocks) | List of CIDR blocks of the private subnets. 
The NAT instance accepts connections from this subnets | `list(string)` | n/a | yes | +| [public\_subnet](#input\_public\_subnet) | ID of the public subnet to place the NAT instance | `string` | n/a | yes | +| [ssm\_policy\_arn](#input\_ssm\_policy\_arn) | SSM Policy to be attached to instance profile | `string` | `"arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"` | no | +| [tags](#input\_tags) | Tags applied to resources created with this module | `map(string)` | `{}` | no | +| [use\_spot\_instance](#input\_use\_spot\_instance) | Whether to use spot or on-demand EC2 instance | `bool` | `false` | no | +| [user\_data\_runcmd](#input\_user\_data\_runcmd) | Additional runcmd section of cloud-init | `list(list(string))` | `[]` | no | +| [user\_data\_write\_files](#input\_user\_data\_write\_files) | Additional write\_files section of cloud-init | `list(any)` | `[]` | no | +| [vpc\_id](#input\_vpc\_id) | ID of the VPC | `string` | n/a | yes | ## Outputs From 666521ac8401fa0f3dbeed006f80979af5a167b9 Mon Sep 17 00:00:00 2001 From: darenmcgill Date: Fri, 7 Apr 2023 14:24:24 -0600 Subject: [PATCH 05/10] reworking documentation --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index b35241a..b89bf83 100644 --- a/main.tf +++ b/main.tf @@ -52,7 +52,7 @@ data "aws_ami" "this" { } filter { name = "name" - values = ["amzn2-ami-hvm-*"] + values = ["al2023-*"] } filter { name = "virtualization-type" @@ -60,7 +60,7 @@ data "aws_ami" "this" { } filter { name = "block-device-mapping.volume-type" - values = ["gp2"] + values = ["gp3"] } } From 6cf28c4b99fb25a29b8643eaf20f7a2bcfeb63c4 Mon Sep 17 00:00:00 2001 From: darenmcgill Date: Fri, 7 Apr 2023 14:34:27 -0600 Subject: [PATCH 06/10] removing the t3.nano from instance type. --- variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/variables.tf b/variables.tf index 5a28cfb..d55b40f 100644 --- a/variables.tf +++ b/variables.tf 
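Review bot: The AMI lookup now targets Amazon Linux 2023 (`al2023-*`), but the `image_id` input is still documented as "Default to the latest Amazon Linux 2" in the README table of the previous patch, and presumably in the variable's description that table is generated from; both should say which base image the NAT instance will boot. `al2023-*` is also a broad glob that matches any AMI name starting with that prefix, not only the base image, so depending on how this data source picks among matches (its `most_recent` setting is outside the hunk) the newest match may not be the plain AL2023 image; a tighter name pattern is safer. It is also worth confirming that the `iptables` and `service iptables save` calls in the user-data scripts added earlier in this series still work on AL2023, which may not install the same packages by default as Amazon Linux 2.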
@@ -39,7 +39,7 @@ variable "image_id" {
 variable "instance_types" {
 description = "Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy"
 type = list(string)
- default = ["t4g.nano", "t3a.nano"]
+ default = ["t4g.nano"]
 }
 
 variable "architecture" {

From c3e5a96327ab769402959ffae4e81855cc238046 Mon Sep 17 00:00:00 2001
From: darenmcgill
Date: Fri, 7 Apr 2023 15:26:39 -0600
Subject: [PATCH 07/10] changed network attachment

---
 main.tf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index b89bf83..7e3c797 100644
--- a/main.tf
+++ b/main.tf
@@ -79,9 +79,8 @@ resource "aws_launch_template" "this" {
 }
 
 network_interfaces {
- associate_public_ip_address = true
- security_groups = [aws_security_group.this.id]
- delete_on_termination = true
+ device_index = 0
+ network_interface_id = aws_network_interface.this.id
 }
 
 tag_specifications {

From 5494c6d385cb7d095cef06cde9fef013e490e3f5 Mon Sep 17 00:00:00 2001
From: darenmcgill
Date: Fri, 7 Apr 2023 15:32:29 -0600
Subject: [PATCH 08/10] changed network attachment

---
 main.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index 7e3c797..d0abe30 100644
--- a/main.tf
+++ b/main.tf
@@ -1,3 +1,7 @@
+data "aws_network_interface" "this" {
+ id = aws_network_interface.this.id
+}
+
 resource "aws_security_group" "this" {
 name_prefix = var.name
 vpc_id = var.vpc_id
@@ -123,7 +127,7 @@ resource "aws_autoscaling_group" "this" {
 desired_capacity = var.enabled ? 1 : 0
 min_size = var.enabled ? 1 : 0
 max_size = 1
- vpc_zone_identifier = [var.public_subnet]
+ availability_zones = [data.aws_network_interface.this.availability_zone]
 
 mixed_instances_policy {
 instances_distribution {

From 8f21ec062e0cebefac956e171e6062290e3c3477 Mon Sep 17 00:00:00 2001
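Review bot: Pinning `aws_network_interface.this.id` in the launch template drops the `security_groups = [aws_security_group.this.id]` line, so the instance's security groups are now whatever `aws_network_interface.this` was created with; that resource is outside the hunk, so confirm it lists `aws_security_group.this.id`, otherwise the egress and ingress rules defined in this module no longer apply to the NAT instance at all. A launch template that names an existing ENI can only ever produce one instance, which matches the `max_size = 1` seen in the next patch, but it also means a replacement launch may fail until the terminating instance has released the ENI. A comment on `network_interface_id`, e.g. `# one pre-created ENI => at most one instance; a replacement can only start once the old instance has released it`, would record both constraints where the next maintainer will look.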
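Review bot: The switch from `vpc_zone_identifier` to `availability_zones` in the second hunk is forced by the launch-template change in the previous patch — an Auto Scaling group whose launch template names an existing ENI has to be given an Availability Zone rather than a subnet, with the subnet coming from the ENI — but nothing in the hunk says so, and a later maintainer is likely to put the subnet back. Add a comment above `availability_zones`, e.g. `# the launch template pins an existing ENI, so the ASG must be given the AZ (not a subnet); the subnet is the ENI's`. The `data "aws_network_interface"` block added in the first hunk exists only to read that AZ back from a resource this same configuration creates; a `data "aws_subnet"` lookup on `var.public_subnet` exposes `availability_zone` too and would avoid the resource-then-data round trip, if that is preferred.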
From: Erik Jensen <365211+erikrj@users.noreply.github.com>
Date: Tue, 18 Apr 2023 17:24:38 -0600
Subject: [PATCH 09/10] Fixing AMI

---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/main.tf b/main.tf
index d0abe30..f4b0bc1 100644
--- a/main.tf
+++ b/main.tf
@@ -56,7 +56,7 @@ data "aws_ami" "this" {
 }
 filter {
 name = "name"
- values = ["al2023-*"]
+ values = ["al2023-ami-minimal*"]
 }
 filter {
 name = "virtualization-type"

From 1c6374aa45474074137d064d16d8a57091d9458b Mon Sep 17 00:00:00 2001
From: darenmcgill
Date: Mon, 31 Jul 2023 10:40:57 -0600
Subject: [PATCH 10/10] adding variable file to module

---
 version.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 version.tf

diff --git a/version.tf b/version.tf
new file mode 100644
index 0000000..734f855
--- /dev/null
+++ b/version.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13.1"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ }
+}
\ No newline at end of file
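Review bot: Narrowing the name filter to `al2023-ami-minimal*` changes which packages the NAT instance boots with, and the user-data scripts added earlier in this series call `iptables` and `service iptables save`; the minimal image may not carry those by default, so either verify they are present or install them from `runcmd` before `snat.sh` runs. A comment on the filter recording why the minimal image was chosen over the standard AL2023 image would also help, since the commit subject ("Fixing AMI") does not say what the broader `al2023-*` pattern was matching.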
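Review bot: The new file has no trailing newline (`\ No newline at end of file`), which `terraform fmt` will flag and which turns every future edit to the last line into a two-line diff; add the newline. Both constraints are open-ended upward (`>= 0.13.1`, `>= 4.0`), so a future major release of the AWS provider would be picked up silently by anyone running `init -upgrade`; a ceiling such as `version = ">= 4.0, < 6.0"` keeps that an explicit decision, and a comment stating which provider versions the module has been applied with would help. The commit subject says "adding variable file", but the file holds version constraints; a subject such as `add version.tf with terraform and provider constraints` would describe it.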