This Terraform module provisions an Amazon EC2 Auto Scaling group whose instances run iptables and a Squid proxy, giving a low-cost alternative to a NAT gateway whilst also filtering outbound HTTP/HTTPS traffic by destination domain.

The module creates:

- An Auto Scaling group to keep the NAT/proxy EC2 instances in a running state
- A Lambda function that reacts to metric alarms and S3 triggers and updates the private route table(s)
- An S3 trigger to detect changes to the Squid configuration files
- A cloud-init template to configure iptables, Squid and the CloudWatch agent on the EC2 instances
- CloudWatch log groups for the Squid proxy cache and access logs, and for Lambda invocation logs

The running instances can be accessed via SSM for debugging purposes.
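The following Python is an added illustration of the route-table work the Lambda is responsible for; it is not the module's own Lambda code. It assumes (hypothetically) that on a scaling event the function makes every private route table's default route point at the NAT instance currently in service, replacing routes that still target a terminated instance. The route table ids, instance ids and the boto3 calls named in the comments are assumptions, not values from the module.

```python
"""Plan the private route table updates a NAT-instance failover Lambda makes.

Added example, not the module's own Lambda code. It assumes (hypothetically)
that the Lambda's route-table job is: make every private route table send
0.0.0.0/0 via the NAT instance that is currently in service, replacing routes
that still point at a terminated instance (AWS reports those as "blackhole").
The route table and instance ids below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    destination: str                     # CIDR, e.g. "0.0.0.0/0"
    instance_id: Optional[str] = None    # target instance; None when routed elsewhere
    state: str = "active"                # "active", or "blackhole" if the target is gone


@dataclass
class RouteTable:
    route_table_id: str
    routes: list = field(default_factory=list)


@dataclass
class Action:
    op: str              # "create_route" or "replace_route"
    route_table_id: str
    instance_id: str


def plan_default_route_updates(tables, healthy_instance_id):
    """Return the minimal set of route changes so that every table in `tables`
    sends 0.0.0.0/0 via `healthy_instance_id`.

    - no default route at all                      -> create_route
    - default route to another target, or blackhole -> replace_route
    - already correct and active                   -> nothing (idempotent)
    """
    actions = []
    for table in tables:
        default = next((r for r in table.routes if r.destination == "0.0.0.0/0"), None)
        if default is None:
            actions.append(Action("create_route", table.route_table_id, healthy_instance_id))
        elif default.instance_id != healthy_instance_id or default.state == "blackhole":
            actions.append(Action("replace_route", table.route_table_id, healthy_instance_id))
    return actions


def sample_route_tables():
    """Constructed sample: three private route tables in different states."""
    return [
        # still points at the instance the ASG just replaced
        RouteTable("rtb-0aaa", [Route("10.0.0.0/16"), Route("0.0.0.0/0", "i-0old", "blackhole")]),
        # already correct
        RouteTable("rtb-0bbb", [Route("10.0.0.0/16"), Route("0.0.0.0/0", "i-0new")]),
        # freshly created table that never had a default route
        RouteTable("rtb-0ccc", [Route("10.0.0.0/16")]),
    ]


if __name__ == "__main__":
    # With real AWS access each Action would map to
    #   ec2.create_route(RouteTableId=..., DestinationCidrBlock="0.0.0.0/0", InstanceId=...)
    #   ec2.replace_route(RouteTableId=..., DestinationCidrBlock="0.0.0.0/0", InstanceId=...)
    # on a boto3 EC2 client; here only the plan is printed.
    for action in plan_default_route_updates(sample_route_tables(), "i-0new"):
        print(f"{action.op}: {action.route_table_id} -> {action.instance_id}")
```

Keeping the planning step pure and idempotent matters here: the Lambda fires on several kinds of event, so re-running it against tables that are already correct must produce no changes.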
## Usage

```hcl
module "nat-instance" {
  source = "[email protected]:<org>/nat-instance.git?ref=v2.3.1"

  additional_egress_rules = {
    mongodb = {
      cidr_ipv4   = "0.0.0.0/0"
      description = "Allow MongoDB connections"
      ip_protocol = "tcp"
      from_port   = 27016
      to_port     = 27017
    }
  }

  allowed_web_domains = [
    ".amazonaws.com",
    "api.sendgrid.com",
  ]

  enable_eip         = true
  name               = "myapp-test-nat"
  private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
  public_subnet_ids  = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
  vpc_id             = "vpc-1eb7bfbe312f068e1"
}
```

- The instance AMI will not be updated automatically (it is ignored in the resource lifecycle)
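The `allowed_web_domains` list in the usage example follows Squid's `dstdomain` matching, where a leading dot covers a domain and all of its subdomains and an entry without one matches that exact host only. The Python below is an added example (not code from the module or from Squid) that applies those rules to hostnames and then runs over constructed Squid access-log lines to count denied destinations and flag drift between what the proxy permitted and what the Terraform input should permit. The log lines, client addresses and hostnames are constructed samples.

```python
"""Check destinations against a Squid-style domain allow list and summarise
denied requests from Squid access log lines.

Added example, not code from the module or from Squid. It mirrors the
documented semantics of Squid's `dstdomain` ACL: an entry with a leading dot
(".amazonaws.com") matches that domain and every subdomain, while an entry
without one ("api.sendgrid.com") matches that exact hostname only. The log
lines are constructed samples in Squid's native access.log format.
"""
from collections import Counter

# The allow list from the usage example above
ALLOWED_WEB_DOMAINS = [".amazonaws.com", "api.sendgrid.com"]


def host_allowed(host, allowed=ALLOWED_WEB_DOMAINS):
    """True if `host` is covered by the allow list under dstdomain rules."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            # ".amazonaws.com" covers "amazonaws.com" and "*.amazonaws.com",
            # but not "notamazonaws.com": the dot must sit on a label boundary
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def host_from_url(url):
    """Destination host from the URL field of a log line: CONNECT requests log
    "host:port", plain HTTP requests log a full URL. (Bracketed IPv6 literals
    are not handled here.)"""
    if "://" in url:
        url = url.split("://", 1)[1]
    hostport = url.split("/", 1)[0]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def parse_access_log(lines):
    """Yield (action, client_ip, host) for each native-format access.log line.
    Field layout: time elapsed client action/status bytes method url ..."""
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        action = fields[3].split("/", 1)[0]      # e.g. TCP_DENIED from TCP_DENIED/403
        yield action, fields[2], host_from_url(fields[6])


def denied_hosts(lines):
    """Count denied requests per destination host: the first thing to check when
    a workload loses outbound access after a whitelist change."""
    return Counter(host for action, _, host in parse_access_log(lines)
                   if action == "TCP_DENIED")


def allowlist_drift(lines, allowed=ALLOWED_WEB_DOMAINS):
    """Hosts where Squid's decision disagrees with the expected allow list, i.e.
    the proxy permitted something the Terraform input does not cover (or denied
    something it does). A non-empty result means the deployed config drifted."""
    drift = []
    for action, _, host in parse_access_log(lines):
        squid_allowed = action != "TCP_DENIED"
        if squid_allowed != host_allowed(host, allowed):
            drift.append((host, action))
    return drift


# Constructed sample log lines (not real traffic)
SAMPLE_ACCESS_LOG = """\
1700000000.101    52 10.0.1.15 TCP_TUNNEL/200 5123 CONNECT s3.eu-west-1.amazonaws.com:443 - HIER_DIRECT/52.0.0.10 -
1700000000.202    48 10.0.1.15 TCP_TUNNEL/200 2210 CONNECT api.sendgrid.com:443 - HIER_DIRECT/52.0.0.11 -
1700000000.303     0 10.0.2.20 TCP_DENIED/403 3921 CONNECT notapi.sendgrid.com:443 - HIER_NONE/- text/html
1700000000.404     0 10.0.2.20 TCP_DENIED/403 3921 GET http://telemetry.example.net/v1/report - HIER_NONE/- text/html
1700000000.505     0 10.0.2.20 TCP_DENIED/403 3921 CONNECT telemetry.example.net:443 - HIER_NONE/- text/html
1700000000.606    33 10.0.1.15 TCP_TUNNEL/200 1800 CONNECT updates.example.org:443 - HIER_DIRECT/52.0.0.12 -
""".splitlines()


if __name__ == "__main__":
    print("denied:", dict(denied_hosts(SAMPLE_ACCESS_LOG)))
    print("drift:", allowlist_drift(SAMPLE_ACCESS_LOG))
```

Because the access log is shipped to CloudWatch by the module, the same two summaries can be run over a log group export to spot a whitelist that is broader than the `allowed_web_domains` input, which is the condition this kind of egress proxy exists to prevent.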
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_egress_rules | Additional egress rules to apply to the security group. | map(object({ | {} | no |
| additional_ingress_rules | Additional ingress rules to apply to the security group. | map(object({ | {} | no |
| allowed_web_domains | List of allowed domains. | list(string) | [ | no |
| architectures | Lambda function architecture. | list(string) | [ | no |
| detailed_monitoring | Whether or not to enable detailed monitoring for the EC2 instance. | bool | false | no |
| enable_eip | Whether or not to enable a consistent Elastic IP for the EC2 instances. | bool | false | no |
| enable_spot_instance | Whether or not to use spot instances for the ASG. | bool | false | no |
| instance_type | The instance type to use for the ASG. | string | "t4g.small" | no |
| name | The name to use for resources. | string | "nat" | no |
| private_subnet_ids | List of private subnet IDs in the VPC. | list(string) | n/a | yes |
| public_subnet_ids | List of public subnet IDs to deploy the ASG to. | list(string) | n/a | yes |
| tags | Tags to apply to the resources. | map(string) | {} | no |
| vpc_id | The ID of the VPC to deploy the NAT instance/Squid proxy to. | string | n/a | yes |
## Modules

| Name | Source | Version |
|---|---|---|
| config_bucket | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
| squid_config | terraform-aws-modules/s3-bucket/aws//modules/object | ~> 5.0 |
| whitelist | terraform-aws-modules/s3-bucket/aws//modules/object | ~> 5.0 |

## Outputs

| Name | Description |
|---|---|
| public_ip | n/a |

## Providers

| Name | Version |
|---|---|
| archive | n/a |
| aws | ~> 6.0 |

## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.8 |
| aws | ~> 6.0 |
| random | ~> 3.6 |
| time | 0.13.1 |