digorgonzola/nat-instance

NAT Instance Module

This Terraform module provisions an Amazon EC2 Auto Scaling group whose instances run iptables and a squid proxy. It is a low-cost alternative to a managed NAT gateway that also filters outbound HTTP/HTTPS traffic by destination domain.

Overview

The module creates:

  • An Autoscaling group to maintain EC2 instances in a running state
  • A Lambda function that responds to metric alarms, Auto Scaling lifecycle notifications and S3 triggers, and updates the private route table(s)
  • An S3 trigger to detect changes to squid configuration files
  • A cloud-init template to configure iptables, squid and Cloudwatch agent on the EC2 instances
  • Cloudwatch log groups for the squid proxy cache and access logs, and Lambda invocation logs

The running instances can be accessed via AWS Systems Manager Session Manager (SSM) for debugging purposes.

Usage with Terraform

```hcl
module "nat-instance" {
  source = "git@github.com:<org>/squid-proxy.git?ref=v1.0.0"

  # Destination domains the squid proxy allows; everything else is blocked.
  allowed_web_domains = [
    ".amazonaws.com",
    "api.sendgrid.com",
  ]
  enable_eip         = true
  private_subnet_ids = ["subnet-10a214dfcd63a97a4", "subnet-c727b18850685046b"]
  public_subnet_ids  = ["subnet-37f911e98a8616eee", "subnet-233bfad11fdd81dfd"]
  vpc_id             = "vpc-1eb7bfbe312f068e1"
}
```
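The allowed-domain list is the module's outbound filter, so it helps to be able to check a hostname against it before changing the list. The following is an added example, not code from the module; it assumes the module feeds `allowed_web_domains` into a squid `dstdomain` ACL, where a leading dot matches the domain and every subdomain and an entry without one matches only that exact host.

```python
"""Check hostnames against an allowed-domain list using squid dstdomain matching rules."""

# Constructed sample list: the module's default entries plus the usage example's host.
ALLOWED_WEB_DOMAINS = [".amazonaws.com", ".amazon.com", "api.sendgrid.com"]


def normalise(host: str) -> str:
    """Lower-case and drop a trailing dot so 'API.SendGrid.com.' compares equal to 'api.sendgrid.com'."""
    return host.strip().lower().rstrip(".")


def domain_allowed(host: str, allowed: list[str]) -> bool:
    """Return True if host is permitted by any entry in allowed.

    Assumed squid dstdomain semantics: an entry starting with '.' matches that
    domain and all of its subdomains; an entry without one matches only that
    exact host. Suffix matching is done on the dotted form, so
    'evilamazonaws.com' is not admitted by '.amazonaws.com'.
    """
    host = normalise(host)
    if not host:
        return False
    for entry in allowed:
        entry = normalise(entry)
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def broad_entries(allowed: list[str]) -> list[str]:
    """Return the leading-dot entries: each admits every subdomain and deserves review."""
    return [e for e in allowed if normalise(e).startswith(".")]


if __name__ == "__main__":
    for candidate in ["s3.amazonaws.com", "mail.sendgrid.com", "evilamazonaws.com"]:
        print(f"{candidate}: {'allowed' if domain_allowed(candidate, ALLOWED_WEB_DOMAINS) else 'blocked'}")
    print("broad entries:", broad_entries(ALLOWED_WEB_DOMAINS))
```

Leading-dot entries such as `.amazonaws.com` admit every subdomain, including any S3 bucket hostname, so `broad_entries` flags them for review before the list is applied.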

Notes

  • The instance AMI is not updated automatically: the AMI ID is excluded from change tracking via lifecycle ignore_changes, so newer AMIs must be rolled out deliberately.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_egress_rules | Additional egress rules to apply to the security group. | `map(object({ cidr_ipv4 = string, description = optional(string, null), ip_protocol = string, from_port = number, to_port = number }))` | `null` | no |
| additional_ingress_rules | Additional ingress rules to apply to the security group. | `map(object({ cidr_ipv4 = string, description = optional(string, null), ip_protocol = string, from_port = number, to_port = number }))` | `null` | no |
| allowed_web_domains | List of allowed destination domains for outbound web traffic. | `list(string)` | `[".amazonaws.com", ".amazon.com"]` | no |
| architectures | Lambda function architecture. | `list(string)` | `["arm64"]` | no |
| detailed_monitoring | Whether or not to enable detailed monitoring for the EC2 instance. | `bool` | `false` | no |
| enable_eip | Whether or not to enable a consistent Elastic IP for the EC2 instances. | `bool` | `false` | no |
| instance_type | The instance type to use for the ASG. | `string` | `"t4g.small"` | no |
| name | The name to use for resources. | `string` | `"nat"` | no |
| private_subnet_ids | List of private subnet IDs in the VPC. | `list(string)` | n/a | yes |
| public_subnet_ids | List of public subnet IDs to deploy the ASG to. | `list(string)` | n/a | yes |
| vpc_id | The ID of the VPC to deploy the NAT instance/squid proxy to. | `string` | n/a | yes |

Modules

| Name | Source | Version |
|------|--------|---------|
| config_bucket | terraform-aws-modules/s3-bucket/aws | ~> 5.0 |
| squid_config | terraform-aws-modules/s3-bucket/aws//modules/object | ~> 5.0 |
| whitelist | terraform-aws-modules/s3-bucket/aws//modules/object | ~> 5.0 |

Outputs

No outputs.

Providers

| Name | Version |
|------|---------|
| archive | 2.7.1 |
| aws | 6.2.0 |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.8 |
| aws | ~> 6.0 |
| random | ~> 3.6 |
| time | 0.13.1 |

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.nat | resource |
| aws_cloudwatch_log_group.access | resource |
| aws_cloudwatch_log_group.cache | resource |
| aws_cloudwatch_log_group.iptables | resource |
| aws_cloudwatch_log_group.lambda | resource |
| aws_cloudwatch_metric_alarm.squid | resource |
| aws_eip.nat | resource |
| aws_iam_instance_profile.instance | resource |
| aws_iam_policy.instance | resource |
| aws_iam_policy.lambda | resource |
| aws_iam_role.asg_lifecycle | resource |
| aws_iam_role.instance | resource |
| aws_iam_role.lambda | resource |
| aws_iam_role_policy.asg_lifecycle | resource |
| aws_iam_role_policy_attachment.cloudwatch | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.lambda_custom | resource |
| aws_iam_role_policy_attachment.lambda_managed | resource |
| aws_iam_role_policy_attachment.ssm | resource |
| aws_lambda_function.nat | resource |
| aws_lambda_permission.alarm_sns | resource |
| aws_lambda_permission.lifecycle_sns | resource |
| aws_lambda_permission.s3_trigger | resource |
| aws_launch_template.nat | resource |
| aws_s3_bucket_notification.bucket_notification | resource |
| aws_security_group.instance | resource |
| aws_sns_topic.alarm | resource |
| aws_sns_topic.asg_lifecycle | resource |
| aws_sns_topic_subscription.lambda | resource |
| aws_sns_topic_subscription.lambda_sub | resource |
| aws_sqs_queue.dlq | resource |
| aws_vpc_security_group_egress_rule.this | resource |
| aws_vpc_security_group_ingress_rule.this | resource |
| archive_file.lambda_source_code | data source |
| aws_ami.amazon_linux_2 | data source |
| aws_caller_identity.this | data source |
| aws_ec2_instance_type.this | data source |
| aws_iam_policy_document.instance | data source |
| aws_iam_policy_document.lambda | data source |
| aws_region.current | data source |
| aws_route_table.private | data source |
| aws_vpc.this | data source |
