Migrate NAT instances to Amazon Linux 2 (#157)

* Migrate to NAT instances to Amazon Linux 2 * Update documentation with new AMI file * Use template_cloudinit_config instead of manual crafting of multipart user data * Update ecs/network/README.md * Make versions consistent * Use count.index in a more straightforward way Co-authored-by: Marek Skrajnowski <[email protected]> --------- Co-authored-by: Marek Skrajnowski <[email protected]>
codequest-eu · Feb 14, 2024 · 8796045 · 8796045
1 parent 0dc2bc1
commit 8796045
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 7 deletions.
diff --git a/ecs/README.md b/ecs/README.md
@@ -83,7 +83,7 @@ Based on [AWS reference architecture](https://github.com/aws-samples/ecs-refarch
 | <a name="input_environment"></a> [environment](#input\_environment) | Kebab-cased environment name, eg. development, staging, production. | `string` | n/a | yes |
 | <a name="input_lb_ssl_policy"></a> [lb\_ssl\_policy](#input\_lb\_ssl\_policy) | SSL policy to set on the HTTPS ALB listener, see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies | `string` | `"ELBSecurityPolicy-TLS-1-2-2017-01"` | no |
 | <a name="input_nat_instance"></a> [nat\_instance](#input\_nat\_instance) | Use NAT instances instead of NAT gateways. | `bool` | `false` | no |
-| <a name="input_nat_instance_ami_name"></a> [nat\_instance\_ami\_name](#input\_nat\_instance\_ami\_name) | Name of the EC2 AMI used by NAT instances | `string` | `"amzn-ami-vpc-nat-2018.03.0.20230905.0-x86_64-ebs"` | no |
+| <a name="input_nat_instance_ami_name"></a> [nat\_instance\_ami\_name](#input\_nat\_instance\_ami\_name) | Name of the EC2 AMI used by NAT instances | `string` | `"amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2"` | no |
 | <a name="input_nat_instance_type"></a> [nat\_instance\_type](#input\_nat\_instance\_type) | EC2 instance type to use to create a NAT instance. | `string` | `"t3.nano"` | no |
 | <a name="input_project"></a> [project](#input\_project) | Kebab-cased project name | `string` | n/a | yes |
 | <a name="input_project_index"></a> [project\_index](#input\_project\_index) | Unique project number in 0-255 range which will be used to build the VPC CIDR block: 10.{project\_index}.0.0/16 | `number` | n/a | yes |

diff --git a/ecs/network/README.md b/ecs/network/README.md
@@ -19,6 +19,7 @@ Creates networking resources needed for a standard ECS cluster setup:
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12, <2.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
+| <a name="requirement_cloudinit"></a> [cloudinit](#requirement\_cloudinit) | >= 2.3.3 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.1.2 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.2.0 |
 
@@ -27,6 +28,7 @@ Creates networking resources needed for a standard ECS cluster setup:
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0.0 |
+| <a name="provider_cloudinit"></a> [cloudinit](#provider\_cloudinit) | >= 2.3.3 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.1.2 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.2.0 |
 
@@ -105,6 +107,7 @@ Creates networking resources needed for a standard ECS cluster setup:
 | [aws_ami.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_availability_zones.zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [cloudinit_config.config](https://registry.terraform.io/providers/hashicorp/cloudinit/latest/docs/data-sources/config) | data source |
 
 ## Inputs
 
@@ -117,7 +120,7 @@ Creates networking resources needed for a standard ECS cluster setup:
 | <a name="input_environment"></a> [environment](#input\_environment) | Kebab-cased environment name, eg. development, staging, production. | `string` | n/a | yes |
 | <a name="input_lb_ssl_policy"></a> [lb\_ssl\_policy](#input\_lb\_ssl\_policy) | SSL policy to set on the HTTPS ALB listener, see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies | `string` | `"ELBSecurityPolicy-TLS-1-2-2017-01"` | no |
 | <a name="input_nat_instance"></a> [nat\_instance](#input\_nat\_instance) | Use NAT instances instead of NAT gateways. | `bool` | `false` | no |
-| <a name="input_nat_instance_ami_name"></a> [nat\_instance\_ami\_name](#input\_nat\_instance\_ami\_name) | Name of the EC2 AMI used by NAT instances | `string` | `"amzn-ami-vpc-nat-2018.03.0.20230905.0-x86_64-ebs"` | no |
+| <a name="input_nat_instance_ami_name"></a> [nat\_instance\_ami\_name](#input\_nat\_instance\_ami\_name) | Name of the EC2 AMI used by NAT instances | `string` | `"amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2"` | no |
 | <a name="input_nat_instance_type"></a> [nat\_instance\_type](#input\_nat\_instance\_type) | EC2 instance type to use to create a NAT instance. | `string` | `"t3.nano"` | no |
 | <a name="input_project"></a> [project](#input\_project) | Kebab-cased project name | `string` | n/a | yes |
 | <a name="input_project_index"></a> [project\_index](#input\_project\_index) | Unique project number in 0-255 range which will be used to build the VPC CIDR block: 10.{project\_index}.0.0/16 | `number` | n/a | yes |

diff --git a/ecs/network/main.tf b/ecs/network/main.tf
@@ -135,19 +135,58 @@ data "aws_ami" "nat" {
   }
 }
 
+locals {
+  cloud_config = <<-EOT
+    #cloud-config
+    cloud_final_modules:
+      - [scripts-user, always]
+    EOT
+
+  forwarding_scripts = [
+    for block in local.az_private_blocks :
+    <<-EOT
+      #!/bin/bash
+      /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
+      /usr/sbin/iptables -t nat -A POSTROUTING -s ${block} -j MASQUERADE
+    EOT
+  ]
+}
+
+data "cloudinit_config" "config" {
+  count = var.create && var.nat_instance ? var.availability_zones_count : 0
+
+  gzip          = true
+  base64_encode = true
+
+  part {
+    filename     = "init.cfg"
+    content_type = "text/cloud-config; charset=\"us-ascii\""
+    content      = local.cloud_config
+  }
+
+  part {
+    filename     = "script.sh"
+    content_type = "text/x-shellscript; charset=\"us-ascii\""
+    content      = local.forwarding_scripts[count.index]
+  }
+}
+
 resource "aws_instance" "nat" {
   count = var.create && var.nat_instance ? var.availability_zones_count : 0
 
   ami                    = data.aws_ami.nat[0].id
   instance_type          = var.nat_instance_type
   subnet_id              = element(aws_subnet.public[*].id, count.index)
   vpc_security_group_ids = [aws_security_group.nat[0].id]
+  user_data_base64       = data.cloudinit_config.config[count.index].rendered
+
   tags = merge(
     local.tags,
     {
       "Name" = "${local.name}-nat-${count.index}"
     },
   )
+
   source_dest_check = false
 
   lifecycle {

diff --git a/ecs/network/variables.tf b/ecs/network/variables.tf
@@ -46,7 +46,7 @@ variable "nat_instance_type" {
 variable "nat_instance_ami_name" {
   description = "Name of the EC2 AMI used by NAT instances"
   type        = string
-  default     = "amzn-ami-vpc-nat-2018.03.0.20230905.0-x86_64-ebs"
+  default     = "amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2"
 }
 
 variable "enable_dns_support" {

diff --git a/ecs/network/versions.tf b/ecs/network/versions.tf
@@ -2,8 +2,9 @@ terraform {
   required_version = ">= 0.12, <2.0"
 
   required_providers {
-    aws  = ">= 4.0.0"
-    tls  = ">= 3.2.0"
-    null = ">= 2.1.2"
+    aws       = ">= 4.0.0"
+    tls       = ">= 3.2.0"
+    null      = ">= 2.1.2"
+    cloudinit = ">= 2.3.3"
   }
 }
diff --git a/ecs/variables.tf b/ecs/variables.tf
@@ -46,7 +46,7 @@ variable "nat_instance_type" {
 variable "nat_instance_ami_name" {
   description = "Name of the EC2 AMI used by NAT instances"
   type        = string
-  default     = "amzn-ami-vpc-nat-2018.03.0.20230905.0-x86_64-ebs"
+  default     = "amzn2-ami-kernel-5.10-hvm-2.0.20240131.0-x86_64-gp2"
 }
 
 variable "enable_dns_support" {

diff --git a/versions.tf b/versions.tf
@@ -10,5 +10,7 @@ terraform {
     null    = "3.2.1"
     random  = "3.5.1"
     tls     = "4.0.4"
+
+    cloudinit = "2.3.3"
   }
 }