Fix to enable snat after reboot (#18)

Author: int128

.gitignore

@@ -1,3 +1,4 @@
 .terraform/
 .terraform.*
 *.tfstate
+*.tfstate.backup

README.md

@@ -75,55 +75,6 @@ The instance will run [init.sh](data/init.sh) to enable NAT as follows:
 
 ## Configuration
 
-### Set extra IAM policies
-
-You can attach an extra policy to the IAM role of the NAT instance. For example,
-
-```tf
-resource "aws_iam_role_policy" "nat_iam_ec2" {
-  role = module.nat.iam_role_name
-  policy = <<EOF
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
-EOF
-}
-```
-
-### Run a script
-
-You can set an extra script to run in the NAT instance.
-The current region is exported as `AWS_DEFAULT_REGION` and you can use awscli without a region option.
-
-For example, you can expose port 8080 of the NAT instance using DNAT:
-
-```tf
-module "nat" {
-  extra_user_data = templatefile("${path.module}/data/nat-port-forward.sh", {
-    eni_private_ip = module.nat.eni_private_ip
-  })
-}
-```
-
-```sh
-# Look up the target instance
-tag_name="TARGET_TAG"
-target_private_ip="$(aws ec2 describe-instances --filters "Name=tag:Name,Values=$tag_name" | jq -r .Reservations[0].Instances[0].PrivateIpAddress)"
-
-# Expose the port of the NAT instance.
-iptables -t nat -A PREROUTING -m tcp -p tcp --dst "${eni_private_ip}" --dport 8080 -j DNAT --to-destination "$target_private_ip:8080"
-```
-
-
 ### Allow SSH access
 
 You can log in to the NAT instance from [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html).
@@ -167,7 +118,6 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | enabled | Enable or not costly resources | `bool` | `true` | no |
-| extra\_user\_data | Extra script to run in the NAT instance | `string` | `""` | no |
 | image\_id | AMI of the NAT instance. Default to the latest Amazon Linux 2 | `string` | `""` | no |
 | instance\_types | Candidates of spot instance type for the NAT instance. This is used in the mixed instances policy | `list` | <pre>[<br>  "t3.nano",<br>  "t3a.nano"<br>]</pre> | no |
 | key\_name | Name of the key pair for the NAT instance. You can set this to assign the key pair to the NAT instance | `string` | `""` | no |

data/init.sh

@@ -85,12 +85,31 @@ resource "aws_launch_template" "this" {
     delete_on_termination       = true
   }
 
-  user_data = base64encode(
-    templatefile("${path.module}/data/init.sh", {
-      eni_id          = aws_network_interface.this.id
-      extra_user_data = var.extra_user_data
+  user_data = base64encode(join("\n", [
+    "#cloud-config",
+    yamlencode({
+      # https://cloudinit.readthedocs.io/en/latest/topics/modules.html
+      write_files : [
+        {
+          path : "/opt/nat/runonce.sh",
+          content : templatefile("${path.module}/runonce.sh", { eni_id = aws_network_interface.this.id }),
+          permissions : "0755",
+        },
+        {
+          path : "/opt/nat/snat.sh",
+          content : file("${path.module}/snat.sh"),
+          permissions : "0755",
+        },
+        {
+          path : "/etc/systemd/system/snat.service",
+          content : file("${path.module}/snat.service"),
+        },
+      ],
+      runcmd : [
+        ["/opt/nat/runonce.sh"],
+      ],
     })
-  )
+  ]))
 
   description = "Launch template for NAT instance ${var.name}"
   tags = {

main.tf

@@ -0,0 +1,12 @@
+#!/bin/bash -x
+
+# attach the ENI
+aws ec2 attach-network-interface \
+  --region "$(/opt/aws/bin/ec2-metadata -z  | sed 's/placement: \(.*\).$/\1/')" \
+  --instance-id "$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)" \
+  --device-index 1 \
+  --network-interface-id "${eni_id}"
+
+# start SNAT
+systemctl enable snat
+systemctl start snat

runonce.sh

@@ -0,0 +1,9 @@
+[Unit]
+Description = SNAT via ENI eth1
+
+[Service]
+ExecStart = /opt/nat/snat.sh
+Type = oneshot
+
+[Install]
+WantedBy = multi-user.target

snat.service

@@ -0,0 +1,20 @@
+#!/bin/bash -x
+
+# wait for eth1
+while ! ip link show dev eth1; do
+  sleep 1
+done
+
+# enable IP forwarding and NAT
+sysctl -q -w net.ipv4.ip_forward=1
+sysctl -q -w net.ipv4.conf.eth1.send_redirects=0
+iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
+
+# switch the default route to eth1
+ip route del default dev eth0
+
+# wait for network connection
+curl --retry 10 http://www.example.com
+
+# reestablish connections
+systemctl restart amazon-ssm-agent.service

snat.sh

@@ -30,12 +30,6 @@ variable "private_route_table_ids" {
   default     = []
 }
 
-variable "extra_user_data" {
-  description = "Extra script to run in the NAT instance"
-  type        = string
-  default     = ""
-}
-
 variable "image_id" {
   description = "AMI of the NAT instance. Default to the latest Amazon Linux 2"
   type        = string