AndrewGuenther / fck-nat

Feasible cost konfigurable NAT: An AWS NAT Instance AMI
https://fck-nat.dev
MIT License
1.27k stars 50 forks

CDK With Existing VPC #22

Closed oschwartz10612 closed 1 year ago

oschwartz10612 commented 1 year ago

Hi,

I love this project and I am looking into deploying this in my environment. I am new to the CDK, but it looks like this can only be used if you are creating a new VPC, is that right? If not, could you give me a quick example of how to do that? It could be something good to add to the docs (apologies if I missed it!)

rcoundon commented 1 year ago

Hi - you should be able to use `fromLookup`

oschwartz10612 commented 1 year ago

Thanks for the hint. I ended up generating a CloudFormation template for a new VPC and pulling out the necessary parts. See below for what I ended up using. You can use it yourself, but it requires setting the route in the route table manually. I preferred that because it let me control the switch-over to the instance.

@AndrewGuenther maybe we could put this CloudFormation template in the docs as a more flexible way to deploy? I personally find the CDK cumbersome for simple tasks like this.

```yaml
# fck-nat into an existing VPC. Deliberately creates no route: after the stack
# is up, point the private route table's 0.0.0.0/0 at the FckNatInterface ENI
# yourself (replace-route), so you control the moment of the switch-over.
Parameters:
  vpc:
    Type: String
    Default: "vpc-121212121212121212"
  subnet:
    Type: String
    # Must be a public subnet (default route via the internet gateway) in the
    # VPC above; the NAT instance needs a public path out.
    Default: "subnet-121212121212121212"

Resources:
  # Static ENI the instance attaches to itself on boot. Keeping the ENI
  # separate from the instance means the route target survives ASG
  # replacement of the instance. SourceDestCheck must be off for a NAT.
  FckNatInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Ref subnet
      GroupSet:
        - Fn::GetAtt:
            - NatSecurityGroup
            - GroupId
      SourceDestCheck: false

  FckNatAsgInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - Ref: NatRole

  FckNatAsgLaunchConfig:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      # AMI IDs are region-specific; use the fck-nat AMI for your region and
      # architecture (t4g.* instances are arm64).
      ImageId: ami-05b6d5a2e26f13c93
      InstanceType: t4g.nano
      IamInstanceProfile:
        Ref: FckNatAsgInstanceProfile
      SecurityGroups:
        - Fn::GetAtt:
            - NatSecurityGroup
            - GroupId
      # Tell fck-nat which ENI to attach, then restart it to pick up the config.
      UserData:
        Fn::Base64:
          Fn::Join:
            - ""
            - - |-
                #!/bin/bash
                echo "eni_id=
              - Ref: FckNatInterface
              - |-
                " >> /etc/fck-nat.conf
                service fck-nat restart
    DependsOn:
      - NatRole

  # Single-instance ASG: replaces the instance if it fails; the ENI (and so the
  # route) stays the same.
  FckNatAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MaxSize: "1"
      MinSize: "1"
      DesiredCapacity: "1"
      LaunchConfigurationName:
        Ref: FckNatAsgLaunchConfig
      VPCZoneIdentifier:
        - !Ref subnet
    UpdatePolicy:
      AutoScalingScheduledAction:
        IgnoreUnmodifiedGroupSizeProperties: true

  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for NAT
      # Ingress CIDR should match the VPC (or the private subnets) that will
      # route through this instance; anything outside it cannot use the NAT.
      SecurityGroupIngress:
        - CidrIp: "10.0.0.0/16"
          IpProtocol: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: "-1"
      VpcId: !Ref vpc

  # Lets the instance attach the ENI to itself at boot. Resource "*" permits
  # attaching/modifying any ENI in the account; tighten it with a resource ARN
  # or condition if your environment requires it.
  NatRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AttachNetworkInterface
                  - ec2:ModifyNetworkInterfaceAttribute
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          PolicyName: attachNatEniPolicy
```

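The template above leaves the route-table change to the operator. The script below is an added example (not part of fck-nat or of the comment above) of doing that cut-over deliberately: it reads the ENI the stack created, finds every route table in the VPC whose `0.0.0.0/0` currently goes to a NAT gateway or another ENI/instance, skips public tables (default route via an IGW) and tables already pointing at the fck-nat ENI, and prints a `replace-route` command for each together with the matching rollback command. It assumes a configured AWS CLI; the stack name and the `SAMPLE_ROUTE_TABLES` data are constructed for illustration.

```python
"""Plan and optionally apply the default-route cut-over to the fck-nat ENI.

Added example; not fck-nat project code. Assumes the stack was created from
the template in this thread (so the ENI's logical ID is FckNatInterface) and
that `aws` is on PATH with credentials. Usage:
    python cutover.py <stack-name> <vpc-id> [--apply]
"""
import json
import subprocess
import sys

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed sample in the shape of `aws ec2 describe-route-tables`, so the
# planner can be exercised offline: one private table behind a NAT gateway,
# one public table via an IGW, one table already cut over.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-done", "Routes": [
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-fck"}]},
]


def aws_json(*args):
    """Run one AWS CLI command and parse its JSON output."""
    proc = subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def nat_eni_id(stack_name):
    """Physical ID of the template's FckNatInterface resource (the ENI to route through)."""
    detail = aws_json("cloudformation", "describe-stack-resource",
                      "--stack-name", stack_name,
                      "--logical-resource-id", "FckNatInterface")
    return detail["StackResourceDetail"]["PhysicalResourceId"]


def plan_route_switch(route_tables, eni_id):
    """One entry per route table whose default route should move to eni_id.

    Each entry records the table and the current target as the CLI flag/value
    pair needed to put it back. Public tables (default route via an IGW) and
    tables already pointing at eni_id are left alone.
    """
    plan = []
    for rtb in route_tables:
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
                continue
            if "GatewayId" in route:          # igw-...: public subnet, never NAT it
                continue
            if route.get("NetworkInterfaceId") == eni_id:
                continue                       # already cut over
            if "NatGatewayId" in route:
                current = ("--nat-gateway-id", route["NatGatewayId"])
            elif "NetworkInterfaceId" in route:  # instance routes carry an ENI too
                current = ("--network-interface-id", route["NetworkInterfaceId"])
            else:
                continue                       # VPC peering, TGW, etc.: not our concern
            plan.append({"rtb": rtb["RouteTableId"], "current": current})
    return plan


def replace_route_argv(rtb_id, target_flag, target_id):
    """argv for `aws ec2 replace-route` on the default route of one table."""
    return ["aws", "ec2", "replace-route", "--route-table-id", rtb_id,
            "--destination-cidr-block", DEFAULT_ROUTE, target_flag, target_id]


def cutover_commands(plan, eni_id):
    """(apply, rollback) argv pairs: switch to the ENI, and restore the old target."""
    return [(replace_route_argv(p["rtb"], "--network-interface-id", eni_id),
             replace_route_argv(p["rtb"], *p["current"])) for p in plan]


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: cutover.py <stack-name> <vpc-id> [--apply]")
    stack_name, vpc_id, apply = argv[1], argv[2], "--apply" in argv
    eni_id = nat_eni_id(stack_name)
    tables = aws_json("ec2", "describe-route-tables",
                      "--filters", f"Name=vpc-id,Values={vpc_id}")["RouteTables"]
    for do, undo in cutover_commands(plan_route_switch(tables, eni_id), eni_id):
        print("apply:    " + " ".join(do))
        print("rollback: " + " ".join(undo))
        if apply:
            subprocess.run(do, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run it without `--apply` first and keep the printed rollback lines: if the instance misbehaves after the switch, the old NAT gateway is one `replace-route` away as long as it has not been deleted yet.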
AndrewGuenther commented 1 year ago

@oschwartz10612 Thanks for this! This is definitely worth rolling into the docs!

oschwartz10612 commented 1 year ago

Okay, great! I will open a PR real quick and we can work there.