AndrewGuenther / fck-nat

Feasible cost konfigurable NAT: An AWS NAT Instance AMI
https://fck-nat.dev
MIT License
1.33k stars 53 forks

Update Cloudformation Template in deployment documentation #89

Closed tschirmer closed 4 months ago

tschirmer commented 4 months ago

Please update the CloudFormation template so that it works on this page: https://github.com/AndrewGuenther/fck-nat/blob/main/docs/deploying.md

I've debugged it, and here is the working version:

```yaml
Parameters:
  vpc:
    Type: String
    Default: ""
  subnet:
    Type: String
    Default: ""
  CIDR:
    Type: String
    Default: ""

Resources:
  # The ENI the NAT instance attaches to itself at boot. SourceDestCheck must be
  # off, otherwise the VPC drops packets the instance forwards on behalf of others.
  FckNatInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Sub "${subnet}"
      GroupSet:
        - !GetAtt NatSecurityGroup.GroupId
      SourceDestCheck: false

  FckNatAsgInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref NatRole

  FckNatLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: FckNatLaunchTemplate
      LaunchTemplateData:
        # AMI IDs are region-specific; use the fck-nat AMI ID for the region you deploy in.
        ImageId: ami-0799b4d92d35edd4a
        InstanceType: t4g.nano
        IamInstanceProfile:
          Name: !Ref FckNatAsgInstanceProfile
        SecurityGroupIds:
          - !GetAtt NatSecurityGroup.GroupId
        # Write the ENI ID into fck-nat's config and restart the service so it attaches it.
        UserData:
          Fn::Base64: !Join
            - ""
            - - |-
                #!/bin/bash
                echo "eni_id=
              - !Ref FckNatInterface
              - |-
                " >> /etc/fck-nat.conf
                service fck-nat restart
    DependsOn:
      - NatRole

  # One instance, replaced automatically if it dies; it re-attaches the same ENI on boot.
  FckNatAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MaxSize: "1"
      MinSize: "1"
      DesiredCapacity: "1"
      LaunchTemplate:
        LaunchTemplateId: !Ref FckNatLaunchTemplate
        Version: !GetAtt FckNatLaunchTemplate.LatestVersionNumber
      VPCZoneIdentifier:
        - !Sub "${subnet}"
    UpdatePolicy:
      AutoScalingScheduledAction:
        IgnoreUnmodifiedGroupSizeProperties: true

  # Inbound only from the CIDR being NATed; outbound unrestricted so it can reach the Internet.
  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for NAT
      SecurityGroupIngress:
        - CidrIp: !Sub "${CIDR}"
          IpProtocol: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: "-1"
      VpcId: !Sub "${vpc}"

  # Instance role: only the EC2 calls needed to attach the ENI and associate an address.
  # Resource is "*" as posted; tighten with conditions if your account policy requires it.
  NatRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AttachNetworkInterface
                  - ec2:ModifyNetworkInterfaceAttribute
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          PolicyName: attachNatEniPolicy
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AssociateAddress
                  - ec2:DisassociateAddress
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          PolicyName: associateNatAddressPolicy
```

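
As an added example (not the poster's template and not fck-nat project code), the script below loads a constructed excerpt of the template above with PyYAML and checks the three settings a reviewer would verify before deploying a NAT instance: the ENI has `SourceDestCheck` off, the security group does not accept inbound traffic from the Internet, and the instance role grants nothing beyond the four `ec2:` actions the template uses. The excerpt and the action allow-list come from the template above; the intrinsic-tag loader, the check logic and the finding messages are this example's own, and PyYAML is assumed to be installed.

```python
"""Offline audit of the security-relevant settings in a fck-nat style
CloudFormation template.  Added example for this thread, not fck-nat project
code; TEMPLATE is a constructed excerpt of the template posted above."""
import yaml

# The only EC2 calls the posted instance role grants; anything beyond them
# (in particular a wildcard) is reported as over-privilege.
EXPECTED_ACTIONS = {
    "ec2:AttachNetworkInterface",
    "ec2:ModifyNetworkInterfaceAttribute",
    "ec2:AssociateAddress",
    "ec2:DisassociateAddress",
}

# Constructed excerpt: the three resources whose settings matter for a NAT.
TEMPLATE = """
Resources:
  FckNatInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      GroupSet:
        - !GetAtt NatSecurityGroup.GroupId
      SourceDestCheck: false
  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - CidrIp: !Sub "${CIDR}"
          IpProtocol: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          IpProtocol: "-1"
  NatRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AttachNetworkInterface
                  - ec2:ModifyNetworkInterfaceAttribute
                Effect: Allow
                Resource: "*"
          PolicyName: attachNatEniPolicy
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AssociateAddress
                  - ec2:DisassociateAddress
                Effect: Allow
                Resource: "*"
          PolicyName: associateNatAddressPolicy
"""


def _cfn_tag(loader, suffix, node):
    """Load a short-form intrinsic (!Ref, !Sub, !GetAtt, !Join, ...) as a plain
    {"Fn::Name": value} dict so PyYAML accepts CloudFormation YAML."""
    key = "Ref" if suffix == "Ref" else "Fn::" + suffix
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
        if suffix == "GetAtt":  # !GetAtt Res.Attr -> [Res, Attr]
            value = value.split(".", 1)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node, deep=True)
    else:
        value = loader.construct_mapping(node, deep=True)
    return {key: value}


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that understands CloudFormation's '!' tags."""


CfnLoader.add_multi_constructor("!", _cfn_tag)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit(template_text):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    for name, res in yaml.load(template_text, Loader=CfnLoader)["Resources"].items():
        rtype, props = res["Type"], res.get("Properties", {})
        # A NAT forwards packets not addressed to itself, so the ENI must have
        # source/destination checking off or the VPC drops the forwarded traffic.
        if rtype == "AWS::EC2::NetworkInterface" and props.get("SourceDestCheck") is not False:
            findings.append(f"{name}: SourceDestCheck must be false for a NAT ENI")
        # Inbound should be limited to the private CIDR being NATed, never the Internet.
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in ("0.0.0.0/0", "::/0"):
                    findings.append(f"{name}: ingress open to the Internet ({rule['CidrIp']})")
        # The instance role should grant only the calls fck-nat makes.
        if rtype == "AWS::IAM::Role":
            for policy in props.get("Policies", []):
                for stmt in _as_list(policy["PolicyDocument"]["Statement"]):
                    if stmt.get("Effect") != "Allow":
                        continue
                    for action in _as_list(stmt.get("Action", [])):
                        if action not in EXPECTED_ACTIONS:
                            findings.append(f"{name}/{policy['PolicyName']}: unexpected action {action}")
    return findings
```

Run `audit(open("template.yaml").read())` against the full template; it returns an empty list for the version posted above, and one finding per violated check if, for example, `SourceDestCheck` is flipped to `true`, an ingress rule is widened to `0.0.0.0/0`, or the role is given `ec2:*`. The loader converts every `!Tag` into the long-form `Fn::` mapping rather than evaluating it, so parameter references such as `!Sub "${CIDR}"` stay opaque and are deliberately not mistaken for literal CIDRs.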
AndrewGuenther commented 4 months ago

Can you be more specific about what is broken here? Diffing this with what's currently in place it looks like this just changes resource names rather than making any functional changes.

tschirmer commented 4 months ago

I just did the diff, and it looks like it's the same? I must have used an older CloudFormation template from somewhere else. Not sure how, I swear I used this. Either way, I'll close this off.