Deployment

pelotech-nat is designed to be deployed using the terraform-aws-fck-nat Terraform module with pelotech-nat AMIs.

Prerequisites

  • Terraform >= 1.0
  • A VPC with public and private subnets
  • pelotech-nat AMI available in your region (see supported regions)

Minimal Example

data "aws_ami" "pelotech_nat" {
  most_recent = true
  owners      = ["self"] # or the Pelotech account ID

  filter {
    name   = "name"
    values = ["pelotech-nat-al2023-hvm-*-arm64-ami"]
  }
}

module "nat" {
  source = "git::https://github.com/RaJiska/terraform-aws-fck-nat.git"

  name      = "my-nat"
  vpc_id    = module.vpc.vpc_id
  subnet_id = module.vpc.public_subnets[0]

  instance_type = "t4g.nano"
  ami_id        = data.aws_ami.pelotech_nat.id
}

HA Mode with Auto Scaling Group

For high availability, enable HA mode. This creates an ASG that automatically replaces the instance if it fails health checks.

module "nat_ha" {
  source = "git::https://github.com/RaJiska/terraform-aws-fck-nat.git"

  name      = "my-nat-ha"
  vpc_id    = module.vpc.vpc_id
  subnet_id = module.vpc.public_subnets[0]

  instance_type = "t4g.nano"
  ami_id        = data.aws_ami.pelotech_nat.id

  ha_mode            = true
  use_spot_instances = true
}

With Elastic IP and Route Table Updates

resource "aws_eip" "nat" {
  domain = "vpc"
}

module "nat_eip" {
  source = "git::https://github.com/RaJiska/terraform-aws-fck-nat.git"

  name      = "my-nat-eip"
  vpc_id    = module.vpc.vpc_id
  subnet_id = module.vpc.public_subnets[0]

  instance_type = "t4g.nano"
  ami_id        = data.aws_ami.pelotech_nat.id

  eip_allocation_ids   = [aws_eip.nat.id]
  update_route_tables  = true
  route_tables_ids = {
    "private-a" = module.vpc.private_route_table_ids[0]
    "private-b" = module.vpc.private_route_table_ids[1]
  }
}

Key Module Inputs

Input                Description                                Default
name                 Name prefix for resources                  (required)
vpc_id               VPC ID                                     (required)
subnet_id            Public subnet ID for the NAT instance      (required)
instance_type        EC2 instance type                          t4g.nano
ami_id               AMI ID for the NAT instance                (fck-nat default)
ha_mode              Enable HA mode with ASG                    false
use_spot_instances   Use spot instances (HA mode only)          false
eip_allocation_ids   List of EIP allocation IDs to associate    []
update_route_tables  Automatically update route tables          false
route_tables_ids     Map of route table IDs to update           {}

Key Outputs

Output       Description
instance_id  EC2 instance ID (non-HA mode)
eni_id       Primary ENI ID
sg_id        Security group ID
asg_name     ASG name (HA mode)
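After terraform apply, the thing worth confirming is that the route tables passed in route_tables_ids really send 0.0.0.0/0 to the ENI reported by the eni_id output, and that source/destination checking is off on that ENI (EC2 otherwise drops packets the instance only forwards). The checker below is an added example, not code from pelotech-nat or terraform-aws-fck-nat; it works on the JSON shape returned by the describe-route-tables and describe-network-interfaces API calls, and the documents and IDs embedded here are constructed samples.

```python
# Constructed sample responses shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-network-interfaces`. All IDs are placeholders.
NAT_ENI = "eni-0123456789abcdef0"
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": NAT_ENI, "State": "active"}]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        # stale route to the ENI of a replaced instance; AWS marks such routes blackhole
        {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-0fedcba9876543210",
         "State": "blackhole"}]},
]}
ENIS = {"NetworkInterfaces": [{"NetworkInterfaceId": NAT_ENI, "SourceDestCheck": False}]}


def route_table_problems(route_tables: dict, expected_eni: str) -> list:
    """One finding per route table whose default route does not reach expected_eni."""
    findings = []
    for rt in route_tables.get("RouteTables", []):
        rt_id = rt["RouteTableId"]
        default = [r for r in rt.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not default:
            findings.append(f"{rt_id}: no 0.0.0.0/0 route; private subnets have no egress")
            continue
        route = default[0]
        target = route.get("NetworkInterfaceId") or route.get("NatGatewayId") or route.get("GatewayId")
        if target != expected_eni:
            findings.append(f"{rt_id}: default route targets {target}, not {expected_eni}")
        elif route.get("State") != "active":
            findings.append(f"{rt_id}: default route is {route.get('State')}")
    return findings


def eni_problems(enis: dict, expected_eni: str) -> list:
    """The NAT ENI must exist and must have source/destination checking disabled."""
    for eni in enis.get("NetworkInterfaces", []):
        if eni.get("NetworkInterfaceId") == expected_eni:
            if eni.get("SourceDestCheck", True):
                return [f"{expected_eni}: SourceDestCheck is enabled, NAT forwarding will fail"]
            return []
    return [f"{expected_eni}: not found (instance replaced or wrong region?)"]


def check_nat(route_tables: dict, enis: dict, expected_eni: str) -> list:
    """Combined findings; an empty list means the NAT path is wired correctly."""
    return route_table_problems(route_tables, expected_eni) + eni_problems(enis, expected_eni)


if __name__ == "__main__":
    for line in check_nat(ROUTE_TABLES, ENIS, NAT_ENI) or ["OK: all route tables use the NAT ENI"]:
        print(line)
```

In HA mode the instance, and with it the ENI the routes point at, can be replaced, so this is a useful check to run after any ASG replacement as well as after the initial apply.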

IAM Requirements

The NAT instance requires the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "arn:aws:ssm:*:*:parameter/pelotech-nat/*"
    }
  ]
}

The ssm:GetParameter statement is needed only when the CloudWatch agent is configured from SSM Parameter Store. The terraform-aws-fck-nat module creates the IAM role automatically.