Use custom image for the nat instance (#3801)

infrastructure/applications/pretix/main.tf

@@ -85,10 +85,10 @@ resource "aws_ecs_task_definition" "pretix_service" {
   family = "${terraform.workspace}-pretix"
   container_definitions = jsonencode([
     {
-      name      = "pretix"
-      image     = "${data.aws_ecr_repository.repo.repository_url}@${data.aws_ecr_image.image.image_digest}"
-      memoryReservation    = 1900
-      essential = true
+      name              = "pretix"
+      image             = "${data.aws_ecr_repository.repo.repository_url}@${data.aws_ecr_image.image.image_digest}"
+      memoryReservation = 1900
+      essential         = true
       environment = [
         {
           name  = "DATABASE_NAME"

infrastructure/applications/pycon_backend/cdn.tf

@@ -37,7 +37,7 @@ resource "aws_cloudfront_distribution" "media_cdn" {
     cached_methods   = ["GET", "HEAD"]
     target_origin_id = "default"
 
-    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_optimized.id
+    cache_policy_id = data.aws_cloudfront_cache_policy.caching_optimized.id
 
     viewer_protocol_policy = "redirect-to-https"
     compress               = true

infrastructure/applications/pycon_backend/worker.tf

@@ -257,10 +257,10 @@ resource "aws_ecs_task_definition" "worker" {
   family = "pythonit-${terraform.workspace}-worker"
   container_definitions = jsonencode([
     {
-      name      = "worker"
-      image     = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
-      memoryReservation    = 400
-      essential = true
+      name              = "worker"
+      image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
+      memoryReservation = 400
+      essential         = true
       entrypoint = [
         "/home/app/.venv/bin/celery",
       ]
@@ -310,10 +310,10 @@ resource "aws_ecs_task_definition" "beat" {
   family = "pythonit-${terraform.workspace}-beat"
   container_definitions = jsonencode([
     {
-      name      = "beat"
-      image     = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
-      memoryReservation    = 400
-      essential = true
+      name              = "beat"
+      image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
+      memoryReservation = 400
+      essential         = true
       entrypoint = [
         "/home/app/.venv/bin/celery",
       ]

infrastructure/global/vpc/nat.tf

@@ -1,39 +1,7 @@
-# data "aws_ami" "nat" {
-#   most_recent = true
-
-#   filter {
-#     name   = "name"
-#     values = ["amzn-ami-vpc-nat-2018.03.0.20190826-x86_64-ebs"]
-#   }
-
-#   owners = ["137112412989"] # Amazon
-# }
-
-resource "aws_eip" "nat" {
-  for_each = toset(keys(local.public_azs_cidr))
-  vpc      = true
+resource "aws_eip" "nat_instance" {
+  domain = "vpc"
   tags = {
-    Name = "nat public ip ${each.key}"
-  }
-}
-
-resource "aws_eip_association" "nat_ip_assoc" {
-  for_each      = toset(keys(local.public_azs_cidr))
-  instance_id   = aws_instance.nat[each.key].id
-  allocation_id = aws_eip.nat[each.key].id
-}
-
-resource "aws_instance" "nat" {
-  for_each               = toset(keys(local.public_azs_cidr))
-  ami                    = "ami-001b36cbc16911c13"
-  instance_type          = "t3a.nano"
-  subnet_id              = aws_subnet.public[each.key].id
-  availability_zone      = each.key
-  vpc_security_group_ids = [aws_security_group.nat.id]
-  source_dest_check      = false
-
-  tags = {
-    Name = "nat instance - ${each.key}"
+    Name = "nat public ip"
   }
 }
 
@@ -91,3 +59,31 @@ resource "aws_security_group" "nat" {
     Name = "nat instance security group"
   }
 }
+
+data "template_file" "nat_user_data" {
+  template = file("${path.module}/nat_instance_user_data.sh")
+}
+
+resource "aws_instance" "nat_instance" {
+  ami                    = "ami-0c058ff13c7598bc3"
+  instance_type          = "t4g.nano"
+  availability_zone      = "eu-central-1a"
+  subnet_id              = aws_subnet.public["eu-central-1a"].id
+  vpc_security_group_ids = [aws_security_group.nat.id]
+  source_dest_check      = false
+  user_data              = data.template_file.nat_user_data.rendered
+  key_name               = "pretix"
+
+  root_block_device {
+    volume_size = 8
+  }
+
+  tags = {
+    Name = "nat instance"
+  }
+}
+
+resource "aws_eip_association" "nat_instance_ip_assoc" {
+  instance_id   = aws_instance.nat_instance.id
+  allocation_id = aws_eip.nat_instance.id
+}

infrastructure/global/vpc/nat_instance_user_data.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+sudo yum install iptables-services -y
+sudo systemctl enable iptables
+sudo systemctl start iptables
+
+sudo touch /etc/sysctl.d/custom-ip-forwarding.conf
+sudo chmod 666 /etc/sysctl.d/custom-ip-forwarding.conf
+sudo echo "net.ipv4.ip_forward=1" >> /etc/sysctl.d/custom-ip-forwarding.conf
+sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+
+sudo /sbin/iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
+sudo /sbin/iptables -F FORWARD
+sudo service iptables save

infrastructure/global/vpc/private_subnet.tf

@@ -17,15 +17,15 @@ resource "aws_route_table" "private" {
 
   route {
     cidr_block           = "0.0.0.0/0"
-    network_interface_id = aws_instance.nat[each.key].primary_network_interface_id
+    network_interface_id = aws_instance.nat_instance.primary_network_interface_id
   }
 
   tags = {
     Name = "private subnet route table ${each.value}"
   }
 
   depends_on = [
-    aws_instance.nat
+    aws_instance.nat_instance
   ]
 }