project_conquer/aws/templates/ec2/fck-nat.yaml

Parameters:
  vpc:
    Type: String
    Default: "vpc-121212121212121212"
  subnet:
    Type: String
    Default: "subnet-121212121212121212"
  CIDR:
    Type: String
    Default: "10.0.0.0/16"

Resources:
  FckNatInterface:
    Type: AWS::EC2::NetworkInterface
    Properties:
      SubnetId: !Sub "${subnet}"
      GroupSet:
        - Fn::GetAtt:
            - NatSecurityGroup
            - GroupId
      SourceDestCheck: false

  FckNatAsgInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - Ref: NatRole

  FckNatLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: FckNatLaunchTemplate
      LaunchTemplateData:
        ImageId: ami-05b6d5a2e26f13c93
        InstanceType: t4g.nano
        IamInstanceProfile:
          Arn: !GetAtt FckNatAsgInstanceProfile.Arn
        SecurityGroups:
          - Fn::GetAtt:
              - NatSecurityGroup
              - GroupId
        UserData:
          Fn::Base64:
            Fn::Join:
              - ""
              - - |-
                  #!/bin/bash
                  echo "eni_id=                  
                - Ref: FckNatInterface
                - |-
                  " >> /etc/fck-nat.conf
                  service fck-nat restart                  
    DependsOn:
      - NatRole

  FckNatAsg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      MaxSize: "1"
      MinSize: "1"
      DesiredCapacity: "1"
      LaunchTemplateId:
        Ref: FckNatLaunchTemplate
      VPCZoneIdentifier:
        - !Sub "${subnet}"
    UpdatePolicy:
      AutoScalingScheduledAction:
        IgnoreUnmodifiedGroupSizeProperties: true

  NatSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for NAT
      SecurityGroupIngress:
        - CidrIp: !Sub "${CIDR}"
          IpProtocol: "-1"
      SecurityGroupEgress:
        - CidrIp: 0.0.0.0/0
          Description: Allow all outbound traffic by default
          IpProtocol: "-1"
      VpcId: !Sub "${vpc}"

  NatRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
        Version: "2012-10-17"
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AttachNetworkInterface
                  - ec2:ModifyNetworkInterfaceAttribute
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          PolicyName: attachNatEniPolicy
        - PolicyDocument:
            Statement:
              - Action:
                  - ec2:AssociateAddress
                  - ec2:DisassociateAddress
                Effect: Allow
                Resource: "*"
            Version: "2012-10-17"
          PolicyName: associateNatAddressPolicy