Fix to enable snat after reboot

Author: int128

.gitignore

@@ -1,3 +1,4 @@
 .terraform/
 .terraform.*
 *.tfstate
+*.tfstate.backup

data/init.sh

@@ -85,12 +85,31 @@ resource "aws_launch_template" "this" {
     delete_on_termination       = true
   }
 
-  user_data = base64encode(
-    templatefile("${path.module}/data/init.sh", {
-      eni_id          = aws_network_interface.this.id
-      extra_user_data = var.extra_user_data
+  user_data = base64encode(join("\n", [
+    "#cloud-config",
+    yamlencode({
+      # https://cloudinit.readthedocs.io/en/latest/topics/modules.html
+      write_files : [
+        {
+          path : "/opt/nat/runonce.sh",
+          content : templatefile("${path.module}/runonce.sh", { eni_id = aws_network_interface.this.id }),
+          permissions : "0755",
+        },
+        {
+          path : "/opt/nat/snat.sh",
+          content : file("${path.module}/snat.sh"),
+          permissions : "0755",
+        },
+        {
+          path : "/etc/systemd/system/snat.service",
+          content : file("${path.module}/snat.service"),
+        },
+      ],
+      runcmd : [
+        ["/opt/nat/runonce.sh"],
+      ],
     })
-  )
+  ]))
 
   description = "Launch template for NAT instance ${var.name}"
   tags = {

main.tf

@@ -0,0 +1,12 @@
+#!/bin/bash -x
+
+# attach the ENI
+aws ec2 attach-network-interface \
+  --region "$(/opt/aws/bin/ec2-metadata -z  | sed 's/placement: \(.*\).$/\1/')" \
+  --instance-id "$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)" \
+  --device-index 1 \
+  --network-interface-id "${eni_id}"
+
+# start SNAT
+systemctl enable snat
+systemctl start snat

runonce.sh

@@ -0,0 +1,9 @@
+[Unit]
+Description = SNAT via ENI eth1
+
+[Service]
+ExecStart = /opt/nat/snat.sh
+Type = oneshot
+
+[Install]
+WantedBy = multi-user.target

snat.service

@@ -0,0 +1,20 @@
+#!/bin/bash -x
+
+# wait for eth1
+while ! ip link show dev eth1; do
+  sleep 1
+done
+
+# Enable IP forwarding and NAT
+sysctl -q -w net.ipv4.ip_forward=1
+sysctl -q -w net.ipv4.conf.eth1.send_redirects=0
+iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
+
+# Switch the default route to eth1
+ip route del default dev eth0
+
+# Waiting for network connection
+curl --retry 10 http://www.example.com
+
+# Restart the SSM agent
+systemctl restart amazon-ssm-agent.service

snat.sh

@@ -30,12 +30,6 @@ variable "private_route_table_ids" {
   default     = []
 }
 
-variable "extra_user_data" {
-  description = "Extra script to run in the NAT instance"
-  type        = string
-  default     = ""
-}
-
 variable "image_id" {
   description = "AMI of the NAT instance. Default to the latest Amazon Linux 2"
   type        = string