
feat: add variable for egress protocol

Open seagyn opened this issue 1 year ago • 5 comments

Adds the ability to set the protocol for egress out of the NAT instance. The main driver for this is something like Tailscale which requires the ability to open an outbound UDP connection to get direct connectivity to other nodes.

It might be worth changing this to only have options for "tcp" or "all". Can't imagine a "udp" only NAT but maybe someone will want that.

seagyn avatar Nov 02 '23 11:11 seagyn

It would be a very useful feature because tcp seems very restrictive. I believe "all" would be preferred in the vast majority of use cases. I run into the same issue, we need UDP and ICMP.

There is a duplicated PR about the same problem, https://github.com/int128/terraform-aws-nat-instance/pull/56, but it's not merged yet.

hostmaster avatar Nov 09 '23 10:11 hostmaster

@hostmaster after doing this PR we realised there is an output for the SG id which you can use to create a security group rule to open the SG up further.

seagyn avatar Nov 09 '23 11:11 seagyn

@seagyn thank you for sharing. I would prefer an egress rule properly configured in the first place.

hostmaster avatar Nov 09 '23 12:11 hostmaster

@hostmaster us too but at least this can unblock it (also only a single extra resource in TF).

seagyn avatar Nov 09 '23 13:11 seagyn

For reference, add this below the module:

resource "aws_security_group_rule" "udp_out" {
  security_group_id = module.nat.sg_id   # SG id exported by the NAT instance module
  from_port         = 0                  # must be 0 when protocol is "-1"
  to_port           = 0
  protocol          = "-1"               # "-1" = all IP protocols, so this opens more than UDP
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}

morganrowse avatar Nov 09 '23 13:11 morganrowse
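A narrower alternative to the all-protocol rule above, added here as an example and not taken from the thread or the module: separate egress rules for UDP and ICMP only, which is what the comments actually ask for, so the NAT instance's outbound access stays limited to those protocols. It assumes the module is instantiated as "nat" and exposes the same sg_id output used in the rule above.

```hcl
# Added example, not from the thread or the module. Scopes NAT egress to UDP
# and ICMP instead of every protocol. Assumes module "nat" exposes sg_id.

resource "aws_security_group_rule" "nat_udp_egress" {
  description       = "UDP egress from the NAT instance (e.g. Tailscale direct connections)"
  security_group_id = module.nat.sg_id
  type              = "egress"
  protocol          = "udp"
  from_port         = 0       # full UDP port range
  to_port           = 65535
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}

resource "aws_security_group_rule" "nat_icmp_egress" {
  description       = "ICMP egress (ping, path MTU discovery)"
  security_group_id = module.nat.sg_id
  type              = "egress"
  protocol          = "icmp"
  from_port         = -1      # for icmp, from_port is the ICMP type; -1 = all types
  to_port           = -1      # to_port is the ICMP code; -1 = all codes
  cidr_blocks       = ["0.0.0.0/0"]
}

# IPv6 needs its own rule: AWS requires protocol "icmpv6" for IPv6 CIDRs.
resource "aws_security_group_rule" "nat_icmpv6_egress" {
  description       = "ICMPv6 egress (neighbor discovery, PMTUD)"
  security_group_id = module.nat.sg_id
  type              = "egress"
  protocol          = "icmpv6"
  from_port         = -1
  to_port           = -1
  ipv6_cidr_blocks  = ["::/0"]
}
```

These sit next to the module's existing tcp egress rule; the all-protocol "-1" rule is then unnecessary.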