Adding SSH Connection Capability to NAT Instance #14

Closed
wants to merge 3 commits into from

michelecoco
Contributor

Overview

This PR introduces the capability to establish SSH connections to the NAT instance. This feature enables users to utilize the existing EC2 instance as an SSH tunnel, offering a cost-effective solution for accessing services on the private VPC, such as RDS instances, without the need to provision additional EC2 instances.

Motivation

The primary motivation behind this enhancement is to leverage the AWS Free Tier benefits effectively. With the AWS Free Tier providing one EC2 instance, users can now utilize the NAT instance for both its intended purpose and as an SSH tunnel, maximizing the usage of the available resources without incurring additional costs.

Usage Example

module "fck-nat" {
  # ...

  ssh_enabled         = true
  ssh_public_key      = file("keys/aws_ec2.pub")
  ssh_public_key_name = "ssh-tunnel-key"
}

@kenzojrc

When you have the time, it would be great if this could be merged into main @RaJiska

@RaJiska
Owner

RaJiska commented Feb 22, 2024

Been busy moving lately and had PRs accumulating ye. As I'm starting to get more time I will look into this either this weekend or next week.

@michelecoco
Contributor Author

Thank you for taking the time to review my pull request and for your valuable suggestions. I've pushed the requested changes. I decided to streamline the variables by removing ssh_enabled and adjusting the behavior of ssh_key_name. With this update, the presence of a value in ssh_key_name now determines whether SSH is enabled or disabled. If ssh_key_name is set to null, SSH is automatically disabled. Conversely, if a value is provided, SSH is enabled.

Here is an updated usage example:

module "fck-nat" {
  #...

  ssh_key_name    = aws_key_pair.ssh_key.key_name
  ssh_cidr_blocks = ["0.0.0.0/0"]
}

Let me know if there are any further adjustments or if you require additional information :)

@michelecoco michelecoco requested a review from RaJiska February 26, 2024 12:53
@RaJiska
Owner

RaJiska commented Feb 27, 2024

Thanks for updating the PR. I'd have a couple more requests:

  • Even though just using ssh_enabled is not technically essential, I believe it is a better option than enabling SSH through a value provided to ssh_key_name as it makes it clear that it enables SSH
  • Thinking back about it, I think ssh_cidr_blocks should be optional, that is because the user is allowed to pass their own security groups via additional_security_group_ids. A user may therefore already have a reusable SSH security group that they would apply to the ENI rendering ssh_cidr_blocks extra. The ingress rule would therefore need to check for whether ssh_enabled is set to true, ssh_cidr_blocks is not null, ssh_cidr_blocks length > 0.

I tested the changes and it worked on my end. Once the couple of points above are sorted, I think it will be ready to be merged. Thank you for your continued work on this 💯
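
The ingress condition described in the comment above (ssh_enabled is true, ssh_cidr_blocks is not null, and its length is greater than 0), written out as an added example. This is not code from the PR or from the fck-nat module; the variable declarations, the security_group_id input and the resource name ssh_ingress are assumptions made for illustration.

```hcl
# Added example. Names below are hypothetical, not the module's own code.

variable "ssh_enabled" {
  description = "Whether SSH access to the NAT instance is enabled"
  type        = bool
  default     = false
}

variable "ssh_cidr_blocks" {
  description = "CIDR blocks allowed to reach port 22; null when the caller supplies its own SSH security group"
  type        = list(string)
  default     = null
}

variable "security_group_id" {
  description = "Security group attached to the NAT instance ENI (assumed input)"
  type        = string
}

locals {
  # The rule exists only when SSH is enabled AND a non-empty CIDR list is given.
  # length() rejects a null argument, and && is not guaranteed to short-circuit
  # on every Terraform version, so the null case is absorbed with try().
  create_ssh_ingress = var.ssh_enabled && try(length(var.ssh_cidr_blocks) > 0, false)
}

resource "aws_security_group_rule" "ssh_ingress" {
  count = local.create_ssh_ingress ? 1 : 0

  type              = "ingress"
  description       = "SSH to NAT instance"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = var.ssh_cidr_blocks # e.g. ["203.0.113.10/32"] (constructed sample value)
  security_group_id = var.security_group_id
}
```

With ssh_enabled = true and ssh_cidr_blocks left null or empty, no ingress rule is created, so port 22 is reachable only through whatever security groups the caller attaches separately.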

@RaJiska
Owner

RaJiska commented Jun 17, 2024

@bobsut @kenzojrc Completed through #25, thank you @SpaicyGaming.

@RaJiska RaJiska closed this Jun 17, 2024