add vpcaccess role
diff --git a/roles/vpcaccess/files/ec2-pat.sh b/roles/vpcaccess/files/ec2-pat.sh
new file mode 100644 (file)
index 0000000..6e119cc
--- /dev/null
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# Configure the instance to run as a Port Address Translator (PAT) to provide
+# Internet connectivity to private instances.
+#
+
+IF='eth0'
+
+set -o pipefail
+
+function log(){
+    echo "$@" | /usr/bin/logger -t 'ec2-pat'
+}
+
+echo "Determining the MAC address on ${IF}"
+if ! IF_MAC=$(/sbin/ip address show dev ${IF} |
+            /bin/grep 'link/ether' |
+            /bin/awk '{print tolower($2)}')
+then
+   log "Unable to determine MAC address on eth0"
+   exit 1
+fi
+log "Found MAC: ${IF_MAC} on ${IF}"
+
+VPC_CIDR_URI="http://169.254.169.254/latest/meta-data/network/interfaces/macs/${IF_MAC}/vpc-ipv4-cidr-block"
+if ! VPC_CIDR_RANGE=$(/usr/bin/curl --retry 3 --retry-delay 1 --silent --fail "${VPC_CIDR_URI}")
+then
+    VPC_CIDR_RANGE="0.0.0.0/0"
+    log "Unable to retrive VPC CIDR range from meta-data. Using ${VPC_CIDR_RANGE} instead. PAT may not function correctly!"
+else
+    log "Retrived the VPC CIDR range: ${VPC_CIDR_RANGE} from meta-data"
+fi
+
+if ! /sbin/sysctl -w 'net.ipv4.ip_forward=1' &&
+        /sbin/sysctl -w "net.ipv4.conf.${IF}.send_redirects=0" &&
+        /sbin/iptables -t nat -A POSTROUTING -o ${IF} -s ${VPC_CIDR_RANGE} -j MASQUERADE
+then
+   log "Configuration of PAT failed"
+   exit 1
+fi
+
+log "Configuration of PAT complete"
+/sbin/iptables-save > /etc/sysconfig/iptables
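Review bot: The `!` on line 41 negates only the first sysctl, so once `net.ipv4.ip_forward=1` succeeds the `&&` chain short-circuits and neither the send_redirects sysctl nor the MASQUERADE rule is ever applied, yet the script still logs "Configuration of PAT complete" and saves the untouched ruleset (and if the first sysctl fails but the other two succeed, it exits 1 with "failed"); group the chain so the negation covers all three commands: `if ! { /sbin/sysctl -w 'net.ipv4.ip_forward=1' && /sbin/sysctl -w "net.ipv4.conf.${IF}.send_redirects=0" && /sbin/iptables -t nat -A POSTROUTING -o "${IF}" -s "${VPC_CIDR_RANGE}" -j MASQUERADE; }; then`. The fallback to `0.0.0.0/0` on line 35 combined with forwarding enabled means the instance will masquerade traffic from any source routed to it, not just the VPC; failing closed with `exit 1` when the CIDR cannot be read from meta-data is the safer default, or at minimum the fallback should be an explicit opt-in. Smaller points: `${IF}` on lines 23 and 43 and `${VPC_CIDR_RANGE}` on line 43 are unquoted, the message on line 27 hard-codes `eth0` instead of `${IF}`, the `iptables-save` on line 50 has no error check so a failed save is silent, and "Retrive" on lines 36 and 38 should be "Retrieved"/"retrieve".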