add cost breakdown table; allow using nat instance

Author: tmokmss

README.md

@@ -106,12 +106,27 @@ cp .env.local.example .env.local
 ```
 
 ## Cost
-Lambda, SQS, CloudWatch, CloudFront, and S3 offer free tier plans, which allows you to use those services almost freely for small businesses.
-Up to one million requests per month, most of the costs related to those services are free. See [this page for more details](https://aws.amazon.com/free/).
 
-Aurora PostgreSQL Serverless v2 is billed based on compute and storage usage. The database automatically scales up and down based on workload, and you only pay for the resources you use. See [this page for the current prices](https://aws.amazon.com/rds/aurora/pricing/). Aurora Serverless v2 can scale down to almost zero during periods of inactivity, helping to minimize costs (see [database.ts](cdk/lib/constructs/database.ts) for configuration details).
-
-Other costs will be derived from data transfer and Elastic Container Repository (used for Docker Lambda). Although it usually does not cost much compared to other services, you may want to continuously monitor the billing metrics. Please refer to [the document to set CloudWatch alarm for AWS charges](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html).
+The following table provides a sample cost breakdown for deploying this system in the us-east-1 (N. Virginia) region for one month (when deployed using less expensive configuration).
+
+| Service | Usage Details | Monthly Cost [USD] |
+|---------|--------------|-------------------|
+| Aurora Serverless v2 | 0.5 ACU × 2 hour/day, 1GB storage | 3.6 |
+| Cognito | 100 MAU (Monthly Active Users) | 1.5 |
+| AppSync Events | 100 events/month, 10 hours connection/user | 0.02 |
+| Lambda | 1000 requests/month, 512MB×200ms/request | 0.15 |
+| Lambda@Edge | 100 requests/month, 128MB×50ms/request | 0.09 |
+| VPC | NAT Instance (t4g.nano) x1 | 3.02 |
+| EventBridge | Scheduler 100 jobs/month | 0.0001 |
+| CloudFront | Data transfer 1kB/request | 0.01 |
+| Total | | 8.49 |
+
+Notes:
+- Assumes 100 users per month and 1000 requests per user
+- Aurora usage assumed at 1 hour per day
+- Actual costs may vary depending on usage patterns
+
+Costs could be further reduced by leveraging Free Tier benefits where applicable. Lambda, SQS, CloudWatch, CloudFront, EC2, and Cognito offer free tier plans, which allows you to use those services almost freely for small businesses. See [this page for more details](https://aws.amazon.com/free/).
 
 ## Clean up
 To avoid incurring future charges, clean up the resources you created.

cdk/bin/cdk.ts

@@ -9,11 +9,13 @@ const app = new cdk.App();
 interface EnvironmentProps {
   account: string;
   domainName: string;
+  useNatInstance?: boolean;
 }
 
 const props: EnvironmentProps = {
   account: process.env.CDK_DEFAULT_ACCOUNT!,
-  domainName: 'mtomooka.people.aws.dev',
+  domainName: 'FIXME.example.com',
+  useNatInstance: true,
 };
 
 const virginia = new UsEast1Stack(app, 'ServerlessWebappStarterKitUsEast1Stack', {

cdk/lib/main-stack.ts

@@ -4,7 +4,7 @@ import { Construct } from 'constructs';
 import { AsyncJob } from './constructs/async-job';
 import { Auth } from './constructs/auth';
 import { Database } from './constructs/database';
-import { Vpc } from 'aws-cdk-lib/aws-ec2';
+import { InstanceClass, InstanceSize, InstanceType, NatProvider, Vpc } from 'aws-cdk-lib/aws-ec2';
 import { HostedZone } from 'aws-cdk-lib/aws-route53';
 import { ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { Webapp } from './constructs/webapp';
@@ -15,12 +15,19 @@ interface MainStackProps extends StackProps {
   readonly sharedCertificate: ICertificate;
   readonly signPayloadHandler: EdgeFunction;
   readonly domainName: string;
+
+  /**
+   * @default true
+   */
+  readonly useNatInstance?: boolean;
 }
 
 export class MainStack extends Stack {
   constructor(scope: Construct, id: string, props: MainStackProps) {
     super(scope, id, { description: 'Serverless fullstack webapp stack (uksb-1tupboc47)', ...props });
 
+    const { useNatInstance = true } = props;
+
     const hostedZone = HostedZone.fromLookup(this, 'HostedZone', {
       domainName: props.domainName,
     });
@@ -35,7 +42,15 @@ export class MainStack extends Stack {
     });
 
     const vpc = new Vpc(this, `Vpc`, {
-      natGateways: 1,
+      ...(useNatInstance
+        ? {
+            natGatewayProvider: NatProvider.instanceV2({
+              instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO),
+              associatePublicIpAddress: true,
+            }),
+            natGateways: 1,
+          }
+        : {}),
     });
 
     const database = new Database(this, 'Database', { vpc });

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap

@@ -2200,11 +2200,40 @@ Object {
       },
       "Type": "AWS::EC2::InternetGateway",
     },
+    "VpcNatSecurityGroup8DA26EDC": Object {
+      "Properties": Object {
+        "GroupDescription": "Security Group for NAT instances",
+        "SecurityGroupEgress": Array [
+          Object {
+            "CidrIp": "0.0.0.0/0",
+            "Description": "Allow all outbound traffic by default",
+            "IpProtocol": "-1",
+          },
+        ],
+        "SecurityGroupIngress": Array [
+          Object {
+            "CidrIp": "0.0.0.0/0",
+            "Description": "from 0.0.0.0/0:ALL TRAFFIC",
+            "IpProtocol": "-1",
+          },
+        ],
+        "Tags": Array [
+          Object {
+            "Key": "Name",
+            "Value": "ServerlessWebappStarterKitStack/Vpc",
+          },
+        ],
+        "VpcId": Object {
+          "Ref": "Vpc8378EB38",
+        },
+      },
+      "Type": "AWS::EC2::SecurityGroup",
+    },
     "VpcPrivateSubnet1DefaultRouteBE02A9ED": Object {
       "Properties": Object {
         "DestinationCidrBlock": "0.0.0.0/0",
-        "NatGatewayId": Object {
-          "Ref": "VpcPublicSubnet1NATGateway4D7517AA",
+        "InstanceId": Object {
+          "Ref": "VpcPublicSubnet1NatInstance57B636B8",
         },
         "RouteTableId": Object {
           "Ref": "VpcPrivateSubnet1RouteTableB2C5B500",
@@ -2265,8 +2294,8 @@ Object {
     "VpcPrivateSubnet2DefaultRoute060D2087": Object {
       "Properties": Object {
         "DestinationCidrBlock": "0.0.0.0/0",
-        "NatGatewayId": Object {
-          "Ref": "VpcPublicSubnet1NATGateway4D7517AA",
+        "InstanceId": Object {
+          "Ref": "VpcPublicSubnet1NatInstance57B636B8",
         },
         "RouteTableId": Object {
           "Ref": "VpcPrivateSubnet2RouteTableA678073B",
@@ -2327,8 +2356,8 @@ Object {
     "VpcPrivateSubnet3DefaultRoute94B74F0D": Object {
       "Properties": Object {
         "DestinationCidrBlock": "0.0.0.0/0",
-        "NatGatewayId": Object {
-          "Ref": "VpcPublicSubnet1NATGateway4D7517AA",
+        "InstanceId": Object {
+          "Ref": "VpcPublicSubnet1NatInstance57B636B8",
         },
         "RouteTableId": Object {
           "Ref": "VpcPrivateSubnet3RouteTableD98824C7",
@@ -2401,41 +2430,91 @@ Object {
       },
       "Type": "AWS::EC2::Route",
     },
-    "VpcPublicSubnet1EIPD7E02669": Object {
+    "VpcPublicSubnet1NatInstance57B636B8": Object {
+      "DependsOn": Array [
+        "VpcPublicSubnet1DefaultRoute3DA9E72A",
+        "VpcPublicSubnet1NatInstanceInstanceRole9D835E32",
+        "VpcPublicSubnet1RouteTableAssociation97140677",
+      ],
       "Properties": Object {
-        "Domain": "vpc",
+        "AvailabilityZone": "dummy1a",
+        "IamInstanceProfile": Object {
+          "Ref": "VpcPublicSubnet1NatInstanceInstanceProfileEE10C485",
+        },
+        "ImageId": Object {
+          "Ref": "SsmParameterValueawsserviceamiamazonlinuxlatestal2023amikernel61arm64C96584B6F00A464EAD1953AFF4B05118Parameter",
+        },
+        "InstanceType": "t4g.nano",
+        "NetworkInterfaces": Array [
+          Object {
+            "AssociatePublicIpAddress": true,
+            "DeviceIndex": "0",
+            "GroupSet": Array [
+              Object {
+                "Fn::GetAtt": Array [
+                  "VpcNatSecurityGroup8DA26EDC",
+                  "GroupId",
+                ],
+              },
+            ],
+            "SubnetId": Object {
+              "Ref": "VpcPublicSubnet1Subnet5C2D37C4",
+            },
+          },
+        ],
+        "SourceDestCheck": false,
         "Tags": Array [
           Object {
             "Key": "Name",
-            "Value": "ServerlessWebappStarterKitStack/Vpc/PublicSubnet1",
+            "Value": "ServerlessWebappStarterKitStack/Vpc/PublicSubnet1/NatInstance",
           },
         ],
+        "UserData": Object {
+          "Fn::Base64": "#!/bin/bash
+yum install iptables-services -y
+systemctl enable iptables
+systemctl start iptables
+echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf
+sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE
+sudo /sbin/iptables -F FORWARD
+sudo service iptables save",
+        },
       },
-      "Type": "AWS::EC2::EIP",
+      "Type": "AWS::EC2::Instance",
     },
-    "VpcPublicSubnet1NATGateway4D7517AA": Object {
-      "DependsOn": Array [
-        "VpcPublicSubnet1DefaultRoute3DA9E72A",
-        "VpcPublicSubnet1RouteTableAssociation97140677",
-      ],
+    "VpcPublicSubnet1NatInstanceInstanceProfileEE10C485": Object {
       "Properties": Object {
-        "AllocationId": Object {
-          "Fn::GetAtt": Array [
-            "VpcPublicSubnet1EIPD7E02669",
-            "AllocationId",
+        "Roles": Array [
+          Object {
+            "Ref": "VpcPublicSubnet1NatInstanceInstanceRole9D835E32",
+          },
+        ],
+      },
+      "Type": "AWS::IAM::InstanceProfile",
+    },
+    "VpcPublicSubnet1NatInstanceInstanceRole9D835E32": Object {
+      "Properties": Object {
+        "AssumeRolePolicyDocument": Object {
+          "Statement": Array [
+            Object {
+              "Action": "sts:AssumeRole",
+              "Effect": "Allow",
+              "Principal": Object {
+                "Service": "ec2.amazonaws.com",
+              },
+            },
           ],
-        },
-        "SubnetId": Object {
-          "Ref": "VpcPublicSubnet1Subnet5C2D37C4",
+          "Version": "2012-10-17",
         },
         "Tags": Array [
           Object {
             "Key": "Name",
-            "Value": "ServerlessWebappStarterKitStack/Vpc/PublicSubnet1",
+            "Value": "ServerlessWebappStarterKitStack/Vpc/PublicSubnet1/NatInstance",
           },
         ],
       },
-      "Type": "AWS::EC2::NatGateway",
+      "Type": "AWS::IAM::Role",
     },
     "VpcPublicSubnet1RouteTable6C95E38E": Object {
       "Properties": Object {