fix: support Amazon Linux 2023 for NAT instance

CDK's NatInstanceProviderV2 uses the `route` command in its default
user data, which requires the net-tools package. However, Amazon Linux
2023 (the default AMI for NatInstanceProviderV2) doesn't have net-tools
pre-installed, causing NAT instances to fail silently.

This change provides custom user data that uses `ip route` instead of
`route` to determine the default network interface, ensuring NAT
functionality works correctly on AL2023.

Reference: https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-ec2/lib/nat.ts

Author: konokenj

cdk/lib/main-stack.ts

@@ -4,7 +4,7 @@ import { Construct } from 'constructs';
 import { AsyncJob } from './constructs/async-job';
 import { Auth } from './constructs/auth/';
 import { Database } from './constructs/database';
-import { InstanceClass, InstanceSize, InstanceType, NatProvider, Vpc } from 'aws-cdk-lib/aws-ec2';
+import { InstanceClass, InstanceSize, InstanceType, NatProvider, UserData, Vpc } from 'aws-cdk-lib/aws-ec2';
 import { HostedZone } from 'aws-cdk-lib/aws-route53';
 import { ICertificate } from 'aws-cdk-lib/aws-certificatemanager';
 import { Webapp } from './constructs/webapp';
@@ -56,12 +56,29 @@ export class MainStack extends Stack {
       autoDeleteObjects: true,
     });
 
+    // Custom user data for NAT instance to support Amazon Linux 2023.
+    // CDK's default user data uses `route` command which requires net-tools package,
+    // but AL2023 doesn't have net-tools pre-installed. We use `ip route` instead.
+    const natUserData = UserData.forLinux();
+    natUserData.addCommands(
+      'yum install iptables-services -y',
+      'systemctl enable iptables',
+      'systemctl start iptables',
+      'echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf',
+      'sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf',
+      "IFACE=$(ip route show default | awk '{print $5}')",
+      '/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE',
+      '/sbin/iptables -F FORWARD',
+      'service iptables save',
+    );
+
     const vpc = new Vpc(this, `Vpc`, {
       ...(useNatInstance
         ? {
             natGatewayProvider: NatProvider.instanceV2({
               instanceType: InstanceType.of(InstanceClass.T4G, InstanceSize.NANO),
               associatePublicIpAddress: true,
+              userData: natUserData,
             }),
             natGateways: 1,
           }

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap

@@ -2716,10 +2716,11 @@ yum install iptables-services -y
 systemctl enable iptables
 systemctl start iptables
 echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf
-sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
-sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE
-sudo /sbin/iptables -F FORWARD
-sudo service iptables save",
+sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+IFACE=$(ip route show default | awk '{print $5}')
+/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
+/sbin/iptables -F FORWARD
+service iptables save",
         },
       },
       "Type": "AWS::EC2::Instance",

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap

@@ -2548,10 +2548,11 @@ yum install iptables-services -y
 systemctl enable iptables
 systemctl start iptables
 echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/custom-ip-forwarding.conf
-sudo sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
-sudo /sbin/iptables -t nat -A POSTROUTING -o $(route | awk '/^default/{print $NF}') -j MASQUERADE
-sudo /sbin/iptables -F FORWARD
-sudo service iptables save",
+sysctl -p /etc/sysctl.d/custom-ip-forwarding.conf
+IFACE=$(ip route show default | awk '{print $5}')
+/sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
+/sbin/iptables -F FORWARD
+service iptables save",
         },
       },
       "Type": "AWS::EC2::Instance",