Allow instances to be provisioned with source/dest checks disabled

lib/chef/knife/ec2_base.rb

@@ -158,6 +158,7 @@ def server_hashes(server_obj)
         server_data["security_group_ids"] = server_obj.instances[0].security_groups.map(&:group_id)
         server_data["state"] = server_obj.instances[0].state.name
         server_data["subnet_id"] = server_obj.instances[0].network_interfaces[0].subnet_id
+        server_data["source_dest_check"] = server_obj.instances[0].network_interfaces[0].source_dest_check
         server_data["tags"] = tags
         server_data["tenancy"] = server_obj.instances[0].placement.tenancy
         server_data["volume_id"] = server_obj.instances[0].block_device_mappings[0]&.ebs&.volume_id

lib/chef/knife/ec2_server_create.rb

@@ -242,6 +242,12 @@ class Ec2ServerCreate < Chef::Knife::Bootstrap
         boolean: true,
         default: false
 
+      option :disable_source_dest_check,
+        long: "--disable-source-dest-check",
+        description: "Disables the source destination check if this option is passed. This value must be passed for a NAT instance to perform NAT.",
+        boolean: true,
+        default: false
+
       option :volume_tags,
         long: "--volume-tags Tag=Value[,Tag=Value...]",
         description: "Tag the Root volume",
@@ -326,7 +332,6 @@ def plugin_create_instance!
             exit
           end
         end
-
         msg_pair("Instance ID", server.id)
         msg_pair("Flavor", server.instance_type)
         msg_pair("Image", server.image_id)
@@ -347,6 +352,8 @@ def plugin_create_instance!
         # occasionally 'ready?' isn't, so retry a couple times if needed.
         tries = 6
         begin
+          disable_source_dest_check if vpc_mode? && config_value(:disable_source_dest_check)
+
           create_tags(hashed_tags) unless hashed_tags.empty?
           create_volume_tags(hashed_volume_tags) unless hashed_volume_tags.empty?
           associate_address(elastic_ip) if config[:associate_eip]
@@ -1235,6 +1242,18 @@ def enable_classic_link(vpc_id, security_group_ids)
         })
       end
 
+      # disable_source_dest_check option is used to set value of source_dest_check attribute in ec2.
+      # By default the source destination check is enabled in ec2.
+      # This value must be disable for a NAT instance to perform NAT.
+      def disable_source_dest_check
+        ec2_connection.modify_instance_attribute({
+          source_dest_check: {
+            value: false,
+          },
+          instance_id: server.id,
+        })
+      end
+
       def tcp_test_winrm(ip_addr, port)
         tcp_socket = TCPSocket.new(ip_addr, port)
         yield

spec/unit/ec2_server_create_spec.rb

@@ -2515,6 +2515,32 @@
     end
   end
 
+  describe "disable_source_dest_check option" do
+    before do
+      expect(knife_ec2_create).to receive(:plugin_validate_options!)
+      allow(knife_ec2_create).to receive(:ami).and_return(ami)
+      allow(knife_ec2_create).to receive(:server_attributes).and_return(server_attributes)
+      expect(ec2_connection).to receive(:run_instances).with(server_attributes).and_return(server_instances)
+      knife_ec2_create.config[:yes] = true
+      allow(knife_ec2_create).to receive(:instances_wait_until_ready).with("i-00fe186450a2e8e97").and_return(true)
+      allow(ec2_connection).to receive(:describe_instances).with(instance_ids: ["i-00fe186450a2e8e97"] ).and_return(ec2_servers)
+      allow(knife_ec2_create).to receive(:server).and_return(ec2_server_attribs)
+    end
+
+    context "when subnet_id and disable_source_dest_check are passed on CLI" do
+      let(:network_interfaces) { OpenStruct.new(subnet_id: "subnet-9d4a7b6", source_dest_check: false) }
+
+      it "modify instance attribute source_dest_check as false" do
+        allow(knife_ec2_create).to receive_messages(vpc_mode?: true)
+        knife_ec2_create.config[:disable_source_dest_check] = true
+        expect(ec2_connection).to receive(:modify_instance_attribute)
+        server_def = knife_ec2_create.fetch_ec2_instance("i-00fe186450a2e8e97")
+        expect(server_def.source_dest_check).to eq(false)
+        knife_ec2_create.run
+      end
+    end
+  end
+
   describe "--security-group-id option" do
     before do
       allow(ec2_server_create).to receive(:validate_aws_config!)
@@ -2665,4 +2691,11 @@
       expect(server_def[:network_interfaces][0][:device_index]).to eq(0)
     end
   end
+
+  describe "disable_source_dest_check option is passed on CLI" do
+    let(:ec2_server_create) { Chef::Knife::Ec2ServerCreate.new(["--disable-source-dest-check"]) }
+    it "when a disable_source_dest_check is present" do
+      expect(ec2_server_create.config[:disable_source_dest_check]).to eq(true)
+    end
+  end
 end