This repository was archived by the owner on Jul 20, 2024. It is now read-only.

feat: add variable for egress protocol #69

Open
wants to merge 1 commit into
base: master

Conversation


@seagyn seagyn commented Nov 2, 2023

Adds the ability to set the protocol for egress out of the NAT instance. The main driver for this is something like Tailscale which requires the ability to open an outbound UDP connection to get direct connectivity to other nodes.

It might be worth changing this to only have options for "tcp" or "all". Can't imagine a "udp" only NAT but maybe someone will want that.

@hostmaster

It would be a very useful feature because tcp seems very restrictive. I believe all would be preferred in the vast majority of use cases. I run into the same issue; we need UDP and ICMP.

There is a duplicate PR about the same problem, #56. It's not merged yet.

@seagyn (Author) commented Nov 9, 2023

@hostmaster after doing this PR, we realised there is an output for the SG id which you can use to create a security group rule to open the SG up further.

@hostmaster

@seagyn thank you for sharing. I would prefer an egress rule properly configured in the first place.

@seagyn (Author) commented Nov 9, 2023

@hostmaster us too but at least this can unblock it (also only a single extra resource in TF).

@morganrowse

For reference, add this below the module call:

```hcl
resource "aws_security_group_rule" "udp_out" {
  security_group_id = module.nat.sg_id   # SG id exported by the NAT module
  from_port         = 0                  # AWS requires 0/0 ports when protocol is "-1"
  to_port           = 0
  protocol          = "-1"               # "-1" = all protocols (TCP, UDP, ICMP, ...)
  type              = "egress"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}
```
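The following is an added example of what the PR's idea looks like when expressed as a validated variable rather than an unconditional "all" rule; it is not the PR's own code. The variable name `egress_protocol` and the `nat_egress` resource name are assumptions, while `module.nat.sg_id` is the output mentioned above.

```hcl
# Hypothetical variable name; the PR's actual variable is not shown on this page.
variable "egress_protocol" {
  description = "Protocol allowed for egress from the NAT instance: tcp, udp or all"
  type        = string
  default     = "tcp"   # keep the restrictive default; opt in to udp/all explicitly

  validation {
    condition     = contains(["tcp", "udp", "all"], var.egress_protocol)
    error_message = "egress_protocol must be one of: tcp, udp, all."
  }
}

locals {
  # AWS spells "all protocols" as "-1" and then requires from_port/to_port = 0.
  # For tcp/udp, 0-65535 covers every port so the rule differs only by protocol.
  egress_protocol = var.egress_protocol == "all" ? "-1" : var.egress_protocol
  egress_to_port  = var.egress_protocol == "all" ? 0 : 65535
}

# Extra egress rule attached to the module's exported security group.
resource "aws_security_group_rule" "nat_egress" {
  security_group_id = module.nat.sg_id
  type              = "egress"
  protocol          = local.egress_protocol
  from_port         = 0
  to_port           = local.egress_to_port
  # 0.0.0.0/0 matches the thread's workaround; narrow these lists where the
  # destination set (e.g. a known peer range) is actually known.
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
}
```

With `egress_protocol = "udp"` only UDP is added, so the existing tcp rule stays as the module configured it and ICMP remains blocked unless "all" is chosen.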
