Don't route S3 traffic to a nat-gateway

runtime/opt/taupage/init.d/00-create-custom-routing.py

@@ -31,15 +31,21 @@ def main():
     if not nat_gateways or not isinstance(nat_gateways, dict):  # nat gateways must be non empty dictionary
         sys.exit(0)
 
-    METADATA_URL = 'http://169.254.169.254/latest/meta-data/network/interfaces/macs/'
+    METADATA_URL = 'http://169.254.169.254/latest/meta-data/'
     try:
-        r = requests.get(METADATA_URL)
-        mac = r.text.split()[0]
-        r = requests.get(METADATA_URL + mac + 'subnet-id')
+        r = requests.get(METADATA_URL + 'placement/availability-zone')
+        region = r.text.strip()[:-1]
+        logging.info('Region=%s', region)
+
+        r = requests.get(METADATA_URL + 'mac')
+        mac = r.text.strip()
+
+        r = requests.get(METADATA_URL + 'network/interfaces/macs/' + mac + '/subnet-id')
         subnet = r.text
         if subnet not in nat_gateways:
             logging.warning('Can not find subnet %s in the nat_gateways mapping', subnet)
             sys.exit(0)
+
         logging.info('Will use %s nat gateway for outgoing https traffic', nat_gateways[subnet])
     except Exception:
         logging.exception('Failed to read metadata')
@@ -62,6 +68,18 @@ def main():
 
     subprocess_call(['ip', 'route', 'add', 'default', 'via', nat_gateways[subnet], 'table', 'https'])
 
+    # S3 is exceptional, it has it's own endpoint in VPC
+    try:
+        r = requests.get('https://ip-ranges.amazonaws.com/ip-ranges.json')
+        ranges = [e['ip_prefix'] for e in r.json()['prefixes']
+                  if e['service'] == 'S3' and e['region'] == region and 'ip_prefix' in e]
+    except Exception:
+        logging.exception('Failed to load ip-ranges.json')
+
+    # Don't mark outgoing traffic to S3
+    for r in ranges:
+        subprocess_call(['iptables', '-t', 'mangle', '-I', 'OUTPUT', '-d', r, '-j', 'ACCEPT'])
+
 
 if __name__ == '__main__':
     main()