anomalyco · mkilp · Dec 8, 2025
diff --git a/platform/src/components/aws/vpc.ts b/platform/src/components/aws/vpc.ts
@@ -152,6 +152,26 @@ export interface VpcArgs {
            * ```
            */
           ami?: Input<string>;
+          /**
+           * The ARN of an existing IAM role to use for the NAT instance.
+           *
+           * By default, a new IAM role with SSM managed instance core permissions is created.
+           * Use this to provide a custom role with additional permissions or to comply with
+           * organizational policies.
+           *
+           * @default A new IAM role is created
+           * @example
+           * ```ts
+           * {
+           *   nat: {
+           *     ec2: {
+           *       role: "arn:aws:iam::123456789012:role/my-nat-instance-role"
+           *     }
+           *   }
+           * }
+           * ```
+           */
+          role?: Input<string>;
         }>;
       }
   >;
@@ -725,7 +745,7 @@ export class Vpc extends Component implements Link.Linkable {
         if (nat === "ec2") {
           return {
             type: "ec2" as const,
-            ec2: { instance: "t4g.nano", ami: undefined },
+            ec2: { instance: "t4g.nano", ami: undefined, role: undefined },
           };
         }
         if (nat) {
@@ -938,28 +958,35 @@ export class Vpc extends Component implements Link.Linkable {
           ),
         );
 
-        const role = new iam.Role(
-          `${name}NatInstanceRole`,
-          {
-            assumeRolePolicy: iam.getPolicyDocumentOutput({
-              statements: [
-                {
-                  actions: ["sts:AssumeRole"],
-                  principals: [
+        const role = nat.ec2.role
+          ? iam.Role.get(
+              `${name}NatInstanceRole`,
+              nat.ec2.role,
+              {},
+              { parent: self },
+            )
+          : new iam.Role(
+              `${name}NatInstanceRole`,
+              {
+                assumeRolePolicy: iam.getPolicyDocumentOutput({
+                  statements: [
                     {
-                      type: "Service",
-                      identifiers: ["ec2.amazonaws.com"],
+                      actions: ["sts:AssumeRole"],
+                      principals: [
+                        {
+                          type: "Service",
+                          identifiers: ["ec2.amazonaws.com"],
+                        },
+                      ],
                     },
                   ],
-                },
-              ],
-            }).json,
-            managedPolicyArns: [
-              interpolate`arn:${partition}:iam::aws:policy/AmazonSSMManagedInstanceCore`,
-            ],
-          },
-          { parent: self },
-        );
+                }).json,
+                managedPolicyArns: [
+                  interpolate`arn:${partition}:iam::aws:policy/AmazonSSMManagedInstanceCore`,
+                ],
+              },
+              { parent: self },
+            );
 
         const instanceProfile = new iam.InstanceProfile(
           `${name}NatInstanceProfile`,