Terraform module to create a Bastion
It's 100% Open Source and licensed under the APACHE2.
For bastions, store the SSH key in SSM, with the bastion behind an auto-scaling group. This bastion now supports dynamic SSH keys via EC2 Instance Connect: https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/
This means that SSH access is controlled by IAM. Once you have provisioned the module and added your users to the ssh users group:
```shell
# generate a key pair for this session
ssh-keygen -t rsa -f mynew_key
# push the public key to the bastion via EC2 Instance Connect (authorised by IAM)
aws ec2-instance-connect send-ssh-public-key --region eu-west-1 --instance-id i-0e2f05807e67f0179 --availability-zone eu-west-1a --instance-os-user ec2-user --ssh-public-key file://mynew_key.pub
# log in with the matching private key
ssh -i mynew_key ec2-user@ec2-63-32-54-94.eu-west-1.compute.amazonaws.com
```
And you're in!
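Since the IAM policy on the ssh group is what gates `SendSSHPublicKey`, it is worth scoping it tightly. The following is an added example of such a scoped group policy, not the module's own `aws_iam_group_policy.ssh_policy`; it assumes the module inputs `var.region`, `var.account_id` and `var.ssh_name`, and that the bastion AMI's login user is `ec2-user` as in the commands above.

```hcl
# Added example, not part of the module: least-privilege policy for the ssh group.
data "aws_iam_policy_document" "ssh_scoped" {
  # Pushing a key is only allowed for instances in this account and region,
  # and only for the unprivileged OS user. AWS keeps the pushed key for 60 seconds.
  statement {
    sid       = "PushEphemeralKey"
    effect    = "Allow"
    actions   = ["ec2-instance-connect:SendSSHPublicKey"]
    resources = ["arn:aws:ec2:${var.region}:${var.account_id}:instance/*"]

    condition {
      test     = "StringEquals"
      variable = "ec2:osuser"
      values   = ["ec2-user"]
    }
  }

  # Needed so a user can look up the instance id and availability zone
  # that the send-ssh-public-key call requires (no resource-level scoping).
  statement {
    sid       = "LookupBastion"
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"]
  }
}

resource "aws_iam_group_policy" "ssh_scoped" {
  name   = "${var.ssh_name}-instance-connect-scoped"
  group  = var.ssh_name # assumes the group carries the module's ssh_name
  policy = data.aws_iam_policy_document.ssh_scoped.json
}
```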
Include this repository as a module in your existing Terraform code (the `data.http.myip`, `data.aws_vpcs.vpc` and `data.aws_subnet_ids.subnets` data sources are defined elsewhere in your root module):
```hcl
module "auto-bastion" {
  source  = "JamesWoolfenden/auto-bastion/aws"
  version = "0.2.0"

  # only the caller's current public IP may reach the bastion
  allowed_ips       = ["${chomp(data.http.myip.body)}/32"]
  common_tags       = var.common_tags
  vpc_id            = element(data.aws_vpcs.vpc.ids, 0)
  instance_type     = var.instance_type
  ssm_standard_role = var.ssm_standard_role
  # subnet_ids is typed list(any), so wrap the chosen subnet in a list
  subnet_ids        = [element(data.aws_subnet_ids.subnets.ids, 0)]
  name              = var.name
}
```
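The module call above refers to three data sources it does not define. As an added example (not part of the module), here is one way to declare them; the IP lookup URL and the `var.vpc_name` tag filter are assumptions.

```hcl
# Added example: data sources assumed by the module call above.

# Caller's public IPv4 address, used to build the /32 in allowed_ips.
# The lookup URL is an assumption; any plain-text "what is my IP" endpoint works.
data "http" "myip" {
  url = "https://ipv4.icanhazip.com"
}

# Target VPC, selected by its Name tag (var.vpc_name is a hypothetical variable).
data "aws_vpcs" "vpc" {
  tags = {
    Name = var.vpc_name
  }
}

# All subnets of that VPC; ids is a set, which element() accepts.
data "aws_subnet_ids" "subnets" {
  vpc_id = element(data.aws_vpcs.vpc.ids, 0)
}
```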
Requirements
No requirements.

Providers
Name | Version |
---|---|
aws | n/a |

Modules
No modules.

Resources
Name | Type |
---|---|
aws_autoscaling_group.bastion | resource |
aws_iam_group.ssh | resource |
aws_iam_group_membership.ssh | resource |
aws_iam_group_policy.ssh_policy | resource |
aws_iam_instance_profile.bastion | resource |
aws_iam_role.ssm_role | resource |
aws_iam_role_policy_attachment.ssm_standard | resource |
aws_launch_configuration.bastion | resource |
aws_security_group.instance_ssh_access | resource |
aws_ami.amazon | data source |
aws_iam_policy_document.assume | data source |

Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
account_id | The AWS account of the instances to connect to (optional) | string | n/a | yes |
allowed_ips | Allow this list of IPs through the firewall | list(any) | n/a | yes |
asg | All the settings of an Auto Scaling Group | map | { | no |
common_tags | Implements the common tags scheme | map(any) | n/a | yes |
enablesshgroup | Switch to enable the ssh group | number | 1 | no |
instance_type | The EC2 instance type | string | "t2.micro" | no |
name | Name of the EC2 instance | string | n/a | yes |
region | The AWS region | string | "eu-west-1" | no |
ssh_name | The name of the SSH group objects | string | "ssh" | no |
ssm_standard_role | The IAM role to add to the instance profile; the default enables SSM | string | "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM" | no |
subnet_ids | A list of subnet IDs | list(any) | n/a | yes |
users | List of users to add to the ssh users group (optional) | list(any) | [ | no |
vpc_id | The ID of the VPC being used | string | n/a | yes |

Outputs
Name | Description |
---|---|
bastion | n/a |
The Terraform resource required is:
```hcl
resource "aws_iam_policy" "terraform_pike" {
  name_prefix = "terraform_pike"
  path        = "/"
  description = "Pike Autogenerated policy from IAC"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "VisualEditor0",
        "Effect" : "Allow",
        "Action" : [
          "autoscaling:CreateAutoScalingGroup",
          "autoscaling:CreateLaunchConfiguration",
          "autoscaling:DeleteAutoScalingGroup",
          "autoscaling:DeleteLaunchConfiguration",
          "autoscaling:DescribeAutoScalingGroups",
          "autoscaling:DescribeLaunchConfigurations",
          "autoscaling:DescribeScalingActivities",
          "autoscaling:UpdateAutoScalingGroup"
        ],
        "Resource" : "*"
      },
      {
        "Sid" : "VisualEditor1",
        "Effect" : "Allow",
        "Action" : [
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:CreateSecurityGroup",
          "ec2:CreateTags",
          "ec2:DeleteSecurityGroup",
          "ec2:DeleteTags",
          "ec2:DescribeAccountAttributes",
          "ec2:DescribeImages",
          "ec2:DescribeNetworkInterfaces",
          "ec2:DescribeSecurityGroups",
          "ec2:RevokeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress"
        ],
        "Resource" : "*"
      },
      {
        "Sid" : "VisualEditor2",
        "Effect" : "Allow",
        "Action" : [
          "iam:AddRoleToInstanceProfile",
          "iam:AddUserToGroup",
          "iam:AttachRolePolicy",
          "iam:CreateGroup",
          "iam:CreateInstanceProfile",
          "iam:CreateRole",
          "iam:DeleteGroup",
          "iam:DeleteGroupPolicy",
          "iam:DeleteInstanceProfile",
          "iam:DeleteRole",
          "iam:DetachRolePolicy",
          "iam:GetGroup",
          "iam:GetGroupPolicy",
          "iam:GetInstanceProfile",
          "iam:GetRole",
          "iam:ListAttachedRolePolicies",
          "iam:ListInstanceProfilesForRole",
          "iam:ListRolePolicies",
          "iam:PassRole",
          "iam:PutGroupPolicy",
          "iam:RemoveRoleFromInstanceProfile",
          "iam:RemoveUserFromGroup"
        ],
        "Resource" : "*"
      }
    ]
  })
}
```
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
Copyright © 2019-2022 James Woolfenden
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.