SSH bastion
This module creates a flexible and highly available SSH bastion with a fixed public IP address. This includes adding users, group, SSH keys and sudo config to give you a simple but complete SSH gateway into your AWS infrastructure without the need for a configuration management system. This module creates an autoscaling group, security groups, IAM policy, elastic IP and user-data to automatically assign the elastic IP and setup users and keys.
module "bastion1" {
source = "git@github.com:deliveryhero/tf-ssh-bastion.git?ref=0.2"
name = "staging"
vpc_id = "vpc123456"
instance_key_name = "my-ec2-key"
public_subnet_ids = ["${module.vpc1.public_subnets}"]
allowed_ssh_cidr_blocks = [
"203.1.2.3/32",
]
users = [
{
username = "max"
group = "ubuntu"
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDez8.."
},
{
username = "phil"
group = "sudo"
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDez8.."
}
]
}See example for a complete example with VPC.
Documentation generation
Documentation should be modified within main.tf and generated using terraform-docs:
terraform-docs --with-aggregate-type-defaults md ./ > README.mdLicense
MIT Licensed. See LICENSE for full details.
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allowed_ssh_cidr_blocks | CIDR blocks to allow SSH from. Should be set to your trusted IP or IP ranges | list | [ "0.0.0.0/0" ] |
no |
| extra_iam_policy_arns | List of extra IAM policy ARNs to attach to the bastion role | list | [] |
no |
| extra_sg_ids | List of extra security group IDs for the bastion instance | list | [] |
no |
| extra_user_data | Any extra user-data. Will be appended to existing | string | "" |
no |
| instance_ami_id | AMI ID for bastion instance. If not specified, see instance_ami_default | string | "" |
no |
| instance_ami_name_filter | The name filter to use for getting an AMI ID for the region | string | "ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*" |
no |
| instance_ami_owner_id_filter | The owner IDs to use for getting an AMI ID for the region. The default is the Ubuntu account ID. | list | [ "099720109477" ] |
no |
| instance_hostname | Hostname for bastion instance. If not specified, local.resource_name will be used | string | "" |
no |
| instance_key_name | Name of the SSH key in EC2 to use for instance | string | "" |
no |
| instance_type | EC2 instance type | string | "t2.micro" |
no |
| instance_volume_size | Instance EBS volume size | string | "32" |
no |
| name | A unique name to identify this bastion and related resources | string | n/a | yes |
| public_subnet_ids | List of public subnets | list | n/a | yes |
| resource_name_suffix | A suffix to append to names of resources | string | "-bastion" |
no |
| route53_record_name | Name of the route53 record. Only used if route53_zone_id is passed. If not set then name variable is used |
string | "" |
no |
| route53_record_ttl | TTL of route53 record. Only used if route53_zone_id is passed also | string | "60" |
no |
| route53_zone_id | If specified a route53 record will be created | string | "" |
no |
| tags | A map of tags to add to all resources. | map | {} |
no |
| users | A list of maps of extra users containing usernames, keys and groups. See README for example | list | [] |
no |
| vpc_id | The ID of the VPC where this bastion will exist | string | n/a | yes |
Outputs
| Name | Description |
|---|---|
| allow_ssh_from_bastion_sg_id | Put instances into this security group to allow SSH from the bastion |
| autoscaling_group_name | Name of the autoscaling group |
| aws_iam_role_id | Name of the bastion inance role |
| eip | The elastic IP that is assigned to the bastion instance |
| role_arn | ARN of the bastion instance role |
| sg_id | The security group of the bastion instance |
| user_data_full | The complete user-data from the bastion instance |
| user_data_users | The useradd and SSH key setup part of the user-data from the bastion instance |