This module was generated from terraform-google-module-template.

This module will generate a bastion host vm compatible with os login and IAP tunneling that can be used to access internal VMs.

The resources/services/activations/deletions that this module will create/trigger are:

• Creates a dedicated service account for the bastion host VM
• Creates a GCE instance of n1-standard to be the bastion
• Firewall to allow TCP:22 ssh access from the IAP to the bastion
• Firewall to allow TCP:22 ssh acccess from the bastion to other instances on the network
• IAM binding to allow members to utilize the IAP Tunnel
• IAM binding granting os login to members through the bastion host
• IAM binding granting the usage of the dedicated bastion host service account
• Creates a custom role that has limited privileges to enable OS Login on an instance level
• IAM binding to the custom role

Basic usage of this module is as follows:

module "iap_bastion" {
  source = "terraform-google-modules/terraform-google-iap-bastion/"
  project_id  = "<PROJECT ID>"
  subnet = "<VPC_SUBNET>"
  network = "<VPC_NETWORK>"
  zone = "<ZONE>"
  members = "<MEMBERS>"
}

Functional example is included in the examples directory.

These sections describe requirements for using this module.

The following dependencies must be available:

• Terraform v0.11
• Terraform Provider for GCP plugin v2.0

A project with the following APIs enabled must be used to host the resources of this module:

• Google Cloud Storage JSON API: storage-api.googleapis.com
• Compute Engine API: compute.googleapis.com
• Cloud Identity-Aware Proxy API: iap.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Refer to the contribution guidelines for information on contributing to this module.