Bastion Module

This repository contains Terraform configuration files that create an AWS EC2 instance using a hardened AMI, assigns it to a security group, and attaches it to a subnet. This is for secure access into a private subnet via a hardened device. It also creates an SSH key pair for the instance and an IAM instance profile with an optional role. Additionally, it creates an optional KMS key and security group for event queue.

Examples

To view examples for how you can leverage this Bastion, please see the examples directory.

Requirements

Name	Version
terraform	>= 1.0.0
aws	>= 4.9.0
cloudinit	>= 2.0.0
time	>= 0.9.1

Providers

Name	Version
aws	>= 4.9.0
cloudinit	>= 2.0.0

Modules

No modules.

Resources

Name	Type
aws_ebs_volume.bastion_secondary_ebs_volume	resource
aws_iam_instance_profile.bastion_ssm_profile	resource
aws_iam_policy.custom	resource
aws_iam_policy.terraform_policy	resource
aws_iam_role.bastion_ssm_role	resource
aws_iam_role_policy_attachment.bastion-ssm-aws-efs-policy-attach	resource
aws_iam_role_policy_attachment.bastion-ssm-aws-ssm-policy-attach	resource
aws_iam_role_policy_attachment.bastion-ssm-s3-cwl-policy-attach	resource
aws_iam_role_policy_attachment.custom	resource
aws_iam_role_policy_attachment.managed	resource
aws_iam_role_policy_attachment.terraform	resource
aws_instance.application	resource
aws_network_interface_attachment.attach	resource
aws_security_group.sg	resource
aws_volume_attachment.ebs_attachment	resource
aws_ami.from_filter	data source
aws_iam_policy.AmazonElasticFileSystemFullAccess	data source
aws_iam_policy.AmazonSSMManagedInstanceCore	data source
aws_iam_policy.CloudWatchLogsFullAccess	data source
aws_partition.current	data source
aws_region.current	data source
aws_subnet.subnet_by_name	data source
cloudinit_config.config	data source

Inputs

Name	Description	Type	Default	Required
additional_user_data_script	Additional user data script to run on instance boot	string	""	no
allowed_public_ips	List of public IPs or private IP (internal) of Software Defined Perimeter to allow SSH access from	list(string)	[]	no
ami_canonical_owner	Filter for AMI using this canonical owner ID	string	null	no
ami_id	ID of AMI to use for Bastion	string	""	no
ami_name_filter	Filter for AMI using this name. Accepts wildcards	string	""	no
ami_virtualization_type	Filter for AMI using this virtualization type	string	""	no
assign_public_ip	Determines if an instance gets a public IP assigned at launch time	bool	false	no
bastion_instance_tags	A map of tags to add to the bastion instance	map(string)	{}	no
bastion_secondary_ebs_volume_size	value of the secondary EBS volume size in GB	string	"70"	no
enable_bastion_terraform_permissions	Enable Terraform permissions for Bastion	bool	false	no
enable_log_to_cloudwatch	Enable Session Manager to Log to CloudWatch Logs	bool	false	no
enable_secondary_ebs_volume	Enable the creation of a secondary EBS volume	bool	false	no
eni_attachment_config	Optional list of enis to attach to instance	list(object({ network_interface_id = string device_index = string }))	null	no
instance_type	Instance type to use for Bastion	string	"m5.large"	no
max_ssh_sessions	Maximum number of ssh connections that are allowed	number	1	no
max_ssm_connections	Maximum number of simultaneous connections that SSM will allow	number	1	no
name	Name of Bastion	string	n/a	yes
permissions_boundary	(Optional) The ARN of the policy that is used to set the permissions boundary for the role.	string	null	no
policy_arns	List of IAM policy ARNs to attach to the instance profile	list(string)	[]	no
policy_content	JSON IAM Policy body. Use this to add a custom policy to your instance profile (Optional)	string	null	no
private_ip	The private IP address to assign to the bastion	string	null	no
region	AWS Region	string	n/a	yes
root_volume_config	n/a	object({ volume_type = any volume_size = any })	{ "volume_size": "20", "volume_type": "gp3" }	no
secrets_manager_secret_id	The ID of the Secrets Manager secret for the bastion to pull from for SSH access if SSM authentication is enabled, optional	string	""	no
security_group_ids	List of security groups to associate with instance	list(any)	[]	no
ssh_password	Password for SSH access if SSM authentication is enabled, optional	string	""	no
ssh_user	Username to use when accessing the instance using SSH	string	"ec2-user"	no
ssm_enabled	Enable SSM agent	bool	true	no
subnet_id	IDs of subnets to deploy the instance in	string	""	no
subnet_name	Names of subnets to deploy the instance in	string	""	no
tags	A map of tags to add to all resources	map(string)	{}	no
tenancy	The tenancy of the instance (if the instance is running in a VPC). Valid values are 'default' or 'dedicated'.	string	"default"	no
terminate_oldest_ssm_connection_first	Determines how the SSM connections will be terminated. If true then oldest connection will terminate first. Defaults to false	bool	false	no
uds_cli_version	The version of UDS CLI to use	string	"v0.11.0"	no
user_data_override	Override the default module user data with your own. This will disable the default user data and use your own.	string	null	no
vpc_id	VPC id	string	n/a	yes
zarf_version	The version of Zarf to use	string	""	no

Outputs

Name	Description
bastion_role_arn	Bastion Role ARN
bastion_role_name	Bastion Role Name
instance_id	Instance Id
primary_network_interface_id	Primary Network Interface Id
private_dns	Private DNS
private_ip	Private IP
public_ip	Public IP
region	Region the bastion was deployed to
security_group_ids	Security Group Ids