# Bastion Module

This repository contains Terraform configuration files that create an AWS EC2 instance from a hardened AMI, assign it to a security group, and attach it to a subnet. The goal is secure access into a private subnet via a hardened device. The module also creates an SSH key pair for the instance and an IAM instance profile with an optional role. Additionally, it creates an optional KMS key and a security group for the event queue.

## Examples

To view examples of how you can use this Bastion module, see the examples directory.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| aws | >= 4.9.0 |
| cloudinit | >= 2.0.0 |
| time | >= 0.9.1 |

## Providers

| Name | Version |
|------|---------|
| aws | >= 4.9.0 |
| cloudinit | >= 2.0.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| aws_ebs_volume.bastion_secondary_ebs_volume | resource |
| aws_iam_instance_profile.bastion_ssm_profile | resource |
| aws_iam_policy.custom | resource |
| aws_iam_policy.terraform_policy | resource |
| aws_iam_role.bastion_ssm_role | resource |
| aws_iam_role_policy_attachment.bastion-ssm-aws-efs-policy-attach | resource |
| aws_iam_role_policy_attachment.bastion-ssm-aws-ssm-policy-attach | resource |
| aws_iam_role_policy_attachment.bastion-ssm-s3-cwl-policy-attach | resource |
| aws_iam_role_policy_attachment.custom | resource |
| aws_iam_role_policy_attachment.managed | resource |
| aws_iam_role_policy_attachment.terraform | resource |
| aws_instance.application | resource |
| aws_network_interface_attachment.attach | resource |
| aws_security_group.sg | resource |
| aws_volume_attachment.ebs_attachment | resource |
| aws_ami.from_filter | data source |
| aws_iam_policy.AmazonElasticFileSystemFullAccess | data source |
| aws_iam_policy.AmazonSSMManagedInstanceCore | data source |
| aws_iam_policy.CloudWatchLogsFullAccess | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_subnet.subnet_by_name | data source |
| cloudinit_config.config | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_user_data_script | Additional user data script to run on instance boot | `string` | `""` | no |
| allowed_public_ips | List of public IPs, or private (internal) IPs of the Software Defined Perimeter, to allow SSH access from | `list(string)` | `[]` | no |
| ami_canonical_owner | Filter for AMI using this canonical owner ID | `string` | `null` | no |
| ami_id | ID of AMI to use for Bastion | `string` | `""` | no |
| ami_name_filter | Filter for AMI using this name. Accepts wildcards | `string` | `""` | no |
| ami_virtualization_type | Filter for AMI using this virtualization type | `string` | `""` | no |
| assign_public_ip | Determines if an instance gets a public IP assigned at launch time | `bool` | `false` | no |
| bastion_instance_tags | A map of tags to add to the bastion instance | `map(string)` | `{}` | no |
| bastion_secondary_ebs_volume_size | Size of the secondary EBS volume in GB | `string` | `"70"` | no |
| enable_bastion_terraform_permissions | Enable Terraform permissions for Bastion | `bool` | `false` | no |
| enable_log_to_cloudwatch | Enable Session Manager to log to CloudWatch Logs | `bool` | `false` | no |
| enable_secondary_ebs_volume | Enable the creation of a secondary EBS volume | `bool` | `false` | no |
| eni_attachment_config | Optional list of ENIs to attach to the instance | <pre>list(object({<br>  network_interface_id = string<br>  device_index         = string<br>}))</pre> | `null` | no |
| instance_type | Instance type to use for Bastion | `string` | `"m5.large"` | no |
| max_ssh_sessions | Maximum number of SSH connections that are allowed | `number` | `1` | no |
| max_ssm_connections | Maximum number of simultaneous connections that SSM will allow | `number` | `1` | no |
| name | Name of Bastion | `string` | n/a | yes |
| permissions_boundary | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
| policy_arns | List of IAM policy ARNs to attach to the instance profile | `list(string)` | `[]` | no |
| policy_content | (Optional) JSON IAM policy body. Use this to add a custom policy to your instance profile | `string` | `null` | no |
| private_ip | The private IP address to assign to the bastion | `string` | `null` | no |
| region | AWS Region | `string` | n/a | yes |
| root_volume_config | n/a | <pre>object({<br>  volume_type = any<br>  volume_size = any<br>})</pre> | <pre>{<br>  "volume_size": "20",<br>  "volume_type": "gp3"<br>}</pre> | no |
| secrets_manager_secret_id | (Optional) The ID of the Secrets Manager secret the bastion pulls from for SSH access if SSM authentication is enabled | `string` | `""` | no |
| security_group_ids | List of security groups to associate with the instance | `list(any)` | `[]` | no |
| ssh_password | (Optional) Password for SSH access if SSM authentication is enabled | `string` | `""` | no |
| ssh_user | Username to use when accessing the instance using SSH | `string` | `"ec2-user"` | no |
| ssm_enabled | Enable SSM agent | `bool` | `true` | no |
| subnet_id | ID of the subnet to deploy the instance in | `string` | `""` | no |
| subnet_name | Name of the subnet to deploy the instance in | `string` | `""` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| tenancy | The tenancy of the instance (if the instance is running in a VPC). Valid values are 'default' or 'dedicated'. | `string` | `"default"` | no |
| terminate_oldest_ssm_connection_first | Determines how the SSM connections will be terminated. If true, the oldest connection is terminated first. Defaults to false | `bool` | `false` | no |
| uds_cli_version | The version of UDS CLI to use | `string` | `"v0.11.0"` | no |
| user_data_override | Override the default module user data with your own. This disables the default user data and uses yours instead. | `string` | `null` | no |
| vpc_id | VPC ID | `string` | n/a | yes |
| zarf_version | The version of Zarf to use | `string` | `""` | no |
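As an added example (not taken from the module's own examples directory), the following module call uses the inputs above to keep the bastion private: no public IP, an empty SSH allow-list so Session Manager is the only path in, session logging to CloudWatch, a single-connection limit, and a permissions boundary on the instance role. The `source` path, the VPC and subnet IDs, the account ID and the boundary policy ARN are placeholders that must be replaced.

```hcl
# Added example module call; not the module's own example code.
# Placeholder values (source path, VPC/subnet IDs, boundary ARN) must be replaced.
module "bastion" {
  source = "../.."                        # assumed relative path to this module

  name      = "example-bastion"
  region    = "us-east-1"
  vpc_id    = "vpc-0123456789abcdef0"    # placeholder
  subnet_id = "subnet-0123456789abcdef0" # placeholder: a private subnet

  # Stay private: no public IP and no SSH allow-list, so SSM is the only way in.
  assign_public_ip   = false
  allowed_public_ips = []

  # Session Manager access with CloudWatch session logging, one session at a time.
  ssm_enabled                           = true
  enable_log_to_cloudwatch              = true
  max_ssm_connections                   = 1
  max_ssh_sessions                      = 1
  terminate_oldest_ssm_connection_first = false

  # Least privilege for the instance role: a boundary, no Terraform permissions,
  # and no extra managed policies beyond what the module attaches itself.
  permissions_boundary                 = "arn:aws:iam::111122223333:policy/ExampleBoundary" # placeholder
  enable_bastion_terraform_permissions = false
  policy_arns                          = []

  instance_type = "m5.large"
  root_volume_config = {
    volume_type = "gp3"
    volume_size = "20"
  }

  tags = {
    Environment = "example"
  }
}

# Surface the instance ID so it can be passed to an SSM start-session call.
output "bastion_instance_id" {
  value = module.bastion.instance_id
}
```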

## Outputs

| Name | Description |
|------|-------------|
| bastion_role_arn | Bastion Role ARN |
| bastion_role_name | Bastion Role Name |
| instance_id | Instance ID |
| primary_network_interface_id | Primary Network Interface ID |
| private_dns | Private DNS |
| private_ip | Private IP |
| public_ip | Public IP |
| region | Region the bastion was deployed to |
| security_group_ids | Security Group IDs |