New: module bastion

Magicloud · Magicloud · commit f0d5b7ff34c4 · 2019-08-02T19:39:55.000+08:00
Setup a ssh bastion for specified VPC. This is useful when managing a VPC.

Simply a single node ASG (with EIP) with SSH-in allowed.
diff --git a/examples/bastion-test/tester.tf b/examples/bastion-test/tester.tf
@@ -0,0 +1,37 @@
+variable "region" {
+  description = "The region to put resources in"
+  default     = "us-east-1"
+}
+
+variable "az" {
+  description = "The availability zone to put resources in"
+  default     = "us-east-1c"
+}
+
+variable "key_name" {
+  description = "The keypair used to ssh into the asg intances"
+  default     = "shida-east-1"
+}
+
+provider "aws" {
+  region = var.region
+}
+
+module "vpc" {
+  source              = "../../modules/vpc-scenario-1"
+  azs                 = [var.az]
+  name_prefix         = "bastion-test"
+  cidr                = "192.168.0.0/16"
+  public_subnet_cidrs = ["192.168.0.0/16"]
+  region              = var.region
+  map_on_launch       = false
+}
+
+module "bastion" {
+  source           = "../../modules/bastion"
+  region           = var.region
+  key_name         = var.key_name
+  public_subnet_id = module.vpc.public_subnet_ids[0]
+  identifier       = "test"
+  vpc_id           = module.vpc.vpc_id
+}
diff --git a/examples/single-node-asg-test/tester.tf b/examples/single-node-asg-test/tester.tf
@@ -37,7 +37,7 @@ module "snasg" {
   key_name           = var.key_name
   subnet_id          = module.vpc.public_subnet_ids[0]
   security_group_ids = [aws_security_group.eiptest.id]
-  assign_eip         = true
+  assign_eip         = false # true case is tested in bastion-test example
 }
 
 module "ubuntu-ami" {
diff --git a/modules/bastion/README.md b/modules/bastion/README.md
@@ -0,0 +1,3 @@
+# SSH Bastion
+
+This is a module to provide a bastion to access the inside of a VPC from Internet.
diff --git a/modules/bastion/main.tf b/modules/bastion/main.tf
@@ -0,0 +1,58 @@
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC."
+}
+
+variable "identifier" {
+  type        = string
+  description = "Identifier of related resources."
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region for this bastion to be in."
+}
+
+variable "key_name" {
+  type        = string
+  description = "SSH key pair name for the bastion."
+}
+
+variable "public_subnet_id" {
+  type        = string
+  description = "The subnet for the bastion. The subnet must be able to access Internet."
+}
+
+module "instance" {
+  source             = "../single-node-asg"
+  name_prefix        = var.identifier
+  name_suffix        = "bastion"
+  ami                = module.ubuntu-ami.id
+  instance_type      = "t2.nano"
+  region             = var.region
+  key_name           = var.key_name
+  subnet_id          = var.public_subnet_id
+  security_group_ids = [aws_security_group.bastion.id]
+  assign_eip         = true
+}
+
+resource "aws_security_group" "bastion" {
+  name   = "${var.identifier}-bastion"
+  vpc_id = var.vpc_id
+}
+
+module "bastion-ssh-rule" {
+  source            = "../../modules/ssh-sg"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.bastion.id
+}
+
+module "bastion-egress-rule" {
+  source            = "../../modules/open-egress-sg"
+  security_group_id = aws_security_group.bastion.id
+}
+
+module "ubuntu-ami" {
+  source  = "../../modules/ami-ubuntu"
+  release = "18.04"
+}

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ module "snasg" {`
`37`	`37`	`key_name = var.key_name`
`38`	`38`	`subnet_id = module.vpc.public_subnet_ids[0]`
`39`	`39`	`security_group_ids = [aws_security_group.eiptest.id]`
`40`		`- assign_eip = true`
	`40`	`+ assign_eip = false # true case is tested in bastion-test example`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`module "ubuntu-ami" {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# SSH Bastion`
	`2`	`+`
	`3`	`+This is a module to provide a bastion to access the inside of a VPC from Internet.`