
Comments (8)

Guimove avatar Guimove commented on August 29, 2024

Just to make sure I understand your issue:

You connect to the bastion from your computer ==> ELB (10.0.x.0/24) ==> Bastion (10.0.10x.0/24), right?

For the RDS connection, do you connect directly from the bastion? I mean using psql on the bastion.
Or do you connect from your computer using an SSH tunnel through the bastion?

For the network part, all seems OK in what you describe.
Just a little typo:

private subnets : 10.0.10x.0/24 with x between 0-2

bastion EC2 in public subnets, 10.0.10x.0/24 with x between 0-2

Is 10.0.10x.0/24 public or private?

from terraform-aws-bastion.

gwendallg avatar gwendallg commented on August 29, 2024

ELB is in a public subnet
BASTION is in a private subnet

I succeeded in connecting to the bastion host with ssh -i .. ec2-user@,
I tried to create an ssh tunnel but it failed ....
I tried, after installing telnet on the bastion host, to access RDS with telnet 5432 but it failed ...

ELB ( 10.0.x.0/24 ) -> bastion ( 10.0.10x.0/24 ) -> RDS ( 10.0.20x.0/24 )

10.0.10x.0/24 is private ..

Security group on RDS:
allow IN: 5432/TCP from 10.0.10x.0/24, OUT: ALL/ALL to 0.0.0.0/0


Guimove avatar Guimove commented on August 29, 2024

Telnet not being enabled is normal.
To enable the ssh tunnel, you need to be sure that the following lines are not present in user_data.sh (around line 22), or use the latest version of this module:

awk '!/AllowTcpForwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config

What command do you use to open the ssh tunnel?

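The two user_data.sh lines above strip every existing AllowTcpForwarding line before appending "AllowTcpForwarding no". The reason is an sshd_config rule worth knowing when auditing a bastion: for most keywords sshd keeps the first value it reads, and AllowTcpForwarding defaults to "yes" when absent, so just appending "no" at the end would leave an earlier "yes" in force. The script below is an added example (not part of the module or the thread) that evaluates a config the way sshd does and contrasts a naive append with the module's strip-then-append; the sample config is constructed for the demonstration.

```python
"""Evaluate whether an sshd_config permits the local forwarding that `ssh -L` needs.

sshd rules mirrored here: keywords are case-insensitive, the FIRST occurrence
of a keyword wins, comments and blank lines are ignored, and everything after
a "Match" line is conditional (so it is not part of the global value).
AllowTcpForwarding accepts yes / all / no / local / remote; -L tunnels work
for yes, all and local.
"""


def effective_directive(config_text: str, keyword: str, default: str) -> str:
    """Return the global value sshd would use for `keyword`, or `default`."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split(None, 1)
        key = tokens[0]
        value = tokens[1] if len(tokens) > 1 else ""
        if "=" in key:  # sshd also accepts the "Keyword=value" form
            key, _, rest = key.partition("=")
            value = (rest + " " + value).strip()
        if key.lower() == "match":
            break  # directives from here on apply only to matching connections
        if key.lower() == keyword.lower():
            return value.strip().lower()
    return default


def tcp_forwarding_allowed(config_text: str) -> bool:
    """True if `ssh -L` tunnels are permitted globally by this config."""
    value = effective_directive(config_text, "AllowTcpForwarding", "yes")
    return value in ("yes", "all", "local")


def disable_forwarding_naively(config_text: str) -> str:
    """Append only, as a careless hardening script might: the earlier value still wins."""
    return config_text + "\nAllowTcpForwarding no\n"


def disable_forwarding_like_user_data(config_text: str) -> str:
    """Equivalent of the module's awk filter + echo: drop every line mentioning
    AllowTcpForwarding (comments included), then append the new value.
    Caveat: if an active Match block precedes the end of the file, the appended
    line would belong to that block, so check for Match blocks before relying on this."""
    kept = [ln for ln in config_text.splitlines() if "AllowTcpForwarding" not in ln]
    return "\n".join(kept) + "\nAllowTcpForwarding no\n"


# Constructed sample resembling a stock sshd_config; not taken from the thread.
SAMPLE_SSHD_CONFIG = """\
# sshd_config: the first value of each keyword wins
Port 22
#AllowTcpForwarding no
AllowTcpForwarding yes
X11Forwarding yes
#Match User anoncvs
#   AllowTcpForwarding no
"""

if __name__ == "__main__":
    print("stock config allows -L tunnels:", tcp_forwarding_allowed(SAMPLE_SSHD_CONFIG))
    print("after naive append:          ", tcp_forwarding_allowed(disable_forwarding_naively(SAMPLE_SSHD_CONFIG)))
    print("after strip + append:        ", tcp_forwarding_allowed(disable_forwarding_like_user_data(SAMPLE_SSHD_CONFIG)))
```

Run against /etc/ssh/sshd_config on a bastion to confirm which way the module's user_data left the host; the same parser answers for any other keyword (PermitRootLogin, PasswordAuthentication) with its documented default.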

gwendallg avatar gwendallg commented on August 29, 2024

ssh -N -L 5432:testdb.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190501161031900800000004-d40f07fdab3ad749.elb.eu-west-3.amazonaws.com -i innovagro-infrastructure-live/non-prod/bastion

where:

  • testdb.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com : RDS name
  • tf-lb-20190501161031900800000004-d40f07fdab3ad749.elb.eu-west-3.amazonaws.com : ELB name
  • innovagro-infrastructure-live/non-prod/bastion : Private Key

it's ready ?


Guimove avatar Guimove commented on August 29, 2024

Imo you cannot use the same local and remote port. Try replacing the first 5432 by 5433.

Please retry in verbose mode (-v) and share the output.


gwendallg avatar gwendallg commented on August 29, 2024

First command: OK, connecting to the bastion works

ssh ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion
NOTE: This SSH session will be recorded
AUDIT KEY: 2019-05-02_16-56-48_ec2-user

[ec2-user@ip-10-0-101-152 ~]$

Second command: KO

ssh -N -L 5432:innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion
^C%
➜ non-prod git:(develop) ✗ ssh -N -L 5432:innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion -v
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file bastion type 0
debug1: identity file bastion-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:wxxZKmiSMY/pbexofCfWkOhxiIxUEB/CnxZZ+IBHRTs
debug1: Host 'tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/gwendallgarnier/.ssh/known_hosts:55
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Server accepts key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Authentication succeeded (publickey).
Authenticated to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com ([52.47.130.91]:22).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432
debug1: Local forwarding listening on ::1 port 5432.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 5432.
➜ non-prod git:(develop) ✗ ssh -N -L 5432:innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432 ec2-user@tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com -i bastion -v
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file bastion type 0
debug1: identity file bastion-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: Authenticating to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: compression: none
debug1: kex: client->server cipher: [email protected] MAC: compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:wxxZKmiSMY/pbexofCfWkOhxiIxUEB/CnxZZ+IBHRTs
debug1: Host 'tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/gwendallgarnier/.ssh/known_hosts:55
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: Will attempt key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Offering public key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Server accepts key: bastion RSA SHA256:froSARAguiOGS0r4AXeEFxN/7Elx7fnwS90mCiAFf6M explicit
debug1: Authentication succeeded (publickey).
Authenticated to tf-lb-20190502164059063400000001-5c5860b0e0f80ee7.elb.eu-west-3.amazonaws.com ([52.47.130.91]:22).
debug1: Local connections to LOCALHOST:5432 forwarded to remote address innovagro-stage-baccus-db.c4ph7qms4ytk.eu-west-3.rds.amazonaws.com:5432
debug1: Local forwarding listening on ::1 port 5432.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 5432.
debug1: channel 1: new [port listener]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0


Guimove avatar Guimove commented on August 29, 2024

mmmh I don't see any error... The ssh tunnel doesn't give you the prompt back, and that's normal.

You have to open a new terminal and then use a psql command with 127.0.0.1 as the hostname while the tunnel is running.


gwendallg avatar gwendallg commented on August 29, 2024

Eureka! I found it.
You have to modify the security group's outbound rules 👍

Current value:

resource "aws_security_group" "bastion_host_security_group" {
  description = "Enable SSH access to the bastion host from external via SSH port"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = "${var.public_ssh_port}"
    protocol    = "TCP"
    to_port     = "${var.public_ssh_port}"
    cidr_blocks = "${var.cidrs}"
  }

  egress {
    from_port   = "${var.private_ssh_port}"
    protocol    = "TCP"
    to_port     = "${var.private_ssh_port}"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${merge(var.tags)}"
}

Modified value:

resource "aws_security_group" "bastion_host_security_group" {
  description = "Enable SSH access to the bastion host from external via SSH port"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = "${var.public_ssh_port}"
    protocol    = "TCP"
    to_port     = "${var.public_ssh_port}"
    cidr_blocks = "${var.cidrs}"
  }

  egress {
    from_port   = 0
    to_port     = 65535
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = "${merge(var.tags)}"
}

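The root cause shown in the comment above is an egress problem: an `ssh -L` tunnel is terminated on the bastion, which then opens its own TCP connection to the RDS endpoint, so the bastion security group's outbound rules (SSH, 443 and 80 only in the original module) never allowed port 5432, whatever the RDS group's inbound rule said. The fix in the comment works by allowing every TCP port to 0.0.0.0/0, which also turns the bastion into a general-purpose pivot. The script below is an added example, not code from the module or the thread: it evaluates the three rule sets (original, the comment's fix, and a least-privilege alternative that adds only 5432 towards the database subnets) against the same destination, and renders the narrower rule as the HCL block one would add. The RDS subnet CIDRs follow the thread's 10.0.20x.0/24 addressing and are constructed for the example.

```python
"""Check a bastion security group's egress rules against an ssh -L tunnel target.

AWS security groups are allow-lists: a flow is permitted if any rule matches
its protocol, port and destination.  Rules here are dicts shaped like the
Terraform egress blocks in the thread.  Constructed example; CIDRs assumed.
"""
import ipaddress


def rule(from_port, to_port, cidrs, protocol="TCP"):
    """Build one egress rule in the shape of a Terraform egress block."""
    return {"from_port": from_port, "to_port": to_port,
            "protocol": protocol, "cidr_blocks": list(cidrs)}


# Egress of the module as posted: SSH (private_ssh_port assumed 22), HTTPS, HTTP.
CURRENT_EGRESS = [rule(22, 22, ["0.0.0.0/0"]),
                  rule(443, 443, ["0.0.0.0/0"]),
                  rule(80, 80, ["0.0.0.0/0"])]

# The fix from the thread: every TCP port to anywhere.
WIDE_OPEN_EGRESS = [rule(0, 65535, ["0.0.0.0/0"])]

# Least-privilege alternative: keep the original rules, add Postgres to the DB subnets only.
RDS_SUBNETS = ["10.0.200.0/24", "10.0.201.0/24", "10.0.202.0/24"]  # assumed 10.0.20x.0/24
LEAST_PRIV_EGRESS = CURRENT_EGRESS + [rule(5432, 5432, RDS_SUBNETS)]


def egress_allows(rules, dst_ip, dst_port, protocol="TCP"):
    """True if any rule permits a connection to dst_ip:dst_port over protocol."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        proto = r["protocol"].lower()
        if proto not in (protocol.lower(), "-1", "all"):
            continue
        if proto not in ("-1", "all") and not (r["from_port"] <= dst_port <= r["to_port"]):
            continue
        if any(ip in ipaddress.ip_network(c) for c in r["cidr_blocks"]):
            return True
    return False


def exposed_destinations(rules, port):
    """Every CIDR the bastion may reach on `port`: a quick blast-radius comparison."""
    nets = set()
    for r in rules:
        proto = r["protocol"].lower()
        if proto in ("-1", "all") or r["from_port"] <= port <= r["to_port"]:
            nets.update(r["cidr_blocks"])
    return sorted(nets)


def to_hcl(r):
    """Render a rule as the egress block to add to the module (0.11-style syntax as in the thread)."""
    cidrs = ", ".join(f'"{c}"' for c in r["cidr_blocks"])
    return (f"egress {{\n  from_port   = {r['from_port']}\n  to_port     = {r['to_port']}\n"
            f"  protocol    = \"{r['protocol']}\"\n  cidr_blocks = [{cidrs}]\n}}")


if __name__ == "__main__":
    rds_host = "10.0.200.25"  # assumed address of the RDS endpoint inside 10.0.200.0/24
    for name, rules in [("original", CURRENT_EGRESS), ("thread fix", WIDE_OPEN_EGRESS),
                        ("least privilege", LEAST_PRIV_EGRESS)]:
        print(f"{name:16} reaches RDS:5432 = {egress_allows(rules, rds_host, 5432)}, "
              f"5432 reachable towards {exposed_destinations(rules, 5432)}")
    print(to_hcl(LEAST_PRIV_EGRESS[-1]))
```

The same evaluator applied to the bastion's ingress rules, or fed from `aws ec2 describe-security-groups` output converted to the dict shape, gives a repeatable check that a tunnel failure is a security-group problem before touching sshd or telnet.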