terraform-aws-bastion

Terraform module to create Bastion Host in AWS VPC running as Spot Instance/s or On Demand.

Resources created

This module will create Bastion Host/s which will make use of Launch Template and Auto Scaling Group. Bastion host will run as a spot instance. In order to reduce the amount of Elastic IPs, module creates a route53 A record which points to the bastion host/s.

Terraform versions

Terraform 0.13+. Pin module version to ~> v2.0. Submit pull-requests to master branch.

Usage

module "bastion" {
  source = "umotif-public/bastion/aws"
  version = "~> 2.1.0"

  name_prefix = "core-example"

  vpc_id         = "vpc-abasdasd132"
  subnets        = ["subnet-abasdasd132123", "subnet-abasdasd132123132"]

  hosted_zone_id = "Z1IY32BQNIYX16"
  ssh_key_name   = "test"

  tags = {
    Project = "Test"
  }
}

Bastion Host Visual Architecture

Examples

Bastion Host

Authors

Module managed by Marcin Cuber LinkedIn.

Requirements

Name	Version
terraform	>= 0.13.0
aws	>= 3.34

Providers

Name	Version
aws	>= 3.34

Modules

No modules.

Resources

Name	Type
aws_autoscaling_group.bastion	resource
aws_autoscaling_schedule.asg_scale_down	resource
aws_autoscaling_schedule.asg_scale_up	resource
aws_iam_instance_profile.bastion	resource
aws_iam_role.bastion	resource
aws_iam_role_policy.iam_bastion_policy	resource
aws_launch_template.bastion	resource
aws_security_group.bastion	resource
aws_ami.amazon_linux	data source
aws_caller_identity.current	data source
aws_iam_policy_document.bastion_role_assume_role_policy	data source
aws_iam_policy_document.bastion_role_policy	data source
aws_partition.current	data source

Inputs

Name	Description	Type	Default	Required
ami_id	AMI ID to be used for bastion host. If not provided, it will default to latest amazon linux 2 image.	`string`	`""`	no
asg_scale_down_desired_capacity	Auto Scalling Group value for desired capacity of bastion hosts. Scale down action.	`number`	`0`	no
asg_scale_down_max_size	Auto Scalling Group value for maximum capacity of bastion hosts. Scale down action.	`number`	`0`	no
asg_scale_down_min_size	Auto Scalling Group value for minimum capacity of bastion hosts. Scale down action.	`number`	`0`	no
asg_scale_down_recurrence	The time when recurring future actions will start. Start time is specified by the user following the Unix cron syntax format. Scale down action.	`string`	`"0 18 * * MON-FRI"`	no
asg_scale_up_desired_capacity	Auto Scalling Group value for desired capacity of bastion hosts. Scale up action.	`number`	`1`	no
asg_scale_up_max_size	Auto Scalling Group value for maximum capacity of bastion hosts. Scale up action.	`number`	`1`	no
asg_scale_up_min_size	Auto Scalling Group value for minimum capacity of bastion hosts. Scale up action.	`number`	`1`	no
asg_scale_up_recurrence	The time when recurring future actions will start. Start time is specified by the user following the Unix cron syntax format. Scale up action.	`string`	`"0 9 * * MON-FRI"`	no
availability_zones	Availability zones for the default Ireland region.	`list(string)`	[ "eu-west-1a", "eu-west-1b", "eu-west-1c" ]	no
aws_partition	[Deprecated] Variable will be removed in version `3.0.0`. A Partition is a group of AWS Region and Service objects. You can use a partition to determine what services are available in a region, or what regions a service is available in.	`string`	`"public"`	no
bastion_instance_types	Bastion instance types used for spot instances.	`list(string)`	[ "t3.nano", "t3.micro", "t3.small", "t2.nano", "t2.micro", "t2.small" ]	no
delete_on_termination	Whether the volume should be destroyed on instance termination.	`bool`	`true`	no
desired_capacity	Auto Scalling Group value for desired capacity of bastion hosts.	`number`	`1`	no
device_name	The name of the device to mount.	`string`	`"/dev/xvda"`	no
egress_cidr_blocks	List of CIDR ranges to allow outbound traffic at security group level. Defaults to 0.0.0.0/0	`list(string)`	[ "0.0.0.0/0" ]	no
egress_ipv6_cidr_blocks	List of IPv6 CIDR ranges to allow outbound traffic at security group level. Defaults to ::/0	`list(string)`	[ "::/0" ]	no
enable_asg_scale_down	n/a	`bool`	`false`	no
enable_asg_scale_up	n/a	`bool`	`false`	no
encrypted	Enables EBS encryption on the volume.	`bool`	`true`	no
hosted_zone_id	Hosted zone id where A record will be added for bastion host/s.	`string`	`""`	no
ingress_cidr_blocks	List of CIDR ranges to allow ssh access at security group level. Defaults to 0.0.0.0/0	`list(string)`	[ "0.0.0.0/0" ]	no
ingress_ipv6_cidr_blocks	List of IPv6 CIDR ranges to allow ssh access at security group level. Defaults to ::/0	`list(string)`	[ "::/0" ]	no
max_size	Auto Scalling Group value for maximum capacity of bastion hosts.	`number`	`1`	no
min_size	Auto Scalling Group value for minimum capacity of bastion hosts.	`number`	`1`	no
name_prefix	A prefix used for naming resources.	`string`	n/a	yes
on_demand_base_capacity	Auto Scalling Group value for desired capacity for instance lifecycle type on-demand of bastion hosts.	`number`	`0`	no
private_subnets	Classless Inter-Domain Routing ranges for private subnets.	`list(string)`	`[]`	no
public_subnets	Classless Inter-Domain Routing ranges for public subnets.	`list(string)`	n/a	yes
region	AWS region in which resources will get deployed. Defaults to Ireland.	`string`	`"eu-west-1"`	no
ssh_key_name	SSH key used to connect to the bastion host	`string`	n/a	yes
ssh_port	SSH port used to access a bastion host.	`number`	`22`	no
tags	Default tags attached to all resources.	`map(string)`	{ "ServiceType": "ceng-eks" }	no
termination_policies	A list of policies to decide how the instances in the auto scale group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, OldestLaunchTemplate, AllocationStrategy.	`list(string)`	[ "OldestInstance" ]	no
userdata_file_content	The user data to provide when launching the instance.	`string`	`""`	no
volume_size	The size of the volume in gigabytes.	`number`	`20`	no
volume_type	The type of volume. Can be `standard`, `gp2`, or `io1`.	`string`	`"gp2"`	no
vpc_id	VPC ID where bastion hosts and security groups will be created.	`string`	n/a	yes

Outputs

Name	Description
auto_scaling_group_arn	The ARN of the bastion's auto scaling group.
auto_scaling_group_id	The ID of the bastion's auto scaling group.
iam_role_arn	The ARN of the bastion's IAM Role.
iam_role_id	The ID or name of the bastion's IAM Role.
launch_template_arn	The ARN of the bastion's launch template.
launch_template_id	The ID of the bastion's launch template.
security_group_id	The ID of the bastion's security group.

License

See LICENSE for full details.

Pre-commit hooks

Install dependencies

pre-commit
terraform-docs required for terraform_docs hooks.
TFLint required for terraform_tflint hook.

MacOS

brew install pre-commit terraform-docs tflint

brew tap git-chglog/git-chglog
brew install git-chglog

isabella232 / terraform-aws-bastion-2 Goto Github PK

terraform-aws-bastion-2's Introduction