New: module bastion

Setup a ssh bastion for specified VPC. This is useful when managing a VPC.

Simply a single node ASG (with EIP) with SSH-in allowed.

Author: Magicloud

examples/bastion-test/tester.tf

@@ -0,0 +1,37 @@
+variable "region" {
+  description = "The region to put resources in"
+  default     = "us-east-1"
+}
+
+variable "az" {
+  description = "The availability zone to put resources in"
+  default     = "us-east-1c"
+}
+
+variable "key_name" {
+  description = "The keypair used to ssh into the asg intances"
+  default     = "shida-east-1"
+}
+
+provider "aws" {
+  region = var.region
+}
+
+module "vpc" {
+  source              = "../../modules/vpc-scenario-1"
+  azs                 = [var.az]
+  name_prefix         = "bastion-test"
+  cidr                = "192.168.0.0/16"
+  public_subnet_cidrs = ["192.168.0.0/16"]
+  region              = var.region
+  map_on_launch       = false
+}
+
+module "bastion" {
+  source           = "../../modules/bastion"
+  region           = var.region
+  key_name         = var.key_name
+  public_subnet_id = module.vpc.public_subnet_ids[0]
+  identifier       = "test"
+  vpc_id           = module.vpc.vpc_id
+}

examples/single-node-asg-test/tester.tf

@@ -37,7 +37,7 @@ module "snasg" {
   key_name           = var.key_name
   subnet_id          = module.vpc.public_subnet_ids[0]
   security_group_ids = [aws_security_group.eiptest.id]
-  assign_eip         = true
+  assign_eip         = false # true case is tested in bastion-test example
 }
 
 module "ubuntu-ami" {

modules/bastion/README.md

@@ -0,0 +1,3 @@
+# SSH Bastion
+
+This is a module to provide a bastion to access the inside of a VPC from Internet.

modules/bastion/main.tf

@@ -0,0 +1,73 @@
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC."
+}
+
+variable "identifier" {
+  type        = string
+  description = "Identifier of related resources."
+}
+
+variable "region" {
+  type        = string
+  description = "AWS region for this bastion to be in."
+}
+
+variable "key_name" {
+  type        = string
+  description = "SSH key pair name for the bastion."
+}
+
+variable "public_subnet_id" {
+  type        = string
+  description = "The subnet for the bastion. The subnet must be able to access Internet."
+}
+
+variable "instance_type" {
+  type        = string
+  default     = "t2.nano"
+  description = "Bastion instance type."
+}
+
+variable "egress_cidrs" {
+  type        = list(string)
+	default     = ["0.0.0.0/0"]
+  description = "Egress subnets that bastion can access."
+}
+
+module "instance" {
+  source             = "../single-node-asg"
+  name_prefix        = var.identifier
+  name_suffix        = "bastion"
+  ami                = module.ubuntu-ami.id
+  instance_type      = var.instance_type
+  region             = var.region
+  key_name           = var.key_name
+  subnet_id          = var.public_subnet_id
+  security_group_ids = [aws_security_group.bastion.id]
+  assign_eip         = true
+}
+
+resource "aws_security_group" "bastion" {
+  name   = "${var.identifier}-bastion"
+  vpc_id = var.vpc_id
+
+	ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = var.egress_cidrs
+  }
+}
+
+module "ubuntu-ami" {
+  source  = "../../modules/ami-ubuntu"
+  release = "18.04"
+}