bastion
Guimove/bastion/aws
Terraform module which creates SSH bastion infrastructure on AWS
AWS Bastion Terraform module
============================

Terraform module which creates a secure SSH bastion on AWS. Mainly inspired by "Securely Connect to Linux Instances Running in a Private Amazon VPC".

Features
--------

This module creates an SSH bastion through which you can securely connect over SSH to your private instances.

[Image: Bastion Infrastructure]

All SSH commands are logged to an S3 bucket for security compliance, under the /logs path. SSH users are managed by their public keys: drop the user's SSH public key in the /public-keys path of the bucket. Keys should be named like 'username.pub'; this creates the user 'username' on the bastion server. The username must contain alphanumeric characters only. The
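Before dropping a key file into the bucket's /public-keys path, a local check that the file name follows the rule above (alphanumeric username plus '.pub') and that the content is a well-formed OpenSSH public key catches mistakes before they reach the bastion. This is an added example, not code from the module; the sample key is constructed inside the block and the helper names are my own.

```python
import base64
import re
import struct

# Naming rule from the module docs: '<username>.pub' under /public-keys creates
# user '<username>' on the bastion; the username must be alphanumeric only.
KEY_NAME_RE = re.compile(r"([A-Za-z0-9]+)\.pub")


def username_from_key_name(name: str):
    """Return the user the bastion would create for this object name, or None."""
    m = KEY_NAME_RE.fullmatch(name)
    return m.group(1) if m else None


def parse_openssh_public_key(line: str):
    """Check a one-line OpenSSH public key: '<type> <base64 blob> [comment]'.
    The blob is SSH wire format; its first length-prefixed string repeats the
    key type, so the textual prefix must agree with it. Raises ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated type string in blob")
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError(f"prefix {key_type!r} does not match blob type {embedded!r}")
    return key_type, comment


def check_bastion_key_file(name: str, content: str):
    """Return (ok, message) for a file about to be placed under /public-keys."""
    user = username_from_key_name(name)
    if user is None:
        return False, f"{name}: must be '<alphanumeric username>.pub'"
    try:
        key_type, _ = parse_openssh_public_key(content)
    except ValueError as exc:
        return False, f"{name}: {exc}"
    return True, f"{name}: would create user '{user}' with a {key_type} key"


def constructed_ed25519_pubkey():
    # Constructed sample (format check only): length-prefixed type string,
    # then a length-prefixed 32-byte point; dummy bytes are fine here.
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " alice@laptop"
```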
Inputs
------

| Name | Type | Description | Default |
|---|---|---|---|
| create_dns_record | bool | Choose if you want to create a record name for the bastion (LB). If true, 'hoste | required |
| vpc_id | string | VPC ID where we'll deploy the bastion | required |
| bucket_name | string | Bucket name where the bastion will store the logs | required |
| auto_scaling_group_subnets | list(string) | List of subnets where the Auto Scaling Group will deploy the instances | required |
| region | string | | required |
| bastion_host_key_pair | string | Select the key pair to use to launch the bastion host | required |
| disk_encrypt | bool | Instance EBS encryption | true |
| http_put_response_hop_limit | number | The desired HTTP PUT response hop limit for instance metadata requests | 1 |
| ipv6_cidrs | list(string) | List of IPv6 CIDRs that can access the bastion. Default: ::/0 | ["::/0"] |
| kms_enable_key_rotation | bool | Enable key rotation for the KMS key | false |
| allow_ssh_commands | bool | Allows the SSH user to execute one-off commands. Pass true to enable. Warning: T | false |
| bastion_iam_permissions_boundary | string | IAM Role Permissions Boundary to constrain the bastion host role | "" |
| extra_user_data_content | string | Additional scripting to pass to the bastion host. For example, this can include | "" |
| public_ssh_port | number | Set the SSH port to use from desktop to the bastion | 22 |
| associate_public_ip_address | bool | | true |
| enable_http_protocol_ipv6 | bool | Enables or disables the IPv6 endpoint for the instance metadata service | false |
| http_endpoint | bool | Whether the metadata service is available | true |
| use_imds_v2 | bool | Use (IMDSv2) Instance Metadata Service V2 | false |
| bastion_iam_role_name | string | IAM role name to create | null |
| elb_subnets | list(string) | List of subnets where the ELB will be deployed | [] |
| hosted_zone_id | string | Name of the hosted zone where we'll register the bastion DNS name | "" |
| disk_size | number | Root EBS size in GB | 8 |
| instance_type | string | Instance size of the bastion | "t3.nano" |
| log_standard_ia_days | number | Number of days before moving logs to IA Storage | 30 |
| private_ssh_port | number | Set the SSH port to use between the bastion and private instance | 22 |
| bastion_iam_policy_name | string | IAM policy name to create for granting the instance role access to the bucket | "BastionHost" |
| … and 3 more inputs | |||
Outputs
-------

- elb_arn — The ARN of the ELB for bastion hosts
- elb_ip — The DNS name of the ELB for bastion hosts
- target_group_arn — The ARN of the target group for the ELB
- bastion_elb_id — The ID of the ELB for bastion hosts
- bucket_kms_key_arn — The ARN of the KMS key for the bucket
- bucket_name — The ID of the S3 bucket
- bucket_kms_key_alias — The name of the KMS key alias for the bucket
- private_instances_security_group — The ID of the security group for private instances
- bastion_auto_scaling_group_name — The name of the Auto Scaling Group for bastion hosts
- bastion_host_security_group — The ID of the bastion host security group
- bucket_arn — The ARN of the S3 bucket