From 9b68fd08db8f4a55e630f90bc28bf3681345320f Mon Sep 17 00:00:00 2001 From: bunchmj Date: Sun, 15 Oct 2023 23:49:30 -0500 Subject: [PATCH 1/6] wip --- README.md | 3 +++ iam.tf | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++ logging.tf | 20 ++++++++++++++++ s3-buckets.tf | 6 +++++ 4 files changed, 95 insertions(+) diff --git a/README.md b/README.md index b801359..ee86462 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ No modules. | Name | Type | |------|------| +| [aws_cloudtrail.ssh-access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource | | [aws_cloudwatch_event_rule.ssh_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | | [aws_cloudwatch_event_target.ssm_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | | [aws_cloudwatch_log_group.ec2_cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | 
@@ -61,6 +62,7 @@ No modules. | [aws_s3_bucket_logging.access_logging_on_session_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_logging) | resource | | [aws_s3_bucket_notification.session_logs_bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource | | [aws_s3_bucket_ownership_controls.session_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_ownership_controls) | resource | +| [aws_s3_bucket_policy.cloudwatch-s3-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_s3_bucket_public_access_block.session_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_s3_bucket_server_side_encryption_configuration.session_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | | [aws_s3_bucket_versioning.session_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | 
@@ -72,6 +74,7 @@ No modules. | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy.AmazonElasticFileSystemFullAccess](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | | [aws_iam_policy.AmazonSSMManagedInstanceCore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | +| [aws_iam_policy_document.cloudwatch-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ssm_ec2_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ssm_s3_cwl_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source | diff --git a/iam.tf b/iam.tf index 5de63fb..9ba8b6c 100644 --- a/iam.tf +++ b/iam.tf 
@@ -51,6 +51,72 @@ resource "aws_iam_role_policy_attachment" "bastion-ssm-aws-efs-policy-attach" { policy_arn = data.aws_iam_policy.AmazonElasticFileSystemFullAccess.arn } +data "aws_iam_policy_document" "cloudwatch-policy" { + + statement { + sid = "AWSCloudTrailAclCheck" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = [ + "s3:GetBucketAcl", + ] + + resources = [ + aws_s3_bucket.access_logs_bucket.arn + ] + + condition { + test = "StringEquals" + variable = "AWS:SourceArn" + + values = [ + "arn:${data.aws_partition.current.partition}:cloudtrail:${var.region}:${data.aws_caller_identity.current.account_id}:trail/${var.name}-ssh-access", + ] + } + } + + statement { + sid = "AWSCloudTrailWrite" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + + actions = [ + "s3:PutObject", + ] + + resources = [ + "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.access_logs_bucket.id}/*", + ] + + condition { + test = "StringEquals" + variable = "s3:x-amz-acl" + + values = [ + "bucket-owner-full-control", + ] + } + + condition { + test = "StringEquals" + variable = "AWS:SourceArn" + + values = [ + "arn:${data.aws_partition.current.partition}:cloudtrail:${var.region}:${data.aws_caller_identity.current.account_id}:trail/${var.name}-ssh-access", + ] + } + } +} + # Create S3/CloudWatch Logs access document, policy and attach to role data "aws_iam_policy_document" "ssm_s3_cwl_access" { # checkov:skip=CKV_AWS_111: ADD REASON diff --git a/logging.tf b/logging.tf index fe6c943..9907147 100644 --- a/logging.tf +++ b/logging.tf 
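Review bot: The `AWSCloudTrailWrite` statement grants `s3:PutObject` on every key in the bucket (`.../${aws_s3_bucket.access_logs_bucket.id}/*`), but CloudTrail only writes under `AWSLogs/<account-id>/`, and the AWS reference bucket policy scopes the grant to that prefix so the service principal can touch nothing else if the `AWS:SourceArn` condition is ever loosened; `resources = ["${aws_s3_bucket.access_logs_bucket.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]` does that and also drops the hand-assembled `arn:${partition}:s3:::` string. The document is called `cloudwatch-policy` although both statements are about CloudTrail delivery, and the other documents in this file are snake_case (`ssm_s3_cwl_access`, `ssm_ec2_access`), so a name such as `cloudtrail_bucket_access` would read more accurately. The `AWS:SourceArn` value hard-codes `var.region`; the trail ARN carries the trail's home region, so a short comment on that line saying the module assumes the trail is created in `var.region` would save the next reader a check.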
@@ -5,6 +5,26 @@ resource "aws_cloudwatch_log_group" "ssh_access_log_group" { kms_key_id = data.aws_kms_key.default.arn } +# Create a cloudtrail and event rule to monitor bastion access over ssh +resource "aws_cloudtrail" "ssh-access" { + # checkov:skip=CKV_AWS_252: SNS not currently needed + # checkov:skip=CKV2_AWS_10: Cloudwatch logs already being used with cloudtrail + name = "${var.name}-ssh-access" + s3_bucket_name = aws_s3_bucket.access_logs_bucket.id + kms_key_id = aws_kms_key.ssmkey.arn + is_multi_region_trail = true + enable_log_file_validation = true + event_selector { + read_write_type = "All" + include_management_events = true + } + depends_on = [ + aws_s3_bucket_policy.cloudwatch-s3-policy, + data.aws_kms_key.default.arn, + aws_cloudwatch_log_group.ssh_access_log_group + ] +} + resource "aws_cloudwatch_event_rule" "ssh_access" { name = "${var.name}-ssh-access" description = "filters ssm access logs and sends usable data to a cloudwatch log group" diff --git a/s3-buckets.tf b/s3-buckets.tf index 6dd1bf9..8505370 100644 --- a/s3-buckets.tf +++ b/s3-buckets.tf @@ -1,6 +1,12 @@ ##################################################### ##################### S3 Bucket ##################### +resource "aws_s3_bucket_policy" "cloudwatch-s3-policy" { + bucket = aws_s3_bucket.access_logs_bucket.bucket + policy = data.aws_iam_policy_document.cloudwatch-policy.json + +} + # Create S3 bucket for session logs with versioning, encryption, blocked public access enabled resource "aws_s3_bucket" "session_logs_bucket" { # checkov:skip=CKV_AWS_144: Cross region replication overkill From dd91b415f7e3e477e3415f858bf3d5c6fc704288 Mon Sep 17 00:00:00 2001 From: bunchmj Date: Mon, 16 Oct 2023 00:07:45 -0500 Subject: [PATCH 2/6] wip --- iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iam.tf b/iam.tf index 9ba8b6c..706c821 100644 --- a/iam.tf +++ b/iam.tf 
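Review bot: The trail lists `aws_cloudwatch_log_group.ssh_access_log_group` in `depends_on` and the `CKV2_AWS_10` skip says CloudWatch Logs are "already being used with cloudtrail", but nothing in the resource delivers events to that group — neither `cloud_watch_logs_group_arn` nor `cloud_watch_logs_role_arn` is set — so the dependency has no effect and the skip reason does not describe this block. Either wire the trail to the group through those two arguments (which also needs a role CloudTrail can assume to write to the group) or drop that `depends_on` entry and give the skip a reason that matches the configuration. The same point applies to the `@@ -20,7 +20,7 @@` hunk of logging.tf in the third patch of this series, which keeps the log-group entry.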
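Review bot: `aws_s3_bucket_policy` replaces the whole policy of a bucket, so attaching `cloudwatch-s3-policy` to `aws_s3_bucket.access_logs_bucket` will drop any statements that bucket already carries — the README hunk in this patch lists an `aws_s3_bucket_logging` resource, and if server-access-log delivery to this bucket is granted through a bucket policy, that grant presumably disappears on apply. If the bucket is created by the caller rather than this module, the safer shape is to expose the required statements as an output (or document that the caller must not manage a policy on that bucket themselves) rather than own the policy here. The resource name is also misleading: the policy grants CloudTrail, not CloudWatch, and the other resources in this file use snake_case (`session_logs_bucket`), so `cloudtrail_bucket_policy` would match both.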
@@ -67,7 +67,7 @@ data "aws_iam_policy_document" "cloudwatch-policy" { ] resources = [ - aws_s3_bucket.access_logs_bucket.arn + data.aws_s3_bucket.access_logs_bucket.arn ] condition { @@ -94,7 +94,7 @@ data "aws_iam_policy_document" "cloudwatch-policy" { ] resources = [ - "arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.access_logs_bucket.id}/*", + "arn:${data.aws_partition.current.partition}:s3:::${data.aws_s3_bucket.access_logs_bucket.id}/*", ] condition { From a4bf63e340f00cd53880323475626f70c01e4b45 Mon Sep 17 00:00:00 2001 From: bunchmj Date: Mon, 16 Oct 2023 00:20:01 -0500 Subject: [PATCH 3/6] wip --- logging.tf | 6 +++--- s3-buckets.tf | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/logging.tf b/logging.tf index 9907147..7eee921 100644 --- a/logging.tf +++ b/logging.tf @@ -10,8 +10,8 @@ resource "aws_cloudtrail" "ssh-access" { # checkov:skip=CKV_AWS_252: SNS not currently needed # checkov:skip=CKV2_AWS_10: Cloudwatch logs already being used with cloudtrail name = "${var.name}-ssh-access" - s3_bucket_name = aws_s3_bucket.access_logs_bucket.id - kms_key_id = aws_kms_key.ssmkey.arn + s3_bucket_name = data.aws_s3_bucket.access_logs_bucket.id + kms_key_id = data.aws_kms_key.default.arn is_multi_region_trail = true enable_log_file_validation = true event_selector { @@ -20,7 +20,7 @@ resource "aws_cloudtrail" "ssh-access" { } depends_on = [ aws_s3_bucket_policy.cloudwatch-s3-policy, - data.aws_kms_key.default.arn, + data.aws_kms_key.default, aws_cloudwatch_log_group.ssh_access_log_group ] } diff --git a/s3-buckets.tf b/s3-buckets.tf index 8505370..31fecd5 100644 --- a/s3-buckets.tf +++ b/s3-buckets.tf 
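Review bot: The `@@ -94,7 +94,7 @@` hunk still assembles the object ARN by hand from `data.aws_partition.current.partition` and the bucket id, while the data source it now references exposes the ARN directly; `"${data.aws_s3_bucket.access_logs_bucket.arn}/*"` says the same thing with no chance of the partition string and the bucket drifting apart. Both hunks assume a `data "aws_s3_bucket" "access_logs_bucket"` block exists in the module; it is not part of this series, so confirm it is declared (presumably from the `access_logs_bucket_name` input the example passes in) or validation fails on an unknown reference.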
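Review bot: Switching `kms_key_id` to `data.aws_kms_key.default.arn` in the `@@ -10,8 +10,8 @@` hunk of logging.tf makes the trail encrypt with a key the caller supplies, so the module can no longer guarantee that the key policy allows `cloudtrail.amazonaws.com` to call `kms:GenerateDataKey*` (and `kms:DescribeKey`); without that grant the CreateTrail call is expected to fail. Document the requirement on the input that feeds the data source or in the README, e.g. `# The supplied KMS key's policy must allow cloudtrail.amazonaws.com kms:GenerateDataKey*, scoped to this trail's ARN.` In the `@@ -20,7 +20,7 @@` hunk, `data.aws_kms_key.default` in `depends_on` is redundant once `kms_key_id` references the same data source — the implicit dependency already exists — and can be dropped.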
@@ -2,9 +2,8 @@ ##################### S3 Bucket ##################### resource "aws_s3_bucket_policy" "cloudwatch-s3-policy" { - bucket = aws_s3_bucket.access_logs_bucket.bucket + bucket = data.aws_s3_bucket.access_logs_bucket.bucket policy = data.aws_iam_policy_document.cloudwatch-policy.json - } # Create S3 bucket for session logs with versioning, encryption, blocked public access enabled From 58b633aaa44bb90c8f40897d1f7e76657cffcf38 Mon Sep 17 00:00:00 2001 From: bunchmj Date: Mon, 16 Oct 2023 01:48:13 -0500 Subject: [PATCH 4/6] access_log_bucket vs access_logs_bucket ??? --- examples/complete/README.md | 12 ++++++------ examples/complete/main.tf | 32 ++++++++++++++++---------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/examples/complete/README.md b/examples/complete/README.md index 2834d78..180d02b 100644 --- a/examples/complete/README.md +++ b/examples/complete/README.md 
@@ -31,12 +31,12 @@ Example that uses the module with many of its configurations. Used in CI E2E tes |------|------| | [aws_kms_alias.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | | [aws_kms_key.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_s3_bucket.access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_lifecycle_configuration.access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_notification.access_log_bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource | -| [aws_s3_bucket_public_access_block.access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_s3_bucket_versioning.access_log_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | +| [aws_s3_bucket.access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_notification.access_logs_bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource | +| 
[aws_s3_bucket_public_access_block.access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_s3_bucket_versioning.access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource | | [aws_sqs_queue.access_log_queue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource | | [random_id.default](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | | [aws_ami.amazonlinux2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 46a6323..5deae02 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -10,7 +10,7 @@ locals { # Add randomness to names to avoid collisions when multiple users are using this example vpc_name = "${var.name_prefix}-${lower(random_id.default.hex)}" bastion_name = "${var.name_prefix}-bastion-${lower(random_id.default.hex)}" - access_log_bucket_name_prefix = "${var.name_prefix}-accesslog-${lower(random_id.default.hex)}" + access_logs_bucket_name_prefix = "${var.name_prefix}-accesslog-${lower(random_id.default.hex)}" session_log_bucket_name_prefix = "${var.name_prefix}-bastionsessionlog-${lower(random_id.default.hex)}" kms_key_alias_name_prefix = "alias/${var.name_prefix}-${lower(random_id.default.hex)}" access_log_sqs_queue_name = "${var.name_prefix}-accesslog-access-${lower(random_id.default.hex)}" 
@@ -123,31 +123,31 @@ data "aws_iam_policy_document" "kms_access" { # Create S3 bucket for access logs with versioning, encryption, blocked public access enabled -resource "aws_s3_bucket" "access_log_bucket" { +resource "aws_s3_bucket" "access_logs_bucket" { # checkov:skip=CKV_AWS_144: Cross region replication is overkill # checkov:skip=CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" -- This is the access logging bucket. Logging to the logging bucket would cause an infinite loop. - bucket_prefix = local.access_log_bucket_name_prefix + bucket_prefix = local.access_logs_bucket_name_prefix force_destroy = true tags = var.tags lifecycle { precondition { - condition = length(local.access_log_bucket_name_prefix) <= 37 + condition = length(local.access_logs_bucket_name_prefix) <= 37 error_message = "Bucket name prefixes may not be longer than 37 characters." } } } -resource "aws_s3_bucket_versioning" "access_log_bucket" { - bucket = aws_s3_bucket.access_log_bucket.id +resource "aws_s3_bucket_versioning" "access_logs_bucket" { + bucket = aws_s3_bucket.access_logs_bucket.id versioning_configuration { status = "Enabled" } } -resource "aws_s3_bucket_server_side_encryption_configuration" "access_log_bucket" { - bucket = aws_s3_bucket.access_log_bucket.id +resource "aws_s3_bucket_server_side_encryption_configuration" "access_logs_bucket" { + bucket = aws_s3_bucket.access_logs_bucket.id rule { apply_server_side_encryption_by_default { 
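Review bot: Renaming `aws_s3_bucket.access_log_bucket` to `aws_s3_bucket.access_logs_bucket` (and the versioning, encryption, public-access-block, lifecycle and notification resources in the following hunks) changes the resource addresses without a `moved` block, so on an existing deployment of this example Terraform plans to destroy the old bucket and create a new one; with `force_destroy = true` that deletes whatever access logs the bucket holds. A `moved` block per renamed resource, with `from = aws_s3_bucket.access_log_bucket` and `to = aws_s3_bucket.access_logs_bucket`, keeps the state and the data. This only matters if anyone applies the example against existing state; if it is purely throwaway, a line in the commit message saying so would settle it.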
@@ -157,16 +157,16 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "access_log_bucket } } -resource "aws_s3_bucket_public_access_block" "access_log_bucket" { - bucket = aws_s3_bucket.access_log_bucket.id +resource "aws_s3_bucket_public_access_block" "access_logs_bucket" { + bucket = aws_s3_bucket.access_logs_bucket.id block_public_acls = true block_public_policy = true ignore_public_acls = true restrict_public_buckets = true } -resource "aws_s3_bucket_lifecycle_configuration" "access_log_bucket" { - bucket = aws_s3_bucket.access_log_bucket.id +resource "aws_s3_bucket_lifecycle_configuration" "access_logs_bucket" { + bucket = aws_s3_bucket.access_logs_bucket.id rule { id = "delete_after_X_days" @@ -204,7 +204,7 @@ resource "aws_sqs_queue" "access_log_queue" { "Action": "sqs:SendMessage", "Resource": "arn:${data.aws_partition.current.partition}:sqs:*:*:${local.access_log_sqs_queue_name}", "Condition": { - "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.access_log_bucket.arn}" } + "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.access_logs_bucket.arn}" } } } ] @@ -212,9 +212,9 @@ resource "aws_sqs_queue" "access_log_queue" { POLICY } -resource "aws_s3_bucket_notification" "access_log_bucket_notification" { +resource "aws_s3_bucket_notification" "access_logs_bucket_notification" { count = var.enable_sqs_events_on_access_log_access ? 1 : 0 - bucket = aws_s3_bucket.access_log_bucket.id + bucket = aws_s3_bucket.access_logs_bucket.id queue { queue_arn = aws_sqs_queue.access_log_queue[0].arn @@ -249,7 +249,7 @@ module "bastion" { vpc_id = module.vpc.vpc_id subnet_id = module.vpc.private_subnets[0] region = var.region - access_logs_bucket_name = aws_s3_bucket.access_log_bucket.id + access_logs_bucket_name = aws_s3_bucket.access_logs_bucket.id session_log_bucket_name_prefix = local.session_log_bucket_name_prefix kms_key_arn = aws_kms_key.default.arn ssh_user = var.bastion_ssh_user From 0b9005cef3d3a3ee87b35e054144d44c15450fe8 Mon Sep 17 00:00:00 2001 
From: bunchmj Date: Mon, 16 Oct 2023 01:54:28 -0500 Subject: [PATCH 5/6] session_log_bucket vs session_logs_bucket inconsistency ??? --- README.md | 2 +- examples/complete/main.tf | 4 ++-- s3-buckets.tf | 2 +- variables.tf | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ee86462..1ad0e8b 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,7 @@ No modules. | [region](#input\_region) | AWS Region | `string` | n/a | yes | | [root\_volume\_config](#input\_root\_volume\_config) | n/a |
object({
volume_type = any
volume_size = any
})
|
{
"volume_size": "20",
"volume_type": "gp3"
}
| no | | [security\_group\_ids](#input\_security\_group\_ids) | List of security groups to associate with instance | `list(any)` | `[]` | no | -| [session\_log\_bucket\_name\_prefix](#input\_session\_log\_bucket\_name\_prefix) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes | +| [session\_log\_bucket\_name\_prefix](#input\_session\_log\_bucket\_name\_prefix) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes | | [ssh\_password](#input\_ssh\_password) | Password for SSH access if SSM authentication is enabled | `string` | n/a | yes | | [ssh\_user](#input\_ssh\_user) | Username to use when accessing the instance using SSH | `string` | `"ubuntu"` | no | | [ssm\_enabled](#input\_ssm\_enabled) | Enable SSM agent | `bool` | `true` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index 5deae02..a54c940 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -11,7 +11,7 @@ locals { vpc_name = "${var.name_prefix}-${lower(random_id.default.hex)}" bastion_name = "${var.name_prefix}-bastion-${lower(random_id.default.hex)}" access_logs_bucket_name_prefix = "${var.name_prefix}-accesslog-${lower(random_id.default.hex)}" - session_log_bucket_name_prefix = "${var.name_prefix}-bastionsessionlog-${lower(random_id.default.hex)}" + session_logs_bucket_name_prefix = "${var.name_prefix}-bastionsessionlog-${lower(random_id.default.hex)}" kms_key_alias_name_prefix = "alias/${var.name_prefix}-${lower(random_id.default.hex)}" access_log_sqs_queue_name = "${var.name_prefix}-accesslog-access-${lower(random_id.default.hex)}" } 
@@ -250,7 +250,7 @@ module "bastion" { subnet_id = module.vpc.private_subnets[0] region = var.region access_logs_bucket_name = aws_s3_bucket.access_logs_bucket.id - session_log_bucket_name_prefix = local.session_log_bucket_name_prefix + session_logs_bucket_name_prefix = local.session_logs_bucket_name_prefix kms_key_arn = aws_kms_key.default.arn ssh_user = var.bastion_ssh_user ssh_password = var.bastion_ssh_password diff --git a/s3-buckets.tf b/s3-buckets.tf index 31fecd5..dccbccc 100644 --- a/s3-buckets.tf +++ b/s3-buckets.tf @@ -9,7 +9,7 @@ resource "aws_s3_bucket_policy" "cloudwatch-s3-policy" { # Create S3 bucket for session logs with versioning, encryption, blocked public access enabled resource "aws_s3_bucket" "session_logs_bucket" { # checkov:skip=CKV_AWS_144: Cross region replication overkill - bucket_prefix = "${var.session_log_bucket_name_prefix}-" + bucket_prefix = "${var.session_logs_bucket_name_prefix}-" force_destroy = true tags = var.tags diff --git a/variables.tf b/variables.tf index 1ae8fe6..c8db064 100644 --- a/variables.tf +++ b/variables.tf @@ -149,11 +149,11 @@ variable "permissions_boundary" { #### S3 Bucket -variable "session_log_bucket_name_prefix" { +variable "session_logs_bucket_name_prefix" { description = "Name prefix of S3 bucket to store session logs" type = string validation { - condition = length(var.session_log_bucket_name_prefix) <= 37 + condition = length(var.session_logs_bucket_name_prefix) <= 37 error_message = "Bucket name prefixes may not be longer than 37 characters." } } From 990a9c22d11562db4fc20e1b043843ab045d471e Mon Sep 17 00:00:00 2001 From: bunchmj Date: Mon, 16 Oct 2023 01:59:42 -0500 Subject: [PATCH 6/6] wip --- README.md | 2 +- examples/complete/main.tf | 32 ++++++++++++++++---------------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 1ad0e8b..8aa1c2a 100644 --- a/README.md +++ b/README.md 
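Review bot: Renaming the input `session_log_bucket_name_prefix` to `session_logs_bucket_name_prefix` in variables.tf changes the module's public interface, so every existing caller that sets the old name gets an unsupported-argument error on its next plan. If the old name should keep working for a release, keep `variable "session_log_bucket_name_prefix"` with `default = null` and fall back to it in a local; otherwise record the rename as a breaking change in the changelog so consumers know to pin or update.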
@@ -117,7 +117,7 @@ No modules. | [region](#input\_region) | AWS Region | `string` | n/a | yes | | [root\_volume\_config](#input\_root\_volume\_config) | n/a |
object({
volume_type = any
volume_size = any
})
|
{
"volume_size": "20",
"volume_type": "gp3"
}
| no | | [security\_group\_ids](#input\_security\_group\_ids) | List of security groups to associate with instance | `list(any)` | `[]` | no | -| [session\_log\_bucket\_name\_prefix](#input\_session\_log\_bucket\_name\_prefix) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes | +| [session\_logs\_bucket\_name\_prefix](#input\_session\_logs\_bucket\_name\_prefix) | Name prefix of S3 bucket to store session logs | `string` | n/a | yes | | [ssh\_password](#input\_ssh\_password) | Password for SSH access if SSM authentication is enabled | `string` | n/a | yes | | [ssh\_user](#input\_ssh\_user) | Username to use when accessing the instance using SSH | `string` | `"ubuntu"` | no | | [ssm\_enabled](#input\_ssm\_enabled) | Enable SSM agent | `bool` | `true` | no | diff --git a/examples/complete/main.tf b/examples/complete/main.tf index a54c940..9ee1162 100644 --- a/examples/complete/main.tf +++ b/examples/complete/main.tf @@ -8,12 +8,12 @@ resource "random_id" "default" { locals { # Add randomness to names to avoid collisions when multiple users are using this example - vpc_name = "${var.name_prefix}-${lower(random_id.default.hex)}" - bastion_name = "${var.name_prefix}-bastion-${lower(random_id.default.hex)}" + vpc_name = "${var.name_prefix}-${lower(random_id.default.hex)}" + bastion_name = "${var.name_prefix}-bastion-${lower(random_id.default.hex)}" access_logs_bucket_name_prefix = "${var.name_prefix}-accesslog-${lower(random_id.default.hex)}" session_logs_bucket_name_prefix = "${var.name_prefix}-bastionsessionlog-${lower(random_id.default.hex)}" - kms_key_alias_name_prefix = "alias/${var.name_prefix}-${lower(random_id.default.hex)}" - access_log_sqs_queue_name = "${var.name_prefix}-accesslog-access-${lower(random_id.default.hex)}" + kms_key_alias_name_prefix = "alias/${var.name_prefix}-${lower(random_id.default.hex)}" + access_log_sqs_queue_name = "${var.name_prefix}-accesslog-access-${lower(random_id.default.hex)}" } module "vpc" { 
@@ -245,19 +245,19 @@ module "bastion" { volume_size = "20" encrypted = true } - name = local.bastion_name - vpc_id = module.vpc.vpc_id - subnet_id = module.vpc.private_subnets[0] - region = var.region - access_logs_bucket_name = aws_s3_bucket.access_logs_bucket.id + name = local.bastion_name + vpc_id = module.vpc.vpc_id + subnet_id = module.vpc.private_subnets[0] + region = var.region + access_logs_bucket_name = aws_s3_bucket.access_logs_bucket.id session_logs_bucket_name_prefix = local.session_logs_bucket_name_prefix - kms_key_arn = aws_kms_key.default.arn - ssh_user = var.bastion_ssh_user - ssh_password = var.bastion_ssh_password - assign_public_ip = false - enable_log_to_s3 = true - enable_log_to_cloudwatch = true - private_ip = var.private_ip != "" ? var.private_ip : null + kms_key_arn = aws_kms_key.default.arn + ssh_user = var.bastion_ssh_user + ssh_password = var.bastion_ssh_password + assign_public_ip = false + enable_log_to_s3 = true + enable_log_to_cloudwatch = true + private_ip = var.private_ip != "" ? var.private_ip : null tenancy = var.bastion_tenancy zarf_version = var.zarf_version