updated changelog and readme for release 3.6
joshuamkite committed Jul 12, 2018
1 parent c75ca2f commit 5386e37
Showing 2 changed files with 22 additions and 6 deletions.
19 changes: 16 additions & 3 deletions Changleog.md
@@ -1,8 +1,21 @@
# 3.5
**N.B. It is not possible to successfully apply module version >/=3.4 over version </=3.3 due to change from 'aws_security_group' to aws_security_group_rules' you will need to terraform destroy; terraform apply in this case**

# 3.6 (tested!)
## With special thanks to Luis Silva for his excellent contributions

**Bugfix:** This version fixes breakage bugs in 3.4; 3.5 and has been tested!

**Feature:** This release introduces separate security groups for the load balancer and for the service EC2 host. It is now only possible to reach the ec2 host via the load balancer, even on a public subnet. This is true for both the containerised ssh service on port 22 and the ecs host sshd on port 2222 (if enabled). No public IP address is assigned.

**Feature:** New output: bastion_sg_id gives the Security Group id of the bastion host which may be useful for other services

**Documentation:** update readme to reflect new ouptputs and names; acknowledgements

# 3.5 (broken, withdrawn)

**Bugfix:** Remove parentheses from the name of the sample policy ouptut to make it parsable when called from module

# 3.4
# 3.4 (broken, withdrawn)

**N.B. This change means that it is not possible to successfully apply module version 3.4 over version 3.3- you will need to terraform destroy; terraform apply in this case**

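Review bot: the destroy-and-reapply warning for moving from <=3.3 to >=3.4 is removed from the top of the file and now survives only under the withdrawn "# 3.4 (broken, withdrawn)" heading, where readers checking the current release will miss it; repeat it under "# 3.6 (tested!)", since that is the first working release carrying the 'aws_security_group' to 'aws_security_group_rules' change. The new Feature entry states that the EC2 host is reachable only through the load balancer and gets no public IP, but not what enforces that; one sentence on the mechanism (for example, whether the host security group accepts ports 22 and 2222 only from the load balancer's security group) and the name of the variable behind "(if enabled)" for sshd on 2222 would let upgraders verify it. Minor: "ouptputs" and "ouptut" are typos, and "3.4; 3.5" reads better as "3.4 and 3.5".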
@@ -35,7 +48,7 @@ In version 1.0 (download this release if you want it!) this plan deployed a simp

# 1.1

Thanks to Piotr Jaromin for implementing these features
## Thanks to Piotr Jaromin for implementing these features

* S3 bucket is no longer necessary, golang script for iam-authorized-command is stored inside this repository.
* IAM roles are generated based on region and environment role, so there should be no more conflicts.
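Review bot: promoting the "Thanks to Piotr Jaromin" line to a "##" heading matches the "## With special thanks to Luis Silva" style introduced under 3.6 above, so the two release sections now read consistently; no functional content changes in this hunk.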
9 changes: 6 additions & 3 deletions README.md
@@ -1,10 +1,14 @@
This Terraform deploys an sshd bastion service on AWS:
===================================

**N.B. If you are using a newer version of this module when you have an older version deployed, please review the changelog!**

# Overview

This plan provides socket-activated sshd-containers with one container instantiated per connection and destroyed on connection termination or else after 12 hours- to deter things like reverse tunnels etc. The host assumes an IAM role, inherited by the containers, allowing it to query IAM users and request their ssh public keys lodged with AWS. The actual call for public keys is made with a [GO binary](https://github.com/Fullscreen/iam-authorized-keys-command), which is built during host intial launch and made available via shared volume in the docker image. In use the Docker container queries AWS for users with ssh keys at runtime, creates local linux user accounts for them and handles their login. The users who may access the bastion service may be restricted to membership of a defined AWS IAM group which is not set up or managed by this plan. When the connection is closed the container exits. This means that users log in _as themselves_ and manage their own ssh keys using the AWS web console or CLI. For any given session they will arrive in a vanilla Ubuntu container with passwordless sudo and can install whatever applications and frameworks might be required for that session. Because the IAM identity checking and user account population is done at container run time and the containers are called on demand, there is no delay between creating an account with a public ssh key on AWS and being able to access the bastion. If users have more than one ssh public key then their account will be set up so that any of them may be used- AWS allows up to 5 keys per user. Asides from the resources provided by AWS and remote repositories this plan is entirely self contained. There is no reliance on registries, build chains etc.

## With thanks to Piotr Jaromin and Luis Silva for their excellent contributions to this project

# Ability to assume a role in another account (New in Version 3)

With version 3 series (backward compatible with version 2) the ability to assume a role in another account has now been integrated with conditional logic. If you supply the ARN for a role for the bastion service to assume in another account ${var.assume_role_arn} then this plan will create an instance profile, role and policy along with each bastion to make use of it. A matching sample policy and trust relationship is given as an output from the plan to assist with application in the other account. If you do not supply this arn then this plan presumes IAM lookups in the same account and creates an appropriate instance profile, role and policies for each bastion in the same AWS account. 'Each bastion' here refers to a combination of environment, AWS account, AWS region and VPCID determined by deployment. Since this is a high availabilty service, it is not envisaged that there would be reason for more than one independent deployment within such a combination.
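Review bot: the new N.B. tells readers to review the changelog but does not link it; since the file in this repository is spelled "Changleog.md", a relative link to that exact path would save readers from hunting for it, and the note should state the concrete consequence (a terraform destroy and apply when upgrading from <=3.3 to >=3.4, as the changelog in this same commit says) rather than leaving it implicit. The acknowledgement heading added under Overview is fine here and makes the bold thanks line removed further down redundant, which this commit handles.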
@@ -19,8 +23,6 @@ In version 1.x series (download this release if you want it!) this plan deployed

# Service deployed by this plan

**With thanks to Piotr Jaromin for his excellent contributions to this project**

This plan creates a load balancer and autoscaling group with a dns entry for the service of the format

name = "${var.environment_name}-${data.aws_region.current.name}-${var.vpc}-bastion-service.${var.dns_domain}"
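Review bot: dropping the bold thanks line here removes a duplicate of the acknowledgement now placed under Overview, so the credit appears once; no concern with the change itself. Visible in the unchanged context: the "name = ..." format string would read better in a code span so the interpolation syntax is not mistaken for prose.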
@@ -237,5 +239,6 @@ These have been generated with [terraform-docs](https://github.com/segmentio/ter

| Name | Description |
|------|-------------|
| policy_example_for_parent_account_(empty_if_not_used) | You must apply an IAM policy with trust realtionship identical or compatible with this in your other AWS account for IAM lookups to function there with STS:AssumeRole and allow users to login |
| bastion_sg_id | Security Group id of the bastion host |
| policy_example_for_parent_account_empty_if_not_used | You must apply an IAM policy with trust realtionship identical or compatible with this in your other AWS account for IAM lookups to function there with STS:AssumeRole and allow users to login |
| service_dns_entry | dns-registered url for service and host |
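Review bot: the output is renamed from "policy_example_for_parent_account_(empty_if_not_used)" to "policy_example_for_parent_account_empty_if_not_used", and the changelog in this commit explains the parentheses made it unparsable when referenced from a calling module, so no working reference breaks; the README would still help callers by showing the reference form "module.<name>.policy_example_for_parent_account_empty_if_not_used". The new "bastion_sg_id" row says what the value is but not why it is exported; a phrase such as "use as a source security group in other services' ingress rules" would match the changelog's "may be useful for other services". "realtionship" in the description is a typo carried over from the old row; since the table is generated by terraform-docs, it needs fixing in the output's description in the .tf source rather than in this file.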

0 comments on commit 5386e37
