Merge pull request #22 from joshuamkite/feature/mantenance

Feature/maintenance
joshuamkite · Jan 9, 2019 · b312296 · b312296
2 parents 8db8f93 + 1058b73
commit b312296
Show file tree

Hide file tree

Showing 10 changed files with 144 additions and 8 deletions.
diff --git a/CONTRIBUTING b/CONTRIBUTING
@@ -0,0 +1,5 @@
+# Contributing to this module
+
+I am always happy to consider contributions to the code offered here. Please feel free to raise issues or pull requests. All proposed code changes must be tested before submission!
+
+Thanks
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-This Terraform deploys a stateless containerised sshd bastion service on AWS:
+This Terraform deploys a stateless containerised sshd bastion service on AWS with IAM based authentication:
 ===================================
 
 **N.B. If you are using a newer version of this module when you have an older version deployed, please review the changelog!**
@@ -246,6 +246,7 @@ These have been generated with [terraform-docs](https://github.com/segmentio/ter
 | lb_healthcheck_port | TCP port to conduct lb target group healthchecks. Acceptable values are 22 or 2222 | string | `2222` | no |
 | lb_healthy_threshold | Healthy threshold for lb target group | string | `2` | no |
 | lb_interval | interval for lb target group health check | string | `30` | no |
+| lb_is_internal | whether the lb will be internal | string | false | no |
 | lb_unhealthy_threshold | Unhealthy threshold for lb target group | string | `2` | no |
 | route53_zone_id | Route53 zoneId | string | `` | no |
 | security_groups_additional | additional security group IDs to attach to host instance | list | `<list>` | no |

diff --git a/changelog.md b/changelog.md
@@ -1,9 +1,22 @@
 **N.B.**
 
-* **It is not possible to successfully apply module version >/= 4.0 over versions </= 3.xx due to chang from classic to network load balancer**
+* **It is not possible to successfully apply module version >/= 4.0 over versions </= 3.xx due to change from classic to network load balancer**
 
 **You will need to terraform destroy; terraform apply in such case**
 
+# 4.5
+
+**Feature:** Bastion load balancer can now be internal (Thanks Instacart)
+**Feature:** Bastion can now be assigned a public IP - permits use of module without NAT gateway (Thanks Ivan Mesic navi7)
+**Feature:** Example of simple use of module with a public IP (Thanks Ivan Mesic navi7)
+**Bugfix:** Populate user data with default if empty (Thanks Ivan Mesic navi7)
+
+# 4.4
+
+**Feature:** Adds a new variable so that the hostname can be overridden completely
+**Feature:** Removes the 'provider' so that it can set by the plan calling this module (as per Terraform guidelines)
+**Feature:** Adds a shebang as the default content for the shell script multipart mime types. This is so that, when using custom userdata, systemd doesn't report errors.
+
 # 4.3
 
 **Feature:** You can now specify a list of one or more security groups to attach to the host instance launch configuration. This can be supplied together with or instead of a whitelisted range of CIDR blocks. **N.B. This is _not_ aws_security_group_rule/source_security_group_id!** If you wish to append your own 'security_group_id' rules then you will need to attach these from a plan caling this module (using output "bastion_sg_id") or as part of a separate security group which you then attach. 

diff --git a/examples/full-with-public-ip/README.md b/examples/full-with-public-ip/README.md
@@ -0,0 +1,9 @@
+This example shows a complete setup for a new `bastion` service with all needed parts:
+
+* a new VPC,
+* private subnet(s) inside the VPC,
+* an internet gateway and route tables.
+
+Before applying, create a key pair in the requested region named 'bastion-demo'.
+
+Because of Terraform limitations (v0.11.x) it can't compute count/length of new resources so it can't generate the `aws_subnets` data block in  [`security_group.tf`](../../security_group.tf). A hack is to first create the VPC and then the rest of the bastion host: comment out the `ssh-bastion-service` module, `terraform apply`, uncomment and `apply` again.
diff --git a/examples/full-with-public-ip/main.tf b/examples/full-with-public-ip/main.tf
@@ -0,0 +1,81 @@
+provider "aws" {
+  region = "${var.aws-region}"
+}
+
+data "aws_availability_zones" "available" {}
+
+resource "aws_vpc" "bastion" {
+  cidr_block           = "${var.cidr-start}.0.0/16"
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "bastion-${var.environment-name}-vpc"
+  }
+}
+
+resource "aws_subnet" "bastion" {
+  count = 1
+
+  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
+  cidr_block        = "${var.cidr-start}.${count.index}.0/24"
+  vpc_id            = "${aws_vpc.bastion.id}"
+
+  tags = {
+    Name = "bastion-${var.environment-name}-subnet-${count.index}"
+  }
+}
+
+resource "aws_internet_gateway" "bastion" {
+  vpc_id = "${aws_vpc.bastion.id}"
+
+  tags = {
+    Name = "bastion-${var.environment-name}-ig"
+  }
+}
+
+resource "aws_route_table" "bastion" {
+  vpc_id = "${aws_vpc.bastion.id}"
+
+  tags = {
+    Name = "bastion-${var.environment-name}-rt"
+  }
+}
+
+resource "aws_route" "bastion-ipv4-out" {
+  route_table_id         = "${aws_route_table.bastion.id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.bastion.id}"
+}
+
+resource "aws_route_table_association" "bastion" {
+  count = 1
+
+  subnet_id      = "${aws_subnet.bastion.*.id[count.index]}"
+  route_table_id = "${aws_route_table.bastion.id}"
+}
+
+variable "everyone-cidr" {
+  default     = "0.0.0.0/0"
+  description = "Everyone"
+}
+
+# To create the bastion service, subnets need to already exist
+# This is currently a limitation of Terraform: https://github.com/hashicorp/terraform/issues/12570
+# Comment out the bastion service, apply, uncomment and apply again
+module "ssh-bastion-service" {
+  source  = "joshuamkite/ssh-bastion-service/aws"
+  version = "4.5"
+
+  aws_region  = "${var.aws-region}"
+  aws_profile = "${var.aws-profile}"
+
+  environment_name = "${var.environment-name}"
+  vpc              = "${aws_vpc.bastion.id}"
+
+  subnets_asg = ["${aws_subnet.bastion.*.id}"]
+  subnets_lb  = ["${aws_subnet.bastion.*.id}"]
+
+  cidr_blocks_whitelist_service = ["${var.everyone-cidr}"]
+
+  public_ip = true
+}
diff --git a/examples/full-with-public-ip/vars.tf b/examples/full-with-public-ip/vars.tf
@@ -0,0 +1,17 @@
+variable "aws-profile" {
+  default = ""
+}
+
+variable "aws-region" {
+  default     = "eu-west-1"
+  description = "Default AWS region"
+}
+
+variable "cidr-start" {
+  default     = "10.50"
+  description = "Default CIDR block"
+}
+
+variable "environment-name" {
+  default = "demo"
+}
diff --git a/load_balancer.tf b/load_balancer.tf
@@ -5,7 +5,7 @@
 resource "aws_lb" "bastion-service" {
   name                             = "${md5(format("bastion-service-%s",var.vpc))}"
   load_balancer_type               = "network"
-  internal                         = false
+  internal                         = "${var.lb_is_internal}"
   subnets                          = ["${var.subnets_lb}"]
   enable_cross_zone_load_balancing = true
   tags                             = "${var.tags}"

diff --git a/main.tf b/main.tf
@@ -28,7 +28,7 @@ resource "aws_launch_configuration" "bastion-service-host" {
   image_id                    = "${local.bastion_ami_id}"
   instance_type               = "${var.bastion_instance_type}"
   iam_instance_profile        = "${element((concat(aws_iam_instance_profile.bastion_service_assume_role_profile.*.arn, aws_iam_instance_profile.bastion_service_profile.*.arn)), 0)}"
-  associate_public_ip_address = "false"
+  associate_public_ip_address = "${var.public_ip}"
   security_groups             = ["${aws_security_group.bastion_service.id}", "${compact(concat(var.security_groups_additional))}"]
   user_data                   = "${data.template_cloudinit_config.config.rendered}"
   key_name                    = "${var.bastion_service_host_key_name}"

diff --git a/user_data.tf b/user_data.tf
@@ -93,7 +93,7 @@ data "template_cloudinit_config" "config" {
   part {
     filename     = "extra_user_data"
     content_type = "${var.extra_user_data_content_type}"
-    content      = "${var.extra_user_data_content}"
+    content      = "${(var.extra_user_data_content != "" ? var.extra_user_data_content : "#!/bin/bash")}"
     merge_type   = "${var.extra_user_data_merge_type}"
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -29,6 +29,11 @@ variable "bastion_service_host_key_name" {
   default     = ""
 }
 
+variable "public_ip" {
+  default     = false
+  description = "Associate a public IP with the host instance when launching"
+}
+
 variable "subnets_lb" {
   type        = "list"
   description = "list of subnets for load balancer - availability zones must match subnets_asg"
@@ -64,12 +69,11 @@ variable "tags" {
 }
 
 variable "bastion_host_name" {
-  type = "string"
-  default = ""
+  type        = "string"
+  default     = ""
   description = "The hostname to give to the bastion instance"
 }
 
-
 ##############################
 #LB ASG variables
 ##############################
@@ -91,6 +95,12 @@ variable "lb_interval" {
   default     = "30"
 }
 
+variable "lb_is_internal" {
+  type        = "string"
+  description = "whether the lb will be internal"
+  default     = false
+}
+
 variable "asg_max" {
   type        = "string"
   description = "Max numbers of bastion-service hosts in ASG"