Releases: joshuamkite/terraform-aws-ssh-bastion-service
Wash and brush up
Feature: Add output "lb_arn"
Change: All policies are now rendered with aws_iam_policy_document rather than as JSON blobs
Feature: Add tags to roles
Feature: Increment module version and add outputs for simple example
Getting up early
Bugfix: Change quote style for ssh_populate scripts to avoid early interpolation (Thanks KevinGreen)
Documentation
Feature: Maintenance release - documentation changes and bump module version in example only
Community Contributions
Feature: Bastion load balancer can now be internal (Thanks Instacart)
Feature: Bastion can now be assigned a public IP - permits use of module without NAT gateway (Thanks Ivan Mesic navi7)
Feature: Example of simple use of module with a public IP (Thanks Ivan Mesic navi7)
Bugfix: Populate user data with default if empty (Thanks Ivan Mesic navi7)
Custom parameters
- Adds a new variable so that the hostname can be overridden completely
- Removes the provider so that it can be set by the plan calling this module (as per Terraform guidelines)
- Adds a shebang as the default content for the shell script multipart mime types. This is so that, when using custom userdata, systemd doesn't report errors.
Dry wit
Feature: You can now specify a list of one or more security groups to attach to the host instance launch configuration. This can be supplied together with, or instead of, a whitelisted range of CIDR blocks. N.B. This is not aws_security_group_rule/source_security_group_id! If you wish to append your own 'security_group_id' rules then you will need to attach these from a plan calling this module (using output "bastion_sg_id") or as part of a separate security group which you then attach.
It may be useful in an enterprise setting to have security groups with rules managed separately from the bastion plan but of course if you do not assign a suitable security group or whitelist then you may not be able to reach the service!
Change: The code has been DRYed significantly in locals.tf (to remove unused logic evaluations) and main.tf (to condense two separate aws_launch_configuration and aws_autoscaling_group blocks into one each). This makes code maintenance much easier and less error prone, BUT it does mean that these resources are now 'new': if you are deploying over an older version of this plan then you can expect them to be recreated. As lifecycle 'create before destroy' is specified, deployment will take a bit longer but downtime should be brief.
Bugfix: Previously the Golang code used for obtaining users and ssh public keys limited the number of users returned to 100 if an IAM group was specified. This has now been increased to 1000 and the code change accepted upstream.
special and unique
Bugfix: Make load balancer and target group names unique to support multiple environments in one account
Option Paralysis
Feature: You can now specify a custom base AMI to use for the service host with var.custom_ami_id. Tested and working without other changes using Ubuntu 18.04.
Feature: Userdata has been divided into sections which are now individually applicable. Each is now a HEREDOC and may be excluded by assigning any non-empty value to the relevant section variable. The value given is used only for a logic test and is not passed into userdata. If you ignore these variables then the historic/default behaviour continues and everything is built on the host instance on first boot (allow 3 minutes on t2.medium).
The variables for these sections are:
- custom_ssh_populate - any value excludes the default ssh_populate script (used on container launch) from userdata
- custom_authorized_keys_command - any value excludes the default Go binary to get IAM authorized keys (built from source) from userdata
- custom_docker_setup - any value excludes the default docker installation and container build from userdata
- custom_systemd - any value excludes the default systemd setup and hostname change from userdata
If you exclude any section then you must replace it with equivalent functionality, either in your base AMI or in extra_user_data. If you are not replacing all sections, be especially mindful that the systemd service expects docker to be installed and to be able to call the docker container as 'sshd_worker'. The service container in turn references the 'ssh_populate' script, which calls 'iam-authorized-keys' from a specific location.
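The section variables described above (Option Paralysis) and the security-group note under Dry wit, shown together in one calling plan as an added example; this is not code from the module or its author. It assumes a git source for the module, a placeholder AMI id, an existing aws_security_group.ops_hosts in the calling plan, port 22 for the bastion host and a systemd unit name of bastion-service; the module's other required inputs (VPC, subnets, DNS, key pair) are deliberately not listed.

```hcl
# Added example, not part of the module. Only custom_ami_id, the four
# custom_* section variables, extra_user_data and the bastion_sg_id output
# are taken from the release notes; everything else here is an assumption.

module "bastion_service" {
  source = "github.com/joshuamkite/terraform-aws-ssh-bastion-service"  # git source assumed

  # Custom base AMI for the service host (placeholder id)
  custom_ami_id = "ami-0123456789abcdef0"

  # Any non-empty value excludes the section. The value is only a logic test
  # and is NOT passed into userdata, so a short note is enough.
  custom_docker_setup = "baked into AMI"
  custom_systemd      = "baked into AMI"
  # custom_ssh_populate and custom_authorized_keys_command are left unset,
  # so those default sections are still built on the host at first boot.

  # Replacement for the excluded sections. The module's systemd service
  # expects docker to be installed and the container callable as
  # 'sshd_worker', so the AMI must already provide both; here we only
  # (re)enable the unit. Unit name is an assumption.
  extra_user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    systemctl daemon-reload
    systemctl enable --now bastion-service
  EOF

  # Remaining required module inputs (VPC, subnets, DNS, key pair) go here.
}

# The module does not take source_security_group_id rules itself; append one
# from the calling plan using the module's "bastion_sg_id" output. Port 22
# and aws_security_group.ops_hosts are assumptions of this example.
resource "aws_security_group_rule" "bastion_from_ops_hosts" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  security_group_id        = module.bastion_service.bastion_sg_id
  source_security_group_id = aws_security_group.ops_hosts.id
  description              = "SSH from ops hosts to bastion"
}
```

Keeping the rule in the calling plan, rather than inside the module, means the module's own security group can be managed by one team while the source-group rules are owned by another; whichever way you split it, confirm with `terraform plan` that at least one whitelist or security group actually grants reachability before applying, since an empty set leaves the service unreachable.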
new balance
Implements AWS Network Load Balancer
Thanks for the fix
Fix to bastion_service names to prevent error when route53_zone_id is not defined