Releases: joshuamkite/terraform-aws-ssh-bastion-service

Tagging along

21 Aug 16:14

Following fast on the appendable user data and role output of the previous release, this one fixes tagging:

Fixed: extensible (user-supplied) tags on the autoscaling group
Fixed: interpolation of the built-in tags on the autoscaling group

Log - it's better than bad, it's good

21 Aug 12:14
5edc094

Feature: Appendable user data. An encompassing plan can now add its own user data to the user data the module generates.

Feature: The role created by this module is now available as an output, so that an encompassing plan may use it, e.g. to attach additional policies.

  • Together these two changes make it possible to wire in the logging solution of your choice, e.g. shipping the host journal to CloudWatch Logs.

Change: The load balancer health check port now defaults to 2222 (the EC2 host sshd). This avoids the IAM rate limiting that health checks against the containerised service on port 22 cause in large deployments (see the "So many options" release below).
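As an added example (not code from this module or its author), the following encompassing plan uses both features together: it appends its own user data to the bastion hosts and attaches a least-privilege CloudWatch Logs policy to the role the module exports. The module input name `extra_user_data_content` and output name `bastion_service_role_name` are assumptions made for this illustration; check them against the README of the release you use. Terraform 0.12+ syntax is assumed.

```hcl
# Added example: an encompassing plan that appends user data to the bastion
# hosts and attaches a scoped CloudWatch Logs policy to the module's role.
# ASSUMED names (not confirmed by the release notes): module input
# `extra_user_data_content`, module output `bastion_service_role_name`.

variable "environment_name" { default = "dev" }

module "bastion" {
  source = "github.com/joshuamkite/terraform-aws-ssh-bastion-service" # pin with ?ref=<tag>
  # ... the module's other required inputs (VPC, subnets, region, ...) ...

  # Appended to the module's own user data. This snippet only makes the host
  # journal persistent; install your log shipper of choice the same way.
  extra_user_data_content = <<-EOT
    #!/bin/bash
    set -eu
    mkdir -p /var/log/journal
    systemctl restart systemd-journald
  EOT
}

# One log group per environment, with a retention period rather than forever.
resource "aws_cloudwatch_log_group" "bastion_journal" {
  name              = "/bastion/${var.environment_name}/journal"
  retention_in_days = 90
}

# Least privilege: the hosts may only write streams into that one log group,
# instead of being granted the broad managed CloudWatchAgentServerPolicy.
data "aws_iam_policy_document" "bastion_logs" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutLogEvents",
    ]
    resources = ["${aws_cloudwatch_log_group.bastion_journal.arn}:*"]
  }
}

resource "aws_iam_policy" "bastion_logs" {
  name   = "bastion-journal-to-cloudwatch-${var.environment_name}"
  policy = data.aws_iam_policy_document.bastion_logs.json
}

# Attach to the role the module exports, without modifying the module itself.
resource "aws_iam_role_policy_attachment" "bastion_logs" {
  role       = module.bastion.bastion_service_role_name
  policy_arn = aws_iam_policy.bastion_logs.arn
}
```

Because the attachment lives in the encompassing plan, the module's own role and policies stay untouched, and destroying the plan removes the extra grant along with it.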

So many options

16 Jul 15:52

Feature: The ELB health check port may optionally be set to either port 22 (containerised service; default) or port 2222 (EC2 host sshd). If you deploy a large number of bastion instances, all of them querying the same parent account for IAM lookups in response to load balancer health checks on port 22 triggers IAM rate limiting from AWS. Using the EC2 host sshd on port 2222 avoids this and is recommended for larger deployments. Because moving the host sshd to port 2222 is part of the service setup, a passing check on 2222 still shows that the host bootstrapped, although it does not exercise the containerised service itself. Security group rules are created conditionally to support any combination of client access and/or health checks on port 2222, or neither.

Feature: Friendlier DNS and host naming. You can now define the last variable part of the hostname. By default this is the VPC ID, selected via the magic default value 'vpc_id', but you can pass a custom string, or an empty value to omit the segment altogether, e.g.

module default: dev-ap-northeast-1-vpc-1a23b456d7890-bastion-service.yourdomain.com

bastion_vpc_name = "compute" gives dev-ap-northeast-1-compute-bastion-service.yourdomain.com

bastion_vpc_name = "" gives dev-ap-northeast-1-bastion-service.yourdomain.com

In the last case the service container's shell prompt is set to something like you@dev-ap-northeast-1_3

Feature: Route 53 record creation is now optional. If you do not supply a value for route53_zone_id, no record is created; dns_domain has also been made optional in support of this. New outputs elb_dns_name and elb_zone_id are available so that an encompassing plan can create its own record or otherwise point at the load balancer.
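As an added example (not code from this module or its author), this encompassing plan shows the hostname composition described above and the alternative DNS option: it calls the module with bastion_vpc_name set but without route53_zone_id, rebuilds the same hostname itself, and creates an alias record in its own zone from the elb_dns_name and elb_zone_id outputs. The variable names environment_name, region, vpc_id and alt_zone_id, the sample VPC ID, and Terraform 0.12+ syntax are assumptions; bastion_vpc_name, dns_domain, route53_zone_id, elb_dns_name and elb_zone_id are the names the release notes give.

```hcl
# Added example: encompassing plan that builds the bastion FQDN with the same
# rules as the module and creates its own Route 53 alias record.
# ASSUMED: variable names below other than bastion_vpc_name and dns_domain;
# the VPC ID is a constructed sample value.

variable "environment_name" { default = "dev" }
variable "region"           { default = "ap-northeast-1" }
variable "vpc_id"           { default = "vpc-1a23b456d7890" } # constructed sample
variable "bastion_vpc_name" { default = "compute" }           # "vpc_id", a custom string, or ""
variable "dns_domain"       { default = "yourdomain.com" }
variable "alt_zone_id"      {}                                # zone this plan manages

module "bastion" {
  source = "github.com/joshuamkite/terraform-aws-ssh-bastion-service" # pin with ?ref=<tag>
  # ... the module's other required inputs ...
  bastion_vpc_name = var.bastion_vpc_name
  # route53_zone_id deliberately not set: the module then creates no record,
  # and the record is built below from its elb_dns_name / elb_zone_id outputs.
}

locals {
  # The magic default "vpc_id" means "use the VPC ID"; anything else is literal.
  vpc_segment = var.bastion_vpc_name == "vpc_id" ? var.vpc_id : var.bastion_vpc_name

  # compact() drops the empty string when bastion_vpc_name = "", so no
  # double hyphen ("dev-ap-northeast-1--bastion-service") is produced.
  hostname = join("-", compact([
    var.environment_name,
    var.region,
    local.vpc_segment,
    "bastion-service",
  ]))

  fqdn = "${local.hostname}.${var.dns_domain}"
}

resource "aws_route53_record" "bastion" {
  zone_id = var.alt_zone_id
  name    = local.fqdn
  type    = "A"

  alias {
    name                   = module.bastion.elb_dns_name
    zone_id                = module.bastion.elb_zone_id
    evaluate_target_health = true
  }
}

output "bastion_fqdn" { value = local.fqdn }
```

With the defaults above local.fqdn evaluates to dev-ap-northeast-1-compute-bastion-service.yourdomain.com; setting bastion_vpc_name = "" gives dev-ap-northeast-1-bastion-service.yourdomain.com, and "vpc_id" gives the VPC ID form, matching the three cases listed in the release notes.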

Feature: Service container Ubuntu version is now a variable. Tested with 16.04 (default) and 18.04. With other releases YMMV.

I get by with a little help from my friends

12 Jul 10:43

3.6 (tested!)

With special thanks to Luis Silva for his excellent contributions

Bugfix: This version fixes breaking bugs in 3.4 and 3.5, and has been tested.

Feature: This release introduces separate security groups for the load balancer and for the service EC2 host. The EC2 host is now reachable only via the load balancer, even on a public subnet. This applies both to the containerised SSH service on port 22 and to the EC2 host sshd on port 2222 (if enabled). No public IP address is assigned to the host.

Feature: New output: bastion_sg_id gives the security group ID of the bastion host, which may be useful for other services (e.g. to allow SSH from the bastion into them).

Documentation: README updated to reflect the new outputs and names; acknowledgements added.
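As an added example (not code from this module or its author), the following shows the security group separation described in this release together with the conditional port 2222 rules and health check port from the "So many options" release above: clients reach only the load balancer's group, the host group has no CIDR-based ingress at all, and a rule for 2222 exists only when a health check or client access actually needs it. Variable names, resource names and Terraform 0.12+ syntax are assumptions; bastion_sg_id is the output name the release notes give.

```hcl
# Added example: two security groups, host ingress only from the load balancer,
# and port 2222 rules created only when needed. Names are placeholders.

variable "vpc_id" {}
variable "subnet_ids"            { type = list(string) }
variable "cidr_blocks_whitelist" { type = list(string) } # client source ranges
variable "healthcheck_port"      { default = 2222 }      # 22 = containerised service, 2222 = host sshd
variable "expose_host_sshd"      { default = false }     # also forward client port 2222 to the host

locals {
  # Ports the load balancer accepts from clients, and ports it may open to the
  # hosts. In the default 22-only, check-on-22 case no 2222 rule exists at all.
  client_ports = toset(concat(["22"], var.expose_host_sshd ? ["2222"] : []))
  host_ports   = toset(concat(["22"], (var.expose_host_sshd || var.healthcheck_port == 2222) ? ["2222"] : []))
}

# Load balancer group: the only thing clients can reach.
resource "aws_security_group" "lb" {
  name_prefix = "bastion-lb-"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "lb_in" {
  for_each          = local.client_ports
  type              = "ingress"
  security_group_id = aws_security_group.lb.id
  protocol          = "tcp"
  from_port         = tonumber(each.key)
  to_port           = tonumber(each.key)
  cidr_blocks       = var.cidr_blocks_whitelist
}

# Egress from the load balancer goes to the host group only, and only on the
# ports something needs.
resource "aws_security_group_rule" "lb_out" {
  for_each                 = local.host_ports
  type                     = "egress"
  security_group_id        = aws_security_group.lb.id
  protocol                 = "tcp"
  from_port                = tonumber(each.key)
  to_port                  = tonumber(each.key)
  source_security_group_id = aws_security_group.host.id
}

# Host group: ingress only from the load balancer's group, never from a CIDR,
# so an instance in a public subnet is still unreachable directly.
resource "aws_security_group" "host" {
  name_prefix = "bastion-host-"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "host_in" {
  for_each                 = local.host_ports
  type                     = "ingress"
  security_group_id        = aws_security_group.host.id
  protocol                 = "tcp"
  from_port                = tonumber(each.key)
  to_port                  = tonumber(each.key)
  source_security_group_id = aws_security_group.lb.id
}

resource "aws_security_group_rule" "host_out" {
  type              = "egress"
  security_group_id = aws_security_group.host.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"] # IAM, package mirrors and the hosts behind the bastion
}

resource "aws_elb" "bastion" {
  name            = "bastion-service"
  subnets         = var.subnet_ids
  security_groups = [aws_security_group.lb.id]

  dynamic "listener" {
    for_each = local.client_ports
    content {
      lb_port           = tonumber(listener.value)
      lb_protocol       = "tcp"
      instance_port     = tonumber(listener.value)
      instance_protocol = "tcp"
    }
  }

  # A TCP check against the host sshd on 2222 completes without the IAM lookup
  # the containerised service performs per connection on 22, so a large fleet
  # is not rate-limited by its own health checks.
  health_check {
    target              = "TCP:${var.healthcheck_port}"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

output "bastion_sg_id" { value = aws_security_group.host.id }
```

Other services that should accept SSH from the bastion can reference bastion_sg_id as the source of their own ingress rule, rather than whitelisting the bastion's subnet.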

going_global

03 Jul 16:08

Change: The AWS name of the Elastic Load Balancer now includes the VPC, within the 32-character AWS name limit, so that bastions can be deployed in multiple VPCs per region.

3.2

03 Jul 14:51

Make the service host PEM key (EC2 key pair) optional.

High Availability

22 May 16:35

Breaking Changes from version 1.x series

In version 1.0 (download that release if you want it!) this plan deployed a simple static host. With the version 2 branch a move has been made to make this a high availability service with an autoscaling group, health checks and a load balancer. This has necessitated removing the version 1.x feature of creating and attaching to the container host an Elastic Network Interface for each additional subnet specified. In the new branch, additional subnets are supplied instead to the autoscaling group and load balancer. The expectation is that separation will be managed per VPC rather than by segregated subnet. The VPC ID is also integrated into the DNS entry to permit multiple deployments to different VPCs within a single region.

deprecated s3 and iam warning

18 May 11:45

Thanks to Piotr Jaromin for implementing these features

  • An S3 bucket is no longer necessary: the Go script for iam-authorized-command is stored inside this repository.
  • IAM roles are generated based on region and environment role, so there should be no more naming conflicts.
  • Added an additional user-data file to the output variables; it can be used to populate ECS/k8s nodes (based on the Amazon Linux image) to allow SSH from the bastion into the nodes.
  • Added a tags variable (it attaches additional tags to the AWS resources).