Skip to content
/ terraform-aws-bastion-ssm-iam Public
forked from Flaconi/terraform-aws-bastion-ssm-iam

AWS Bastion server which can reside in the private subnet utilizing Systems Manager Sessions

License

MIT license
0 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zeet-co/terraform-aws-bastion-ssm-iam

BranchesTags
 
 

Repository files navigation

AWS Bastion SSM IAM

Lint Status Docs Status Tag license

Terraform module which provides a Bastion for AWS utilizing

  • Autoscaling group of min/max 1 for resiliency
  • AWS SSM Session Manager, this allows users to start a Terminal Session or Tunnel to an instance without the need of public internet access
  • ec2-instance-connect, for the creation of temporary ssh keys on the instance

NOTE Important, this module managed the SSM Document SSM-SessionManagerRunShell, in some cases it already exists. To make sure Terraform is used to maintain this Document please execute: aws ssm delete-document --name SSM-SessionManagerRunShell. In case you do not want to overwrite SSM-SessionManagerRunShell, you can use the module directive create_new_ssm_document to create a different document name. This document needs to be refered to as follows: SSM_DOCUMENT_NAME="SSM-SessionManagerRunShell-JKURx" ./ssh_terminal

NOTE For this to work you need to install the session manager plugin for the AWSCLI, click (here)[https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html] for more information.

Examples

Check the examples directory for installation.

Client

SSH Terminal

The bash script client/ssh_terminal provides a simplified way to ssh to the IAM Bastion, it uses a recent awscli-client with ssm terminal support.

SSH Tunnel

The bash script client/ssh_tunnel creates an SSH tunnel using the BASTION, it uses a recent awscli-client with ssm terminal support and ec2-instance-connect for uploading the SSH Public key to AWS. Make sure the BASTION has access to the resources it needs access to by modifying the Security Group of the resouce.

By default the public key file $HOME/.ssh/id_rsa.pub will be used for temporary access. The ENVIRONMENT variable SSH_PUB_KEY_FILE can be used to set a different public key, as of now AWS does not support ed25519 public keys. By default the ENVIRONMENT variable AWS_REGION will be used for the awscli-tool, if you are using awscli profiles, please provide the correct region by setting the AWS_REGION-variable. If DEV_LOCAL_PORT is specified, the ssh tunnel will be created with DEV_LOCAL_PORT as local port to connect to, if not a RANDOM port will be used.

Example:

./ssh_tunnel private_subnet.isdfjsdf.eu-central-1.rds.amazonaws.com:3306

Requirements

Name Version
terraform >= 1.2.4
aws >= 3
random >= 3.1

Providers

Name Version
aws >= 3
random >= 3.1
template n/a

Modules

No modules.

Resources

Name Type
aws_autoscaling_group.this resource
aws_cloudwatch_log_group.this resource
aws_iam_instance_profile.this resource
aws_iam_role.this resource
aws_iam_role_policy.kms resource
aws_iam_role_policy_attachment.this resource
aws_kms_key.this resource
aws_launch_configuration.this resource
aws_security_group.allow_egress resource
aws_ssm_document.session_manager_prefs resource
random_string.this resource
aws_ami.amazon_linux_2 data source
aws_caller_identity.current data source
aws_iam_policy_document.kms_key_policy data source
aws_iam_policy_document.kms_key_policy_iam_profile data source
aws_iam_policy_document.trust_policy data source
aws_region.current data source
template_file.init data source

Inputs

Name Description Type Default Required
subnet_ids The subnets where the Bastion can reside in, they can be private list(string) n/a yes
vpc_id The VPC-ID string n/a yes
create_new_ssm_document This module can create a new SSM document for the SSH Terminal bool false no
create_security_group This module can create a security group for the bastion instance by default bool true no
image_id AMI to be used. If blank, latest amazon linux 2 will be used string "" no
instance_type The instance type of the bastion string "t3.nano" no
log_retention The amount of days the logs need to be kept number 30 no
name The name to be interpolated, defaults to bastion-ssm-iam string "bastion-ssm-iam" no
security_group_ids The security group ids which can be given to the bastion instance, defaults to empty list(string) [] no
tags Tags to be added to the launch configuration for the bastion host, additionally to name tag 
list(object({
    key                 = string
    value               = string
    propagate_at_launch = bool
  }))
 [] no

Outputs

Name Description
instance_profile_name The instance profile name of SSM
security_group_id The security group id of the bastion server
ssm_document_name The document name of SSM

License

MIT

Copyright (c) 2021 Flaconi GmbH

About

AWS Bastion server which can reside in the private subnet utilizing Systems Manager Sessions

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • HCL 43.7%
  • Makefile 35.5%
  • Shell 20.8%