Bastion

Deploy a Bastion host on to your AWS VPC network.

View on GitHub

Reference

Inputs

• additional_security_group_ids — A list of optional additional security group ids to assign to the bastion server.

• alarms_sns_topic_arn — The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications.

• allow_ssh_from_cidr_list — A list of IP address ranges in CIDR format from which SSH access will be permitted. Attempts to access the bastion host from all other IP addresses will be blocked. This is only used if allow_ssh_from_cidr is true.

• ami — The AMI to run on the bastion host. This should be built from the Packer template under bastion-host.json. One of var.ami or ami_filters is required. Set to null if looking up the ami with filters.

• ami_filters — Properties on the AMI that can be used to lookup a prebuilt AMI for use with the Bastion Host. You can build the AMI using the Packer template bastion-host.json. Only used if var.ami is null. One of var.ami or ami_filters is required. Set to null if passing the ami ID directly.

• base_domain_name_tags — Tags to use to filter the Route 53 Hosted Zones that might match the hosted zone's name (use if you have multiple public hosted zones with the same name)

• cloud_init_parts — Cloud init scripts to run on the bastion host while it boots. See the part blocks in https://www.terraform.io/docs/providers/template/d/cloudinit_config.html for syntax.

• create_dns_record — Set to true to create a DNS record in Route53 pointing to the bastion. If true, be sure to set domain_name.

• default_user — The default OS user for the Bastion Host AMI. For AWS Ubuntu AMIs, which is what the Packer template in bastion-host.json uses, the default OS user is 'ubuntu'.

• domain_name — The apex domain of the hostname for the bastion server (e.g., example.com). The complete hostname for the bastion server will be name.var.domain_name (e.g., bastion.example.com). Only used if create_dns_record is true.

• enable_cloudwatch_alarms — Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn.

• enable_cloudwatch_log_aggregation — Set to true to send logs to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/logs/cloudwatch-log-aggregation-scripts to do log aggregation in CloudWatch.

• enable_cloudwatch_metrics — Set to true to add IAM permissions to send custom metrics to CloudWatch. This is useful in combination with https://github.com/gruntwork-io/terraform-aws-monitoring/tree/master/modules/agents/cloudwatch-agent to get memory and disk metrics in CloudWatch for your Bastion host.

• enable_fail2ban — Enable fail2ban to block brute force log in attempts. Defaults to true.

• enable_ip_lockdown — Enable ip-lockdown to block access to the instance metadata. Defaults to true.

• enable_ssh_grunt — Set to true to add IAM permissions for ssh-grunt (https://github.com/gruntwork-io/terraform-aws-security/tree/master/modules/ssh-grunt), which will allow you to manage SSH access via IAM groups.

• external_account_ssh_grunt_role_arn — If you are using ssh-grunt and your IAM users / groups are defined in a separate AWS account, you can use this variable to specify the ARN of an IAM role that ssh-grunt can assume to retrieve IAM group and public SSH key info from that account. To omit this variable, set it to an empty string (do NOT use null, or Terraform will complain).

• instance_type — The type of instance to run for the bastion host

• keypair_name — The name of a Key Pair that can be used to SSH to this instance.

• name — The name of the bastion host and the other resources created by these templates

• ssh_grunt_iam_group — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Bastion Host. This value is only used if enable_ssh_grunt=true.

• ssh_grunt_iam_group_sudo — If you are using ssh-grunt, this is the name of the IAM group from which users will be allowed to SSH to this Bastion Host with sudo permissions. This value is only used if enable_ssh_grunt=true.

• subnet_id — The ID of the subnet in which to deploy the bastion. Must be a subnet in vpc_id.

• tenancy — The tenancy of this server. Must be one of: default, dedicated, or host.

• vpc_id — The ID of the VPC in which to deploy the bastion.

Outputs

• bastion_host_iam_role_arn — The ARN of the bastion host's IAM role.

• bastion_host_instance_id — The EC2 instance ID of the bastion host.

• bastion_host_private_ip — The private IP address of the bastion host.

• bastion_host_public_ip — The public IP address of the bastion host.

• bastion_host_security_group_id — The ID of the bastion hosts's security group.

• dns_name — The fully qualified name of the bastion host.