Merge pull request #1 from hazelops/openvpn+bastion
Added Bastion functionality to EC2
igorkotof authored Nov 3, 2021
2 parents b532455 + 066c6f6 commit d96d59d
Showing 5 changed files with 64 additions and 8 deletions.
4 changes: 2 additions & 2 deletions iam.tf
@@ -1,6 +1,6 @@
# AWS SSM resources
resource "aws_iam_role" "this" {
name = "${var.env}-openvpn-connector"
name = local.name
assume_role_policy = data.aws_iam_policy_document.this.json
}

Expand All @@ -10,7 +10,7 @@ resource "aws_iam_role_policy_attachment" "this" {
}

resource "aws_iam_instance_profile" "this" {
name = "${var.env}-openvpn-connector"
name = local.name
role = aws_iam_role.this.name
}

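Review bot: `name = local.name` in both hunks hands the IAM role and the instance profile a value that, per its definition in variables.tf (`"${var.env}-openvpn-connector(bastion)"`), contains parentheses, and IAM role and instance-profile names are limited to alphanumerics plus `+=,.@-_`, so the apply will be rejected by the API. The same local is also assigned to `ssm_document_name` in variables.tf, and SSM document names disallow parentheses as well. A plain suffix keeps every consumer inside the allowed character set, e.g. `name = "${var.env}-openvpn-connector-bastion"` in the local, or a dedicated local for the IAM names if the parenthesised form is wanted for the security group tags.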
15 changes: 9 additions & 6 deletions main.tf
@@ -1,8 +1,8 @@
# Security Groups
resource "aws_security_group" "this" {
count = var.enabled ? 1 : 0
name = "${var.env}-openvpn-connector"
description = "Security Group for Cloud OpenVPN EC2 Instance (connector)"
name = local.name
description = "Security Group for Cloud OpenVPN+Bastion EC2 Instance (connector)"
vpc_id = var.vpc_id

ingress {
Expand All @@ -24,7 +24,7 @@ resource "aws_security_group" "this" {
tags = {
Terraform = "true"
Env = var.env
Name = "${var.env}-openvpn-connector"
Name = local.name
}

lifecycle {
Expand All @@ -40,9 +40,12 @@ resource "aws_instance" "this" {
iam_instance_profile = aws_iam_instance_profile.this.name
subnet_id = var.private_subnets[0]
key_name = var.ec2_key_pair_name
vpc_security_group_ids = [aws_security_group.this[0].id]
vpc_security_group_ids = concat(var.ext_security_groups, [
aws_security_group.this[0].id
])

disable_api_termination = true
disable_api_termination = true
associate_public_ip_address = false

lifecycle {
ignore_changes = all
Expand All @@ -53,7 +56,7 @@ resource "aws_instance" "this" {
tags = {
Terraform = "true"
Env = var.env
Name = "${var.env}-openvpn-connector"
Name = local.name
}

}
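Review bot: Changing the security group's `name` to `local.name` and its `description` (first hunk) both force replacement of `aws_security_group.this`, yet `ignore_changes = all` on `aws_instance.this` (third hunk) stops Terraform from moving an existing instance onto the replacement group, so on an already-deployed environment deleting the old group would likely fail with a dependency violation. The new `concat(var.ext_security_groups, [...])` on `vpc_security_group_ids` is ignored for the same reason and only takes effect on instances created after this change. Narrowing the lifecycle block to the attributes that genuinely drift, so that `vpc_security_group_ids` and `tags` stay managed, would let the rename and the extra groups roll out; otherwise the module should document that applying this version requires recreating the instance.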
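--- a/output.tf
+++ b/output.tf
@@ -0,0 +1,19 @@
+output "cmd" {
+value = {
+up = "ssh -M -S bastion.sock -fNT ubuntu@${element(aws_instance.this.*.id, 0)} "
+down = "ssh -S bastion.sock -O exit ubuntu@${element(aws_instance.this.*.id, 0)} "
+status = "ssh -S bastion.sock -O check ubuntu@${element(aws_instance.this.*.id, 0)}"
+}
+}
+
+output "instance_id" {
+value = element(aws_instance.this.*.id, 0)
+}
+
+output "ssh_config" {
+value = local.ssh_config
+}
+
+output "security_group" {
+value = element(aws_security_group.this.*.id, 0)
+}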
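Review bot: Every output here resolves the instance and the security group with `element(...*.id, 0)`, which raises an error on an empty list, so when `var.enabled` is false (the security group in main.tf uses `count = var.enabled ? 1 : 0`, and the instance appears to as well) these outputs fail the whole plan instead of yielding null. Wrapping the lookups with `try()`, e.g. `value = try(aws_instance.this[0].id, null)` and likewise for `security_group`, keeps the module usable in its disabled state. The `up` and `down` strings also end with a stray space before the closing quote. Since the instance id is deliberately used as the SSH host so that the `host i-* mi-*` stanza in `local.ssh_config` applies, a one-line comment above `output "cmd"` such as `# host is the instance id: matched by the "host i-* mi-*" ProxyCommand stanza in ssh_config` would save the next reader the lookup.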
30 changes: 30 additions & 0 deletions variables.tf
@@ -1,10 +1,13 @@
variable "env" {}

variable "aws_profile" {}
variable "vpc_id" {}
variable "private_subnets" {}
variable "ec2_key_pair_name" {}
variable "openvpn_token" {}

variable "instance_type" {
type = string
default = "t3.nano"
}

Expand All @@ -14,6 +17,12 @@ variable "enabled" {
description = "Gives ability to enable or disable Creation of NAT EC2"
}

variable "ext_security_groups" {
description = "External security groups to add to bastion host"
type = list(any)
default = []
}

variable "allowed_cidr_blocks" {
type = list(string)
description = "List of network subnets that are allowed"
Expand All @@ -26,3 +35,24 @@ variable "ssm_role_arn" {
type = string
default = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
}

variable "ssh_forward_rules" {
type = list(string)
description = "Rules that will enable port forwarding. SSH Config syntax"
default = []
}

locals {
name = "${var.env}-openvpn-connector(bastion)"
proxycommand = <<-EOT
ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOT
ssh_config = concat([
"# SSH over Session Manager",
"host i-* mi-*",
"ServerAliveInterval 180",
local.proxycommand,
], var.ssh_forward_rules)
ssm_document_name = local.name
}

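Review bot: `ext_security_groups` (second hunk) is typed `list(any)` although main.tf concatenates it straight into `vpc_security_group_ids`, which accepts only group ids; `type = list(string)` would reject mis-shaped input at plan time rather than at the EC2 API. In the new `locals` block, `proxycommand` is an indented heredoc and therefore ends with a newline, so the element spliced into `ssh_config` carries a trailing line break that becomes an empty line once a caller joins the list; `chomp(local.proxycommand)` inside the `concat` avoids that. Because `ssh_forward_rules` are appended verbatim to the `host i-* mi-*` stanza, its description should say so, e.g. `description = "Extra lines appended verbatim to the 'host i-* mi-*' stanza of the generated ssh_config (SSH config syntax), e.g. LocalForward rules"`.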
4 changes: 4 additions & 0 deletions versions.tf
Expand Up @@ -6,6 +6,10 @@ terraform {
template = {
source = "hashicorp/template"
}
local = {
source = "hashicorp/local"
version = "~> 1.2"
}
}
required_version = ">= 0.13"
}
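Review bot: The added `local = { source = "hashicorp/local" ... }` requirement has no visible consumer in this PR; the `local.name` and `local.ssh_config` references are Terraform `locals`, not the `local` provider, which is only needed for resources such as `local_file`. If nothing elsewhere in the module uses that provider, the block is an unneeded dependency; if something does, `~> 1.2` pins it to the 1.x series, which appears to predate the provider's 2.x releases, and the reason for the pin deserves a comment such as `# pinned to 1.x: <reason>`. The enclosing `terraform` block starts outside the hunk.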
