Skip to content

hazelops/terraform-aws-ec2-bastion

Repository files navigation

AWS Terraform Module for EC2 Bastion with SSM

e2e tests This module creates a basic EC2 bastion host (Single or ASG) in a private subnet of a VPC and connects it to AWS Systems Manager. This Bastion host can be used to access other private resources in the VPC via SSM. There is no need to expose it via a public IP for SSH access since we're using SSM as a first transport.

Prerequisites

Usage Example

Below is a simple usage example of the module.

module "bastion" {
    source    = "hazelops/ec2-bastion/aws"
    version   = "~> 4.0"
    
    env               = "dev"
    vpc_id            = "vpc-1234567890"
    private_subnets   = ["subnet-1234567890", "subnet-1234567891"]
    ec2_key_pair_name = "my-key-pair"
    tags = {
      # Optionally add atun.io-compatible configuration here for Tunnel Discovery 
      "atun.io/env" = "dev"
      "atun.io/version" = "1"      
      
      ## Forwarding RDS to a local port 15432 
      "atun.io/host/${module.rds_api.cluster_endpoint}" = jsonencode({
        "proto" = "ssm"
        "local" =  15432
        "remote" = module.rds_api.api.cluster_port
      }),
      
      ## Forwarding Redis to a local port 16379
      "atun.io/host/${module.redis_api.cache_nodes.0.address}" = jsonencode({
        "proto" = "ssm"
        "local" =  16379
        "remote" = module.redis_api.cache_nodes.0.port
      }),
      
      ## Forwarding OpenSearch to a local port 10443
      "atun.io/host/${module.opensearch_api.endpoint}" = jsonencode({
        "proto" = "ssm"
        "local" =  10443
        "remote" = 443
      }),
    }
}

### Modules Omitted ###
module "rds_api" {
  source = "terraform-aws-modules/rds/aws"
  # Omitted for brevity
}

module "redis_api" {
  source = "terraform-aws-modules/elasticache/aws"
  # Omitted for brevity
}

module "opensearch_api" {
  source = "terraform-aws-modules/opensearch/aws"
  # Omitted for brevity
}
#######################

AWS SSM AWS-StartPortForwardingSessionToRemoteHost Usage

This is a simple example without using atun.io discovery tags. This option is limited to a single host and port.

aws ssm start-session \
--target i-xxxxxxxxxxxx \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters ' \
{"host":["mydb.example.us-east-2.rds.amazonaws.com"],"portNumber":["5432"], "localPortNumber":["15432"]}'

AWS SSM With atun.io Discovery Tags

Get atun

atun up

Requirements

Name Version
terraform >= 1.0
aws >= 4

Providers

Name Version
aws >= 4

Modules

Name Source Version
asg_bastion terraform-aws-modules/autoscaling/aws ~>6.10

Resources

Name Type
aws_iam_instance_profile.this resource
aws_iam_role.this resource
aws_iam_role_policy_attachment.this resource
aws_instance.this resource
aws_security_group.this resource
aws_ami.this data source
aws_availability_zones.available data source
aws_iam_policy_document.this data source
aws_region.current data source

Inputs

Name Description Type Default Required
allowed_cidr_blocks List of network subnets that are allowed. According to PCI-DSS, CIS AWS and SOC2 providing a default wide-open CIDR is not secure. list(string) n/a yes
asg_cpu_core_count Number of CPU cores to use for autoscaling group number 1 no
asg_cpu_threads_per_core Number of threads per core to use for autoscaling group number 1 no
asg_enabled Enable autoscaling group for bastion host. If enabled, the bastion host will be created as an autoscaling group bool false no
atun_config Atun port forwarding discovery configuration map(string) {} no
ec2_key_pair_name EC2 Key Pair Name that the bastion host would be created with string n/a yes
env Environment name, for example dev string n/a yes
instance_type EC2 instance type for bastion host string "t3.nano" no
manage_iam_instance_profile Whether to manage the IAM role for the bastion host bool true no
manage_security_group Whether to manage the security group for the bastion host bool true no
name Name of the bastion host string "bastion" no
private_subnets Private subnets list(string) n/a yes
public_subnets Public subnets (if set, private subnets are ignored) list(string) [] no
security_groups Additional security groups to add to bastion host list(any) [] no
ssm_role SSM role to attach to the bastion host string "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM" no
tags Additional tags for the resources map(string) {} no
vpc_id VPC ID where the bastion host will be created string n/a yes

Outputs

Name Description
security_group The ID of the security group
tags The tags for the bastion host