AWS Bastion SSM IAM
Terraform module which provides a Bastion for AWS utilizing
- Autoscaling group of min/max 1 for resiliency
- AWS SSM Session Manager, this allows users to start a Terminal Session or Tunnel to an instance without the need of public internet access
- ec2-instance-connect, for the creation of temporary ssh keys on the instance
NOTE Important, this module managed the SSM Document SSM-SessionManagerRunShell, in some cases it already exists. To make sure Terraform is used to maintain this Document please execute: aws ssm delete-document --name SSM-SessionManagerRunShell. In case you do not want to overwrite SSM-SessionManagerRunShell, you can use the module directive create_new_ssm_document to create a different document name. This document needs to be refered to as follows: SSM_DOCUMENT_NAME="SSM-SessionManagerRunShell-JKURx" ./ssh_terminal
NOTE For this to work you need to install the session manager plugin for the AWSCLI, click (here)[https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html] for more information.
Examples
Check the examples directory for installation.
Client
SSH Terminal
The bash script client/ssh_terminal provides a simplified way to ssh to the IAM Bastion, it uses a recent awscli-client with ssm terminal support.
SSH Tunnel
The bash script client/ssh_tunnel creates an SSH tunnel using the BASTION, it uses a recent awscli-client with ssm terminal support and ec2-instance-connect for uploading the SSH Public key to AWS. Make sure the
BASTION has access to the resources it needs access to by modifying the Security Group of the resouce.
By default the public key file $HOME/.ssh/id_rsa.pub will be used for temporary access. The ENVIRONMENT variable SSH_PUB_KEY_FILE can be used to set a different public key, as of now AWS does not support ed25519 public keys.
By default the ENVIRONMENT variable AWS_REGION will be used for the awscli-tool, if you are using awscli profiles, please provide the correct region by setting the AWS_REGION-variable.
If DEV_LOCAL_PORT is specified, the ssh tunnel will be created with DEV_LOCAL_PORT as local port to connect to, if not a RANDOM port will be used.
Example:
./ssh_tunnel private_subnet.isdfjsdf.eu-central-1.rds.amazonaws.com:3306Requirements
| Name | Version |
|---|---|
| terraform | >= 1.2.4 |
| aws | >= 3 |
| random | >= 3.1 |
Providers
| Name | Version |
|---|---|
| aws | >= 3 |
| random | >= 3.1 |
| template | n/a |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_cloudwatch_log_group.this | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.kms | resource |
| aws_iam_role_policy_attachment.this | resource |
| aws_kms_key.this | resource |
| aws_launch_configuration.this | resource |
| aws_security_group.allow_egress | resource |
| aws_ssm_document.session_manager_prefs | resource |
| random_string.this | resource |
| aws_ami.amazon_linux_2 | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.kms_key_policy | data source |
| aws_iam_policy_document.kms_key_policy_iam_profile | data source |
| aws_iam_policy_document.trust_policy | data source |
| aws_region.current | data source |
| template_file.init | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| subnet_ids | The subnets where the Bastion can reside in, they can be private | list(string) |
n/a | yes |
| vpc_id | The VPC-ID | string |
n/a | yes |
| create_new_ssm_document | This module can create a new SSM document for the SSH Terminal | bool |
false |
no |
| create_security_group | This module can create a security group for the bastion instance by default | bool |
true |
no |
| image_id | AMI to be used. If blank, latest amazon linux 2 will be used | string |
"" |
no |
| instance_type | The instance type of the bastion | string |
"t3.nano" |
no |
| log_retention | The amount of days the logs need to be kept | number |
30 |
no |
| name | The name to be interpolated, defaults to bastion-ssm-iam | string |
"bastion-ssm-iam" |
no |
| security_group_ids | The security group ids which can be given to the bastion instance, defaults to empty | list(string) |
[] |
no |
| tags | Tags to be added to the launch configuration for the bastion host, additionally to name tag | list(object({ |
[] |
no |
Outputs
| Name | Description |
|---|---|
| instance_profile_name | The instance profile name of SSM |
| security_group_id | The security group id of the bastion server |
| ssm_document_name | The document name of SSM |
License
Copyright (c) 2021 Flaconi GmbH