terraform-google-bastion-host
This module will generate a bastion host vm compatible with OS Login and IAP Tunneling that can be used to access internal VMs.
This module will:
- Create a dedicated service account for the bastion host
- Create a GCE instance to be the bastion host
- Create a firewall rule to allow TCP:22 SSH access from the IAP to the bastion
- Necessary IAM bindings to allow IAP and OS Logins from specified members
Usage
Basic usage of this module is as follows:
module "iap_bastion" {
source = "terraform-google-modules/bastion-host/google"
project = var.project
zone = var.zone
network = google_compute_network.net.self_link
subnet = google_compute_subnetwork.net.self_link
members = [
"group:[email protected]",
"user:[email protected]",
]
}Functional example is included in the examples directory.
Requirements
These sections describe requirements for using this module.
Software
The following dependencies must be available:
- Terraform >= v0.12
- Terraform Provider for GCP
APIs
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Storage JSON API:
storage-api.googleapis.com - Compute Engine API:
compute.googleapis.com - Cloud Identity-Aware Proxy API:
iap.googleapis.com - OS Login API:
oslogin.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Permissions
This module only sets up permissions for the bastion service account, not the users who need access. To allow access, grant one of the following instance access roles.
roles/compute.osLoginDoes not grant administrator permissionsroles/compute.osAdminLoginGrants administrator permissions.
If the user does not share the same domain as the org the bastion is in, you will also need to grant that user roles/compute.osLoginExternalUser. This is to prevent external SSH access from being granted at the project level. See the OS Login documentation for more information.
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_config | Access configs for network, nat_ip and DNS | list(object({ |
[ |
no |
| additional_ports | A list of additional ports/ranges to open access to on the instances from IAP. | list(string) |
[] |
no |
| create_firewall_rule | If we need to create the firewall rule or not. | bool |
true |
no |
| create_instance_from_template | Whether to create and instance from the template or not. If false, no instance is created, but the instance template is created and usable by a MIG | bool |
true |
no |
| disk_size_gb | Boot disk size in GB | number |
100 |
no |
| disk_type | Boot disk type, can be either pd-ssd, local-ssd, or pd-standard | string |
"pd-standard" |
no |
| external_ip | Set to true if an ephemeral or static external IP/DNS is required, must also set access_config if true | bool |
false |
no |
| fw_name_allow_ssh_from_iap | Firewall rule name for allowing SSH from IAP | string |
"allow-ssh-from-iap-to-tunnel" |
no |
| host_project | The network host project ID | string |
"" |
no |
| image | Source image for the Bastion. If image is not specified, image_family will be used (which is the default). | string |
"" |
no |
| image_family | Source image family for the Bastion. | string |
"debian-11" |
no |
| image_project | Project where the source image for the Bastion comes from | string |
"debian-cloud" |
no |
| labels | Key-value map of labels to assign to the bastion host | map(any) |
{} |
no |
| machine_type | Instance type for the Bastion host | string |
"n1-standard-1" |
no |
| members | List of IAM resources to allow access to the bastion host | list(string) |
[] |
no |
| metadata | Key-value map of additional metadata to assign to the instances | map(string) |
{} |
no |
| name | Name of the Bastion instance | string |
"bastion-vm" |
no |
| name_prefix | Name prefix for instance template | string |
"bastion-instance-template" |
no |
| network | Self link for the network on which the Bastion should live | string |
n/a | yes |
| preemptible | Allow the instance to be preempted | bool |
false |
no |
| project | The project ID to deploy to | string |
n/a | yes |
| random_role_id | Enables role random id generation. | bool |
true |
no |
| scopes | List of scopes to attach to the bastion host | list(string) |
[ |
no |
| service_account_email | If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the service_account_roles variable so that logging and OS Login work as expected. |
string |
"" |
no |
| service_account_name | Account ID for the service account | string |
"bastion" |
no |
| service_account_roles | List of IAM roles to assign to the service account. | list(string) |
[ |
no |
| service_account_roles_supplemental | An additional list of roles to assign to the bastion if desired | list(string) |
[] |
no |
| shielded_vm | Enable shielded VM on the bastion host (recommended) | bool |
true |
no |
| startup_script | Render a startup script with a template. | string |
"" |
no |
| subnet | Self link for the subnet on which the Bastion should live. Can be private when using IAP | string |
n/a | yes |
| tags | Network tags, provided as a list | list(string) |
[] |
no |
| zone | The primary zone where the bastion host will live | string |
"us-central1-a" |
no |
Outputs
| Name | Description |
|---|---|
| hostname | Host name of the bastion |
| instance_template | Self link of the bastion instance template for use with a MIG |
| ip_address | Internal IP address of the bastion host |
| self_link | Self link of the bastion host |
| service_account | The email for the service account created for the bastion host |
Contributing
Refer to the contribution guidelines for information on contributing to this module.