This repository contains Terraform configuration files that create an AWS EC2 instance from a hardened AMI, assign it to a security group, and attach it to a subnet. Its purpose is secure access into a private subnet through a hardened device. It also creates an SSH key pair for the instance and an IAM instance profile with an optional role. Additionally, it creates an optional KMS key and security group for the event queue.

To view examples of how you can leverage this Bastion, please see the examples directory.
## Requirements

Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.9.0 |
cloudinit | >= 2.0.0 |
time | >= 0.9.1 |

## Providers

Name | Version |
---|---|
aws | >= 4.9.0 |
cloudinit | >= 2.0.0 |

## Modules

No modules.
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
access_logs_bucket_name | Name of S3 bucket to use to store access logs | `string` | n/a | yes |
access_logs_target_prefix | Prefix for all log object keys for the access log. | `string` | `"bastion-session-logs/"` | no |
additional_user_data_script | Additional user data script to run on instance boot | `string` | `""` | no |
allowed_public_ips | List of public IPs or private IP (internal) of Software Defined Perimeter to allow SSH access from | `list(string)` | `[]` | no |
ami_canonical_owner | Filter for AMI using this canonical owner ID | `string` | `null` | no |
ami_id | ID of AMI to use for Bastion | `string` | `""` | no |
ami_name_filter | Filter for AMI using this name. Accepts wildcards | `string` | `""` | no |
ami_virtualization_type | Filter for AMI using this virtualization type | `string` | `""` | no |
assign_public_ip | Determines if an instance gets a public IP assigned at launch time | `bool` | `false` | no |
cloudwatch_log_group_name | Name of the CloudWatch Log Group for storing SSM Session Logs | `string` | `"/ssm/session-logs"` | no |
cloudwatch_logs_retention | Number of days to retain Session Logs in CloudWatch | `number` | `365` | no |
enable_bastion_terraform_permissions | Enable Terraform permissions for Bastion | `bool` | `false` | no |
enable_log_to_cloudwatch | Enable Session Manager to log to CloudWatch Logs | `bool` | `true` | no |
enable_log_to_s3 | Enable Session Manager to log to S3 | `bool` | `true` | no |
enable_sqs_events_on_bastion_login | If true, generates an SQS event whenever an object is created in the Session Logs S3 bucket, which happens whenever someone logs in to the Bastion. | `bool` | `false` | no |
eni_attachment_config | Optional list of ENIs to attach to the instance | `list(object({` | `null` | no |
instance_type | Instance type to use for Bastion | `string` | `"m5.large"` | no |
kms_key_arn | KMS Key ARN to use for encryption | `string` | n/a | yes |
linux_shell_profile | The ShellProfile to use for Linux-based machines. | `string` | `""` | no |
log_archive_days | Number of days to wait before archiving to Glacier | `number` | `30` | no |
log_expire_days | Number of days to wait before deleting | `number` | `365` | no |
name | Name of Bastion | `string` | n/a | yes |
permissions_boundary | (Optional) The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
policy_arns | List of IAM policy ARNs to attach to the instance profile | `list(string)` | `[]` | no |
policy_content | JSON IAM Policy body. Use this to add a custom policy to your instance profile (Optional) | `string` | `null` | no |
private_ip | The private IP address to assign to the bastion | `string` | `null` | no |
region | AWS Region | `string` | n/a | yes |
root_volume_config | n/a | `object({` | `{` | no |
security_group_ids | List of security groups to associate with the instance | `list(any)` | `[]` | no |
session_log_bucket_name_prefix | Name prefix of S3 bucket to store session logs | `string` | n/a | yes |
ssh_password | Password for SSH access if SSM authentication is enabled | `string` | n/a | yes |
ssh_user | Username to use when accessing the instance using SSH | `string` | `"ubuntu"` | no |
ssm_enabled | Enable SSM agent | `bool` | `true` | no |
subnet_id | IDs of subnets to deploy the instance in | `string` | `""` | no |
subnet_name | Names of subnets to deploy the instance in | `string` | `""` | no |
tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
tenancy | The tenancy of the instance (if the instance is running in a VPC). Valid values are 'default' or 'dedicated'. | `string` | `"default"` | no |
vpc_id | VPC id | `string` | n/a | yes |
windows_shell_profile | The ShellProfile to use for Windows-based machines. | `string` | `""` | no |
zarf_version | The version of Zarf to use | `string` | `""` | no |
## Outputs

Name | Description |
---|---|
bastion_role_arn | Bastion Role ARN |
bastion_role_name | Bastion Role Name |
instance_id | Instance Id |
primary_network_interface_id | Primary Network Interface Id |
private_dns | Private DNS |
private_ip | Private IP |
public_ip | Public IP |
region | Region the bastion was deployed to |
security_group_ids | Security Group Ids |
session_logs_bucket_arn | Session Logs Bucket ARN |
session_logs_bucket_name | Session Logs Bucket Name |
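The following is an added invocation example, not one of the module's own examples from the examples directory. It wires up every required input from the Inputs table and a conservative set of the optional ones (private subnet, no public IP, SSH restricted to the SDP address, both session-log sinks on, login events enabled, no extra IAM policies). The module `source` path, the VPC/subnet IDs, the KMS key ARN, the bucket names, the region, and the use of CIDR notation in `allowed_public_ips` are all assumptions or placeholders to be replaced with real values; the SSH password is taken from a `sensitive` variable so it never appears in source.

```hcl
# Added example; not part of the module. All IDs, ARNs, names and the source
# path below are placeholders / assumptions.

variable "bastion_ssh_password" {
  description = "Password for the bastion SSH user; set via TF_VAR_bastion_ssh_password or a secrets store, never as a literal"
  type        = string
  sensitive   = true
}

module "bastion" {
  source = "../.." # assumed path to this module

  # Required inputs
  name                           = "example-bastion"
  region                         = "us-east-1"                       # placeholder
  vpc_id                         = "vpc-0123456789abcdef0"           # placeholder
  kms_key_arn                    = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER"
  access_logs_bucket_name        = "example-access-logs"             # placeholder, pre-existing bucket
  session_log_bucket_name_prefix = "example-bastion-session-logs"    # placeholder
  ssh_password                   = var.bastion_ssh_password

  # Placement: private subnet, no public address, SSH only from the SDP egress address
  subnet_id          = "subnet-0123456789abcdef0" # placeholder
  assign_public_ip   = false
  allowed_public_ips = ["203.0.113.10/32"]        # placeholder (TEST-NET-3); CIDR form assumed

  # Session auditing: keep both log sinks on and emit an event on every login
  ssm_enabled                        = true
  enable_log_to_cloudwatch           = true
  enable_log_to_s3                   = true
  cloudwatch_logs_retention          = 365
  log_archive_days                   = 30
  log_expire_days                    = 365
  enable_sqs_events_on_bastion_login = true

  # Least privilege on the host: no Terraform permissions, no additional policies
  enable_bastion_terraform_permissions = false
  policy_arns                          = []

  tags = {
    Environment = "example"
  }
}

# Outputs consumed by other configuration, e.g. an SSM session target or a
# log-monitoring stack that watches the session-log bucket.
output "bastion_instance_id" {
  value = module.bastion.instance_id
}

output "bastion_session_logs_bucket" {
  value = module.bastion.session_logs_bucket_name
}
```

With `enable_sqs_events_on_bastion_login = true`, each object written to the session-log bucket (one per login, per the input description) produces a queue message that a detection pipeline can consume; keeping `assign_public_ip = false` and a tight `allowed_public_ips` list limits SSH exposure to the Software Defined Perimeter address.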