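# Source ranges allowed to reach the jumpbox over SSH/ICMP. The default keeps
# the file's original behaviour (open to every IPv4 address); operators should
# override it with their own egress ranges so port 22 is not world-reachable.
variable "jumpbox_allowed_cidrs" {
  description = "CIDR blocks permitted to reach the jumpbox over SSH and ICMP."
  type        = list(string)
  default     = ["0.0.0.0/0"]
}

# Security group attached to the jumpbox instance(s) launched by jumpbox_fleet.
module "jumpbox_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3.18.0"

  name   = "${var.name}-jumpbox"
  vpc_id = module.vpc.vpc_id

  # Inbound: SSH and ICMP only, limited to the configured source ranges
  # instead of a hard-coded 0.0.0.0/0.
  ingress_cidr_blocks = var.jumpbox_allowed_cidrs
  ingress_rules       = ["ssh-tcp", "all-icmp"]

  # Outbound: unrestricted over IPv4; the empty IPv6 list means no IPv6
  # egress rule is created at all.
  egress_rules            = ["all-all"]
  egress_ipv6_cidr_blocks = []
}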
# Security group for hosts that should accept SSH only from the jumpbox: the
# single ingress rule references the jumpbox SG rather than any CIDR range.
module "jump_access_sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 3.18.0"

  name   = "${var.name}-jumpbox_access"
  vpc_id = module.vpc.vpc_id

  ingress_with_source_security_group_id = [
    {
      rule                     = "ssh-tcp"
      source_security_group_id = module.jumpbox_sg.this_security_group_id
    },
  ]
}
# IAM role + instance profile for the jumpbox, assumable only by the EC2 service.
module "jumpbox_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version = "~> 3.0"

  role_name               = "${var.name}-jumpbox"
  create_role             = true
  create_instance_profile = true

  trusted_role_services = ["ec2.amazonaws.com"]
  # MFA is not applicable to a service principal assuming the role.
  role_requires_mfa = false

  # SSM agent permissions plus the EC2 Instance Connect policy declared in this file.
  custom_role_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore",
    aws_iam_policy.jumpbox_ec2_connect.arn,
  ]

  # NOTE(review): this also attaches the module's read-only managed policy
  # (AWS ReadOnlyAccess by default), i.e. account-wide read of most services.
  # The ec2:DescribeInstances the jumpbox itself needs is already granted by
  # jumpbox_ec2_connect, so confirm the broader grant is still required.
  attach_readonly_policy = true
}
# A single spot-fleet jumpbox in the first public subnet. Because of
# `count = 1` the instance is addressed as jumpbox_fleet[0] elsewhere.
module "jumpbox_fleet" {
  count  = 1
  source = "./spot-fleet"

  name            = "${var.name}-jumpbox"
  subnet_ids      = [module.vpc.public_subnets[0]]
  target_capacity = 1
  instance_types  = ["t3a.nano", "t3.nano"]

  key_name             = module.key_pair.this_key_pair_key_name
  security_group_ids   = [module.jumpbox_sg.this_security_group_id]
  instance_profile_arn = module.jumpbox_role.this_iam_instance_profile_arn

  # Boot-time install of the EC2 Instance Connect CLI.
  # NOTE(review): the script has no `#!` interpreter line; if ./spot-fleet
  # passes it through as raw user data, cloud-init will not run it as a shell
  # script — confirm against the module. The packages are also fetched
  # unpinned from PyPI on every boot, and `pip install --user` under
  # cloud-init presumably installs into root's home rather than the login
  # user's — verify which account ends up with the CLI on its PATH.
  user_data = <<EOF
sudo yum install -y python3
sudo python3 -m pip install -U pip
pip install --user ec2instanceconnectcli
EOF
}
# Policy granting what the ec2instanceconnectcli installed by jumpbox_fleet's
# user_data needs: push a one-time SSH public key and enumerate instances.
# NOTE(review): both statements use "Resource": "*", so the jumpbox role can
# push keys to any Instance Connect-enabled instance in the account. Scoping
# the SendSSHPublicKey statement (instance ARNs or tags, and/or an
# `ec2:osuser` condition) would limit the blast radius if the jumpbox itself
# were compromised.
resource "aws_iam_policy" "jumpbox_ec2_connect" {
  description = "Allow EC2 Connect"
  name        = "${var.name}-jumpbox-ec2-connect"

  policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2-instance-connect:SendSSHPublicKey",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
EOF
}