Skip to content

trenslow/terraform-google-bastion-host

 
 

Repository files navigation

terraform-google-bastion-host

This module will generate a bastion host vm compatible with OS Login and IAP Tunneling that can be used to access internal VMs.

This module will:

  • Create a dedicated service account for the bastion host
  • Create a GCE instance to be the bastion host
  • Create a firewall rule to allow TCP:22 SSH access from the IAP to the bastion
  • Necessary IAM bindings to allow IAP and OS Logins from specified members

Usage

Basic usage of this module is as follows:

module "iap_bastion" {
  source = "terraform-google-modules/bastion-host/google"

  project = var.project
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.net.self_link
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}

Functional example is included in the examples directory.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com
  • Compute Engine API: compute.googleapis.com
  • Cloud Identity-Aware Proxy API: iap.googleapis.com
  • OS Login API: oslogin.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Permissions

This module only sets up permissions for the bastion service account, not the users who need access. To allow access, grant one of the following instance access roles.

  • roles/compute.osLogin Does not grant administrator permissions
  • roles/compute.osAdminLogin Grants administrator permissions.

If the user does not share the same domain as the org the bastion is in, you will also need to grant that user roles/compute.osLoginExternalUser. This is to prevent external SSH access from being granted at the project level. See the OS Login documentation for more information.

Inputs

Name Description Type Default Required
access_config Access configs for network, nat_ip and DNS
list(object({
network_tier = string
nat_ip = string
public_ptr_domain_name = string
}))
[
{
"nat_ip": "",
"network_tier": "PREMIUM",
"public_ptr_domain_name": ""
}
]
no
additional_networks Additional network interface details for the instance template, if any.
list(object({
network = string
subnetwork = string
subnetwork_project = string
network_ip = string
access_config = list(object({
nat_ip = string
network_tier = string
}))
}))
[] no
additional_ports A list of additional ports/ranges to open access to on the instances from IAP. list(string) [] no
create_firewall_rule If we need to create the firewall rule or not. bool true no
create_instance_from_template Whether to create and instance from the template or not. If false, no instance is created, but the instance template is created and usable by a MIG bool true no
disk_encryption_key The key used to encrypt the bastion host disk. If not set, the disk will not be encrypted. string null no
disk_labels Key-value map of labels to assign to the bastion host disk map(any) {} no
disk_size_gb Boot disk size in GB number 100 no
disk_type Boot disk type, can be either pd-ssd, local-ssd, or pd-standard string "pd-standard" no
external_ip Set to true if an ephemeral or static external IP/DNS is required, must also set access_config if true bool false no
fw_name_allow_ssh_from_iap Firewall rule name for allowing SSH from IAP string "allow-ssh-from-iap-to-tunnel" no
host_project The network host project ID string "" no
image Source image for the Bastion. If image is not specified, image_family will be used (which is the default). string "" no
image_family Source image family for the Bastion. string "debian-11" no
image_project Project where the source image for the Bastion comes from string "debian-cloud" no
labels Key-value map of labels to assign to the bastion host map(any) {} no
machine_type Instance type for the Bastion host string "n1-standard-1" no
members List of IAM resources to allow access to the bastion host list(string) [] no
metadata Key-value map of additional metadata to assign to the instances map(string) {} no
name Name of the Bastion instance string "bastion-vm" no
name_prefix Name prefix for instance template string "bastion-instance-template" no
network Self link for the network on which the Bastion should live string n/a yes
preemptible Allow the instance to be preempted bool false no
project The project ID to deploy to string n/a yes
random_role_id Enables role random id generation. bool true no
region The region where the bastion instance template will live string null no
scopes List of scopes to attach to the bastion host list(string)
[
"cloud-platform"
]
no
service_account_email If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the service_account_roles variable so that logging and OS Login work as expected. string "" no
service_account_name Account ID for the service account string "bastion" no
service_account_roles List of IAM roles to assign to the service account. list(string)
[
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/compute.osLogin"
]
no
service_account_roles_supplemental An additional list of roles to assign to the bastion if desired list(string) [] no
shielded_vm Enable shielded VM on the bastion host (recommended) bool true no
startup_script Render a startup script with a template. string "" no
subnet Self link for the subnet on which the Bastion should live. Can be private when using IAP string n/a yes
tags Network tags, provided as a list list(string) [] no
zone The primary zone where the bastion host will live string "us-central1-a" no

Outputs

Name Description
hostname Host name of the bastion
instance_template Self link of the bastion instance template for use with a MIG
ip_address Internal IP address of the bastion host
self_link Self link of the bastion host
service_account The email for the service account created for the bastion host

Contributing

Refer to the contribution guidelines for information on contributing to this module.

About

Generates a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • HCL 76.2%
  • Go 17.0%
  • Makefile 6.8%