Guimove · cadamsdotcom · Aug 8, 2022 · Aug 9, 2022 · Aug 9, 2022 · Dec 5, 2022
diff --git a/README.md b/README.md
@@ -114,6 +114,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_allow_ssh_commands"></a> [allow\_ssh\_commands](#input\_allow\_ssh\_commands) | Allows the SSH user to execute one-off commands. Pass true to enable. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion. | `bool` | `false` | no |
+| <a name="input_allow_ssh_commands_for_users"></a> [allow\_ssh\_commands\_for\)users](#input\_allow\_ssh\_commands\_for\_users) | Allows a list of users to execute one-off commands. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion. | `list(string)` | `[]` | no |
 | <a name="input_associate_public_ip_address"></a> [associate\_public\_ip\_address](#input\_associate\_public\_ip\_address) | n/a | `bool` | `true` | no |
 | <a name="input_auto_scaling_group_subnets"></a> [auto\_scaling\_group\_subnets](#input\_auto\_scaling\_group\_subnets) | List of subnets where the Auto Scaling Group will deploy the instances | `list(string)` | n/a | yes |
 | <a name="input_bastion_additional_security_groups"></a> [bastion\_additional\_security\_groups](#input\_bastion\_additional\_security\_groups) | List of additional security groups to attach to the launch template | `list(string)` | `[]` | no |

diff --git a/main.tf b/main.tf
@@ -13,6 +13,7 @@ data "aws_kms_alias" "kms-ebs" {
 }
 
 resource "aws_s3_object" "bucket_public_keys_readme" {
+  acl        = "private"
   bucket     = aws_s3_bucket.bucket.id
   key        = "public-keys/README.txt"
   content    = "Drop here the ssh public keys of the instances you want to control"
@@ -230,12 +231,13 @@ resource "aws_launch_template" "bastion_launch_template" {
   key_name = var.bastion_host_key_pair
 
   user_data = base64encode(templatefile("${path.module}/user_data.sh", {
-    aws_region              = var.region
-    bucket_name             = var.bucket_name
-    extra_user_data_content = var.extra_user_data_content
-    allow_ssh_commands      = lower(var.allow_ssh_commands)
-    public_ssh_port         = var.public_ssh_port
-    sync_logs_cron_job      = var.enable_logs_s3_sync ? "*/5 * * * * /usr/bin/bastion/sync_s3" : ""
+    aws_region                   = var.region
+    bucket_name                  = var.bucket_name
+    extra_user_data_content      = var.extra_user_data_content
+    allow_ssh_commands           = lower(var.allow_ssh_commands)
+    allow_ssh_commands_for_users = var.allow_ssh_commands_for_users
+    public_ssh_port              = var.public_ssh_port
+    sync_logs_cron_job           = var.enable_logs_s3_sync ? "*/5 * * * * /usr/bin/bastion/sync_s3" : ""
   }))
 
   block_device_mappings {

diff --git a/user_data.sh b/user_data.sh
@@ -49,7 +49,7 @@ if [[ -z $SSH_ORIGINAL_COMMAND ]]; then
 else
 
   # If the module consumer wants to allow remote commands (for ansible or other) then allow that command through.
-  if [ "${allow_ssh_commands}" == "true" ]; then
+  if [ "${allow_ssh_commands}" == "true" ]%{ for user in allow_ssh_commands_for_users } || [ "${user}" == "`whoami`" ]%{endfor ~}; then
     exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"
   else
     # The "script" program could be circumvented with some commands (e.g. bash, nc).

diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,12 @@ variable "allow_ssh_commands" {
   default     = false
 }
 
+variable "allow_ssh_commands_for_users" {
+  description = "Allows a list of users to execute one-off commands. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion."
+  type        = list(string)
+  default     = []
+}
+
 variable "associate_public_ip_address" {
   type    = bool
   default = true