communicator/ssh: bastion host support #2425
I'd love to extend the

Tested manually for now with the following:

```hcl
variable "instance_type" {
  default = "t2.micro"
}

variable "key_name" {
  default = "tftest"
}

module "ami" {
  source        = "github.com/terraform-community-modules/tf_aws_ubuntu_ami/ebs"
  region        = "us-west-2"
  distribution  = "trusty"
  instance_type = "${var.instance_type}"
}

module "vpc" {
  source          = "github.com/terraform-community-modules/tf_aws_vpc"
  name            = "ssh-proxy-example"
  cidr            = "10.0.0.0/16"
  private_subnets = "10.0.1.0/24,10.0.2.0/24,10.0.3.0/24"
  public_subnets  = "10.0.101.0/24,10.0.102.0/24,10.0.103.0/24"
  region          = "us-west-2"
  azs             = "us-west-2a,us-west-2b,us-west-2c"
}

resource "aws_security_group" "allow_ssh_from_world" {
  name        = "sshproxy_sg_allow_ssh_from_world"
  description = "sshproxy_sg_allow_ssh_from_world"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "allow_internal_traffic" {
  name        = "sshproxy_sg_allow_internal_traffic"
  description = "sshproxy_sg_allow_internal_traffic"
  vpc_id      = "${module.vpc.vpc_id}"

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "public" {
  ami           = "${module.ami.ami_id}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"
  subnet_id     = "${element(split(",", module.vpc.public_subnets), count.index)}"

  vpc_security_group_ids = [
    "${aws_security_group.allow_internal_traffic.id}",
    "${aws_security_group.allow_ssh_from_world.id}",
  ]

  connection {
    user  = "ubuntu"
    agent = true
  }

  tags {
    Name = "public-instance"
  }
}

resource "aws_instance" "private" {
  ami           = "${module.ami.ami_id}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"
  subnet_id     = "${element(split(",", module.vpc.private_subnets), count.index)}"

  vpc_security_group_ids = [
    "${aws_security_group.allow_internal_traffic.id}",
  ]

  tags {
    Name = "private-instance"
  }

  /******************************
   vvv THIS WILL NOT WORK vvv
  *******************************/
  connection {
    user         = "ubuntu"
    agent        = true
    bastion_host = "${aws_instance.public.public_ip}"
  }

  provisioner "remote-exec" {
    inline = "echo remote-exec works >> /tmp/remote-exec"
  }
  /******************************
   ^^^ LET'S MAKE IT WORK ^^^
  *******************************/
}

output "public_instance_ip" {
  value = "${aws_instance.public.public_ip}"
}

output "private_instance_ip" {
  value = "${aws_instance.private.private_ip}"
}
```

* adds `bastion_*` fields to `connection` which add configuration for a bastion host
* if `bastion_host` is set, connect to that host first, then jump through it to make the SSH connection to `host`
* enables SSH Agent forwarding by default
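The same two-hop path, connect to the bastion first and then jump through it to the private host, can be exercised by hand with plain OpenSSH before handing it to Terraform. The script below is an added example, not code from this PR or from Terraform; the addresses, user names and key path are placeholders standing in for the public instance, the private instance and the `tftest` key pair of the config above. It uses `ProxyCommand` with `ssh -W`, which turns the first hop into a raw TCP forward so the outer `ssh` completes its own handshake with the private instance; that hop needs no agent forwarding, and `-A` is deliberately left off because forwarding lets anyone with root on the bastion use every key in the local agent for as long as the session lasts.

```shell
#!/bin/sh
# Added example; not part of the PR or of Terraform. Drives the
# bastion -> private-instance hop with OpenSSH so the network path can be
# checked by hand. Every host, user and path here is an assumed placeholder.
set -eu

BASTION_USER=ubuntu
BASTION_HOST=203.0.113.10        # assumed: public instance (documentation address)
BASTION_PORT=22
PRIVATE_USER=ubuntu
PRIVATE_HOST=10.0.1.20           # assumed: an address in a private subnet
KEY="$HOME/.ssh/tftest.pem"      # assumed: private half of key_name = "tftest"

# Build the ProxyCommand for the first hop. "ssh -W %h:%p" makes the bastion
# session a raw TCP forward to the final host and port (OpenSSH expands the
# %h/%p tokens from the outer command line). The outer ssh then runs a full
# SSH handshake through that pipe, so the private instance authenticates
# our key directly and nothing has to be forwarded to the bastion.
#   $1 bastion user, $2 bastion host, $3 bastion port, $4 private key path
jump_proxy_command() {
    printf 'ssh -o BatchMode=yes -o IdentitiesOnly=yes -i %s -p %s -W %%h:%%p %s@%s' \
        "$4" "$3" "$1" "$2"
}

# Run one command on the private instance via the bastion. BatchMode fails
# fast instead of prompting, StrictHostKeyChecking=yes refuses a host whose
# key is not already in known_hosts (seed it with ssh-keyscan or
# accept-new on first contact), and no -A is passed: agent forwarding is
# not needed for this hop and would expose the agent to root on the bastion.
#   $1 command to execute remotely
remote_exec() {
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes \
        -o "ProxyCommand=$(jump_proxy_command "$BASTION_USER" "$BASTION_HOST" "$BASTION_PORT" "$KEY")" \
        -i "$KEY" "$PRIVATE_USER@$PRIVATE_HOST" "$1"
}

# The exit status of remote_exec is the remote command's status, so a failed
# step is reported rather than silently swallowed. Only connect when asked.
if [ "${1-}" = "--run" ]; then
    remote_exec 'echo remote-exec works >> /tmp/remote-exec && cat /tmp/remote-exec'
fi
```

Run it as `sh jump.sh --run` after substituting the placeholders; the `ProxyCommand` string it builds is also what an equivalent `~/.ssh/config` stanza for the private instance would contain.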
Bastion: bastion, | ||
}, nil | ||
} | ||
} |
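Review bot: the `Bastion: bastion,` field is handed back with a `nil` error, but nothing visible in this region checks or documents what the bastion settings default to when only `bastion_host` is given, which is exactly how the example config in the description sets it (no bastion port, user or key). State the defaults for the other `bastion_*` fields next to this assignment, and since the description says the change was only tested manually, cover the `bastion_host`-only case in the test the reviewers are asking for.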
This looks familiar. :)
This LGTM. A test would be really wonderful. I'll take a look.
I think the Go SSH lib has the ability to also be an SSH server. In the past, I've used that... not sure how complete it is, if it can do this for us, but that would be sweet.
This is incredibly helpful for me, thank you!
Going to merge as-is and we can re-visit the automated testing as a separate PR.
This is awesome, was just looking for bastion support. Thanks!