Added Bastion functionality to EC2

iam.tf

@@ -1,6 +1,6 @@
 # AWS SSM resources
 resource "aws_iam_role" "this" {
-  name               = "${var.env}-openvpn-connector"
+  name               = local.name
   assume_role_policy = data.aws_iam_policy_document.this.json
 }
 
@@ -10,7 +10,7 @@ resource "aws_iam_role_policy_attachment" "this" {
 }
 
 resource "aws_iam_instance_profile" "this" {
-  name = "${var.env}-openvpn-connector"
+  name = local.name
   role = aws_iam_role.this.name
 }
 

main.tf

@@ -1,8 +1,8 @@
 # Security Groups
 resource "aws_security_group" "this" {
   count       = var.enabled ? 1 : 0
-  name        = "${var.env}-openvpn-connector"
-  description = "Security Group for Cloud OpenVPN EC2 Instance (connector)"
+  name        = local.name
+  description = "Security Group for Cloud OpenVPN+Bastion EC2 Instance (connector)"
   vpc_id      = var.vpc_id
 
   ingress {
@@ -24,7 +24,7 @@ resource "aws_security_group" "this" {
   tags = {
     Terraform = "true"
     Env       = var.env
-    Name      = "${var.env}-openvpn-connector"
+    Name      = local.name
   }
 
   lifecycle {
@@ -40,9 +40,12 @@ resource "aws_instance" "this" {
   iam_instance_profile   = aws_iam_instance_profile.this.name
   subnet_id              = var.private_subnets[0]
   key_name               = var.ec2_key_pair_name
-  vpc_security_group_ids = [aws_security_group.this[0].id]
+  vpc_security_group_ids = concat(var.ext_security_groups, [
+    aws_security_group.this[0].id
+  ])
 
-  disable_api_termination = true
+  disable_api_termination     = true
+  associate_public_ip_address = false
 
   lifecycle {
     ignore_changes = all
@@ -53,7 +56,7 @@ resource "aws_instance" "this" {
   tags = {
     Terraform = "true"
     Env       = var.env
-    Name      = "${var.env}-openvpn-connector"
+    Name      = local.name
   }
 
 }

output.tf

@@ -0,0 +1,19 @@
+output "cmd" {
+  value = {
+    up     = "ssh -M -S bastion.sock -fNT ubuntu@${element(aws_instance.this.*.id, 0)} "
+    down   = "ssh -S bastion.sock -O exit ubuntu@${element(aws_instance.this.*.id, 0)} "
+    status = "ssh -S bastion.sock -O check ubuntu@${element(aws_instance.this.*.id, 0)}"
+  }
+}
+
+output "instance_id" {
+  value = element(aws_instance.this.*.id, 0)
+}
+
+output "ssh_config" {
+  value = local.ssh_config
+}
+
+output "security_group" {
+  value = element(aws_security_group.this.*.id, 0)
+}

variables.tf

@@ -1,10 +1,13 @@
 variable "env" {}
+
+variable "aws_profile" {}
 variable "vpc_id" {}
 variable "private_subnets" {}
 variable "ec2_key_pair_name" {}
 variable "openvpn_token" {}
 
 variable "instance_type" {
+  type    = string
   default = "t3.nano"
 }
 
@@ -14,6 +17,12 @@ variable "enabled" {
   description = "Gives ability to enable or disable Creation of NAT EC2"
 }
 
+variable "ext_security_groups" {
+  description = "External security groups to add to bastion host"
+  type        = list(any)
+  default     = []
+}
+
 variable "allowed_cidr_blocks" {
   type        = list(string)
   description = "List of network subnets that are allowed"
@@ -26,3 +35,24 @@ variable "ssm_role_arn" {
   type    = string
   default = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
 }
+
+variable "ssh_forward_rules" {
+  type        = list(string)
+  description = "Rules that will enable port forwarding. SSH Config syntax"
+  default     = []
+}
+
+locals {
+  name         = "${var.env}-openvpn-connector(bastion)"
+  proxycommand = <<-EOT
+    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
+    EOT
+  ssh_config = concat([
+    "# SSH over Session Manager",
+    "host i-* mi-*",
+    "ServerAliveInterval 180",
+    local.proxycommand,
+  ], var.ssh_forward_rules)
+  ssm_document_name = local.name
+}
+

versions.tf

@@ -6,6 +6,10 @@ terraform {
     template = {
       source = "hashicorp/template"
     }
+    local = {
+      source  = "hashicorp/local"
+      version = "~> 1.2"
+    }
   }
   required_version = ">= 0.13"
 }