From 745565ebdaabc80c3e90c7f8c5fb214a42bb4596 Mon Sep 17 00:00:00 2001
From: Armaan Tobaccowalla
Date: Wed, 17 Mar 2021 18:29:03 -0400
Subject: [PATCH] Bastion (#64)

* Upgrade to tf 0.14
* Make admin key pair
* Configure bastion
* Fix DNS records
* Fix comment
---
 container_exec.sh | 33 ----
 container_exec_entry.sh | 23 ---
 terraform/.terraform.lock.hcl | 187 ++++++++++++++++++
 terraform/README.md | 4 +
 terraform/bastion.tf | 54 +++++
 terraform/eks.tf | 7 +
 terraform/files/bastion/container_exec.sh | 28 +++
 .../files/bastion/container_exec_entry.sh | 24 +++
 terraform/files/bastion/ssh_authorized_keys | 16 ++
 terraform/files/bastion/user_data.sh | 46 +++++
 terraform/main.tf | 7 +
 terraform/modules/domain/outputs.tf | 3 +
 terraform/route53.tf | 9 +
 terraform/vault.tf | 7 +-
 14 files changed, 386 insertions(+), 62 deletions(-)
 delete mode 100755 container_exec.sh
 delete mode 100755 container_exec_entry.sh
 create mode 100644 terraform/.terraform.lock.hcl
 create mode 100644 terraform/bastion.tf
 create mode 100755 terraform/files/bastion/container_exec.sh
 create mode 100755 terraform/files/bastion/container_exec_entry.sh
 create mode 100644 terraform/files/bastion/ssh_authorized_keys
 create mode 100644 terraform/files/bastion/user_data.sh
 create mode 100644 terraform/modules/domain/outputs.tf

diff --git a/container_exec.sh b/container_exec.sh
deleted file mode 100755
index 5e7ec828..00000000
--- a/container_exec.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-
-source ~/.do_creds.sh
-
-curl -s -X GET -H "Content-Type: application/json" \
- -H "Authorization: Bearer $DO_AUTH_TOKEN" \
- "https://api.digitalocean.com/v2/kubernetes/clusters/${K8S_CLUSTER_ID}/kubeconfig" > kubeconfig.yaml
-
-export KUBECONFIG=$PWD/kubeconfig.yaml
-
-echo -n "Would you like to connect to staging or production? [production] "
-read dep_type
-
-if [ -z $dep_type ] || [ $dep_type == "production" ] || [ $dep_type == "prod" ]; then
- namespace="default"
-elif [ $dep_type == "staging" ]; then
- namespace="staging"
-else
- echo "Please enter nothing, production, prod, or staging. You entered: ${dep_type}"
- echo "Press enter to exit"
- read dummy
- exit 1
-fi
-
-echo "List of deployments: "
-kubectl get deployment -n $namespace
-
-echo -n "Enter deployment name: "
-read dep_name
-
-kubectl exec -it -n $namespace $(kubectl get pod -n $namespace | grep $dep_name | head -n 1 | cut -d " " -f 1) /bin/bash
-echo "Press enter to exit"
-read
diff --git a/container_exec_entry.sh b/container_exec_entry.sh
deleted file mode 100755
index 83131b4c..00000000
--- a/container_exec_entry.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-if [ $2 == "startexec" ]; then
- container_exec.sh
- exit $?
-fi
-
-echo "List of active sessions:"
-
-tmux ls
-
-echo -n "Enter session name: "
-
-read session_name
-
-tmux has-session -t $session_name 2>/dev/null
-
-
-if [ $? != 0 ]; then
- tmux new -s $session_name "startexec"
-else
- tmux attach -t $session_name
-fi
diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
new file mode 100644
index 00000000..944b6155
--- /dev/null
+++ b/terraform/.terraform.lock.hcl
@@ -0,0 +1,187 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/cyrilgdn/postgresql" { + version = "1.11.2" + constraints = "~> 1.8" + hashes = [ + "h1:jxA3dCAzKazh0vLXUTOrvQF349QZkwLnmSqkd2rwvtY=", + "zh:0e1c014d74454e11abc03ed6f8b765e322ffab7d0d42f9690bc8000616a7dc5f", + "zh:10b6443b1eda9af0be7cbcc0c707cfe41d89ec2b8962892f788613641b2a2a9f", + "zh:209b6e36308befe6032a4c92f9cd7d8b01b1dd35924cce4005797a7c3f164987", + "zh:2838aff2a2d144d63c22c465364de58016d89589ded05c46ab6cb5bd5fdeb5c5", + "zh:37ed32b4f7c388cfcbaf97efec552e889fc298376a5888ed5c4201734578cc40", + "zh:4a46115298aab30b16f9b120fc63674e9f08e63ebd36d1c4d635e09ea27967ad", + "zh:4e3911b21fa2ecf2eb793691d3cf4a7fbb8c70fa27ee8f5bcdd667e8002e16d5", + "zh:52cdcc9c1ceaae14256db53e8d1bcf182f58177ddd0640c816b26e5ef729b139", + "zh:6a4cc872e93abc5ff5cf96b720f40e4e29e76c952c3f66d4d225e40c425d8a38", + "zh:c708fbc279fcc5f1eba6aa0a359767fb97802c85f70d50ef023645244fdf23a5", + "zh:d7d7d14c6e4442fc87af3e267bfad74885d0ad106e4feb02f9e659f1f14300f0", + ] +} + +provider "registry.terraform.io/hashicorp/aws" { + version = "3.32.0" + constraints = ">= 2.0.0, >= 2.68.0, >= 3.3.0, ~> 3.18" + hashes = [ + "h1:l8jJYQ4bPEbNwZUoHYmeR1woajPzJSX5hPCLWuRVFwc=", + "zh:04e4f700c21b1f58e7603638160bd5ad3b85519c35dc75bada3e52b164d06d3e", + "zh:09f2338404d4b2d4dcb29781ac59a6955d935745e896d4ee661d83cac8d7c677", + "zh:16bdf96d8139268766921d5b891b865f67936190dc302283ba50b94e42510ec5", + "zh:1f0eb671390ee41ddf22faf22d00da636e57164214a37c77f7d3fb1f19ea9cce", + "zh:3703b0ba118887cb558085f4b7e732e4e374f455221fcf724bada6f71bd25d55", + "zh:a344b8b1d0c541abcfc3a5bd22aa28d1a07aff416db753d53219158a86e956cc", + "zh:a4798f3bf4ecbdfcd2ea72061e54053423a47f48812749b2cc7dc8dcf8a11eb4", + "zh:aeb5c18afe26388748289f2a3819c7c9210cb669efe01b3e28bf542c51c83bd7", + "zh:b0a3f5940f76dbd3ea9699f98f9cabc443c210c06f30caeb792e5843b7550cc1", + 
"zh:baa2854e3fbf3df9653a5e6a0f1093a018dad39312346426f4bcefc2ebfd74cc", + "zh:e305b3d227f2013ddd7cf22f2cfa4603a55187c8eddd07f980350a828b67ce49", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "1.3.2" + constraints = "~> 1.3" + hashes = [ + "h1:qwL8ISnGPQJMsie6WmAweovActsjtVFyunLrk+CJ5yo=", + "zh:0d8e1293cb99b61d3aefbab3f1c1e258e121d860312115e23b240e8acb92b855", + "zh:17524fac3f1eb46901a27ecef0c054c8b5390994b2f0bd48746a5eb47e42fad5", + "zh:74ff2d471fc934d0e65452f914248c23394937a9b4cfb560ce920d5c42568303", + "zh:855255f4afe7b86d88744f5615b6b6a6172fa7fc28c24d8fb5838b715e3b8a97", + "zh:8b3bb0f0e2e6908c3d41ee183451cb388a80cf576b0953ad3d1e06cb4de22842", + "zh:b46d607cedfefc94460bbff8a9d46e50f7dce364dc4050a2df81357159e07f81", + "zh:c9b9f3b0e6aaec7081230df257f89e00e522a3a283197126d88ae646551cde6e", + "zh:ccb0b341351df79773367aa6d895b89647ceb9a75fff1c434ee480513515d112", + "zh:e39f56174f61556f2937fe50035703346833555cb83f2a880e3a4d832262120e", + "zh:f792f8b620551198807bed0752453ff0574b1b7b03ec9d9a580177b84049c700", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "1.13.3" + constraints = ">= 1.11.1, ~> 1.13" + hashes = [ + "h1:whoGs/NeucMF8U/urPaeXdQUb+ppaO1Ae4r5aJRhfrU=", + "zh:11fd58df9c297a4f3cab82ce8eb2f54f1be27f78fa23be2273ecd545ab254b91", + "zh:5b9e6f352c5666d791e2658a1d18bf0990f3ab70c99c916c393a2ee7f385364c", + "zh:5c94f1350471a5c8e8ee6675874608c506a0bfd3164bdd91b802842723547e2c", + "zh:5d9c5c44dba9addbb86491339012096e74778bb4ea93b70f12333bffba3d05e6", + "zh:6336f9cbb0b580f247cebb97fb7d4cc5e7fe9cc734d8d958d84c4ea3f1e24041", + "zh:bca3b9d4dcbe6f804f5611a83add371dc03b5aa92271f60ebdc2216bfedfab28", + "zh:cbcdc87a593090f490f7899f4f2d302e0c7023155591fcf65e6fadd69f5452f0", + "zh:ec2886a1adbfe3c861b2deb9446369111b9c6116701ae73ef372dc7df5bb3c9e", + "zh:edb5b4172610672bb4d7425511961fda2047b8a00675b99ae6887cd2ece4bda9", + "zh:ff7ea7743246181ea739643d7751c37041c4016eb6bbc39beb1e3b4e99629112", + ] +} + +provider 
"registry.terraform.io/hashicorp/local" { + version = "2.1.0" + constraints = ">= 1.3.0, >= 1.4.0" + hashes = [ + "h1:EYZdckuGU3n6APs97nS2LxZm3dDtGqyM4qaIvsmac8o=", + "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2", + "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab", + "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3", + "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a", + "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe", + "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1", + "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c", + "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4", + "zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b", + "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3", + "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.1.0" + constraints = ">= 2.1.0" + hashes = [ + "h1:vpC6bgUQoJ0znqIKVFevOdq+YQw42bRq0u+H3nto8nA=", + "zh:02a1675fd8de126a00460942aaae242e65ca3380b5bb192e8773ef3da9073fd2", + "zh:53e30545ff8926a8e30ad30648991ca8b93b6fa496272cd23b26763c8ee84515", + "zh:5f9200bf708913621d0f6514179d89700e9aa3097c77dac730e8ba6e5901d521", + "zh:9ebf4d9704faba06b3ec7242c773c0fbfe12d62db7d00356d4f55385fc69bfb2", + "zh:a6576c81adc70326e4e1c999c04ad9ca37113a6e925aefab4765e5a5198efa7e", + "zh:a8a42d13346347aff6c63a37cda9b2c6aa5cc384a55b2fe6d6adfa390e609c53", + "zh:c797744d08a5307d50210e0454f91ca4d1c7621c68740441cf4579390452321d", + "zh:cecb6a304046df34c11229f20a80b24b1603960b794d68361a67c5efe58e62b8", + "zh:e1371aa1e502000d9974cfaff5be4cfa02f47b17400005a16f14d2ef30dc2a70", + "zh:fc39cc1fe71234a0b0369d5c5c7f876c71b956d23d7d6f518289737a001ba69b", + "zh:fea4227271ebf7d9e2b61b89ce2328c7262acd9fd190e1fd6d15a591abfa848e", + ] +} + +provider 
"registry.terraform.io/hashicorp/random" { + version = "3.1.0" + constraints = ">= 2.1.0, ~> 3.0" + hashes = [ + "h1:BZMEPucF+pbu9gsPk0G0BHx7YP04+tKdq2MrRDF1EDM=", + "zh:2bbb3339f0643b5daa07480ef4397bd23a79963cc364cdfbb4e86354cb7725bc", + "zh:3cd456047805bf639fbf2c761b1848880ea703a054f76db51852008b11008626", + "zh:4f251b0eda5bb5e3dc26ea4400dba200018213654b69b4a5f96abee815b4f5ff", + "zh:7011332745ea061e517fe1319bd6c75054a314155cb2c1199a5b01fe1889a7e2", + "zh:738ed82858317ccc246691c8b85995bc125ac3b4143043219bd0437adc56c992", + "zh:7dbe52fac7bb21227acd7529b487511c91f4107db9cc4414f50d04ffc3cab427", + "zh:a3a9251fb15f93e4cfc1789800fc2d7414bbc18944ad4c5c98f466e6477c42bc", + "zh:a543ec1a3a8c20635cf374110bd2f87c07374cf2c50617eee2c669b3ceeeaa9f", + "zh:d9ab41d556a48bd7059f0810cf020500635bfc696c9fc3adab5ea8915c1d886b", + "zh:d9e13427a7d011dbd654e591b0337e6074eef8c3b9bb11b2e39eaaf257044fd7", + "zh:f7605bd1437752114baf601bdf6931debe6dc6bfe3006eb7e9bb9080931dca8a", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + constraints = ">= 2.0.0, >= 2.1.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.7.0" + constraints = "~> 0.6" + hashes = 
[ + "h1:1VPBq+jeoCf0wVCxnzK6BNnOmNbXf3fRnDmS43Jw7Oo=", + "zh:1f53008d9d445ac56da84eb548fc2354fe1b120703d788bf47f460e4aec18b85", + "zh:327c26cec73e7aa4bc0bb156c1a10f3f053d8f8af35c4b9e59ccb371e82dfed5", + "zh:38beff8856deb579251889192b49f29d674e24c605070a0bf6c694c8664e9d02", + "zh:56aee9534d32a1cbeee76920bc0a19d85dc51454f26a6ef5ec9db6598748001e", + "zh:79b96a8cd365ab1ec4d11f2f816fb07c67cfb50d337d8f9fac06b56c6c325f73", + "zh:7fd11d98b9547c04365ff85d8f9d27a294a14d0e16683a4927810963ad6172a4", + "zh:85f6ebf6dab5333158549123d92aec89c6c617673e0fd50b5e999c24e8973e44", + "zh:a26fd2c3eecbec7d6549e33fac80d4a1498f4ac5b8089c1a1632b97708230103", + "zh:a597d56f6765f493855e50542cba96b46b80104b918ec89f05195e5c3f7e6db0", + "zh:ef6ab738eb260de05e3d67a442cbe5c988189fcf26c976864888e3100e6a8d09", + ] +} + +provider "registry.terraform.io/hashicorp/vault" { + version = "2.18.0" + constraints = "~> 2.16" + hashes = [ + "h1:ebkgHY+/QlBAaU/uYSsIidvlsRel80u0lQzsDcKAIeA=", + "zh:23d0ae08554839844249689524c8b07195479ee3dd05700e7aa1c4e012e79f72", + "zh:33f4ceca11e3d2806d8ff6fc55c43a54402d28a0b3a1bc7fb038ea8f0969601a", + "zh:3b1e88302a41fbb4da068a3e809b92689daece97ac1dde3230e9dfe477be8b1f", + "zh:422ef259e4a8e171f96e3e21a6c1cf9043c4f6bdcbc0f50b8add5694c65450dd", + "zh:7588e76fe7650803f99ab3035e0990c9c865305f3adc693bc09bc5580cb1b97f", + "zh:8fe921fcd952597ddd971e0f697ea3f7720789c75abb1b69df497f558e1520be", + "zh:9a46a788534c6d8889f05b8f40487d93fab49fa0885e187c06fcb3551d278d28", + "zh:a3e9e47a52d763274b0406ec2e12e9963e70c12631676336cd4feb4d9f7e02a3", + "zh:ddbaf058988a27ec6ffc8e0d42a6d8a47012064cbe0bec36bb1399f4ac38f63f", + "zh:e847e836ab4d8bc451f55025213d184d85b8d3fdf0bc44d9914dae3b3e0d962f", + ] +} diff --git a/terraform/README.md b/terraform/README.md index 048c1186..987528b2 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -16,6 +16,10 @@ We use [Terraform](https://www.terraform.io/docs/index.html) to manage our infra
 Contains configuration to create a terraform S3 backend. `provider.tf` in is configured to use the remote S3 backend.
+## bastion
+
+Configures a bastion that allows Team Leads to exec into pods (normally to run manage.py commands).
+
 ## db-backup.tf
 Grants the `db-backup` IAM role access to the `sql.pennlabs.org` S3 bucket.
diff --git a/terraform/bastion.tf b/terraform/bastion.tf
new file mode 100644
index 00000000..2506523e
--- /dev/null
+++ b/terraform/bastion.tf
@@ -0,0 +1,54 @@
+// IAM
+resource "aws_iam_instance_profile" "bastion" {
+ name = "bastion"
+ role = aws_iam_role.kubectl.name
+}
+
+// EC2 Instance
+resource "aws_instance" "bastion" {
+ // Ubuntu 20.04 Server
+ ami = "ami-042e8287309f5df03"
+ instance_type = "t3.nano"
+ subnet_id = module.vpc.public_subnets[0]
+ vpc_security_group_ids = [aws_security_group.bastion.id]
+ iam_instance_profile = aws_iam_instance_profile.bastion.name
+ key_name = aws_key_pair.admin.key_name
+ user_data = templatefile("files/bastion/user_data.sh", {
+ CONTAIN_EXEC_ENTRY = file("files/bastion/container_exec_entry.sh")
+ CONTAIN_EXEC = file("files/bastion/container_exec.sh")
+ SSH_AUTHORIZED_KEYS = file("files/bastion/ssh_authorized_keys")
+ })
+ tags = {
+ Name = "Bastion"
+ created-by = "terraform"
+ }
+}
+
+resource "aws_security_group" "bastion" {
+ name = "bastion"
+ description = "Allow TLS inbound traffic"
+ vpc_id = module.vpc.vpc_id
+
+ // SSH
+ ingress {
+ description = "SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ // Access to internet (can't restrict to just the cluster
+ // because we need to download tools on first startup)
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "Bastion"
+ created-by = "terraform"
+ }
+}
diff --git a/terraform/eks.tf b/terraform/eks.tf
index 29e228d5..51b57d6e 100644
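Review bot: The security group's `description = "Allow TLS inbound traffic"` does not match its only ingress rule, which is SSH on port 22; `description = "Allow SSH inbound traffic"` would be accurate. That ingress is open to `0.0.0.0/0`, so the `kubectl` role carried by the instance profile is reachable from anywhere that can present a listed key; if the source networks are known, narrow `cidr_blocks`, and otherwise the `// SSH` comment should say that the authorized_keys list is the only gate. `aws_instance.bastion` sets no `metadata_options`, and `metadata_options { http_tokens = "required" }` (IMDSv2 only) is the usual hardening for an instance that serves a privileged role's credentials from the metadata endpoint. The `ami` is a fixed id valid in one region; the `// Ubuntu 20.04 Server` comment should name that region so the hard-coded value can be checked when the instance is rebuilt.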
--- a/terraform/eks.tf
+++ b/terraform/eks.tf
@@ -63,10 +63,17 @@ data "aws_iam_policy_document" "kubectl" {
 statement {
 actions = ["sts:AssumeRole"]
+ // Allow users to assume role
 principals {
 identifiers = concat([for member in local.platform_members : aws_iam_user.platform[member].arn], [aws_iam_user.gh-actions.arn])
 type = "AWS"
 }
+
+ // Allow bastion instance to assume role
+ principals {
+ type = "Service"
+ identifiers = ["ec2.amazonaws.com"]
+ }
 }
 }
diff --git a/terraform/files/bastion/container_exec.sh b/terraform/files/bastion/container_exec.sh
new file mode 100755
index 00000000..745ca153
--- /dev/null
+++ b/terraform/files/bastion/container_exec.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Need to escape all $ because of TF formatting
+# Disable environment type since staging doesn't exist yet
+# echo -n "Would you like to connect to staging or production? [production] "
+# read dep_type
+
+# if [ -z \$dep_type ] || [ \$dep_type == "production" ] || [ \$dep_type == "prod" ]; then
+# namespace="default"
+# elif [ \$dep_type == "staging" ]; then
+# namespace="staging"
+# else
+# echo "Please enter nothing, production, prod, or staging. You entered: \${dep_type}"
+# echo "Press enter to exit"
+# read dummy
+# exit 1
+# fi
+namespace="default"
+
+echo "List of deployments: "
+kubectl get deployment -n \$namespace
+
+echo -n "Enter deployment name: "
+read dep_name
+
+kubectl exec -it -n \$namespace \$(kubectl get pod -n \$namespace | grep \$dep_name | head -n 1 | cut -d " " -f 1) -- /bin/bash
+echo "Press enter to exit"
+read
diff --git a/terraform/files/bastion/container_exec_entry.sh b/terraform/files/bastion/container_exec_entry.sh
new file mode 100755
index 00000000..a38919c1
--- /dev/null
+++ b/terraform/files/bastion/container_exec_entry.sh
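Review bot: Trusting `ec2.amazonaws.com` on the same `kubectl` role that `local.platform_members` and `gh-actions` assume means the bastion instance — and anyone who gets a shell on it as `jump` — carries every permission that role has against the cluster, not only the pod exec the README describes; a dedicated bastion role with its own, narrower cluster mapping would keep the two audiences separable and make the instance's CloudTrail activity distinguishable from human use. At minimum the `// Allow bastion instance to assume role` comment should state that the role is shared with human users so the next reader sees the blast radius. The enclosing `data "aws_iam_policy_document" "kubectl"` block starts before this hunk.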
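Review bot: `dep_name` is read from the terminal and used unquoted as a bare `grep` pattern on the pod list, so an empty entry matches every pod and the script execs into whichever `kubectl get pod` lists first, and a short entry matches any pod name containing it; use `read -r dep_name`, quote the variable, and anchor on the deployment prefix, e.g. `grep "^\${dep_name}-"`, so a non-matching name selects nothing instead of the first pod. When nothing matches, `kubectl exec` is handed an empty pod name; checking the selected pod before exec-ing would give a clearer error than kubectl's. The `# Need to escape all $ because of TF formatting` comment is misleading: `templatefile` does not re-interpolate values passed in through `file()`, and the escaping appears to be for the heredoc in `user_data.sh` that writes this script (confirm against that heredoc's quoting), which is what the comment should say.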
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Need to escape all $ because of TF formatting
+if [[ \$2 == "startexec" ]]; then
+ container_exec.sh
+ exit \$?
+fi
+
+echo "List of active sessions:"
+
+tmux ls 2>/dev/null || echo "No active sessions"
+
+echo -n "Enter session name: "
+
+read session_name
+
+tmux has-session -t \$session_name 2>/dev/null
+
+
+if [[ \$? != 0 ]]; then
+ tmux new -s \$session_name "startexec"
+else
+ tmux attach -t \$session_name
+fi
diff --git a/terraform/files/bastion/ssh_authorized_keys b/terraform/files/bastion/ssh_authorized_keys
new file mode 100644
index 00000000..a0e7ec04
--- /dev/null
+++ b/terraform/files/bastion/ssh_authorized_keys
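Review bot: This script becomes the `jump` user's login shell (via `chsh` in `user_data.sh`), but it should be documented as a convenience rather than a security boundary: tmux is a full multiplexer that can launch other programs, so anyone who can log in as `jump` effectively has a shell on the bastion and can reach the instance role's credentials, and the IAM role and host hardening have to be sized for that. A header comment such as `# Login shell for the jump user: tmux session picker, not a sandbox` would set that expectation for the next maintainer. `session_name` is user input passed unquoted to tmux at three call sites; `read -r session_name` with `"\$session_name"` avoids word splitting on names containing spaces, and `if ! tmux has-session -t "\$session_name" 2>/dev/null; then` replaces the separate `\$?` test.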
@@ -0,0 +1,16 @@
+# Armaan
+ssh-rsa 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 armaant
+# Peyton
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDISjep4jUbOva1XvUrMoyTJ2XLnroypaOq/my06B7idX0Y3YD51uyJmCj51g62805k8HzW65Mo1jTPfM5ezeZE7qhqMA1OJyOg1dCTiyrzgLG/BV/M42eumz9Q3bO+1BXVVO6Ai/K3fnU/g7y48mfx/1rc3IDeiD6G+Dwm7zaEYESq62rrHV44uaat3Hb3sQ22IgjQ7wqcpxT28hVSqL7PWzf8nnYGg2fJgqiky52QwLPMoGItNKnFlzp7ucIGo5qJjh1TCMlRTIzmpYgFUsf4d3gHLKpFDCuoF+F2JLLTMx8AC1ti5rrmf5oslidQtIdPfRQdC7D8dBJkeoq0UdCZ pawalt
+# Davis
+ssh-rsa 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 dhaupt
+# Eric
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHh88eg0ibzdkLmeXdhPbylUm7veBsaWeETngZqcjp2L3MAlSiGihrUcAktcYCfnfESCGrEkKOsanYyigecmFbUkLNHdTBkgfbiFutNVTUh/4mZ6BzdVHFSHHAytnvl3f4Fkt2TnipqOYvVBMv1WSwKxZwP6p7TbGwQGEog/98BGzBqhPXIcm1zc4ftVc5uJneF3eUwP/JOXT/iDFubDKBkrF3DoPkwKYVjskQD1efaYRVvuqSy8Yb3Ai1zq/Lu8KFEiqkAFUXX+bi75QSupQ+YJheFwymp+ddK1s6JCjaBjXd7LbmOVs6IJEOc1C+kLoDk72a3ra0zp4qj5LESEo9 ezwang
+# Eric
+ssh-rsa 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 ezwang
+# Ying
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDMu3DTk+0P9rItS+PvcZq9nndalvf2fmZ26NGzkmQ6nD2gv1OZQfstYmf9Z9MStdg++JBQvXb66xJd4gTDVOn+JBZFz2Dp2Dx4jwnp6mInODgzRl8/F31ch2WfD6jrIMSEqhrhLNnhAqGt0trXxTXRayjv4L5gC1iEC4jrCLLGafA3VstUf85V9XxIc7ssPy0fQli1y9n07b0p8tGuKSU3ViKFZPECehcMHUO3tRO2ePw8XWJRuQSL/MXmIw9WdwLR0zJluDcE0Q4gROfcQr74sV4cBJZ3m9zLN6oYFvkuzo0xCQU9KRpN5xlP8xdKm6NmNJPfFcqQiJeirgEl0wpDu8CYC4lA6pC6LcCXJLp9z8JDxTok6Yn4vdQMRotyjAPNEGWcT/lxg+IVMnE5yLd0XGhPTX7R774obqiNuoItOA95EoAKIN0pQ4BoZ+73b5E5y4smM4+CCE4NfKeG9t8m1EVX9kZljoTu+sJeutsjSRNlOXM3b15vuT+DjegQNe00RHwf6F+I1PzlAilulXm/E+Ify76236n+ZaRo9VL8S12DQoHiNDFCQDf9QLPcw2X0d3lsqbOV/HLCokoEnq/sRep4pNbwnIxg8yHw9RlMg5w7YmGw4ECDOofY3OM0NAYy2u+cjXSrRmkrvu0m/fbrS6wJZWjveyZsofOKO4K8EQ== yxeng
+# Campbell
+ssh-rsa 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 cphalen
+# Charley
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2/2kRi6dNY6NpGTwmR2DwTwXJ8wuAV1WfOEuqpxPS8 ccunning
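Review bot: Every key is listed with default sshd options, so these logins can also open TCP and agent forwarding through the bastion into the VPC, which the `jump` login-shell wrapper does nothing to prevent; prefixing each entry with `restrict,pty ssh-rsa ...` keeps interactive use and turns the forwarding options off. Two entries are labelled `# Eric`; if one is stale it should be removed, and otherwise the comment should say which machine each key belongs to, since this file is the only record of who can log in. A header line noting that the file is rendered into `/home/jump/.ssh/authorized_keys` by `user_data.sh` would help whoever edits it next.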
diff --git a/terraform/files/bastion/user_data.sh b/terraform/files/bastion/user_data.sh
new file mode 100644
index 00000000..51cd1e28
--- /dev/null
+++ b/terraform/files/bastion/user_data.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Variables
+KUBECTL_VERSION="v1.20.4"
+AWS_CLI_VERSION="2.0.30"
+
+# Install packages
+apt-get install -y unzip
+
+# Move exec files to local bin
+cat < /usr/local/bin/container_exec_entry.sh
+${CONTAIN_EXEC_ENTRY}
+EOF
+cat < /usr/local/bin/container_exec.sh
+${CONTAIN_EXEC}
+EOF
+chmod +x /usr/local/bin/container_exec_entry.sh
+chmod +x /usr/local/bin/container_exec.sh
+
+# Make user
+adduser --disabled-password --gecos "" jump
+
+# Add SSH keys to jump user
+mkdir /home/jump/.ssh
+cat < /home/jump/.ssh/authorized_keys
+${SSH_AUTHORIZED_KEYS}
+EOF
+chown jump:jump /home/jump/.ssh/authorized_keys
+
+# Install kubectl
+curl -LO "https://dl.k8s.io/release/$${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
+chmod +x kubectl
+mv kubectl /usr/local/bin/
+
+# Install AWS CLI
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-$${AWS_CLI_VERSION}.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+./aws/install
+rm awscliv2.zip
+rm -r aws
+
+# Generate kubeconfig
+su jump -c "aws eks --region us-east-1 update-kubeconfig --name production"
+
+# Set jump shell
+chsh jump -s /usr/local/bin/container_exec_entry.sh
diff --git a/terraform/main.tf b/terraform/main.tf
index 27a835a6..01895d1e 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
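Review bot: `apt-get install -y unzip` runs with no preceding `apt-get update`, so on a fresh AMI whose package index is empty or stale the install can fail while the script carries on without `unzip`; add `apt-get update` before it and `set -euo pipefail` near the top so a failed step stops provisioning instead of leaving a half-configured host. Both downloads are executed as fetched, with nothing checked: Kubernetes publishes a checksum beside the binary, so `curl -LO "https://dl.k8s.io/release/$${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256"` followed by `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` pins it, and the AWS CLI zip ships with a published signature that can be verified the same way. `mkdir /home/jump/.ssh` and the rendered `authorized_keys` are left at root's default modes with only the file chowned; `chmod 700` on the directory, `chmod 600` on the file and chowning both is what sshd expects. The `cat < /usr/local/bin/...` lines look truncated in this rendering (presumably `cat <<EOF > ...`); if that heredoc is unquoted, the `${CONTAIN_EXEC}` content undergoes shell expansion at boot, which is the real reason the inner scripts escape `$` and deserves a comment here.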
@@ -49,3 +49,10 @@ data "aws_iam_policy_document" "assume-kubectl" {
 resources = [aws_iam_role.kubectl.arn]
 }
 }
+
+// Admin SSH key that should only be used if things go wrong
+// Has access to bastion & vault
+resource "aws_key_pair" "admin" {
+ key_name = "admin"
+ public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDATHpBscMwZBByUmafMmIcbDB2my1Ejj88DAalX8lJHr4mav2ZrPVZK7XAz6SacmGiIEMCK6YgkXh502MgPKLoBEBf4OzvLJVpZlsjzJX3dK+MWTff/a1Jyo35nUOFSdjUyKPNV0CPq5bUqGvYo3hh/bCZQn+7cZ7pENPo/1J/vdmdE5CTrl0UuGqLj0OWjolJwSiL0zeUaRuWATukcn5qv4vgZ9H4woCaMEX5FEVWYPsB7kIz5jH7LlFnhvJ3N8ay3Y/2/2JzFR2RdivQID6vO8Cm7bxfoSF5GpAGJbKcFEJGuV+j/xd3QRHHsC/fHy1sSD4G2bszveHKQwQ1aVYUgq0dITx4o/WO1sbTzRruA0FA63SNAnikq7+eyJsUT/9RkHf3DKXZJqTFCZ1+dDZz9pQSv6dlx4lZ7qgUPcdBiA8WpNTxUZSZ/GvwieE8Zz5sQ6mWQlHgqoILe4t1NpRPLi5LFKvV+nR7Yt0vdlddRkuZE/hBo/XilC9lGYT9hHosZzhiQJ7NZvul9txA8N2YpDBAb1HOR3vd+mpGX0BzxpMUhrJwJdRlQANfULMalHHXTkjPqPUSctrj7zvMl/lzmbGlpClxcp+c3mlIM3lPtoW3dYnaVNK/tYuyzAAUzvNPkPKn1/6XgXhu6hf8TBFScvKSWjn2KFLbo2d0+exUMQ== admin"
+}
diff --git a/terraform/modules/domain/outputs.tf b/terraform/modules/domain/outputs.tf
new file mode 100644
index 00000000..8e4533b6
--- /dev/null
+++ b/terraform/modules/domain/outputs.tf
@@ -0,0 +1,3 @@
+output "zone_id" {
+ value = aws_route53_zone.domain.zone_id
+}
diff --git a/terraform/route53.tf b/terraform/route53.tf
index 42acca86..4974629c 100644
--- a/terraform/route53.tf
+++ b/terraform/route53.tf
@@ -9,3 +9,12 @@ module "domains" {
 data "aws_elb" "traefik" {
 name = local.traefik_lb_name
 }
+
+// Bastion
+resource "aws_route53_record" "bastion" {
+ zone_id = module.domains["pennlabs.org"].zone_id
+ name = "bastion"
+ type = "CNAME"
+ ttl = 3600
+ records = [aws_instance.bastion.public_dns]
+}
diff --git a/terraform/vault.tf b/terraform/vault.tf
index 01dde06e..413ff656 100644
--- a/terraform/vault.tf
+++ b/terraform/vault.tf
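Review bot: The comment on `aws_key_pair.admin` should say what the key actually grants: it is the instance key pair, so it logs in as the AMI's default account (presumably `ubuntu` on the bastion image, with sudo), which bypasses the `jump` wrapper on the bastion entirely and gives host-level access on vault; `// Break-glass key for the AMI default user on bastion & vault; bypasses the jump shell, use only if things go wrong` captures that. With two hosts now depending on this one key, a line on where the private key is held and how it is rotated belongs next to it, since the public key in this file is the only trace of its existence.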
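Review bot: `records = [aws_instance.bastion.public_dns]` binds the name to a value that is not stable: the public hostname changes whenever the instance is stopped and started or replaced (and, in this provider line, I believe a `user_data` change in `bastion.tf` replaces it), so with `ttl = 3600` the name can resolve to an address you no longer hold for up to an hour. Attaching an `aws_eip` to the bastion and publishing an `A` record for it keeps the name bound to an address under your control. The `// Bastion` comment could also say that this name is the intended SSH entry point for the `jump` user.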
@@ -83,7 +83,7 @@ resource "aws_instance" "vault" {
 subnet_id = module.vpc.public_subnets[0]
 vpc_security_group_ids = [aws_security_group.vault.id]
 iam_instance_profile = aws_iam_instance_profile.vault.name
- key_name = aws_key_pair.vault.key_name
+ key_name = aws_key_pair.admin.key_name
 user_data = templatefile("files/vault_user_data.sh", {
 connection_url = format("postgres://vault:%s@%s/vault", random_password.postgres-password["vault"].result, aws_db_instance.production.endpoint)
 kms_key_id = aws_kms_key.vault.key_id
@@ -116,11 +116,6 @@ resource "aws_instance" "vault" {
 }
 }
-// Modify this to be a different SSH key if you need direct SSH access
-resource "aws_key_pair" "vault" {
- key_name = "vault-access"
- public_key = "ssh-rsa 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 vault"
-}
 resource "aws_security_group" "vault" {
 name = "vault"
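Review bot: As far as I recall for this provider line, `key_name` on `aws_instance` forces replacement when it changes, so switching from `aws_key_pair.vault` to `aws_key_pair.admin` will destroy and recreate the Vault instance rather than update it in place; the plan should be checked for that and the intent recorded in the commit message or a comment. The same apply deletes `aws_key_pair.vault`, so if the replacement instance does not come up there is no fallback login, even though the Postgres `connection_url` and `kms_key_id` passed through `user_data` suggest the Vault state itself is not on the instance. The removed `// Modify this to be a different SSH key if you need direct SSH access` guidance now lives only in `main.tf`; a pointer on the changed line such as `// break-glass key shared with the bastion, see aws_key_pair.admin in main.tf` keeps it discoverable. The `resource "aws_instance" "vault"` block starts before this hunk.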