Added files

examples/bastion/.terraform-version

@@ -0,0 +1 @@
+0.12.6

examples/bastion/README.md

@@ -0,0 +1,31 @@
+# Terraform bastion test
+
+### Generate ssh keys
+```
+source ./init.sh
+```
+
+### Init terraform
+```
+terrafrom init
+```
+
+### Plan changes
+```
+terrafrom plan
+```
+
+### Apply changes
+```
+terrafrom apply
+```
+
+### Test bastion is up
+```
+ssh -i <key> ec2-user@<bastion-ip>
+```
+
+### Destroy
+```
+terrafrom destroy
+```

examples/bastion/init.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+mkdir -p generated
+ssh-keygen -t rsa -C "demo" -P '' -f generated/id_rsa

examples/bastion/main.tf

@@ -0,0 +1,58 @@
+# required to due to https://github.com/hashicorp/terraform/issues/21330
+# otherwise the terraform operation will fail with 
+# -> The argument "region" is required, but was not set.
+provider "aws" {
+  version = "~> 2.0"
+  region  = var.aws_region
+}
+
+module "vpc" {
+  source = "git::https://github.com/philips-software/terraform-aws-vpc.git?ref=2.0.0"
+
+  environment = var.environment
+  aws_region  = var.aws_region
+}
+
+resource "aws_key_pair" "bastion_key" {
+  count      = var.enable_bastion ? 1 : 0
+  key_name   = var.key_name
+  public_key = file(var.ssh_key_file_bastion)
+}
+
+# Default bastion
+module "bastion" {
+  source         = "../.."
+  enable_bastion = true
+
+  environment = var.environment
+  project     = var.project
+
+  aws_region = var.aws_region
+  key_name   = aws_key_pair.bastion_key[0].key_name
+  subnet_id  = element(module.vpc.public_subnets, 0)
+  vpc_id     = module.vpc.vpc_id
+}
+
+# test custom AMI
+module "bastion_custom" {
+  source         = "../.."
+  enable_bastion = true
+
+  environment = var.environment
+  project     = var.project
+
+  aws_region = var.aws_region
+  key_name   = aws_key_pair.bastion_key[0].key_name
+  subnet_id  = element(module.vpc.public_subnets, 0)
+  vpc_id     = module.vpc.vpc_id
+
+  amazon_optimized_amis = {
+    us-east-1 = "ami-a4c7edb2" # N. Virginia
+    eu-west-1 = "ami-d7b9a2b1" # Ireland
+  }
+
+  tags = {
+    my-tag = "my-new-tag"
+  }
+}
+

examples/bastion/outputs.tf

@@ -0,0 +1,16 @@
+output "default_instance_id" {
+  value = module.bastion.instance_id
+}
+
+output "default_public_ip" {
+  value = module.bastion.public_ip
+}
+
+output "custom_instance_id" {
+  value = module.bastion_custom.instance_id
+}
+
+output "custom_public_ip" {
+  value = module.bastion_custom.public_ip
+}
+

examples/bastion/terraform.tfvars

@@ -0,0 +1,7 @@
+key_name = "bastion-test"
+
+environment = "bastion-test"
+
+project = "Forest"
+
+aws_region = "eu-west-1"

examples/bastion/variables.tf

@@ -0,0 +1,30 @@
+variable "aws_region" {
+  description = "The Amazon region"
+  type        = string
+}
+
+variable "project" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Logical name of the environment"
+  type        = string
+}
+
+variable "key_name" {
+  description = "SSH key name for the environment"
+  type        = string
+}
+
+variable "ssh_key_file_bastion" {
+  description = "SSH key file for the bastion host"
+  default     = "generated/id_rsa.pub"
+}
+
+variable "enable_bastion" {
+  description = "Enable a bastion host"
+  default     = "true"
+}
+

examples/bastion/versions.tf

@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}

main.tf

@@ -0,0 +1,103 @@
+resource "aws_security_group" "ami" {
+  count       = var.enable_bastion ? 1 : 0
+  name_prefix = "${var.environment}-security-group"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    protocol  = "tcp"
+    from_port = 22
+    to_port   = 22
+
+    cidr_blocks = [var.admin_cidr]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(
+    {
+      "Name" = format("%s-bastion-sg", var.environment)
+    },
+    {
+      "Environment" = format("%s", var.environment)
+    },
+    {
+      "Project" = format("%s", var.project)
+    },
+    var.tags,
+  )
+}
+
+data "aws_ami" "aws_optimized_ami" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["amzn-ami-hvm*"]
+  }
+
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
+  filter {
+    name   = "root-device-type"
+    values = ["ebs"]
+  }
+
+  owners = ["137112412989"] # AWS
+}
+
+locals {
+  aws_ami_userdefined = lookup(var.amazon_optimized_amis, var.aws_region, "")
+  aws_ami             = local.aws_ami_userdefined == "" ? data.aws_ami.aws_optimized_ami.id : local.aws_ami_userdefined
+}
+
+data "template_file" "user_data" {
+  template = file("${path.module}/template/user_data.sh")
+}
+
+resource "aws_instance" "instance" {
+  count = var.enable_bastion ? 1 : 0
+
+  ami                         = local.aws_ami
+  instance_type               = var.instance_type
+  associate_public_ip_address = true
+  ebs_optimized               = var.ebs_optimized
+  subnet_id                   = var.subnet_id
+  vpc_security_group_ids      = [aws_security_group.ami[0].id]
+  key_name                    = var.key_name
+  user_data                   = var.user_data == "" ? data.template_file.user_data.rendered : var.user_data
+
+  tags = merge(
+    {
+      "Name" = format("%s-bastion", var.environment)
+    },
+    {
+      "Environment" = format("%s", var.environment)
+    },
+    {
+      "Project" = format("%s", var.project)
+    },
+    var.tags,
+  )
+
+  volume_tags = merge(
+    {
+      "Name" = format("%s-bastion", var.environment)
+    },
+    {
+      "Environment" = format("%s", var.environment)
+    },
+    {
+      "Project" = format("%s", var.project)
+    },
+    var.tags,
+  )
+}
+

outputs.tf

@@ -0,0 +1,10 @@
+output "instance_id" {
+  description = "Id of the created instance."
+  value       = element(concat(aws_instance.instance.*.id, [""]), 0)
+}
+
+output "public_ip" {
+  description = "Public ip of the created instance."
+  value       = element(concat(aws_instance.instance.*.public_ip, [""]), 0)
+}
+

template/user_data.sh

@@ -0,0 +1,24 @@
+#!/bin/bash -ex
+exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
+yum -y update
+
+# Add current hostname to hosts file
+tee /etc/hosts <<EOL
+127.0.0.1   localhost localhost.localdomain `hostname`
+EOL
+
+# Set sudoers file to not requiretty
+tee /etc/sudoers <<EOL
+Defaults    !requiretty
+Defaults    !visiblepw
+Defaults    always_set_home
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+root ALL=(ALL) ALL
+#includedir /etc/sudoers.d
+EOL

variables.tf

@@ -0,0 +1,72 @@
+variable "aws_region" {
+  description = "The Amazon region."
+  type        = string
+}
+
+variable "project" {
+  description = "Name of the project."
+  type        = string
+}
+
+variable "environment" {
+  description = "Logical name of the environment."
+  type        = string
+}
+
+variable "key_name" {
+  description = "SSH key name for the environment."
+  type        = string
+}
+
+variable "amazon_optimized_amis" {
+  description = "Map from region to AMI. By default the latest Amazon Linux is used."
+  type        = map(string)
+  default     = {}
+}
+
+variable "vpc_id" {
+  description = "The VPC to launch the instance in (e.g. vpc-66ecaa02)."
+  type        = string
+}
+
+variable "subnet_id" {
+  description = "Subnet in which the basion needs to be deployed."
+  type        = string
+}
+
+variable "enable_bastion" {
+  description = "If true the bastion will be created. Be default the bastion host is not running, needs explicit set to true."
+  type        = bool
+  default     = false
+}
+
+variable "instance_type" {
+  description = "EC2 instance type."
+  type        = string
+  default     = "t2.micro"
+}
+
+variable "ebs_optimized" {
+  description = "If true, the launched EC2 instance will be EBS-optimized."
+  type        = bool
+  default     = false
+}
+
+variable "admin_cidr" {
+  description = "CIDR pattern to access the bastion host"
+  type        = string
+  default     = "0.0.0.0/0"
+}
+
+variable "user_data" {
+  description = "Used data for bastion EC2 instance"
+  type        = string
+  default     = ""
+}
+
+variable "tags" {
+  description = "Map of tags to apply on the resources"
+  type        = map(string)
+  default     = {}
+}
+

versions.tf

@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = ">= 0.12"
+}