13 changed files with 69 additions and 210 deletions
--- a/README.md
+++ b/README.md
@ -1,238 +1,98 @@
-# Terraform AWS Bastion Host Module
+# Terraform bastion module
-## Overview
+Module to create a bastion host (or stepping stone). The module let you enable this host once needed. Be default the host is not created.
-This Terraform module creates an EC2 bastion host (jump server) for secure SSH access to private resources in your AWS VPC. The bastion host can be enabled or disabled as needed and includes features like Elastic IP, custom security groups, and configurable instance specifications.
+## Terraform version
-## Features
+- Terraform 0.12: Pin module to `~> 2+`, submit pull request to branch `develop`
 - Terraform 0.11: Pin module to `~> 1.x`, submit pull request to branch `terrafomr011`
 - Conditional creation - Enable/disable bastion host via variable
 - Elastic IP assignment for consistent public IP
 - Dedicated network interface with security group
 - Automatic AWS optimized AMI selection
 - Custom user data support
 - EBS optimization option
 - Configurable CIDR-based access control
 - IMDSv2 enforcement for enhanced security
 - Flexible tagging support
-## Resources Created
+## Example usages:
 See also the [full examples](./examples).
 - EC2 Instance (Amazon Linux optimized AMI)
 - Elastic IP (EIP)
 - Network Interface
 - Security Group with SSH ingress rules
 - IAM instance profile (optional, via user configuration)
 ## Usage
 ### Basic Example
 ```hcl
 module "bastion" {
  source = "git@github.com:webuildyourcloud/terraform-aws-bastion.git?ref=tags/0.0.7"
  # Enable bastion creation
  enable_bastion = true
  # Naming
  environment = "prod"
  project     = "myapp"
  # Network Configuration
  aws_region = "us-east-1"
  vpc_id     = "vpc-12345678"
  subnet_id  = "subnet-12345678"
  # Instance Configuration
  instance_type = "t3.micro"
  key_name      = "my-ssh-key"
  # Security
  admin_cidr = "203.0.113.0/24"
  # Tags
  tags = {
    ManagedBy   = "terraform"
    Environment = "production"
  }
 }
 ```
-### Advanced Example with Custom AMI
+module "vpc" {
  source = "git::https://github.com/philips-software/terraform-aws-vpc?ref=2.0.0"
-```hcl
+  environment = var.environment
  aws_region  = var.aws_region
 }
 # Default bastion
 module "bastion" {
-  source = "git@github.com:webuildyourcloud/terraform-aws-bastion.git?ref=tags/0.0.7"
+  source = "git::https://github.com/philips-software/terraform-aws-bastion?ref=2.0.0"
  enable_bastion = true
-  environment    = "dev"
+
-  project        = "research"
+  environment = var.environment
-  aws_region     = "eu-west-1"
+  project     = var.project
  aws_region = var.aws_region
  key_name   = aws_key_pair.bastion_key[0].key_name
  subnet_id  = element(module.vpc.public_subnets, 0)
  vpc_id     = module.vpc.vpc_id
  subnet_id      = module.vpc.public_subnets[0]
  # Custom instance configuration
  instance_type  = "t3.small"
  ebs_optimized  = true
  key_name       = "dev-bastion-key"
  # Custom AMI per region
  amazon_optimized_amis = {
    "eu-west-1" = "ami-0123456789abcdef0"
  }
  # Restrict SSH access
  admin_cidr = "10.0.0.0/8"
  # Custom user data
  user_data = file("${path.module}/bastion-userdata.sh")
  // add additional tags
  tags = {
-    Backup      = "true"
+    my-tag = "my-new-tag"
    CostCenter  = "engineering"
  }
 }
 ```
-## Variables
+## Inputs
 | Name                    | Description                                                                                                  |    Type     |    Default    | Required |
-|------|-------------|------|---------|----------|
+| ----------------------- | ------------------------------------------------------------------------------------------------------------ | :---------: | :-----------: | :------: |
-| aws_region | The AWS region | `string` | n/a | yes |
+| admin\_cidr             | CIDR pattern to access the bastion host                                                                      |   string    | `"0.0.0.0/0"` |    no    |
-| project | Name of the project | `string` | n/a | yes |
+| amazon\_optimized\_amis | Map from region to AMI. By default the latest Amazon Linux is used.                                          | map(string) |    `<map>`    |    no    |
-| environment | Logical name of the environment | `string` | n/a | yes |
+| aws\_region             | The Amazon region.                                                                                           |   string    |      n/a      |   yes    |
-| key_name | SSH key name for the environment | `string` | n/a | yes |
+| ebs\_optimized          | If true, the launched EC2 instance will be EBS-optimized.                                                    |    bool     |   `"false"`   |    no    |
-| vpc_id | The VPC ID to launch the instance in | `string` | n/a | yes |
+| enable\_bastion         | If true the bastion will be created. Be default the bastion host is not running, needs explicit set to true. |    bool     |   `"false"`   |    no    |
-| subnet_id | Subnet in which the bastion needs to be deployed | `string` | n/a | yes |
+| environment             | Logical name of the environment.                                                                             |   string    |      n/a      |   yes    |
-| enable_bastion | Enable bastion host creation | `bool` | `false` | no |
+| instance\_type          | EC2 instance type.                                                                                           |   string    | `"t2.micro"`  |    no    |
-| instance_type | EC2 instance type | `string` | `"t2.micro"` | no |
+| key\_name               | SSH key name for the environment.                                                                            |   string    |      n/a      |   yes    |
-| ebs_optimized | Enable EBS optimization | `bool` | `true` | no |
+| project                 | Name of the project.                                                                                         |   string    |      n/a      |   yes    |
-| admin_cidr | CIDR pattern to access the bastion host | `string` | `"0.0.0.0/0"` | no |
+| subnet\_id              | Subnet in which the basion needs to be deployed.                                                             |   string    |      n/a      |   yes    |
-| amazon_optimized_amis | Map from region to AMI (uses latest Amazon Linux if not specified) | `map(string)` | `{}` | no |
+| tags                    | Map of tags to apply on the resources                                                                        | map(string) |    `<map>`    |    no    |
-| user_data | User data for bastion EC2 instance | `string` | `""` | no |
+| user\_data              | Used data for bastion EC2 instance                                                                           |   string    |     `""`      |    no    |
-| tags | Map of tags to apply on the resources | `map(string)` | `{}` | no |
+| vpc\_id                 | The VPC to launch the instance in (e.g. vpc-66ecaa02).                                                       |   string    |      n/a      |   yes    |
 ## Outputs
 | Name         | Description                        |
-|------|-------------|
+| ------------ | ---------------------------------- |
-| instance_id | ID of the created bastion instance |
+| instance\_id | Id of the created instance.        |
-| public_ip | Public IP address of the bastion instance |
+| public\_ip   | Public ip of the created instance. |
-## Requirements
+## Automated checks
 Currently the automated checks are limited. In CI the following checks are done for the root and each example.
 - lint: `terraform validate` and `terraform fmt`
 - basic init / get check: `terraform init -get -backend=false -input=false`
-| Name | Version |
+## Generation variable documentation
-|------|---------|
+A markdown table for variables can be generated as follow. Generation requires awk and terraform-docs installed.
 | terraform | >= 0.13 |
 | aws | Latest |
 | template | Latest |
-## Security Features
+```
-
+ .ci/bin/terraform-docs.sh markdown .
 ### IMDSv2 Enforcement
 The bastion host is configured with Instance Metadata Service Version 2 (IMDSv2) enforcement:
 ```hcl
 metadata_options {
  http_endpoint = "enabled"
  http_tokens   = "required"
 }
 ```
-This provides enhanced security against SSRF attacks and unauthorized metadata access.
+## Philips Forest
-### Security Group Configuration
+This module is part of the Philips Forest.
-The module creates a dedicated security group with:
+```
- SSH (port 22) ingress from specified CIDR blocks (configurable via `admin_cidr`)
+                                                     ___                   _
- All egress traffic allowed (for package updates and outbound connections)
+                                                    / __\__  _ __ ___  ___| |_
                                                   / _\/ _ \| '__/ _ \/ __| __|
                                                  / / | (_) | | |  __/\__ \ |_
                                                  \/   \___/|_|  \___||___/\__|  
-### Network Configuration
+                                                                 Infrastructure
 - Dedicated network interface for better security isolation
 - Elastic IP for consistent public addressing
 - Deployed in public subnet for external access
 ## Important Notes
 1. **Enable Flag**: By default, `enable_bastion` is set to `false`. You must explicitly set it to `true` to create the bastion host
 2. **SSH Key**: Ensure the SSH key specified in `key_name` exists in the target region before applying
 3. **Cost Consideration**: The bastion host and Elastic IP incur hourly charges even when idle
 4. **AMI Selection**: If `amazon_optimized_amis` is not specified, the module automatically selects the latest Amazon Linux AMI
 5. **Access Control**: Restrict `admin_cidr` to specific IP ranges for production use (avoid `0.0.0.0/0`)
 6. **User Data**: Default user data template is included at `template/user_data.sh`
 ## Example Use Cases
 ### Development Environment
 ```hcl
 module "dev_bastion" {
  source         = "git@github.com:webuildyourcloud/terraform-aws-bastion.git"
  enable_bastion = true
  environment    = "dev"
  project        = "myapp"
  instance_type  = "t3.micro"
  admin_cidr     = "0.0.0.0/0"  # Open for development
 }
 ```
-### Production Environment
+Talk to the forestkeepers in the `forest`-channel on Slack.
-```hcl
+[![Slack](https://philips-software-slackin.now.sh/badge.svg)](https://philips-software-slackin.now.sh)
-module "prod_bastion" {
+# terraform-aws-bastion
  source         = "git@github.com:webuildyourcloud/terraform-aws-bastion.git"
  enable_bastion = true
  environment    = "prod"
  project        = "myapp"
  instance_type  = "t3.small"
  ebs_optimized  = true
  admin_cidr     = "203.0.113.0/24"  # Restricted to office network
 }
 ```
 ## Accessing the Bastion Host
 After creation, connect to the bastion using:
 ```bash
 ssh -i /path/to/key.pem ec2-user@<bastion-public-ip>
 ```
 To tunnel through the bastion to private resources:
 ```bash
 ssh -i /path/to/key.pem -A -L 8080:private-server:80 ec2-user@<bastion-public-ip>
 ```
 ## Best Practices
 1. Use restrictive CIDR blocks for `admin_cidr` in production
 2. Enable EBS optimization for better performance
 3. Use Session Manager as an alternative to SSH when possible
 4. Regularly update the bastion AMI for security patches
 5. Implement CloudWatch logging for SSH sessions
 6. Consider using AWS Systems Manager Session Manager instead of traditional SSH
 7. Tag resources appropriately for cost allocation
 8. Disable bastion when not in use to reduce costs
 ## Troubleshooting
 ### Cannot connect to bastion
 - Verify the security group allows your IP in `admin_cidr`
 - Check the Elastic IP is properly associated
 - Ensure the SSH key matches the one specified in `key_name`
 - Verify the subnet has an Internet Gateway attached
 ### Instance not created
 - Confirm `enable_bastion` is set to `true`
 - Check AWS service quotas for EC2 instances
 - Verify subnet and VPC exist
 ## License
 This module is provided as-is for use within your organization.
--- a/examples/bastion/.terraform-version
+++ b/examples/bastion/.terraform-version
--- a/examples/bastion/README.md
+++ b/examples/bastion/README.md
--- a/examples/bastion/main.tf
+++ b/examples/bastion/main.tf
--- a/examples/bastion/outputs.tf
+++ b/examples/bastion/outputs.tf
--- a/examples/bastion/terraform.tfvars
+++ b/examples/bastion/terraform.tfvars
--- a/examples/bastion/variables.tf
+++ b/examples/bastion/variables.tf
--- a/examples/bastion/versions.tf
+++ b/examples/bastion/versions.tf
--- a/main.tf
+++ b/main.tf
@ -63,9 +63,8 @@ data "template_file" "user_data" {
 }
 resource "aws_eip" "this" {
  count    = var.enable_bastion ? 1 : 0
  vpc      = true
-  instance = aws_instance.instance[0].id
+  instance = aws_instance.instance.id[0]
 }
 resource "aws_network_interface" "interface" {
@ -100,14 +99,14 @@ resource "aws_instance" "instance" {
  user_data                   = var.user_data == "" ? data.template_file.user_data.rendered : var.user_data
  network_interface {
-    network_interface_id = aws_network_interface.interface[0].id
+    network_interface_id = aws_network_interface.interface.id
    device_index         = 0
  }
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
-  
+  }
  tags = merge(
    {
--- a/outputs.tf
+++ b/outputs.tf
--- a/template/user_data.sh
+++ b/template/user_data.sh
--- a/variables.tf
+++ b/variables.tf
--- a/versions.tf
+++ b/versions.tf