
bastion-group

This module will generate a managed instance group of bastion host VMs compatible with OS Login and IAP Tunneling that can be used to access internal VMs.

This module will:

  • Create a dedicated service account for the bastion host
  • Create managed instance group of GCE instances to be the bastion host
  • Create a firewall rule to allow TCP:22 SSH access from the IAP to the bastion
  • Create the IAM bindings needed to allow IAP tunneling and OS Login for the specified members

Usage

Basic usage of this module is as follows:

module "bastion_group" {
  source = "terraform-google-modules/bastion-host/google//modules/bastion-group"

  target_size = 2
  project     = var.project
  region      = var.region
  zone        = var.zone
  network     = google_compute_network.net.self_link
  subnet      = google_compute_subnetwork.net.self_link
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}

Once the bastion group is created, you can list the newly created instances with a command similar to the following:

$ gcloud compute instance-groups list-instances bastion-mig --region us-west1
NAME          ZONE        STATUS
bastion-9qgq  us-west1-c  RUNNING
bastion-rtv4  us-west1-b  RUNNING

A functional example is included in the examples directory.
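As an added example (not part of this module's documentation or its examples directory), the configuration below shows the bring-your-own service account path described by the service_account_email input in the Inputs section: the caller creates the account, grants it the same roles the module would otherwise grant by default, and passes its email in, together with an explicit health_check and a restricted members list. The var.project, var.region, var.zone and google_compute_network/google_compute_subnetwork references are the ones from the usage block above; the account_id bastion-group-sa and the group address bastion-users@example.com are placeholders.

```hcl
# Added example, not the module's own code. Assumes var.project, var.region,
# var.zone and the google_compute_network/google_compute_subnetwork resources
# named "net" already exist, as in the usage block above.

locals {
  # Same roles as the module's default service_account_roles input. When
  # service_account_email is set the module creates no account and grants
  # no roles, so the caller has to bind these itself or logging, monitoring
  # and OS Login on the bastion stop working.
  bastion_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/compute.osLogin",
  ]
}

resource "google_service_account" "bastion" {
  project      = var.project
  account_id   = "bastion-group-sa" # placeholder name
  display_name = "Bastion group service account"
}

resource "google_project_iam_member" "bastion_sa" {
  for_each = toset(local.bastion_sa_roles)

  project = var.project
  role    = each.value
  member  = "serviceAccount:${google_service_account.bastion.email}"
}

module "bastion_group" {
  source = "terraform-google-modules/bastion-host/google//modules/bastion-group"

  project = var.project
  region  = var.region
  zone    = var.zone
  network = google_compute_network.net.self_link
  # The subnet can be private: IAP reaches the instances without an external IP.
  subnet = google_compute_subnetwork.net.self_link

  target_size = 2

  # Reuse the account created above instead of letting the module create one.
  service_account_email = google_service_account.bastion.email

  # Defaults that matter for hardening, kept explicit.
  shielded_vm = true
  scopes      = ["cloud-platform"]

  # Every attribute of the health_check object type must be supplied; this
  # probes port 22 more often than the default (30s interval, 5 failures).
  health_check = {
    type                = "tcp"
    port                = 22
    initial_delay_sec   = 60
    check_interval_sec  = 15
    timeout_sec         = 5
    healthy_threshold   = 1
    unhealthy_threshold = 3
    response            = ""
    proxy_header        = "NONE"
    request             = ""
    request_path        = "" # unused by the module
    host                = "" # unused by the module
  }

  # Only these principals receive the IAP tunnel and OS Login bindings.
  members = [
    "group:bastion-users@example.com", # placeholder
  ]

  # Make sure the role bindings exist before the instance template is built.
  depends_on = [google_project_iam_member.bastion_sa]
}

output "bastion_instance_group" {
  value = module.bastion_group.instance_group
}
```

Because service_account_email is set, the module's service_account output will not refer to an account it created; the google_service_account resource above is the one to reference, and the depends_on on the module keeps the IAM bindings ahead of the instance template that uses the account.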

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com
  • Compute Engine API: compute.googleapis.com
  • Cloud Identity-Aware Proxy API: iap.googleapis.com
  • OS Login API: oslogin.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_networks | Additional network interface details for the instance template, if any. | list(object({ network = string, subnetwork = string, subnetwork_project = string, network_ip = string, access_config = list(object({ nat_ip = string, network_tier = string })) })) | [] | no |
| fw_name_allow_ssh_from_health_check_cidrs | Firewall rule name for allowing Health Checks | string | "allow-ssh-from-health-check-cidrs" | no |
| fw_name_allow_ssh_from_iap | Firewall rule name for allowing SSH from IAP | string | "allow-ssh-from-iap-to-bastion-group" | no |
| health_check | Health check config for the MIG (the request_path and host fields are unused). | object({ type = string, initial_delay_sec = number, check_interval_sec = number, healthy_threshold = number, timeout_sec = number, unhealthy_threshold = number, response = string, proxy_header = string, port = number, request = string, request_path = string, host = string }) | { "check_interval_sec": 30, "healthy_threshold": 1, "host": "", "initial_delay_sec": 30, "port": 22, "proxy_header": "NONE", "request": "", "request_path": "", "response": "", "timeout_sec": 10, "type": "tcp", "unhealthy_threshold": 5 } | no |
| host_project | The network host project ID | string | "" | no |
| image_family | Source image family for the Bastion. | string | "debian-11" | no |
| image_project | Project where the source image for the Bastion comes from | string | "debian-cloud" | no |
| labels | Key-value map of labels to assign to the bastion host | map(any) | {} | no |
| machine_type | Instance type for the Bastion host | string | "n1-standard-1" | no |
| members | List of IAM resources to allow access to the bastion host | list(string) | [] | no |
| metadata | Key-value map of additional metadata to assign to the instances | map(string) | {} | no |
| name | Name prefix of bastion instances | string | "bastion" | no |
| network | Self link for the network on which the Bastion should live | string | n/a | yes |
| project | The project ID to deploy to | string | n/a | yes |
| random_role_id | Enables role random id generation. | bool | true | no |
| region | The primary region where the bastion host will live | string | "us-central1" | no |
| scopes | List of scopes to attach to the bastion host | list(string) | ["cloud-platform"] | no |
| service_account_email | If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the parent module service_account_roles variable so that logging and OS Login work as expected. | string | "" | no |
| service_account_name | Account ID for the service account | string | "bastion-group" | no |
| service_account_roles | List of IAM roles to assign to the service account. | list(string) | ["roles/logging.logWriter", "roles/monitoring.metricWriter", "roles/monitoring.viewer", "roles/compute.osLogin"] | no |
| service_account_roles_supplemental | An additional list of roles to assign to the bastion if desired | list(string) | [""] | no |
| shielded_vm | Enable shielded VM on the bastion host (recommended) | bool | true | no |
| startup_script | Render a startup script with a template. | string | "" | no |
| subnet | Self link for the subnet on which the Bastion should live. Can be private when using IAP | string | n/a | yes |
| tags | Network tags, provided as a list | list(string) | [] | no |
| target_size | Number of instances to create | number | 1 | no |
| zone | The primary zone where the bastion host will live | string | "us-central1-a" | no |

Outputs

| Name | Description |
|------|-------------|
| instance_group | Instance-group URL of the managed instance group |
| self_link | Name of the bastion MIG |
| service_account | The email for the service account created for the bastion host |

Contributing

Refer to the contribution guidelines for information on contributing to this module.