├── .chglog
    ├── CHANGELOG.tpl.md
    └── config.yml
├── .pre-commit-config.yaml
├── CHANGELOG.md
├── LICENSE
├── Makefile
├── README.md
├── main.tf
├── outputs.tf
├── samples
    ├── add_available_ssh_hosts_to_motd.sh
    ├── ami.tf
    ├── iam_allow_associateaddress.tf
    ├── iam_s3_readonly.tf
    └── s3_ssh_public_keys.tf
├── user_data.sh
├── variables.tf
└── versions.tf


/.chglog/CHANGELOG.tpl.md:
--------------------------------------------------------------------------------
 1 | {{ if .Versions -}}
 2 | <a name="unreleased"></a>
 3 | ## [Unreleased]
 4 | {{ if .Unreleased.CommitGroups -}}
 5 | {{ range .Unreleased.CommitGroups -}}
 6 | ### {{ .Title }}
 7 | {{ range .Commits -}}
 8 | - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
 9 | {{ end }}
10 | {{ end -}}
11 | {{ else }}
12 | {{ range .Unreleased.Commits -}}
13 | - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
14 | {{ end }}
15 | {{ end -}}
16 | {{ end -}}
17 | 
18 | {{ range .Versions }}
19 | <a name="{{ .Tag.Name }}"></a>
20 | ## {{ if .Tag.Previous }}[{{ .Tag.Name }}]{{ else }}{{ .Tag.Name }}{{ end }} - {{ datetime "2006-01-02" .Tag.Date }}
21 | {{ if .CommitGroups -}}
22 | {{ range .CommitGroups -}}
23 | ### {{ .Title }}
24 | {{ range .Commits -}}
25 | - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
26 | {{ end }}
27 | {{ end -}}
28 | {{ else }}
29 | {{ range .Commits -}}
30 | - {{ if .Scope }}**{{ .Scope }}:** {{ end }}{{ .Subject }}
31 | {{ end }}
32 | {{ end -}}
33 | 
34 | {{- if .NoteGroups -}}
35 | {{ range .NoteGroups -}}
36 | ### {{ .Title }}
37 | {{ range .Notes }}
38 | {{ .Body }}
39 | {{ end }}
40 | {{ end -}}
41 | {{ end -}}
42 | {{ end -}}
43 | 
44 | {{- if .Versions }}
45 | [Unreleased]: {{ .Info.RepositoryURL }}/compare/{{ $latest := index .Versions 0 }}{{ $latest.Tag.Name }}...HEAD
46 | {{ range .Versions -}}
47 | {{ if .Tag.Previous -}}
48 | [{{ .Tag.Name }}]: {{ $.Info.RepositoryURL }}/compare/{{ .Tag.Previous.Name }}...{{ .Tag.Name }}
49 | {{ end -}}
50 | {{ end -}}
51 | {{ end -}}


--------------------------------------------------------------------------------
/.chglog/config.yml:
--------------------------------------------------------------------------------
 1 | style: github
 2 | template: CHANGELOG.tpl.md
 3 | info:
 4 |   title: CHANGELOG
 5 |   repository_url: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys
 6 | options:
 7 |   header:
 8 |     pattern: "^(.*)$"
 9 |     pattern_maps:
10 |       - Subject
11 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
 1 | repos:
 2 | - repo: git://github.com/antonbabenko/pre-commit-terraform
 3 |   rev: v1.21.0
 4 |   hooks:
 5 |     - id: terraform_fmt
 6 |     - id: terraform_docs
 7 | - repo: git://github.com/pre-commit/pre-commit-hooks
 8 |   rev: v2.4.0
 9 |   hooks:
10 |     - id: check-merge-conflict
11 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
  1 | <a name="unreleased"></a>
  2 | ## [Unreleased]
  3 | 
  4 | 
  5 | 
  6 | <a name="v2.1.0"></a>
  7 | ## [v2.1.0] - 2021-09-22
  8 | 
  9 | - feat: Added a flexible way to pass a custom user-data script ([#38](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/38))
 10 | 
 11 | 
 12 | <a name="v2.0.0"></a>
 13 | ## [v2.0.0] - 2020-01-07
 14 | 
 15 | 
 16 | 
 17 | <a name="v1.10.1"></a>
 18 | ## [v1.10.1] - 2020-01-07
 19 | 
 20 | - Updated CHANGELOG
 21 | - Updated CHANGELOG
 22 | - Added git-chklog files
 23 | - Fixed for Terraform 0.12
 24 | - Support for Terraform 0.12 (fixes [#55](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/55)) ([#56](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/56))
 25 | 
 26 | 
 27 | <a name="v1.10.0"></a>
 28 | ## [v1.10.0] - 2018-10-31
 29 | 
 30 | - Fix typo in title ([#50](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/50))
 31 | - :recycle: Run apt or yum if available but not both ([#52](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/52))
 32 | 
 33 | 
 34 | <a name="v1.9.0"></a>
 35 | ## [v1.9.0] - 2018-10-31
 36 | 
 37 | - Simplification ([#53](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/53))
 38 | 
 39 | ### 
 40 | 
 41 | * Remove `file()` call as the resources provides an `source` attribute to read local file
 42 | 
 43 | 
 44 | <a name="v1.8.1"></a>
 45 | ## [v1.8.1] - 2018-08-16
 46 | 
 47 | - Updated CHANGELOG
 48 | - Small tidy up of README ([#47](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/47))
 49 | 
 50 | 
 51 | <a name="v1.8.0"></a>
 52 | ## [v1.8.0] - 2018-04-11
 53 | 
 54 | - Fixed formatting
 55 | - Updated changelog
 56 | - Reload via name change ([#45](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/45))
 57 | 
 58 | 
 59 | <a name="v1.7.0"></a>
 60 | ## [v1.7.0] - 2018-04-03
 61 | 
 62 | - Updated changelog for v1.7.0
 63 | 
 64 | 
 65 | <a name="v1.6.0"></a>
 66 | ## [v1.6.0] - 2018-04-03
 67 | 
 68 | - Updated changelog for v1.6.0
 69 | - Updated changelog
 70 | - Added pre-commit hooks
 71 | - Fixed formatting
 72 | - Add the root volume size as a variable ([#42](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/42))
 73 | 
 74 | 
 75 | <a name="v1.5.0"></a>
 76 | ## [v1.5.0] - 2018-04-03
 77 | 
 78 | - Replace older local keys with newer S3 keys ([#43](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/43))
 79 | - Add asg_id output ([#41](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/41))
 80 | 
 81 | 
 82 | <a name="v1.3.1"></a>
 83 | ## [v1.3.1] - 2018-02-16
 84 | 
 85 | 
 86 | 
 87 | <a name="v1.4.0"></a>
 88 | ## [v1.4.0] - 2018-02-16
 89 | 
 90 | - Fix deprecation warning ([#40](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/40))
 91 | 
 92 | ### 
 93 | 
 94 | * aws_iam_instance_profile.s3_readonly-allow_associateaddress: "roles": [DEPRECATED] Use `role` instead. Only a single role can be passed to an IAM Instance Profile
 95 | 
 96 | 
 97 | <a name="v1.3.0"></a>
 98 | ## [v1.3.0] - 2018-02-15
 99 | 
100 | - Fix deprecation warning ([#39](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/39))
101 | - fix for case with no s3 keys (set access via aws keypair) ([#37](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/37))
102 | 
103 | ### 
104 | 
105 | * aws_iam_instance_profile.s3_readonly: "roles": [DEPRECATED] Use `role` instead. Only a single role can be passed to an IAM Instance Profile
106 | 
107 | 
108 | <a name="v1.2.6"></a>
109 | ## [v1.2.6] - 2017-10-05
110 | 
111 | - Extra tags for the bastion host ([#36](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/36))
112 | 
113 | 
114 | <a name="v1.2.5"></a>
115 | ## [v1.2.5] - 2017-09-26
116 | 
117 | - Fixed wrong command in README
118 | - Fix typo ami_id => ami. ([#32](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/32))
119 | - Add possibility to disable detailed monitoring ([#31](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/31))
120 | 
121 | 
122 | <a name="v1.2.4"></a>
123 | ## [v1.2.4] - 2017-06-14
124 | 
125 | - Added possibility to specify allowed IPv6 CIDR blocks ([#30](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/30))
126 | 
127 | 
128 | <a name="v1.2.3"></a>
129 | ## [v1.2.3] - 2017-06-09
130 | 
131 | - Add the ability to allow access based on security group ID ([#29](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/29))
132 | 
133 | 
134 | <a name="v1.2.2"></a>
135 | ## [v1.2.2] - 2017-06-08
136 | 
137 | - Changelog
138 | - Adding allowed_cidr var ([#28](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/28))
139 | - Add associate address permission ([#27](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/27))
140 | - Fixed conditional check for selinuxenabled
141 | - adding a conditional check for selinuxenabled binary ([#23](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/23))
142 | - Update EIP association doc ([#18](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/18))
143 | - [re-]apply selinux labels to authorized_keys ([#17](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/17))
144 | - fix issue where aws binary not found in PATH for S3 sync cron job ([#14](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/14))
145 | - support setting a launch configuration key_name ([#13](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/13))
146 | - assorted example fixes ([#11](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/11))
147 | - fix user_data.sh on RHEL/Centos ([#12](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/12))
148 | - Option to use instance public IP (not EIP) ([#10](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/10))
149 | - Remove StrictHostKey checking ([#9](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/9))
150 | - Added enabled_metrics to auto-scalling group
151 | 
152 | ### 
153 | 
154 | User ubuntu
155 | 
156 | ProxyCommand ssh -o 'ForwardAgent yes' ubuntu[@bastion](https://github.com/bastion).example.com 'ssh-add && nc %h %p'
157 | ```
158 | 
159 | * Update user_data.sh
160 | 
161 | * moving stricthostkey checking disable into script
162 | 
163 | * moving outside of update_ssh_authorized_keys and added perms
164 | 
165 | 
166 | <a name="v1.2.1"></a>
167 | ## [v1.2.1] - 2016-08-16
168 | 
169 | - Updated readme with example
170 | - Updated changelog
171 | - Updated changelog
172 | - Support lists natively
173 | 
174 | 
175 | <a name="v1.2.0"></a>
176 | ## [v1.2.0] - 2016-08-08
177 | 
178 | - Use datatype for termplate_file and minor update for compact security_groups ([#7](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/7))
179 | 
180 | 
181 | <a name="v1.1.1"></a>
182 | ## [v1.1.1] - 2016-05-10
183 | 
184 | - Updated changelog
185 | - Ensure each key is on a newline ([#6](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/6))
186 | - Allows specifying security group ids to be added to the bastion box(es)
187 | 
188 | 
189 | <a name="v1.1.0"></a>
190 | ## [v1.1.0] - 2016-04-06
191 | 
192 | - Added CHANGELOG.md
193 | - Merge pull request [#4](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/4) from terraform-community-modules/bastion_asg
194 | - Use autoscaling group for bastion host
195 | 
196 | 
197 | <a name="v1.0.1"></a>
198 | ## [v1.0.1] - 2016-03-31
199 | 
200 | - Merge pull request [#3](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/3) from bnordbo/master
201 | - Documentation fixes
202 | - Allow using S3 URI too
203 | - Fix inverted logic
204 | - Allow key update frequency to be customized
205 | 
206 | 
207 | <a name="v1.0.0"></a>
208 | ## v1.0.0 - 2016-01-12
209 | 
210 | - Merge pull request [#2](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/2) from terraform-community-modules/dynamic_keys_update
211 | - Add crontab setup and support for additional user data script
212 | - Merge pull request [#1](https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/issues/1) from blotto/nn_cat_keys
213 | - append keys, do not overwrite.
214 | - Corrected link to source in README.md
215 | - Migrated bastion module to separate repository
216 | - Initial commit
217 | 
218 | 
219 | [Unreleased]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v2.1.0...HEAD
220 | [v2.1.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v2.0.0...v2.1.0
221 | [v2.0.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.10.1...v2.0.0
222 | [v1.10.1]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.10.0...v1.10.1
223 | [v1.10.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.9.0...v1.10.0
224 | [v1.9.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.8.1...v1.9.0
225 | [v1.8.1]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.8.0...v1.8.1
226 | [v1.8.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.7.0...v1.8.0
227 | [v1.7.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.6.0...v1.7.0
228 | [v1.6.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.5.0...v1.6.0
229 | [v1.5.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.3.1...v1.5.0
230 | [v1.3.1]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.4.0...v1.3.1
231 | [v1.4.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.3.0...v1.4.0
232 | [v1.3.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.6...v1.3.0
233 | [v1.2.6]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.5...v1.2.6
234 | [v1.2.5]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.4...v1.2.5
235 | [v1.2.4]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.3...v1.2.4
236 | [v1.2.3]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.2...v1.2.3
237 | [v1.2.2]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.1...v1.2.2
238 | [v1.2.1]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.2.0...v1.2.1
239 | [v1.2.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.1.1...v1.2.0
240 | [v1.1.1]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.1.0...v1.1.1
241 | [v1.1.0]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.0.1...v1.1.0
242 | [v1.0.1]: https://github.com/terraform-community-modules/tf_aws_bastion_s3_keys/compare/v1.0.0...v1.0.1
243 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
1 | .PHONY: changelog release
2 | 
3 | changelog:
4 | 	git-chglog -o CHANGELOG.md --next-tag `semtag final -s minor -o`
5 | 
6 | release:
7 | 	semtag final -s minor
8 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # tf_aws_bastion_s3_keys
  2 | 
  3 | A Terraform module for creating resilient bastion host using auto-scaling group (min=max=desired=1) and populate its `~/.ssh/authorized_keys` with public keys fetched from S3 bucket.
  4 | 
  5 | This module can append public keys, setup cron to update them and run additional commands at the end of setup. Note that if it is set up to update the keys, removing a key from the bucket will also remove it from the bastion host.
  6 | 
  7 | Only SSH access is allowed to the bastion host.
  8 | 
  9 | ## Input variables:
 10 | 
 11 |   * `name` - Name (default, `bastion`)
 12 |   * `instance_type` - Instance type (default, `t2.micro`)
 13 |   * `ami` - AMI ID of Ubuntu (see `samples/ami.tf`)
 14 |   * `region` - Region (default, `eu-west-1`)
 15 |   * `iam_instance_profile` - IAM instance profile which is allowed to access S3 bucket (see `samples/iam_s3_readonly.tf`)
 16 |   * `enable_monitoring` - Whether to enable detailed monitoring (default, `true`)
 17 |   * `s3_bucket_name` - S3 bucket name which contains public keys (see `samples/s3_ssh_public_keys.tf`)
 18 |   * `s3_bucket_uri `– S3 URI which contains the public keys. If specified, `s3_bucket_name` will be ignored
 19 |   * `vpc_id` - VPC where bastion host should be created
 20 |   * `subnet_ids` - List of subnet IDs where auto-scaling should create instances
 21 |   * `keys_update_frequency` - How often to update keys. A cron timespec or an empty string to turn off (default)
 22 |   * `additional_user_data_script` - Additional user-data script to run at the end
 23 |   * `user_data_file` - Override whold user-data script to add some custom security policies or to add support for OS you prefer. If not specified (by default) standard script will be used.
 24 |   * `associate_public_ip_address` - Whether to auto-assign public IP to the instance (by default - `false`)
 25 |   * `eip` - EIP to put into EC2 tag (can be used with scripts like https://github.com/skymill/aws-ec2-assign-elastic-ip, default - empty value)
 26 |   * `key_name` - Launch configuration key name to be applied to created instance(s).
 27 |   * `allowed_cidr` - A list of CIDR Networks to allow ssh access to. Defaults to "0.0.0.0/0"
 28 |   * `allowed_ipv6_cidr` - A list of IPv6 CIDR Networks to allow ssh access to. Defaults to "::/0"
 29 |   * `allowed_security_groups` - A list of Security Group ID's to allow access to the bastion host (useful if bastion is deployed internally) Defaults to empty list
 30 |   * `extra_tags` - Optional a list of Key/Values Tags to be associated to the bastion host (see [Interpolated Tags](https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html)) 
 31 | 
 32 | ## Outputs:
 33 | 
 34 |   * ssh_user - SSH user to login to bastion
 35 |   * security_group_id - ID of the security group the bastion host is launched in.
 36 | 
 37 | ## Terraform versions
 38 | 
 39 | For Terraform 0.12, use the version from master:
 40 | 
 41 |     source  = "github.com/terraform-community-modules/tf_aws_bastion_s3_keys"
 42 | 
 43 | For Terraform 0.11, pin the module version to match `v1.*`. For e.g.:
 44 | 
 45 |     source  = "github.com/terraform-community-modules/tf_aws_bastion_s3_keys?ref=v1.10.0"
 46 | 
 47 | ## Example
 48 | 
 49 | Basic example - In your terraform code add something like this:
 50 | 
 51 | ```hcl
 52 | module "bastion" {
 53 |   source                      = "github.com/terraform-community-modules/tf_aws_bastion_s3_keys"
 54 |   instance_type               = "t2.micro"
 55 |   ami                         = "ami-123456"
 56 |   region                      = "eu-west-1"
 57 |   iam_instance_profile        = "s3_readonly"
 58 |   s3_bucket_name              = "public-keys-demo-bucket"
 59 |   vpc_id                      = "vpc-123456"
 60 |   subnet_ids                  = ["subnet-123456", "subnet-6789123", "subnet-321321"]
 61 |   keys_update_frequency       = "5,20,35,50 * * * *"
 62 |   additional_user_data_script = "date"
 63 | }
 64 | ```
 65 | 
 66 | If you want to assign EIP to instance launched by an auto-scaling group you can provide the desired `eip` as module input and then execute `additional_user_data_script` which sets EIP. This way you can use Route53 with EIP, which will always point to existing bastion instance. You will also need to add `ec2:AssociateAddress` permission to `iam_instance_profile` (see `samples/iam_allow_associateaddress.tf`):
 67 | 
 68 | ```hcl
 69 | module "bastion" {
 70 |   // see above
 71 |   eip = "${aws_eip.bastion.public_ip}"
 72 |   iam_instance_profile        = "s3_readonly-allow_associateaddress"
 73 |   additional_user_data_script = <<EOF
 74 | REGION=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | grep region | awk -F\" '{print $4}')
 75 | INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
 76 | aws ec2 associate-address --region $REGION --instance-id $INSTANCE_ID --allocation-id ${aws_eip.bastion.id}
 77 | EOF
 78 | }
 79 | 
 80 | resource "aws_eip" "bastion" {
 81 |   vpc = true
 82 | }
 83 | 
 84 | resource "aws_route53_record" "bastion" {
 85 |   zone_id = "..."
 86 |   name    = "bastion.example.com"
 87 |   type    = "A"
 88 |   ttl     = "3600"
 89 |   records = [aws_eip.bastion.public_ip]
 90 | }
 91 | ```
 92 | 
 93 | After you run `terraform apply` you should be able to login to your bastion host like:
 94 | 
 95 | ```
 96 | $ ssh ${module.bastion.ssh_user}@${aws_eip.bastion.public_ip}
 97 | ```
 98 | 
 99 | or even like this:
100 | 
101 | ```
102 | $ ssh ubuntu@bastion.example.com
103 | ```
104 | 
105 | PS: In some cases you may consider adding flag `-A` to ssh command to enable forwarding of the authentication agent connection.
106 | 
107 | <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
108 | ## Inputs
109 | 
110 | | Name | Description | Type | Default | Required |
111 | |------|-------------|:----:|:-----:|:-----:|
112 | | additional\_user\_data\_script |  | string | `""` | no |
113 | | allowed\_cidr | A list of CIDR Networks to allow ssh access to. | list(string) | `[ "0.0.0.0/0" ]` | no |
114 | | allowed\_ipv6\_cidr | A list of IPv6 CIDR Networks to allow ssh access to. | list(string) | `[ "::/0" ]` | no |
115 | | allowed\_security\_groups | A list of Security Group ID's to allow access to. | list(string) | `[]` | no |
116 | | ami |  | string | n/a | yes |
117 | | apply\_changes\_immediately | Whether to apply the changes at once and recreate auto-scaling group | string | `"false"` | no |
118 | | associate\_public\_ip\_address |  | string | `"false"` | no |
119 | | eip |  | string | `""` | no |
120 | | enable\_hourly\_cron\_updates |  | string | `"false"` | no |
121 | | enable\_monitoring |  | string | `"true"` | no |
122 | | extra\_tags | A list of tags to associate to the bastion instance. | object | `[]` | no |
123 | | iam\_instance\_profile |  | string | n/a | yes |
124 | | instance\_type |  | string | `"t2.micro"` | no |
125 | | instance\_volume\_size\_gb | The root volume size, in gigabytes | string | `"8"` | no |
126 | | key\_name |  | string | `""` | no |
127 | | keys\_update\_frequency |  | string | `""` | no |
128 | | name |  | string | `"bastion"` | no |
129 | | region |  | string | `"eu-west-1"` | no |
130 | | s3\_bucket\_name |  | string | n/a | yes |
131 | | s3\_bucket\_uri |  | string | `""` | no |
132 | | security\_group\_ids | Comma seperated list of security groups to apply to the bastion. | string | `""` | no |
133 | | ssh\_user |  | string | `"ubuntu"` | no |
134 | | subnet\_ids | A list of subnet ids | list | `[]` | no |
135 | | user\_data\_file |  | string | `"user_data.sh"` | no |
136 | | vpc\_id |  | string | n/a | yes |
137 | 
138 | ## Outputs
139 | 
140 | | Name | Description |
141 | |------|-------------|
142 | | asg\_id |  |
143 | | security\_group\_id |  |
144 | | ssh\_user |  |
145 | 
146 | <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
147 | 
148 | 
149 | ## Authors
150 | 
151 | Created and maintained by [Anton Babenko](https://github.com/antonbabenko).
152 | 
153 | # License
154 | 
155 | Apache 2 Licensed. See LICENSE for full details.
156 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | resource "aws_security_group" "bastion" {
  2 |   name        = var.name
  3 |   vpc_id      = var.vpc_id
  4 |   description = "Bastion security group (only SSH inbound access is allowed)"
  5 | 
  6 |   tags = {
  7 |     Name = var.name
  8 |   }
  9 | }
 10 | 
 11 | resource "aws_security_group_rule" "ssh_ingress" {
 12 |   type              = "ingress"
 13 |   from_port         = "22"
 14 |   to_port           = "22"
 15 |   protocol          = "tcp"
 16 |   cidr_blocks       = var.allowed_cidr
 17 |   ipv6_cidr_blocks  = var.allowed_ipv6_cidr
 18 |   security_group_id = aws_security_group.bastion.id
 19 | }
 20 | 
 21 | resource "aws_security_group_rule" "ssh_sg_ingress" {
 22 |   count                    = length(var.allowed_security_groups)
 23 |   type                     = "ingress"
 24 |   from_port                = "22"
 25 |   to_port                  = "22"
 26 |   protocol                 = "tcp"
 27 |   source_security_group_id = element(var.allowed_security_groups, count.index)
 28 |   security_group_id        = aws_security_group.bastion.id
 29 | }
 30 | 
 31 | resource "aws_security_group_rule" "bastion_all_egress" {
 32 |   type      = "egress"
 33 |   from_port = "0"
 34 |   to_port   = "65535"
 35 |   protocol  = "all"
 36 | 
 37 |   cidr_blocks = [
 38 |     "0.0.0.0/0",
 39 |   ]
 40 | 
 41 |   ipv6_cidr_blocks = [
 42 |     "::/0",
 43 |   ]
 44 | 
 45 |   security_group_id = aws_security_group.bastion.id
 46 | }
 47 | 
 48 | data "template_file" "user_data" {
 49 |   template = var.user_data_file != "" ? var.user_data_file : file("${path.module}/user_data.sh")
 50 | 
 51 |   vars = {
 52 |     s3_bucket_name              = var.s3_bucket_name
 53 |     s3_bucket_uri               = var.s3_bucket_uri
 54 |     ssh_user                    = var.ssh_user
 55 |     keys_update_frequency       = var.keys_update_frequency
 56 |     enable_hourly_cron_updates  = var.enable_hourly_cron_updates
 57 |     additional_user_data_script = var.additional_user_data_script
 58 |   }
 59 | }
 60 | 
 61 | //resource "aws_instance" "bastion" {
 62 | //  ami                    = "${var.ami}"
 63 | //  instance_type          = "${var.instance_type}"
 64 | //  iam_instance_profile   = "${var.iam_instance_profile}"
 65 | //  subnet_id              = "${var.subnet_id}"
 66 | //  vpc_security_group_ids = ["${aws_security_group.bastion.id}"]
 67 | //  user_data              = "${template_file.user_data.rendered}"
 68 | //
 69 | //  count                  = 1
 70 | //
 71 | //  tags {
 72 | //    Name = "${var.name}"
 73 | //  }
 74 | //}
 75 | 
 76 | resource "aws_launch_configuration" "bastion" {
 77 |   name_prefix       = "${var.name}-"
 78 |   image_id          = var.ami
 79 |   instance_type     = var.instance_type
 80 |   user_data         = data.template_file.user_data.rendered
 81 |   enable_monitoring = var.enable_monitoring
 82 | 
 83 |   security_groups = compact(
 84 |     concat(
 85 |       [aws_security_group.bastion.id],
 86 |       split(",", var.security_group_ids),
 87 |     ),
 88 |   )
 89 | 
 90 |   root_block_device {
 91 |     volume_size = var.instance_volume_size_gb
 92 |   }
 93 | 
 94 |   iam_instance_profile        = var.iam_instance_profile
 95 |   associate_public_ip_address = var.associate_public_ip_address
 96 |   key_name                    = var.key_name
 97 | 
 98 |   lifecycle {
 99 |     create_before_destroy = true
100 |   }
101 | }
102 | 
103 | resource "aws_autoscaling_group" "bastion" {
104 |   name = var.apply_changes_immediately ? aws_launch_configuration.bastion.name : var.name
105 | 
106 |   vpc_zone_identifier = var.subnet_ids
107 | 
108 |   desired_capacity          = "1"
109 |   min_size                  = "1"
110 |   max_size                  = "1"
111 |   health_check_grace_period = "60"
112 |   health_check_type         = "EC2"
113 |   force_delete              = false
114 |   wait_for_capacity_timeout = 0
115 |   launch_configuration      = aws_launch_configuration.bastion.name
116 | 
117 |   enabled_metrics = [
118 |     "GroupMinSize",
119 |     "GroupMaxSize",
120 |     "GroupDesiredCapacity",
121 |     "GroupInServiceInstances",
122 |     "GroupPendingInstances",
123 |     "GroupStandbyInstances",
124 |     "GroupTerminatingInstances",
125 |     "GroupTotalInstances",
126 |   ]
127 | 
128 |   tags = concat(
129 |     [
130 |       {
131 |         "key"                 = "Name"
132 |         "value"               = var.name
133 |         "propagate_at_launch" = true
134 |       },
135 |       {
136 |         "key"                 = "EIP"
137 |         "value"               = var.eip
138 |         "propagate_at_launch" = true
139 |       },
140 |     ],
141 |     var.extra_tags,
142 |   )
143 | 
144 |   lifecycle {
145 |     create_before_destroy = true
146 |   }
147 | }
148 | 
149 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "ssh_user" {
 2 |   value = var.ssh_user
 3 | }
 4 | 
 5 | output "security_group_id" {
 6 |   value = aws_security_group.bastion.id
 7 | }
 8 | 
 9 | output "asg_id" {
10 |   value = aws_autoscaling_group.bastion.id
11 | }
12 | 
13 | 


--------------------------------------------------------------------------------
/samples/add_available_ssh_hosts_to_motd.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # This script will update motd and list available instances to login
 4 | # Script is far from perfect, so please consider improving it and send pull-request.
 5 | 
 6 | cat <<"INSTANCES_SCRIPT" > /etc/update-motd.d/60-update-list-of-running-instances
 7 | #!/bin/bash
 8 | 
 9 | aws configure set region eu-west-1
10 | 
11 | echo ""
12 | echo ""
13 | echo "Current instances grouped by AutoScaling Groups:"
14 | 
15 | # get all ASG
16 | for asg in `aws autoscaling describe-auto-scaling-groups --output text  --query 'AutoScalingGroups[*].AutoScalingGroupName'`; do
17 | echo ""
18 | echo "Autoscaling group name: $asg"
19 | 
20 | # get all instances in ASG
21 | for ip in `aws ec2 describe-instances --filters Name=tag-key,Values='aws:autoscaling:groupName' Name=tag-value,Values=$asg --output text --query 'Reservations[*].Instances[*].[PrivateIpAddress]'`; do
22 |   echo $ip
23 | done
24 | 
25 | echo ""
26 | echo "========================================================================="
27 | 
28 | done
29 | 
30 | echo ""
31 | echo "Log on to the boxes with: ssh <IP address>"
32 | echo ""
33 | INSTANCES_SCRIPT
34 | 
35 | chmod +x /etc/update-motd.d/60-update-list-of-running-instances
36 | 


--------------------------------------------------------------------------------
/samples/ami.tf:
--------------------------------------------------------------------------------
1 | # This is just a sample definition for bastion AMI
2 | module "bastion_ami" {
3 |   source        = "github.com/terraform-community-modules/tf_aws_ubuntu_ami/ebs"
4 |   instance_type = "t2.micro"
5 |   region        = "eu-west-1"
6 |   distribution  = "trusty"
7 | }
8 | 


--------------------------------------------------------------------------------
/samples/iam_allow_associateaddress.tf:
--------------------------------------------------------------------------------
 1 | # This is just a sample definition of IAM instance profile which is allowed to read-only from S3, and associate ElasticIP addresses.
 2 | resource "aws_iam_instance_profile" "s3_readonly-allow_associateaddress" {
 3 |   name = "s3_readonly-allow_associateaddress"
 4 |   role = "${aws_iam_role.s3_readonly-allow_associateaddress.name}"
 5 | }
 6 | 
 7 | resource "aws_iam_role" "s3_readonly-allow_associateaddress" {
 8 |   name = "s3_readonly-allow_associateaddress-role"
 9 |   path = "/"
10 | 
11 |   assume_role_policy = <<EOF
12 | {
13 |   "Version": "2012-10-17",
14 |   "Statement": [
15 |     {
16 |       "Sid": "",
17 |       "Effect": "Allow",
18 |       "Principal": {
19 |         "Service": "ec2.amazonaws.com"
20 |       },
21 |       "Action": "sts:AssumeRole"
22 |     }
23 |   ]
24 | }
25 | EOF
26 | }
27 | 
28 | resource "aws_iam_role_policy" "s3_readonly-allow_associateaddress_policy" {
29 |   name = "s3_readonly-allow_associateaddress-policy"
30 |   role = "${aws_iam_role.s3_readonly-allow_associateaddress.id}"
31 | 
32 |   policy = <<EOF
33 | {
34 |     "Version": "2012-10-17",
35 |     "Statement": [
36 |         {
37 |             "Sid": "Stmt1425916919000",
38 |             "Effect": "Allow",
39 |             "Action": [
40 |                 "ec2:AssociateAddress",
41 |                 "s3:List*",
42 |                 "s3:Get*"
43 |             ],
44 |             "Resource": "*"
45 |         }
46 |     ]
47 | }
48 | EOF
49 | }
50 | 


--------------------------------------------------------------------------------
/samples/iam_s3_readonly.tf:
--------------------------------------------------------------------------------
 1 | # This is just a sample definition of IAM instance profile which is allowed to read-only from S3.
 2 | resource "aws_iam_instance_profile" "s3_readonly" {
 3 |   name = "s3_readonly"
 4 |   role = "${aws_iam_role.s3_readonly.name}"
 5 | }
 6 | 
 7 | resource "aws_iam_role" "s3_readonly" {
 8 |   name = "s3_readonly"
 9 |   path = "/"
10 | 
11 |   assume_role_policy = <<EOF
12 | {
13 |   "Version": "2012-10-17",
14 |   "Statement": [
15 |     {
16 |       "Sid": "",
17 |       "Effect": "Allow",
18 |       "Principal": {
19 |         "Service": "ec2.amazonaws.com"
20 |       },
21 |       "Action": "sts:AssumeRole"
22 |     }
23 |   ]
24 | }
25 | EOF
26 | }
27 | 
28 | resource "aws_iam_role_policy" "s3_readonly_policy" {
29 |   name = "s3_readonly-policy"
30 |   role = "${aws_iam_role.s3_readonly.id}"
31 | 
32 |   policy = <<EOF
33 | {
34 |     "Version": "2012-10-17",
35 |     "Statement": [
36 |         {
37 |             "Sid": "Stmt1425916919000",
38 |             "Effect": "Allow",
39 |             "Action": [
40 |                 "s3:List*",
41 |                 "s3:Get*"
42 |             ],
43 |             "Resource": "*"
44 |         }
45 |     ]
46 | }
47 | EOF
48 | }
49 | 


--------------------------------------------------------------------------------
/samples/s3_ssh_public_keys.tf:
--------------------------------------------------------------------------------
 1 | # This is an example of how to put public keys into S3 bucket and manage them in Terraform
 2 | variable "ssh_public_key_names" {
 3 |   default = ["user1", "user2", "admin"]
 4 |   type    = list(string)
 5 | }
 6 | 
 7 | resource "aws_s3_bucket" "ssh_public_keys" {
 8 |   region = "eu-west-1"
 9 |   bucket = "public-keys-demo-bucket"
10 |   acl    = "private"
11 | 
12 |   policy = <<EOF
13 | {
14 | 	"Version": "2008-10-17",
15 | 	"Id": "Policy142469412148",
16 | 	"Statement": [
17 | 		{
18 | 			"Sid": "Stmt1424694110324",
19 | 			"Effect": "Allow",
20 | 			"Principal": {
21 | 				"AWS": "arn:aws:iam::123456789012:root"
22 | 			},
23 | 			"Action": [
24 | 				"s3:List*",
25 | 				"s3:Get*"
26 | 			],
27 | 			"Resource": "arn:aws:s3:::public-keys-demo-bucket"
28 | 		}
29 | 	]
30 | }
31 | EOF
32 | }
33 | 
34 | resource "aws_s3_bucket_object" "ssh_public_keys" {
35 |   count = length(var.ssh_public_key_names)
36 | 
37 |   bucket = aws_s3_bucket.ssh_public_keys.bucket
38 |   key    = "${element(var.ssh_public_key_names, count.index)}.pub"
39 | 
40 |   # Make sure that you put files into correct location and name them accordingly (`public_keys/{keyname}.pub`)
41 |   source = "public_keys/${element(var.ssh_public_key_names, count.index)}.pub"
42 | 
43 |   depends_on = [aws_s3_bucket.ssh_public_keys]
44 | }
45 | 


--------------------------------------------------------------------------------
/user_data.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | 
 3 | ##############
 4 | # Install deps
 5 | ##############
 6 | 
 7 | # Apt based distro
 8 | if command -v apt-get &>/dev/null; then
 9 |   apt-get update
10 |   apt-get install python-pip jq -y
11 | 
12 | # Yum based distro
13 | elif command -v yum &>/dev/null; then
14 |   yum update -y
15 |   # epel provides python-pip & jq
16 |   yum install -y epel-release
17 |   yum install python-pip jq -y
18 | fi
19 | 
20 | #####################
21 | 
22 | pip install --upgrade awscli
23 | 
24 | ##############
25 | 
26 | cat <<"EOF" > /home/${ssh_user}/update_ssh_authorized_keys.sh
27 | #!/usr/bin/env bash
28 | 
29 | set -e
30 | 
31 | BUCKET_NAME=${s3_bucket_name}
32 | BUCKET_URI=${s3_bucket_uri}
33 | SSH_USER=${ssh_user}
34 | MARKER="# KEYS_BELOW_WILL_BE_UPDATED_BY_TERRAFORM"
35 | KEYS_FILE=/home/$SSH_USER/.ssh/authorized_keys
36 | TEMP_KEYS_FILE=$(mktemp /tmp/authorized_keys.XXXXXX)
37 | PUB_KEYS_DIR=/home/$SSH_USER/pub_key_files/
38 | PATH=/usr/local/bin:$PATH
39 | 
40 | [[ -z $BUCKET_URI ]] && BUCKET_URI="s3://$BUCKET_NAME/"
41 | 
42 | mkdir -p $PUB_KEYS_DIR
43 | 
44 | # Add marker, if not present, and copy static content.
45 | grep -Fxq "$MARKER" $KEYS_FILE || echo -e "\n$MARKER" >> $KEYS_FILE
46 | line=$(grep -n "$MARKER" $KEYS_FILE | cut -d ":" -f 1)
47 | head -n $line $KEYS_FILE > $TEMP_KEYS_FILE
48 | 
49 | # Synchronize the keys from the bucket.
50 | aws s3 sync --delete --exact-timestamps $BUCKET_URI $PUB_KEYS_DIR
51 | for filename in $PUB_KEYS_DIR/*; do
52 |     [ -f "$filename" ] || continue
53 |     sed 's/\n\?$/\n/' < $filename >> $TEMP_KEYS_FILE
54 | done
55 | 
56 | # Move the new authorized keys in place.
57 | chown $SSH_USER:$SSH_USER $KEYS_FILE
58 | chmod 600 $KEYS_FILE
59 | mv $TEMP_KEYS_FILE $KEYS_FILE
60 | if [[ $(command -v "selinuxenabled") ]]; then
61 |     restorecon -R -v $KEYS_FILE
62 | fi
63 | EOF
64 | 
65 | cat <<"EOF" > /home/${ssh_user}/.ssh/config
66 | Host *
67 |     StrictHostKeyChecking no
68 | EOF
69 | chmod 600 /home/${ssh_user}/.ssh/config
70 | chown ${ssh_user}:${ssh_user} /home/${ssh_user}/.ssh/config
71 | 
72 | chown ${ssh_user}:${ssh_user} /home/${ssh_user}/update_ssh_authorized_keys.sh
73 | chmod 755 /home/${ssh_user}/update_ssh_authorized_keys.sh
74 | 
75 | # Execute now
76 | su ${ssh_user} -c /home/${ssh_user}/update_ssh_authorized_keys.sh
77 | 
78 | # Be backwards compatible with old cron update enabler
79 | if [ "${enable_hourly_cron_updates}" = 'true' -a -z "${keys_update_frequency}" ]; then
80 |   keys_update_frequency="0 * * * *"
81 | else
82 |   keys_update_frequency="${keys_update_frequency}"
83 | fi
84 | 
85 | # Add to cron
86 | if [ -n "$keys_update_frequency" ]; then
87 |   croncmd="/home/${ssh_user}/update_ssh_authorized_keys.sh"
88 |   cronjob="$keys_update_frequency $croncmd"
89 |   ( crontab -u ${ssh_user} -l | grep -v "$croncmd" ; echo "$cronjob" ) | crontab -u ${ssh_user} -
90 | fi
91 | 
92 | # Append addition user-data script
93 | ${additional_user_data_script}
94 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "allowed_cidr" {
  2 |   type = list(string)
  3 | 
  4 |   default = [
  5 |     "0.0.0.0/0",
  6 |   ]
  7 | 
  8 |   description = "A list of CIDR Networks to allow ssh access to."
  9 | }
 10 | 
 11 | variable "allowed_ipv6_cidr" {
 12 |   type = list(string)
 13 | 
 14 |   default = [
 15 |     "::/0",
 16 |   ]
 17 | 
 18 |   description = "A list of IPv6 CIDR Networks to allow ssh access to."
 19 | }
 20 | 
 21 | variable "allowed_security_groups" {
 22 |   type        = list(string)
 23 |   default     = []
 24 |   description = "A list of Security Group ID's to allow access to."
 25 | }
 26 | 
 27 | variable "name" {
 28 |   default = "bastion"
 29 | }
 30 | 
 31 | variable "extra_tags" {
 32 |   type        = list(object({ key = string, value = string, propagate_at_launch = bool }))
 33 |   default     = []
 34 |   description = "A list of tags to associate to the bastion instance."
 35 | }
 36 | 
 37 | variable "ami" {
 38 | }
 39 | 
 40 | variable "instance_type" {
 41 |   default = "t2.micro"
 42 | }
 43 | 
 44 | variable "instance_volume_size_gb" {
 45 |   description = "The root volume size, in gigabytes"
 46 |   default     = "8"
 47 | }
 48 | 
 49 | variable "iam_instance_profile" {
 50 | }
 51 | 
 52 | variable "user_data_file" {
 53 |   description = "Contents of user data file to be processed"
 54 |   default     = ""
 55 | }
 56 | 
 57 | variable "s3_bucket_name" {
 58 | }
 59 | 
 60 | variable "s3_bucket_uri" {
 61 |   default = ""
 62 | }
 63 | 
 64 | variable "enable_monitoring" {
 65 |   default = true
 66 | }
 67 | 
 68 | variable "ssh_user" {
 69 |   default = "ubuntu"
 70 | }
 71 | 
 72 | variable "enable_hourly_cron_updates" {
 73 |   default = "false"
 74 | }
 75 | 
 76 | variable "keys_update_frequency" {
 77 |   default = ""
 78 | }
 79 | 
 80 | variable "additional_user_data_script" {
 81 |   default = ""
 82 | }
 83 | 
 84 | variable "region" {
 85 |   default = "eu-west-1"
 86 | }
 87 | 
 88 | variable "vpc_id" {
 89 | }
 90 | 
 91 | variable "security_group_ids" {
 92 |   description = "Comma seperated list of security groups to apply to the bastion."
 93 |   default     = ""
 94 | }
 95 | 
 96 | variable "subnet_ids" {
 97 |   default     = []
 98 |   description = "A list of subnet ids"
 99 | }
100 | 
101 | variable "eip" {
102 |   default = ""
103 | }
104 | 
105 | variable "associate_public_ip_address" {
106 |   default = false
107 | }
108 | 
109 | variable "key_name" {
110 |   default = ""
111 | }
112 | 
113 | variable "apply_changes_immediately" {
114 |   description = "Whether to apply the changes at once and recreate auto-scaling group"
115 |   default     = false
116 | }
117 | 
118 | 


--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | 
2 | terraform {
3 |   required_version = ">= 0.12"
4 | }
5 | 


--------------------------------------------------------------------------------