## # Create a bastion host to allow SSH in to the test network. # Connections are only allowed from ${var.allowed_network} # This box also acts as a NAT for the private network ## resource "aws_security_group" "bastion" { name = "bastion" description = "Allow access from allowed_network to SSH/Consul, and NAT internal traffic" vpc_id = "${aws_vpc.test.id}" # SSH ingress = { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = [ "${var.allowed_network}" ] self = false } # Consul ingress = { from_port = 8500 to_port = 8500 protocol = "tcp" cidr_blocks = [ "${var.allowed_network}" ] self = false } # NAT ingress { from_port = 0 to_port = 65535 protocol = "tcp" cidr_blocks = [ "${aws_subnet.public.cidr_block}", "${aws_subnet.private.cidr_block}" ] self = false } } resource "aws_security_group" "allow_bastion" { name = "allow_bastion_ssh" description = "Allow access from bastion host" vpc_id = "${aws_vpc.test.id}" ingress { from_port = 0 to_port = 65535 protocol = "tcp" security_groups = ["${aws_security_group.bastion.id}"] self = false } } resource "aws_instance" "bastion" { connection { user = "ec2-user" key_file = "${var.key_path}" } ami = "${lookup(var.amazon_nat_amis, var.region)}" instance_type = "t2.micro" key_name = "${var.key_name}" security_groups = [ "${aws_security_group.bastion.id}" ] subnet_id = "${aws_subnet.dmz.id}" associate_public_ip_address = true source_dest_check = false user_data = "${file("files/bastion/cloud-init.txt")}" tags = { Name = "bastion" subnet = "dmz" role = "bastion" environment = "test" } } output "bastion" { value = "${aws_instance.bastion.public_ip}" }