Merge pull request #73 from masterpointio/add-bastion-ami-var

Adds ability to pass Bastion AMI + Adds `allow_ssh_commands` variable

Author: Guimove

README.md

@@ -59,9 +59,11 @@ module "bastion" {
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | auto_scaling_group_subnets | List of subnet were the Auto Scalling Group will deploy the instances | list | - | yes |
-| bastion_amis |  | map | `<map>` | no |
+| allow_ssh_commands | Allows the SSH user to execute one-off commands. Pass 'True' to enable. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion. | string | "" | no |
 | bastion_host_key_pair | Select the key pair to use to launch the bastion host | string | - | yes |
 | bastion_instance_count | Count of bastion instance created on VPC | string | `1` | no |
+| bastion_launch_configuration_name | Bastion Launch configuration Name, will also be used for the ASG | string | `lc` | no |
+| bastion_ami | The AMI that the Bastion Host will use. If not supplied, the latest Amazon2 AMI will be used. | string | `` | no |
 | bastion_record_name | DNS record name to use for the bastion | string | `` | no |
 | bucket_name | Bucket name were the bastion will store the logs | string | - | yes |
 | bucket_force_destroy | On destroy, bucket and all objects should be destroyed when using true | string | false | no |

main.tf

@@ -5,6 +5,7 @@ data "template_file" "user_data" {
     aws_region              = var.region
     bucket_name             = var.bucket_name
     extra_user_data_content = var.extra_user_data_content
+    allow_ssh_commands      = var.allow_ssh_commands
   }
 }
 
@@ -238,7 +239,7 @@ resource "aws_iam_instance_profile" "bastion_host_profile" {
 
 resource "aws_launch_template" "bastion_launch_template" {
   name_prefix   = local.name_prefix
-  image_id      = data.aws_ami.amazon-linux-2.id
+  image_id      = var.bastion_ami != "" ? var.bastion_ami : data.aws_ami.amazon-linux-2.id
   instance_type = "t3.nano"
   monitoring {
     enabled = true
@@ -303,4 +304,3 @@ resource "aws_autoscaling_group" "bastion_auto_scaling_group" {
     create_before_destroy = true
   }
 }
-

user_data.sh

@@ -45,12 +45,16 @@ if [[ -z $SSH_ORIGINAL_COMMAND ]]; then
 
 else
 
-  # The "script" program could be circumvented with some commands (e.g. bash, nc).
-  # Therefore, I intentionally prevent users from supplying commands.
-
-  echo "This bastion supports interactive sessions only. Do not supply a command"
-  exit 1
-
+  # If the module consumer wants to allow remote commands (for ansible or other) then allow that command through.
+  if [ "${allow_ssh_commands}" == "True" ]; then
+    exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"
+  else
+    # The "script" program could be circumvented with some commands (e.g. bash, nc).
+    # Therefore, I intentionally prevent users from supplying commands.
+
+    echo "This bastion supports interactive sessions only. Do not supply a command"
+    exit 1
+  fi
 fi
 
 EOF

variables.tf

@@ -57,6 +57,12 @@ variable "bastion_launch_template_name" {
   default     = "lt"
 }
 
+variable "bastion_ami" {
+  type        = string
+  description = "The AMI that the Bastion Host will use."
+  default     = ""
+}
+
 variable "elb_subnets" {
   type        = list(string)
   description = "List of subnet were the ELB will be deployed"
@@ -111,6 +117,12 @@ variable "private_ssh_port" {
 
 variable "extra_user_data_content" {
   description = "Additional scripting to pass to the bastion host. For example, this can include installing postgresql for the `psql` command."
-  type = string
-  default = ""
+  type        = string
+  default     = ""
+}
+
+variable "allow_ssh_commands" {
+  description = "Allows the SSH user to execute one-off commands. Pass 'True' to enable. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion."
+  type        = string
+  default     = ""
 }