
Commit 6f36e26

authored
Merge pull request #73 from masterpointio/add-bastion-ami-var
Adds ability to pass Bastion AMI + Adds `allow_ssh_commands` variable
2 parents e639412 + c690053 commit 6f36e26


4 files changed

+29
-11
lines changed


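--- a/README.md
+++ b/README.md
@@ -59,9 +59,11 @@ module "bastion" {
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
 | auto_scaling_group_subnets | List of subnet were the Auto Scalling Group will deploy the instances | list | - | yes |
-| bastion_amis | | map | `<map>` | no |
+| allow_ssh_commands | Allows the SSH user to execute one-off commands. Pass 'True' to enable. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion. | string | "" | no |
 | bastion_host_key_pair | Select the key pair to use to launch the bastion host | string | - | yes |
 | bastion_instance_count | Count of bastion instance created on VPC | string | `1` | no |
+| bastion_launch_configuration_name | Bastion Launch configuration Name, will also be used for the ASG | string | `lc` | no |
+| bastion_ami | The AMI that the Bastion Host will use. If not supplied, the latest Amazon2 AMI will be used. | string | `` | no |
 | bastion_record_name | DNS record name to use for the bastion | string | `` | no |
 | bucket_name | Bucket name were the bastion will store the logs | string | - | yes |
 | bucket_force_destroy | On destroy, bucket and all objects should be destroyed when using true | string | false | no |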

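--- a/main.tf
+++ b/main.tf
@@ -5,6 +5,7 @@ data "template_file" "user_data" {
 aws_region = var.region
 bucket_name = var.bucket_name
 extra_user_data_content = var.extra_user_data_content
+allow_ssh_commands = var.allow_ssh_commands
 }
 }
 
@@ -238,7 +239,7 @@ resource "aws_iam_instance_profile" "bastion_host_profile" {
 
 resource "aws_launch_template" "bastion_launch_template" {
 name_prefix = local.name_prefix
-image_id = data.aws_ami.amazon-linux-2.id
+image_id = var.bastion_ami != "" ? var.bastion_ami : data.aws_ami.amazon-linux-2.id
 instance_type = "t3.nano"
 monitoring {
 enabled = true
@@ -303,4 +304,3 @@ resource "aws_autoscaling_group" "bastion_auto_scaling_group" {
 create_before_destroy = true
 }
 }
-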
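Review bot: The `image_id` ternary on the new side of the second hunk can be written as `image_id = coalesce(var.bastion_ami, data.aws_ami.amazon-linux-2.id)`, since `coalesce` skips empty strings and `bastion_ami` defaults to `""`; it states the intent (caller override, else lookup) without repeating the variable. Either form still evaluates the `aws_ami` data source on every plan even when an AMI is supplied, which deserves a one-line comment on the `image_id` line so nobody later reads the lookup as dead code. The launch template resource continues past the hunk.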
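--- a/user_data.sh
+++ b/user_data.sh
@@ -45,12 +45,16 @@ if [[ -z $SSH_ORIGINAL_COMMAND ]]; then
 
 else
 
-# The "script" program could be circumvented with some commands (e.g. bash, nc).
-# Therefore, I intentionally prevent users from supplying commands.
-
-echo "This bastion supports interactive sessions only. Do not supply a command"
-exit 1
-
+# If the module consumer wants to allow remote commands (for ansible or other) then allow that command through.
+if [ "${allow_ssh_commands}" == "True" ]; then
+exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"
+else
+# The "script" program could be circumvented with some commands (e.g. bash, nc).
+# Therefore, I intentionally prevent users from supplying commands.
+
+echo "This bastion supports interactive sessions only. Do not supply a command"
+exit 1
+fi
 fi
 
 EOF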
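Review bot: The new `exec /bin/bash -c "$SSH_ORIGINAL_COMMAND"` branch runs the caller's command outside whatever session capture the interactive path goes through, so a deployment that enables `allow_ssh_commands` loses its audit trail exactly for the non-interactive commands; the variable's own description concedes "not logged". Before the `exec`, append at least the caller identity and the command to the log location the interactive path already ships to the bucket, e.g. `echo "$(date -u +%FT%TZ) $USER $SSH_CONNECTION cmd=$SSH_ORIGINAL_COMMAND" >> <BASTION_LOG_PATH>` (the log path is defined outside this hunk; reuse the script's existing one). The new test also differs in style from the enclosing `if [[ -z $SSH_ORIGINAL_COMMAND ]]` in the hunk header; `if [[ "${allow_ssh_commands}" == "True" ]]; then` keeps both on bash's `[[`. The enclosing if/else opens before this hunk, and the whole block sits inside a heredoc that ends at `EOF`.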

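--- a/variables.tf
+++ b/variables.tf
@@ -57,6 +57,12 @@ variable "bastion_launch_template_name" {
 default = "lt"
 }
 
+variable "bastion_ami" {
+type = string
+description = "The AMI that the Bastion Host will use."
+default = ""
+}
+
 variable "elb_subnets" {
 type = list(string)
 description = "List of subnet were the ELB will be deployed"
@@ -111,6 +117,12 @@ variable "private_ssh_port" {
 
 variable "extra_user_data_content" {
 description = "Additional scripting to pass to the bastion host. For example, this can include installing postgresql for the `psql` command."
-type = string
-default = ""
+type = string
+default = ""
+}
+
+variable "allow_ssh_commands" {
+description = "Allows the SSH user to execute one-off commands. Pass 'True' to enable. Warning: These commands are not logged and increase the vulnerability of the system. Use at your own discretion."
+type = string
+default = ""
 }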
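Review bot: The `bastion_ami` description in the first hunk omits the fallback that the README row and the main.tf ternary establish; `description = "The AMI that the Bastion Host will use. If not supplied, the latest Amazon Linux 2 AMI (data.aws_ami.amazon-linux-2) is used."` keeps the two in sync. In the second hunk, `allow_ssh_commands` is honored only for the exact string `True` because the user_data template compares with `==`, so `true` or `TRUE` silently leave commands disabled; either state that in the description, or declare it `type = bool` with `default = false` and pass `var.allow_ssh_commands ? "True" : ""` into the template so the sentinel lives in one place. The `extra_user_data_content` lines that are removed and re-added appear to be a whitespace-only change.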
