  • Language: HCL
  • License: Apache License 2.0
  • Created about 6 years ago
  • Updated 2 months ago


terraform-google-bastion-host

This module generates a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs.

This module will:

  • Create a dedicated service account for the bastion host
  • Create a GCE instance to be the bastion host
  • Create a firewall rule to allow TCP:22 SSH access from IAP to the bastion
  • Create the IAM bindings needed to allow IAP tunneling and OS Login for the specified members

Usage

Basic usage of this module is as follows:

module "iap_bastion" {
  source = "terraform-google-modules/bastion-host/google"

  project = var.project
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.net.self_link
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}

A functional example is included in the examples directory.

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com
  • Compute Engine API: compute.googleapis.com
  • Cloud Identity-Aware Proxy API: iap.googleapis.com
  • OS Login API: oslogin.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Permissions

This module only sets up permissions for the bastion service account, not the users who need access. To allow access, grant one of the following instance access roles.

  • roles/compute.osLogin: does not grant administrator permissions
  • roles/compute.osAdminLogin: grants administrator permissions

If the user does not share the same domain as the org the bastion is in, you will also need to grant that user roles/compute.osLoginExternalUser. This is to prevent external SSH access from being granted at the project level. See the OS Login documentation for more information.
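The Usage, APIs and Permissions sections above fit together in the following root configuration. It is added here as an illustration and is not code from the terraform-google-bastion-host module or its examples directory. The variable names, the network and subnet resources, the CIDR range and the member principals are assumptions; the module arguments, API names and role names are the ones documented on this page.

```hcl
# Added example (not part of the module's own documentation): a complete
# root configuration that enables the required APIs, deploys the bastion
# through this module, and grants the instance-access role the module
# does not grant itself. Variable names, network and members are assumptions.

variable "project" { type = string }
variable "zone" {
  type    = string
  default = "us-central1-a"
}

locals {
  # Constructed example principals; replace with your own groups or users.
  bastion_members = [
    "group:ops-team@example.com",
    "user:alice@example.com",
  ]

  # APIs listed in the Requirements section of this README.
  required_apis = [
    "storage-api.googleapis.com",
    "compute.googleapis.com",
    "iap.googleapis.com",
    "oslogin.googleapis.com",
  ]
}

resource "google_project_service" "required" {
  for_each           = toset(local.required_apis)
  project            = var.project
  service            = each.value
  disable_on_destroy = false
}

resource "google_compute_network" "net" {
  project                 = var.project
  name                    = "bastion-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "net" {
  project                  = var.project
  name                     = "bastion-subnet"
  region                   = "us-central1"
  ip_cidr_range            = "10.10.0.0/24"
  network                  = google_compute_network.net.self_link
  # Let the bastion reach Google APIs without an external IP.
  private_ip_google_access = true
}

module "iap_bastion" {
  source = "terraform-google-modules/bastion-host/google"

  project = var.project
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.net.self_link
  members = local.bastion_members

  # Module defaults, stated explicitly: no external IP (IAP tunnel only)
  # and a shielded VM. The module opens TCP:22 from IAP to the bastion itself.
  external_ip = false
  shielded_vm = true

  depends_on = [google_project_service.required]
}

# The module binds IAP tunnel access and the bastion service account's roles,
# but not the users' OS Login role (see Permissions). Grant the non-admin role
# here; use roles/compute.osAdminLogin only where sudo on the bastion is needed.
# Users outside the organization additionally need
# roles/compute.osLoginExternalUser, granted at the organization level (not shown).
resource "google_project_iam_member" "bastion_os_login" {
  for_each = toset(local.bastion_members)
  project  = var.project
  role     = "roles/compute.osLogin"
  member   = each.value
}

output "bastion_internal_ip" {
  description = "Internal IP of the bastion; it has no external address."
  value       = module.iap_bastion.ip_address
}
```

With this applied, the bastion has no public address at all: operators connect with `gcloud compute ssh --tunnel-through-iap`, and access is gated twice, by the IAP tunnel binding the module creates for `members` and by the OS Login role granted above. Keeping the OS Login grant out of the module call makes the admin/non-admin split explicit in code review.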

Inputs

Name | Description | Type | Default | Required
access_config | Access configs for network, nat_ip and DNS | list(object({ network_tier = string, nat_ip = string, public_ptr_domain_name = string })) | [{ "nat_ip": "", "network_tier": "PREMIUM", "public_ptr_domain_name": "" }] | no
additional_networks | Additional network interface details for the instance template, if any. | list(object({ network = string, subnetwork = string, subnetwork_project = string, network_ip = string, access_config = list(object({ nat_ip = string, network_tier = string })) })) | [] | no
additional_ports | A list of additional ports/ranges to open access to on the instances from IAP. | list(string) | [] | no
create_firewall_rule | Whether to create the firewall rule or not. | bool | true | no
create_instance_from_template | Whether to create an instance from the template or not. If false, no instance is created, but the instance template is created and usable by a MIG. | bool | true | no
disk_labels | Key-value map of labels to assign to the bastion host disk | map(any) | {} | no
disk_size_gb | Boot disk size in GB | number | 100 | no
disk_type | Boot disk type, can be either pd-ssd, local-ssd, or pd-standard | string | "pd-standard" | no
external_ip | Set to true if an ephemeral or static external IP/DNS is required; access_config must also be set if true | bool | false | no
fw_name_allow_ssh_from_iap | Firewall rule name for allowing SSH from IAP | string | "allow-ssh-from-iap-to-tunnel" | no
host_project | The network host project ID | string | "" | no
image | Source image for the Bastion. If image is not specified, image_family will be used (which is the default). | string | "" | no
image_family | Source image family for the Bastion. | string | "debian-11" | no
image_project | Project where the source image for the Bastion comes from | string | "debian-cloud" | no
labels | Key-value map of labels to assign to the bastion host | map(any) | {} | no
machine_type | Instance type for the Bastion host | string | "n1-standard-1" | no
members | List of IAM resources to allow access to the bastion host | list(string) | [] | no
metadata | Key-value map of additional metadata to assign to the instances | map(string) | {} | no
name | Name of the Bastion instance | string | "bastion-vm" | no
name_prefix | Name prefix for instance template | string | "bastion-instance-template" | no
network | Self link for the network on which the Bastion should live | string | n/a | yes
preemptible | Allow the instance to be preempted | bool | false | no
project | The project ID to deploy to | string | n/a | yes
random_role_id | Enables role random id generation. | bool | true | no
region | The region where the bastion instance template will live | string | null | no
scopes | List of scopes to attach to the bastion host | list(string) | ["cloud-platform"] | no
service_account_email | If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the service_account_roles variable so that logging and OS Login work as expected. | string | "" | no
service_account_name | Account ID for the service account | string | "bastion" | no
service_account_roles | List of IAM roles to assign to the service account. | list(string) | ["roles/logging.logWriter", "roles/monitoring.metricWriter", "roles/monitoring.viewer", "roles/compute.osLogin"] | no
service_account_roles_supplemental | An additional list of roles to assign to the bastion if desired | list(string) | [] | no
shielded_vm | Enable shielded VM on the bastion host (recommended) | bool | true | no
startup_script | Render a startup script with a template. | string | "" | no
subnet | Self link for the subnet on which the Bastion should live. Can be private when using IAP. | string | n/a | yes
tags | Network tags, provided as a list | list(string) | [] | no
zone | The primary zone where the bastion host will live | string | "us-central1-a" | no

Outputs

Name | Description
hostname | Host name of the bastion
instance_template | Self link of the bastion instance template for use with a MIG
ip_address | Internal IP address of the bastion host
self_link | Self link of the bastion host
service_account | The email for the service account created for the bastion host

Contributing

Refer to the contribution guidelines for information on contributing to this module.
