/**
* The bastion host acts as the "jump point" for the rest of the infrastructure.
* Since most of our instances aren't exposed to the external internet, the bastion acts as the gatekeeper for any direct SSH access.
* The bastion is provisioned using the key name that you pass to the stack (and hopefully have stored somewhere).
* If you ever need to access an instance directly, you can do it by "jumping through" the bastion.
*
* $ terraform output # print the bastion ip
* $ ssh -i <path/to/key> ubuntu@<bastion-ip> ssh ubuntu@<internal-ip>
*
* Usage:
*
* module "bastion" {
* source = "github.com/segmentio/stack/bastion"
* region = "us-west-2"
* security_groups = "sg-1,sg-2"
* vpc_id = "vpc-12"
* key_name = "ssh-key"
* subnet_id = "pub-1"
* environment = "prod"
* }
*
*/
variable "instance_type" {
  description = "Instance type, see a list at: https://aws.amazon.com/ec2/instance-types/"

  // Also handed to module "ami" below, so the AMI lookup is resolved
  // for whichever size the caller picks (or this default).
  default = "t2.micro"
}
// Region used by the AMI lookup (module "ami"); the instance itself is placed
// by the provider, which is configured by the caller, not in this file.
variable "region" {
  description = "AWS Region, e.g us-west-2"
}
// Comma-separated string rather than a list; it is split() into
// vpc_security_group_ids on the bastion instance below. These groups are the
// only inbound network filter this module applies — it creates no security
// group of its own — so the SSH ingress rules live entirely in the caller's groups.
variable "security_groups" {
  description = "a comma separated lists of security group IDs"
}
// Not referenced by any resource in this file; kept because callers pass it
// (see the usage block in the header), and dropping it would break them.
variable "vpc_id" {
  description = "VPC ID"
}
// Name of an existing EC2 key pair; the module does not create or import one.
// This key is the login credential for the bastion (ubuntu user, per the header),
// so its private half should be treated as the credential for every host reached
// through the jump.
variable "key_name" {
  description = "The SSH key pair, key name"
}
// Expected to be a public (internet-routable) subnet: an Elastic IP is attached
// to the instance below, which only makes sense if the subnet routes to the IGW.
variable "subnet_id" {
  description = "A external subnet id"
}
// Only used as the Environment tag on the instance.
variable "environment" {
  description = "Environment tag, e.g prod"
}
// Resolves the Ubuntu AMI for the chosen region/instance type.
// NOTE(review): the source has no ?ref= version pin, so each `terraform get -update`
// fetches whatever the module's default branch currently holds — the AMI the
// bastion boots from can change without any change in this file. Pin to a tag
// or commit (placeholder: "...?ref=<tag-or-sha>") for a reproducible, reviewable image.
// "trusty" is Ubuntu 14.04, which is past Canonical's standard support window.
module "ami" {
  source        = "github.com/terraform-community-modules/tf_aws_ubuntu_ami/ebs"
  region        = "${var.region}"
  distribution  = "trusty"
  instance_type = "${var.instance_type}"
}
// The jump host itself. Everything about its exposure (security groups, public
// subnet, key pair) is supplied by the caller; this resource only wires them up.
resource "aws_instance" "bastion" {
  // Sizing and image: the AMI is whatever module "ami" resolved for this type.
  instance_type = "${var.instance_type}"
  ami           = "${module.ami.ami_id}"

  // Network placement. The caller's security groups are the only inbound
  // filter applied here; the module creates no security group of its own.
  subnet_id              = "${var.subnet_id}"
  vpc_security_group_ids = ["${split(",",var.security_groups)}"]

  // NOTE(review): source/destination checking is disabled. Nothing in this
  // file routes traffic through the host, so confirm with the user_data script
  // whether this is still needed; leaving it off is unnecessary for a plain SSH jump.
  source_dest_check = false

  // Login credential: the named EC2 key pair (ubuntu user, per the header).
  key_name = "${var.key_name}"

  // Detailed CloudWatch monitoring — worthwhile on the one host that is the
  // externally reachable entry point.
  monitoring = true

  // Bootstrap script shipped next to this module.
  user_data = "${file(format("%s/user_data.sh", path.module))}"

  tags {
    Name        = "bastion"
    Environment = "${var.environment}"
  }
}
// Stable public address for the bastion, attached directly to the instance so
// the IP printed by `terraform output` (see header) stays the same across
// instance stop/start.
resource "aws_eip" "bastion" {
  vpc      = true
  instance = "${aws_instance.bastion.id}"
}
// Bastion external IP address — the Elastic IP above, i.e. the address to
// "jump through" from the header's ssh example.
output "external_ip" {
  value = "${aws_eip.bastion.public_ip}"
}