This module generates a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs.
This module will:
- Create a dedicated service account for the bastion host
- Create a GCE instance to be the bastion host
- Create a firewall rule to allow TCP:22 SSH access from IAP to the bastion
- Create the necessary IAM bindings to allow IAP tunneling and OS Login from the specified members
Basic usage of this module is as follows:

```hcl
module "iap_bastion" {
  source  = "terraform-google-modules/bastion-host/google"
  project = var.project
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.net.self_link
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}
```
A functional example is included in the examples directory.
These sections describe requirements for using this module.
The following dependencies must be available:
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Storage JSON API: storage-api.googleapis.com
- Compute Engine API: compute.googleapis.com
- Cloud Identity-Aware Proxy API: iap.googleapis.com
- OS Login API: oslogin.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_ports | A list of additional ports/ranges to open access to on the instances from IAP. | list(string) | <list> | no |
create_instance_from_template | Whether to create an instance from the template or not. If false, no instance is created, but the instance template is created and usable by a MIG. | bool | "true" | no |
disk_size_gb | Boot disk size in GB | string | "100" | no |
disk_type | Boot disk type; one of pd-ssd, local-ssd, or pd-standard | string | "pd-standard" | no |
fw_name_allow_ssh_from_iap | Firewall rule name for allowing SSH from IAP | string | "allow-ssh-from-iap-to-tunnel" | no |
host_project | The network host project ID | string | "" | no |
image | Source image for the Bastion. If image is not specified, image_family will be used (which is the default). | string | "" | no |
image_family | Source image family for the Bastion. | string | "centos-7" | no |
image_project | Project where the source image for the Bastion comes from | string | "gce-uefi-images" | no |
labels | Key-value map of labels to assign to the bastion host | map | <map> | no |
machine_type | Instance type for the Bastion host | string | "n1-standard-1" | no |
members | List of IAM members to allow access to the bastion host | list(string) | <list> | no |
name | Name of the Bastion instance | string | "bastion-vm" | no |
name_prefix | Name prefix for the instance template | string | "bastion-instance-template" | no |
network | Self link for the network on which the Bastion should live | string | n/a | yes |
project | The project ID to deploy to | string | n/a | yes |
random_role_id | Enables random ID generation for the role. | bool | "true" | no |
scopes | List of scopes to attach to the bastion host | list(string) | <list> | no |
service_account_email | If set, the service account and its permissions will not be created. The service account passed in should have at least the roles listed in the service_account_roles variable so that logging and OS Login work as expected. | string | "" | no |
service_account_name | Account ID for the service account | string | "bastion" | no |
service_account_roles | List of IAM roles to assign to the service account. | list(string) | <list> | no |
service_account_roles_supplemental | An additional list of roles to assign to the bastion if desired | list(string) | <list> | no |
shielded_vm | Enable Shielded VM on the bastion host (recommended) | bool | "true" | no |
startup_script | Startup script for the bastion, rendered from a template. | string | "" | no |
subnet | Self link for the subnet on which the Bastion should live. Can be private when using IAP | string | n/a | yes |
tags | Network tags, provided as a list | list(string) | <list> | no |
zone | The primary zone where the bastion host will live | string | "us-central1-a" | no |
Name | Description |
---|---|
hostname | Host name of the bastion |
instance_template | Self link of the bastion instance template for use with a MIG |
ip_address | Internal IP address of the bastion host |
self_link | Self link of the bastion host |
service_account | The email for the service account created for the bastion host |
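The inputs and outputs above allow the module to build only the instance template so that a managed instance group creates the bastion instead of a single VM. The following is an added example (not from the module's own README or examples) of that pattern; the subnet name, the MIG resource name, `var.bastion_members` and the extra port 8080 are assumptions for illustration.

```hcl
# Added example: bastion behind a zonal MIG using the module's instance
# template. The subnet, MIG name, members variable and port are placeholders.
module "iap_bastion" {
  source  = "terraform-google-modules/bastion-host/google"
  project = var.project
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.private.self_link # assumed private subnet

  # Build the template only; the MIG below creates the instance(s).
  create_instance_from_template = false
  shielded_vm                   = true

  # Only these principals get IAP tunnel and OS Login access.
  members = var.bastion_members # assumed variable, e.g. ["group:...", "user:..."]

  # Besides TCP:22, let IAP reach an internal tool on 8080 (illustrative port).
  additional_ports = ["8080"]
}

resource "google_compute_instance_group_manager" "bastion" {
  project            = var.project
  name               = "bastion-mig" # assumed name
  zone               = var.zone
  base_instance_name = "bastion"
  target_size        = 1

  version {
    # Output from the module: self link of the bastion instance template.
    instance_template = module.iap_bastion.instance_template
  }
}
```

Since the module's firewall rule and IAM bindings are still created, instances the MIG launches from the template are reachable only through IAP tunneling by the listed members, and the single `hostname`/`ip_address` outputs are not populated because no standalone instance exists.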
Refer to the contribution guidelines for information on contributing to this module.