This module creates an auto-scaling instance group and Network Load Balancer in Amazon Web Services for a Banyan Access Tier. A network load balancer forwards traffic to the instance group which, when added to the proper tags and banyan zero trust policies, allows for connections to internal services or to the network via service tunnel.
This module will create an access tier definition in the Banyan API, and an access_tier
scoped API key. It will populate the launch configuration of all instances in the auto-scaling group with a short script to download the latest version of the Banyan NetAgent (or a pinned version if set), install it as a service, and launch the netagent with the API key and access tier configuration name for your Banyan organization.
In order to ease the installation and configuration of the access tier, the new netagent only needs an access tier scoped API key, Banyan API URL, and the name of an access tier configuration in order to successfully connect. In this new module the access tier is defined in the Banyan API with the banyan_accesstier
resource from the banyan
terraform provider. The API key is created specifically for the access tier and added to the launch configuration
terraform {
required_providers {
banyan = {
source = "banyansecurity/banyan"
version = "1.0.0"
}
}
}
provider "banyan" {
api_key = "ADMIN-SCOPE-API-KEY"
}
provider "aws" {
region = "us-west-2"
}
module "aws_accesstier" {
source = "banyansecurity/banyan-accesstier2/aws"
name = "example"
banyan_host = var.banyan_host
private_subnet_ids = ["subnet-0bff66824ea1ede35", "subnet-0e4680564d8fd1f69"]
public_subnet_ids = ["subnet-0bd9c5568baa33137", "subnet-0a2f69d9f6cdc0b1a"]
vpc_id = "vpc-0c5252fae45fe5011"
member_security_groups = [aws_security_group.allow_at.id]
}
This example will configure the Banyan terraform provider and the AWS provider. It will then create an access tier
with a wildcard DNS record pointing to the address of the access tier. The access tier is configured with the tunnel CIDR of 10.10.0.0/16
.
This corresponds to CIDR of the private network(s) (the entire VPC or individual subnets in AWS). A service tunnel is configured
to use this access tier, with a policy which allows any user with a High
trust level access to the service tunnel.
This policy could be narrowed down further using the access.l4_access
attribute of the banyan_policy_tunnel
resource.
This is an effective replacement of a VPN tunnel, which leverages the device trust, continuous authorization and SAML capabilities of Banyan.
terraform {
required_providers {
banyan = {
source = "banyansecurity/banyan"
version = "1.0.0"
}
}
}
provider "banyan" {
api_key = "ADMIN-SCOPE-API-KEY"
}
provider "aws" {
region = "us-west-2"
}
module "aws_accesstier" {
source = "banyansecurity/banyan-accesstier2/aws"
name = "example"
private_subnet_ids = ["subnet-0bff66824ea1ede35", "subnet-0e4680564d8fd1f69"]
public_subnet_ids = ["subnet-0bd9c5568baa33137", "subnet-0a2f69d9f6cdc0b1a"]
vpc_id = "vpc-0c5252fae45fe5011"
member_security_groups = [aws_security_group.allow_at.id]
tunnel_cidrs = ["10.10.0.0/16"]
}
resource "banyan_service_tunnel" "example" {
name = "example-anyone-high"
description = "tunnel allowing anyone with a high trust level"
access_tier = banyan_accesstier.example.name
policy = banyan_policy_infra.anyone-high.id
}
resource "banyan_policy_infra" "anyone-high" {
name = "allow-anyone-high-trust"
description = "${module.aws_accesstier.name} allow"
access {
roles = ["ANY"]
trust_level = "High"
}
}
resource "aws_route53_record" "aws_accesstier" {
zone_id = local.route53_zone_id
name = "*.${module.aws_accesstier.name}.mycompany.com"
type = "CNAME"
ttl = 300
records = [module.aws_accesstier.address]
}
Set netagent_version
to the desired version number. This will ensure all instances are pinned to the same version number. If netagent_version
is not specified, each instance will automatically install the latest version.
-
The default value for
management_cidr
leaves SSH closed to instances in the access tier. -
The current recommended setup for to use a banyan SSH service to SSH to a host inside the private network, which in turn has SSH access to the instances in the auto-scaling group. This way no SSH service is exposed to the internet.
Name | Version |
---|---|
banyan | >=1.0.0 |
Name | Version |
---|---|
aws | n/a |
banyan | >=1.0.0 |
No modules.
Name | Type |
---|---|
aws_alb.nlb | resource |
aws_autoscaling_group.asg | resource |
aws_autoscaling_policy.cpu_policy | resource |
aws_launch_configuration.conf | resource |
aws_lb_listener.listener443 | resource |
aws_lb_listener.listener51820 | resource |
aws_lb_listener.listener80 | resource |
aws_lb_listener.listener8443 | resource |
aws_lb_target_group.target443 | resource |
aws_lb_target_group.target51820 | resource |
aws_lb_target_group.target80 | resource |
aws_lb_target_group.target8443 | resource |
aws_security_group.sg | resource |
banyan_accesstier.accesstier | resource |
banyan_api_key.accesstier | resource |
aws_ami.ubuntu | data source |
aws_vpc.selected | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | Name to use when registering this Access Tier with the Banyan command center | string |
n/a | yes |
private_subnet_ids | IDs of the subnets where the Access Tier should create instances | list(string) |
n/a | yes |
public_subnet_ids | IDs of the subnets where the load balancer should create endpoints | list(string) |
n/a | yes |
vpc_id | ID of the VPC in which to create the Access Tier | string |
n/a | yes |
autoscaling_group_tags | Additional tags to the autoscaling_group | map(any) |
null |
no |
banyan_host | URL to the Banyan API server | string |
"https://net.banyanops.com/" |
no |
cluster | Name of an existing Shield cluster to register this Access Tier with. This value is set automatically if omitted from the configuration | string |
null |
no |
command_center_cidrs | CIDR blocks to allow Command Center connections to | list(string) |
[ |
no |
console_log_level | Controls verbosity of logs to console. Must be one of "ERR", "WARN", "INFO", "DEBUG" | string |
null |
no |
cross_zone_enabled | Allow load balancer to distribute traffic to other zones | bool |
true |
no |
custom_user_data | Custom commands to append to the launch configuration initialization script | list(string) |
[] |
no |
datadog_api_key | API key for DataDog | string |
null |
no |
disable_snat | Disable Source Network Address Translation (SNAT) | bool |
false |
no |
enable_hsts | If enabled, Banyan will send the HTTP Strict-Transport-Security response header | bool |
null |
no |
event_key_rate_limiting | Enable rate limiting of Access Event generated based on a derived “key” value. Each key has a separate rate limiter, and events with the same key value are subjected to the rate limiter for that key | bool |
null |
no |
events_rate_limiting | Enable rate limiting of Access Event generation based on a credit-based rate control mechanism | bool |
null |
no |
file_log | Whether to log to file or not | bool |
null |
no |
file_log_level | Controls verbosity of logs to file. Must be one of "ERR", "WARN", "INFO", "DEBUG" | string |
null |
no |
forward_trust_cookie | Forward the Banyan trust cookie to upstream servers. This may be enabled if upstream servers wish to make use of information in the Banyan trust cookie | bool |
null |
no |
healthcheck_cidrs | CIDR blocks to allow health check connections from (recommended to use the VPC CIDR range) | list(string) |
[ |
no |
http_endpoint_imds_v2 | value for http_endpoint to enable imds v2 for ec2 instance | string |
"enabled" |
no |
http_hop_limit_imds_v2 | value for http_put_response_hop_limit to enable imds v2 for ec2 instance | number |
1 |
no |
http_tokens_imds_v2 | value for http_tokens to enable imds v2 for ec2 instance | string |
"required" |
no |
iam_instance_profile | The name attribute of the IAM instance profile to associate with launched instances | string |
null |
no |
instance_type | EC2 instance type to use when creating Access Tier instances | string |
"t3.medium" |
no |
lb_tags | Additional tags to add to the load balancer | map(any) |
null |
no |
log_num | For file logs: Number of files to use for log rotation | number |
null |
no |
log_size | For file logs: Size of each file for log rotation | number |
null |
no |
managed_internal_cidrs | CIDR blocks to allow managed internal services connections to | list(string) |
[ |
no |
management_cidrs | CIDR blocks to allow SSH connections from. Default is the VPC CIDR range | list(string) |
[] |
no |
max_instance_lifetime | The maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 604800 and 31536000 seconds | number |
null |
no |
member_security_groups | Additional security groups which the access tier shou | list(string) |
[] |
no |
min_instances | Minimum number of Access Tier instances to keep alive | number |
2 |
no |
netagent_version | Override to use a specific version of netagent (e.g. 1.49.1 ). Omit for the latest version available |
string |
null |
no |
redirect_http_to_https | If true, requests to the Access Tier on port 80 will be redirected to port 443 | bool |
true |
no |
security_group_tags | Additional tags to the security_group | map(any) |
null |
no |
shield_cidrs | CIDR blocks to allow Shield (Cluster Coordinator) connections to | list(string) |
[ |
no |
shield_port | TCP port number to allow Shield (Cluster Coordinator) connections to | number |
0 |
no |
src_nat_cidr_range | CIDR range which source Network Address Translation (SNAT) will be disabled for | string |
null |
no |
ssh_key_name | Name of an SSH key stored in AWS to allow management access | string |
"" |
no |
statsd_address | Address to send statsd messages: “hostname:port” for UDP, “unix:///path/to/socket” for UDS | string |
null |
no |
sticky_sessions | Enable session stickiness for apps that require it | bool |
false |
no |
tags | Add tags to each resource | map(any) |
null |
no |
target_group_tags | Additional tags to each target_group | map(any) |
null |
no |
trustprovider_cidrs | CIDR blocks to allow TrustProvider connections to | list(string) |
[ |
no |
tunnel_cidrs | Backend CIDR Ranges that correspond to the IP addresses in your private network(s) | list(string) |
null |
no |
tunnel_port | UDP port for end users to this access tier to utilize when using service tunnel | number |
null |
no |
tunnel_private_domains | Any internal domains that can only be resolved on your internal network’s private DNS | list(string) |
null |
no |
Name | Description |
---|---|
address | DNS name of the load balancer (example: banyan-nlb-b335ff082d3b27ff.elb.us-east-1.amazonaws.com ) |
api_key_id | ID of the API key associated with the Access Tier |
name | Name to use when registering this Access Tier with the console |
nlb_zone_id | Zone ID of the load balancer (example: Z26RNL4JYFTOTI ) |
security_group_id | The ID of the security group, which can be added as an inbound rule on other backend groups (example: sg-1234abcd ) |