Terraform module to create an ASG-based bastion host that is reached through SSM Session Manager, built on top of the golden bastion AMI baked by the site-infra team. This module creates the following resources:
- aws_autoscaling_group. To stop or start the instances, change the asg_capacity value.
- aws_launch_template.
- aws_security_group. Several security groups are created by this module; to give this bastion access to a database, attach the corresponding shared security group to that database.
- An existing VPC.
- An existing subnet; a private subnet is recommended.
- IAM policy that grants access to use Session Manager and to send session logs to S3.
This module was created on 16/10/2018. The latest stable version of Terraform on which this module has been tested working is Terraform 0.13.7, as of 29/09/2021.

Terraform version requirement:

Name | Version |
---|---|
terraform | >= 0.13 |

Providers:

Name | Version |
---|---|
aws | n/a |

This Terraform module uses other Terraform modules; here is the list of Terraform module dependencies:

Name | Source | Version |
---|---|---|
aws-autoscaling_bastion_asg | github.com/traveloka/terraform-aws-autoscaling | v0.4.0 |
bastion | github.com/traveloka/terraform-aws-iam-role.git//modules/instance | v3.0.0 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_asg_tags | The created ASG (and spawned instances) will have these tags, merged over the default. | list(map(string)) | [] | no |
ami_name_prefix | Prefix for the AMI filter. | string | "tvlk/ubuntu-20/tsi/bastion*" | no |
ami_owner_account_id | AWS account ID that owns the golden bastion AMI. | string | n/a | yes |
asg_capacity | Capacity of EC2 instances for the autoscaling group. | string | n/a | yes |
asg_default_cooldown | Time, in seconds, of the minimum interval between two scaling activities. | string | "300" | no |
asg_health_check_grace_period | Time, in seconds, to wait for new instances before checking their health. | string | "300" | no |
asg_health_check_type | Health check type for the autoscaling group. | string | "EC2" | no |
asg_wait_for_capacity_timeout | Maximum duration that Terraform should wait for ASG instances to be healthy before timing out. | string | "0m" | no |
description | Description for this cluster. | string | n/a | yes |
ebs_optimized | Whether the EC2 instances are EBS-optimized or not. | string | "false" | no |
enable_detailed_monitoring | Whether to enable detailed monitoring for the EC2 instances or not. | string | "false" | no |
environment | Environment for these resources. | string | n/a | yes |
instance_type | Instance type for the bastion hosts. | string | "t2.medium" | no |
launch_template_overrides | List of nested arguments that provides the ability to specify multiple instance types. See https://www.terraform.io/docs/providers/aws/r/autoscaling_group.html#override. When using a plain launch template, the first element's instance_type will be used as the launch template instance type. | list(map(string)) | [ | no |
mixed_instances_distribution | Specify the distribution of on-demand instances and spot instances. See https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_InstancesDistribution.html | map(string) | { | no |
product_domain | Product domain that owns these EC2 instances. | string | n/a | yes |
service_name | Service name for the instances. | string | n/a | yes |
subnet_tier | Tier of the subnet where the bastion EC2 instances reside; we recommend the subnet with tier app, as it is private. | string | "app" | no |
user_data | The spawned instances will have this user data. Use the rendered value of a Terraform template_cloudinit_config data source. | string | " " | no |
volume_size | Size of the root volume of the instances. | string | "8" | no |
volume_type | Type of the EBS root volume of the instances. | string | "gp3" | no |
vpc_id | VPC ID where the EC2 instances reside. | string | n/a | yes |

Outputs:
Name | Description |
---|---|
asg_bastion_name | The name of the auto scaling group for bastion |
instance_role_name | role name for the instances. |
sg_bastion_id | id of security group for bastion instance. |
shared_sg_elasticsearch_id | id of shared security group for elasticsearch. |
shared_sg_memcached_id | id of shared security group for memcached. |
shared_sg_mongod_id | id of shared security group for mongod. |
shared_sg_mysql_id | id of shared security group for mysql. |
shared_sg_postgres_id | id of shared security group for postgres. |
shared_sg_redis_id | id of shared security group for redis. |
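A usage example for this module, added here and not taken from the module's own repository: it wires the required inputs, keeps the bastion in the private app tier, and grants database access by attaching the shared MySQL security group from the outputs above instead of opening any inbound port on the bastion. The module source URL, the sample IDs, the db_password variable and the aws_db_instance consumer are assumptions.

```hcl
# Added usage example (not part of the module's own code). The module source
# path, the sample IDs and the RDS resource are assumptions; replace them.
module "bastion" {
  source = "git::https://<this-module-git-url>"   # placeholder for this module's source

  # Required inputs
  vpc_id               = "vpc-0123456789abcdef0"  # constructed sample VPC id
  ami_owner_account_id = "111122223333"           # constructed sample account id
  asg_capacity         = "1"                      # set to "0" to stop all bastion instances
  description          = "SSM-only bastion for the payments domain"
  environment          = "production"
  product_domain       = "pay"
  service_name         = "bastion"

  # Optional inputs, shown with their documented defaults
  subnet_tier   = "app"      # private tier: no public IP, access is via Session Manager
  instance_type = "t2.medium"
  volume_type   = "gp3"
  volume_size   = "8"
}

# Give the bastion access to a database by attaching the engine-specific shared
# security group the module created (here MySQL) to the database itself.
# aws_db_instance is an assumed consumer resource, not created by the module.
resource "aws_db_instance" "payments" {
  identifier             = "payments-mysql"
  engine                 = "mysql"
  instance_class         = "db.t3.medium"
  allocated_storage      = 20
  username               = "admin"
  password               = var.db_password        # assumed variable, supplied out of band
  vpc_security_group_ids = [module.bastion.shared_sg_mysql_id]
  skip_final_snapshot    = true
}

# Operators connect with Session Manager rather than SSH; the instance role the
# module creates (output instance_role_name) carries the SSM and S3 log policy.
output "bastion_asg_name" {
  value = module.bastion.asg_bastion_name
}
```

Adding a database to the bastion's reach is then a change to the database's security group list, which shows up in plan output and review, rather than a change to the bastion.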
This module accepts contributions from anyone; please see CONTRIBUTING.md for details on how to contribute to this module.
This module is under Apache License 2.0 - see the LICENSE file for details.