Module that creates a jumphost.

terraform-aws-jumphost

The module creates a jump host to provide SSH access to the AWS network.

The module deploys an autoscaling group with only one EC2 instance that serves as a jump host to access internal resources not accessible from the Internet otherwise.

For the jump host to be reachable from the Internet, the autoscaling group has to reside in a public subnet, and the EC2 instance has to get a public IP address.

When the instance launches or terminates, it updates the Route53 zone, so the jump host has the DNS name jumphost.yourzone.com.

```hcl
module "jumphost" {
  source            = "registry.infrahouse.com/infrahouse/jumphost/aws"
  version           = "~> 2.4"
  keypair_name      = aws_key_pair.aleks.key_name
  # Public subnets: the instance must get a public IP to be reachable.
  subnet_ids        = module.management.subnet_public_ids
  # Required by the Inputs table below; assumed here to be the same public subnets.
  nlb_subnet_ids    = module.management.subnet_public_ids
  environment       = var.environment
  route53_zone_id   = module.infrahouse_com.infrahouse_zone_id
  route53_zone_name = module.infrahouse_com.infrahouse_zone_name
  # Additional IAM policies to attach to the jump host role, keyed by policy name.
  extra_policies = {
    (aws_iam_policy.package-publisher.name) : aws_iam_policy.package-publisher.arn
  }
  gpg_public_key = file("./files/DEB-GPG-KEY-infrahouse-jammy")
}
```

Note: initial instances do not trigger the DNS lambda. We need to refresh the ASG manually to update DNS. This limitation should be fixed in the future.

IAM instance profile

The module creates an instance profile called jumphost using the instance-profile module. The profile's role carries a deliberately limited permissions policy:

```hcl
# Default role permissions: read-only EC2 describe calls and nothing else.
data "aws_iam_policy_document" "jumphost_permissions" {
  statement {
    actions   = ["ec2:Describe*"]
    resources = ["*"]
  }
}
```

If you need the jump host to have more permissions, attach additional policies to the role. The role's name and ARN are exposed as the outputs jumphost_role_name and jumphost_role_arn.

Alternatively, you can specify a map of additional permissions in the var.extra_policies map:

```hcl
module "jumphost" {
...
  extra_policies = {
    (aws_iam_policy.package-publisher.name) : aws_iam_policy.package-publisher.arn
  }
...
}
```
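As an added example (not code from the module itself), the following grants the jump host read-only access to a single S3 bucket by attaching a scoped policy to the role via the jumphost_role_name output; aws_s3_bucket.artifacts is an assumed bucket resource managed elsewhere in the same configuration:

```hcl
# Added example: scope the grant to one bucket instead of "*" so the jump host
# cannot read anything beyond what operators actually need from it.
# Assumptions: module "jumphost" is declared as in this README and
# aws_s3_bucket.artifacts exists in the same root module.
data "aws_iam_policy_document" "jumphost_artifacts_ro" {
  statement {
    sid     = "ListArtifactsBucket"
    actions = ["s3:ListBucket"]
    resources = [aws_s3_bucket.artifacts.arn]
  }
  statement {
    sid     = "ReadArtifactsObjects"
    actions = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.artifacts.arn}/*"]
  }
}

resource "aws_iam_policy" "jumphost_artifacts_ro" {
  name   = "jumphost-artifacts-ro"
  policy = data.aws_iam_policy_document.jumphost_artifacts_ro.json
}

# Attach to the role the module created; no change to the module call is needed.
resource "aws_iam_role_policy_attachment" "jumphost_artifacts_ro" {
  role       = module.jumphost.jumphost_role_name
  policy_arn = aws_iam_policy.jumphost_artifacts_ro.arn
}
```

Passing the same policy ARN through var.extra_policies is equivalent; the attachment form keeps the grant next to the policy that defines it and is also the way to add permissions from a module that only consumes the jumphost outputs.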

Requirements

| Name | Version |
|------|---------|
| aws | >= 5.31 |
| cloudinit | >= 2.3 |
| null | >= 3.2 |
| random | >= 3.5 |

Providers

| Name | Version |
|------|---------|
| aws | >= 5.31 |
| random | >= 3.5 |

Modules

| Name | Source | Version |
|------|--------|---------|
| jumphost_profile | registry.infrahouse.com/infrahouse/instance-profile/aws | ~> 1.4 |
| jumphost_userdata | registry.infrahouse.com/infrahouse/cloud-init/aws | 1.12.4 |

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.jumphost | resource |
| aws_efs_file_system.home | resource |
| aws_efs_mount_target.packages | resource |
| aws_iam_policy.required | resource |
| aws_launch_template.jumphost | resource |
| aws_lb.jumphost | resource |
| aws_lb_listener.jumphost | resource |
| aws_lb_target_group.jumphost | resource |
| aws_route53_record.jumphost_cname | resource |
| aws_security_group.efs | resource |
| aws_security_group.jumphost | resource |
| aws_vpc_security_group_egress_rule.default | resource |
| aws_vpc_security_group_egress_rule.efs | resource |
| aws_vpc_security_group_ingress_rule.echo | resource |
| aws_vpc_security_group_ingress_rule.efs | resource |
| aws_vpc_security_group_ingress_rule.efs_icmp | resource |
| aws_vpc_security_group_ingress_rule.icmp | resource |
| aws_vpc_security_group_ingress_rule.ssh | resource |
| random_string.asg_name | resource |
| random_string.profile-suffix | resource |
| aws_ami.ubuntu | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.jumphost_permissions | data source |
| aws_iam_policy_document.required_permissions | data source |
| aws_region.current | data source |
| aws_route53_zone.jumphost_zone | data source |
| aws_subnet.nlb_selected | data source |
| aws_subnet.selected | data source |
| aws_vpc.nlb_selected | data source |
| aws_vpc.selected | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| ami_id | AMI id for jumphost instances. By default, the latest Ubuntu jammy. | string | null | no |
| asg_max_size | Maximum number of EC2 instances in the ASG. By default, the number of subnets plus one. | number | null | no |
| asg_min_size | Minimal number of EC2 instances in the ASG. By default, the number of subnets. | number | null | no |
| environment | Environment name. Passed on as a puppet fact. | string | n/a | yes |
| extra_files | Additional files to create on an instance. | list(object({ content = string, path = string, permissions = string })) | [] | no |
| extra_policies | A map of additional policy ARNs to attach to the jumphost role. | map(string) | {} | no |
| extra_repos | Additional APT repositories to configure on an instance. | map(object({ source = string, key = string })) | {} | no |
| instance_role_name | If specified, the instance profile will have a role with this name. | string | null | no |
| instance_type | EC2 instance type. | string | "t3a.micro" | no |
| keypair_name | SSH key pair name that will be added to the jumphost instance. | string | n/a | yes |
| nlb_internal | If true, the load balancer's DNS name will resolve into internal IP addresses. | bool | false | no |
| nlb_subnet_ids | List of subnet ids where the NLB will be created. | list(string) | n/a | yes |
| packages | List of packages to install when the instance bootstraps. | list(string) | [] | no |
| puppet_custom_facts | A map of custom puppet facts. | any | {} | no |
| puppet_debug_logging | Enable debug logging if true. | bool | false | no |
| puppet_environmentpath | A path for directory environments. | string | "{root_directory}/environments" | no |
| puppet_hiera_config_path | Path to the hiera configuration file. | string | "{root_directory}/environments/{environment}/hiera.yaml" | no |
| puppet_manifest | Path to the puppet manifest. By default ih-puppet will apply {root_directory}/environments/{environment}/manifests/site.pp. | string | null | no |
| puppet_module_path | Path to common puppet modules. | string | "{root_directory}/modules" | no |
| puppet_root_directory | Path where the puppet code is hosted. | string | "/opt/puppet-code" | no |
| route53_hostname | An A record with this name will be created in the route53 zone. | string | "jumphost" | no |
| route53_ttl | TTL in seconds on the route53 record. | number | 300 | no |
| route53_zone_id | Route53 zone id of the zone where this jumphost will put an A record. | any | n/a | yes |
| ssh_host_keys | List of the instance's SSH host keys. | list(object({ type = string, private = string, public = string })) | [] | no |
| subnet_ids | List of subnet ids where the jumphost instances will be created. | list(string) | n/a | yes |
| ubuntu_codename | Ubuntu version to use for the jumphost. | string | "jammy" | no |

Outputs

| Name | Description |
|------|-------------|
| jumphost_asg_name | Jumphost autoscaling group name. |
| jumphost_hostname | n/a |
| jumphost_instance_profile__arn | Instance IAM profile ARN. |
| jumphost_instance_profile_name | Instance IAM profile name. |
| jumphost_role_arn | Instance IAM role ARN. |
| jumphost_role_name | Instance IAM role name. |