Add support to specify CIDR from where ssh is allowed on bastion host

stakater · Aug 29, 2017 · 8dd5b0f · 8dd5b0f
1 parent a742732
commit 8dd5b0f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/modules/bastion/main.tf b/modules/bastion/main.tf
@@ -12,9 +12,7 @@ resource "aws_security_group" "bastion" {
     from_port = 22
     to_port   = 22
 
-    cidr_blocks = [
-      "0.0.0.0/0",
-    ]
+    cidr_blocks = "${var.allow_ssh_cidrs}"
   }
 
   egress {
@@ -46,11 +44,11 @@ data "template_file" "user_data" {
 }
 
 resource "aws_launch_configuration" "bastion" {
-  name_prefix   = "${var.name}"
-  image_id      = "${var.ami}"
-  instance_type = "${var.instance_type}"
-  key_name      = "${var.keypair}"
-  user_data     = "${data.template_file.user_data.rendered}"
+  name_prefix                 = "${var.name}"
+  image_id                    = "${var.ami}"
+  instance_type               = "${var.instance_type}"
+  key_name                    = "${var.keypair}"
+  user_data                   = "${data.template_file.user_data.rendered}"
   associate_public_ip_address = "${var.associate_public_ip_address}"
 
   security_groups = [

diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf
@@ -56,6 +56,12 @@ variable "associate_public_ip_address" {
   default     = true
 }
 
+variable "allow_ssh_cidrs" {
+  description = "List Cidrs from where ssh is to be allowed for bastion host. Default is anywhere"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
 variable "eip" {
   default = ""
 }
diff --git a/modules/network.tf b/modules/network.tf
@@ -65,6 +65,12 @@ variable "bastion_host_keypair" {
   default     = "bastion-host"
 }
 
+variable "bastion_host_allow_ssh_cidrs" {
+  description = "List Cidrs from where ssh is to be allowed for bastion host. Default is anywhere"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
 variable "bastion_host_ami_id" {
   description = "AMI ID from which the bastian host instance will be created."
   default     = ""
@@ -164,6 +170,7 @@ module "bastion-host" {
   source                      = "./bastion"
   instance_type               = "t2.nano"
   keypair                     = "${var.bastion_host_keypair}"
+  allow_ssh_cidrs             = "${var.bastion_host_allow_ssh_cidrs}"
   ami                         = "${var.bastion_host_ami_id}"
   region                      = "${var.aws_region}"
   s3_bucket_uri               = "s3://${var.config_bucket_name}/keypairs"