
Adding SSH support (#25)
* Add capability to establish SSH connections to the NAT instance.

* Change the behaviour of the SSH configuration variables

* update ssh configurations readme

* SSH optional + no default CIDR

* SSH CIDR Blocks ipv6 support + checkov false positive ignore

---------

Co-authored-by: SpaicyGaming <[email protected]>
RaJiska and michelecoco authored Jun 17, 2024
1 parent 9e460af commit efff249
Showing 5 changed files with 48 additions and 0 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -82,13 +82,16 @@ module "fck-nat" {
| <a name="input_name"></a> [name](#input\_name) | Name used for resources created within the module | `string` | n/a | yes |
| <a name="input_route_table_id"></a> [route\_table\_id](#input\_route\_table\_id) | Deprecated. Use route\_tables\_ids instead | `string` | `null` | no |
| <a name="input_route_tables_ids"></a> [route\_tables\_ids](#input\_route\_tables\_ids) | Route tables to update. Only valid if update\_route\_tables is true | `map(string)` | `{}` | no |
| <a name="input_ssh_cidr_blocks"></a> [ssh\_cidr\_blocks](#input\_ssh\_cidr\_blocks) | CIDR blocks to allow SSH access to the NAT instance from | <pre>object({<br> ipv4 = optional(list(string), [])<br> ipv6 = optional(list(string), [])<br> })</pre> | <pre>{<br> "ipv4": [],<br> "ipv6": []<br>}</pre> | no |
| <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided | `string` | `null` | no |
| <a name="input_subnet_id"></a> [subnet\_id](#input\_subnet\_id) | Subnet ID to deploy the NAT instance into | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to resources created within the module | `map(string)` | `{}` | no |
| <a name="input_update_route_table"></a> [update\_route\_table](#input\_update\_route\_table) | Deprecated. Use update\_route\_tables instead | `bool` | `false` | no |
| <a name="input_update_route_tables"></a> [update\_route\_tables](#input\_update\_route\_tables) | Whether or not to update the route tables with the NAT instance | `bool` | `false` | no |
| <a name="input_use_cloudwatch_agent"></a> [use\_cloudwatch\_agent](#input\_use\_cloudwatch\_agent) | Whether or not to enable CloudWatch agent for the NAT instance | `bool` | `false` | no |
| <a name="input_use_default_security_group"></a> [use\_default\_security\_group](#input\_use\_default\_security\_group) | Whether or not to use the default security group for the NAT instance | `bool` | `true` | no |
| <a name="input_use_spot_instances"></a> [use\_spot\_instances](#input\_use\_spot\_instances) | Whether or not to use spot instances for running the NAT instance | `bool` | `false` | no |
| <a name="input_use_ssh"></a> [use\_ssh](#input\_use\_ssh) | Whether or not to enable SSH access to the NAT instance | `bool` | `false` | no |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to deploy the NAT instance into | `string` | n/a | yes |

## Outputs
Expand All @@ -104,6 +107,7 @@ module "fck-nat" {
| <a name="output_ha_mode"></a> [ha\_mode](#output\_ha\_mode) | Whether or not high-availability mode is enabled via autoscaling group |
| <a name="output_instance_arn"></a> [instance\_arn](#output\_instance\_arn) | The ARN of the fck-nat instance if running in non-HA mode |
| <a name="output_instance_profile_arn"></a> [instance\_profile\_arn](#output\_instance\_profile\_arn) | The ARN of the instance profile used by the fck-nat instance |
| <a name="output_instance_public_ip"></a> [instance\_public\_ip](#output\_instance\_public\_ip) | The public IP address of the fck-nat instance if running in non-HA mode |
| <a name="output_instance_type"></a> [instance\_type](#output\_instance\_type) | Instance type used for the fck-nat instance |
| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | KMS key ID to use for encrypting fck-nat instance EBS volumes |
| <a name="output_launch_template_id"></a> [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template used to spawn fck-nat instances |
1 change: 1 addition & 0 deletions ec2.tf
Expand Up @@ -36,6 +36,7 @@ resource "aws_launch_template" "main" {
name = var.name
image_id = local.ami_id
instance_type = var.instance_type
key_name = var.ssh_key_name

block_device_mappings {
device_name = "/dev/xvda"
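Review bot: `key_name = var.ssh_key_name` in aws_launch_template.main is applied regardless of `use_ssh`, so a key pair is installed on the instance even when the operator has left SSH disabled, and the two settings can drift (use_ssh=true with no key opens port 22 to an instance nobody can log into; use_ssh=false with a key installs a credential that is never meant to be used). Tying the key to the flag keeps the instance state aligned with the intended policy: `key_name = var.use_ssh ? var.ssh_key_name : null`. Whether the non-HA aws_instance path also receives the key is not visible in this diff. The launch template resource begins and ends outside the hunk.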
14 changes: 14 additions & 0 deletions main.tf
Expand Up @@ -14,6 +14,7 @@ data "aws_vpc" "main" {
}

resource "aws_security_group" "main" {
#checkov:skip=CKV_AWS_24:False positive from Checkov, ingress CIDR blocks on port 22 default to "[]"
name = var.name
description = "Used in ${var.name} instance of fck-nat in subnet ${var.subnet_id}"
vpc_id = data.aws_vpc.main.id
Expand All @@ -26,6 +27,19 @@ resource "aws_security_group" "main" {
cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block
}

dynamic "ingress" {
for_each = var.use_ssh && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0) ? [1] : [] #

content {
description = "SSH access"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = var.ssh_cidr_blocks.ipv4
ipv6_cidr_blocks = var.ssh_cidr_blocks.ipv6
}
}

egress {
description = "Unrestricted egress"
from_port = 0
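Review bot: The `#checkov:skip=CKV_AWS_24` suppression on aws_security_group.main (first hunk) is resource-wide, so it also silences the port-22 open-ingress finding when an operator sets `ssh_cidr_blocks` to `0.0.0.0/0` or `::/0`; the justification in the comment ("default to []") only holds for the default value. Either validate `ssh_cidr_blocks` in variables.tf so the world-open prefixes are rejected at plan time, or reword the skip so reviewers know it is unconditional: `#checkov:skip=CKV_AWS_24:Port 22 is closed by default; operators opt in via ssh_cidr_blocks, which this skip does not re-check`. In the second hunk the `for_each` line ends with a stray empty `#` comment that should be dropped. The security group resource continues outside the hunk.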
5 changes: 5 additions & 0 deletions output.tf
Expand Up @@ -78,6 +78,11 @@ output "instance_arn" {
value = var.ha_mode ? null : aws_instance.main[0].arn
}

output "instance_public_ip" {
description = "The public IP address of the fck-nat instance if running in non-HA mode"
value = var.ha_mode ? null : aws_instance.main[0].public_ip
}

output "autoscaling_group_arn" {
description = "The ARN of the autoscaling group if running in HA mode"
value = var.ha_mode ? aws_autoscaling_group.main[0].arn : null
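Review bot: The new `instance_public_ip` output should document that it is `null` in HA mode and that, without an Elastic IP, the value is the instance's current auto-assigned address, which changes across stop/start and may be an empty string when the instance has no public address at all; whether this module associates an Elastic IP is not visible in this diff. Suggested wording: `description = "Public IP address of the fck-nat instance in non-HA mode (null in HA mode); not stable across stop/start unless an Elastic IP is associated"`.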
24 changes: 24 additions & 0 deletions variables.tf
Expand Up @@ -129,6 +129,30 @@ variable "additional_security_group_ids" {
default = []
}

variable "use_ssh" {
description = "Whether or not to enable SSH access to the NAT instance"
type = bool
default = false
}

variable "ssh_key_name" {
description = "Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided"
type = string
default = null
}

variable "ssh_cidr_blocks" {
description = "CIDR blocks to allow SSH access to the NAT instance from"
type = object({
ipv4 = optional(list(string), [])
ipv6 = optional(list(string), [])
})
default = {
ipv4 = [],
ipv6 = []
}
}

variable "tags" {
description = "Tags to apply to resources created within the module"
type = map(string)
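Review bot: The `ssh_key_name` description ("SSH access will be enabled only if a key name is provided") no longer matches the design, since the ingress rule in main.tf is gated on `use_ssh` and the CIDR lists rather than on the key; suggest `description = "Name of the EC2 key pair to install on the NAT instance. Only meaningful when use_ssh is true"`. `ssh_cidr_blocks` also accepts arbitrary strings, so a malformed entry (a bare address without a prefix length, for example) surfaces only at apply time inside the security group; a validation block on the variable reports it at plan time with a clear message. The fence below adds that validation inside the existing `ssh_cidr_blocks` variable.
```hcl
variable "ssh_cidr_blocks" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for cidr in concat(var.ssh_cidr_blocks.ipv4, var.ssh_cidr_blocks.ipv6) : can(cidrhost(cidr, 0))
    ])
    error_message = "Every entry of ssh_cidr_blocks.ipv4 and ssh_cidr_blocks.ipv6 must be a CIDR prefix such as 203.0.113.0/24 or 2001:db8::/32."
  }
}
```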
