From efff249c14172400c8402cdd8058847a200e9398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Doriann=20Corlou=C3=ABr?= Date: Mon, 17 Jun 2024 23:13:45 +0900 Subject: [PATCH] Adding SSH support (#25) * Add capability to establish SSH connections to the NAT instance. * change ssh configuration variables behaviour * update ssh configurations readme * SSH optional + no default CIDR * SSH CIDR Blocks ipv6 support + checkov false positive ignore --------- Co-authored-by: SpaicyGaming --- README.md | 4 ++++ ec2.tf | 1 + main.tf | 14 ++++++++++++++ output.tf | 5 +++++ variables.tf | 24 ++++++++++++++++++++++++ 5 files changed, 48 insertions(+) diff --git a/README.md b/README.md index 8bea94d..7ed2a5c 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,8 @@ module "fck-nat" { | [name](#input\_name) | Name used for resources created within the module | `string` | n/a | yes | | [route\_table\_id](#input\_route\_table\_id) | Deprecated. Use route\_tables\_ids instead | `string` | `null` | no | | [route\_tables\_ids](#input\_route\_tables\_ids) | Route tables to update. Only valid if update\_route\_tables is true | `map(string)` | `{}` | no | +| [ssh\_cidr\_blocks](#input\_ssh\_cidr\_blocks) | CIDR blocks to allow SSH access to the NAT instance from |
object({
ipv4 = optional(list(string), [])
ipv6 = optional(list(string), [])
})
|
{
"ipv4": [],
"ipv6": []
}
| no | +| [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided | `string` | `null` | no | | [subnet\_id](#input\_subnet\_id) | Subnet ID to deploy the NAT instance into | `string` | n/a | yes | | [tags](#input\_tags) | Tags to apply to resources created within the module | `map(string)` | `{}` | no | | [update\_route\_table](#input\_update\_route\_table) | Deprecated. Use update\_route\_tables instead | `bool` | `false` | no | @@ -89,6 +91,7 @@ module "fck-nat" { | [use\_cloudwatch\_agent](#input\_use\_cloudwatch\_agent) | Whether or not to enable CloudWatch agent for the NAT instance | `bool` | `false` | no | | [use\_default\_security\_group](#input\_use\_default\_security\_group) | Whether or not to use the default security group for the NAT instance | `bool` | `true` | no | | [use\_spot\_instances](#input\_use\_spot\_instances) | Whether or not to use spot instances for running the NAT instance | `bool` | `false` | no | +| [use\_ssh](#input\_use\_ssh) | Whether or not to enable SSH access to the NAT instance | `bool` | `false` | no | | [vpc\_id](#input\_vpc\_id) | VPC ID to deploy the NAT instance into | `string` | n/a | yes | ## Outputs 
@@ -104,6 +107,7 @@ module "fck-nat" { | [ha\_mode](#output\_ha\_mode) | Whether or not high-availability mode is enabled via autoscaling group | | [instance\_arn](#output\_instance\_arn) | The ARN of the fck-nat instance if running in non-HA mode | | [instance\_profile\_arn](#output\_instance\_profile\_arn) | The ARN of the instance profile used by the fck-nat instance | +| [instance\_public\_ip](#output\_instance\_public\_ip) | The public IP address of the fck-nat instance if running in non-HA mode | | [instance\_type](#output\_instance\_type) | Instance type used for the fck-nat instance | | [kms\_key\_id](#output\_kms\_key\_id) | KMS key ID to use for encrypting fck-nat instance EBS volumes | | [launch\_template\_id](#output\_launch\_template\_id) | The ID of the launch template used to spawn fck-nat instances | diff --git a/ec2.tf b/ec2.tf index 5585c88..e4039a4 100644 --- a/ec2.tf +++ b/ec2.tf @@ -36,6 +36,7 @@ resource "aws_launch_template" "main" { name = var.name image_id = local.ami_id instance_type = var.instance_type + key_name = var.ssh_key_name block_device_mappings { device_name = "/dev/xvda" diff --git a/main.tf b/main.tf index 5e37621..c294986 100644 --- a/main.tf +++ b/main.tf @@ -14,6 +14,7 @@ data "aws_vpc" "main" { } resource "aws_security_group" "main" { + #checkov:skip=CKV_AWS_24:False positive from Checkov, ingress CIDR blocks on port 22 default to "[]" name = var.name description = "Used in ${var.name} instance of fck-nat in subnet ${var.subnet_id}" vpc_id = data.aws_vpc.main.id 
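Review bot: The added `key_name = var.ssh_key_name` is not gated on `var.use_ssh`, while the port-22 ingress in main.tf is, so the two knobs that the README presents as controlling SSH can disagree: with `use_ssh = false` and a key name set, the key is still installed on the instance, and with `use_ssh = true` and no key the rule is opened for nothing. The `ssh_key_name` description ("SSH access will be enabled only if a key name is provided") describes a gate that this hunk does not implement. Consider `key_name = var.use_ssh ? var.ssh_key_name : null` so a single toggle controls both the key and the rule, and align the description with it. The `aws_launch_template` body continues outside the hunk, and whether the non-HA `aws_instance` also consumes this template is not visible here.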
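Review bot: The `#checkov:skip=CKV_AWS_24` suppression is justified by the variable default, but it silences the check for every value a caller passes, so `ssh_cidr_blocks = { ipv4 = ["0.0.0.0/0"] }` produces a world-open port 22 with no finding. The default is not where the risk is anyway: the `dynamic "ingress"` in the following hunk omits the rule entirely when both lists are empty. To keep the skip an honest false positive, pair it with a `validation` block on `ssh_cidr_blocks` that rejects `0.0.0.0/0` and `::/0` (see the variables.tf hunk), and make the comment state the real reason: `#checkov:skip=CKV_AWS_24:Port 22 ingress is only created when the caller sets use_ssh and supplies ssh_cidr_blocks; world-open ranges are rejected by variable validation`. The `aws_security_group` body continues outside the hunk.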
@@ -26,6 +27,19 @@ resource "aws_security_group" "main" { cidr_blocks = data.aws_vpc.main.cidr_block_associations[*].cidr_block } + dynamic "ingress" { + for_each = var.use_ssh && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0) ? [1] : [] # + + content { + description = "SSH access" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = var.ssh_cidr_blocks.ipv4 + ipv6_cidr_blocks = var.ssh_cidr_blocks.ipv6 + } + } + egress { description = "Unrestricted egress" from_port = 0 diff --git a/output.tf b/output.tf index 84f907b..e3784a1 100644 --- a/output.tf +++ b/output.tf @@ -78,6 +78,11 @@ output "instance_arn" { value = var.ha_mode ? null : aws_instance.main[0].arn } +output "instance_public_ip" { + description = "The public IP address of the fck-nat instance if running in non-HA mode" + value = var.ha_mode ? null : aws_instance.main[0].public_ip +} + output "autoscaling_group_arn" { description = "The ARN of the autoscaling group if running in HA mode" value = var.ha_mode ? aws_autoscaling_group.main[0].arn : null diff --git a/variables.tf b/variables.tf index 7038ac8..ccb61ca 100644 --- a/variables.tf +++ b/variables.tf @@ -129,6 +129,30 @@ variable "additional_security_group_ids" { default = [] } +variable "use_ssh" { + description = "Whether or not to enable SSH access to the NAT instance" + type = bool + default = false +} + +variable "ssh_key_name" { + description = "Name of the SSH key to use for the NAT instance. SSH access will be enabled only if a key name is provided" + type = string + default = null +} + +variable "ssh_cidr_blocks" { + description = "CIDR blocks to allow SSH access to the NAT instance from" + type = object({ + ipv4 = optional(list(string), []) + ipv6 = optional(list(string), []) + }) + default = { + ipv4 = [], + ipv6 = [] + } +} + variable "tags" { description = "Tags to apply to resources created within the module" type = map(string)
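Review bot: The `for_each` line of the new `dynamic "ingress"` appears to end in a bare `#` after `? [1] : []`, which reads as either a leftover or a comment that was never written; if it is meant to explain the `[1] : []` idiom, say so, otherwise drop it. The gate also checks `use_ssh` and the CIDR lists but not `ssh_key_name`, so the rule can be created for an instance that has no key to log in with; `for_each = var.use_ssh && var.ssh_key_name != null && (length(var.ssh_cidr_blocks.ipv4) > 0 || length(var.ssh_cidr_blocks.ipv6) > 0) ? [1] : []` ties the rule to an actual access path. If `aws_security_group.main` is only attached when `use_default_security_group` is true (not visible in this hunk), `use_ssh` silently does nothing for callers who bring their own security group, which is worth one sentence in the `use_ssh` description. The resource body continues outside the hunk.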
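Review bot: `instance_public_ip` reads `aws_instance.main[0].public_ip` directly, and that attribute is empty when the instance has no public address and, if the module associates an Elastic IP through a separate resource (not visible in this hunk), may hold the auto-assigned address rather than the EIP until the next refresh. The description only covers the HA case; consider `description = "The public IP address of the fck-nat instance if running in non-HA mode; null in HA mode and empty when the instance has no public address"` so callers do not treat the value as the stable SSH endpoint without checking.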
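Review bot: `ssh_cidr_blocks` accepts any string, including `0.0.0.0/0` and `::/0`, and the Checkov skip added in main.tf suppresses the one check that would have flagged that, so the module itself is the only place left to refuse world-open SSH. A `validation` block that requires each entry to parse as a CIDR and rejects the two catch-all ranges closes that gap and makes the skip a genuine false positive; the `default` can also be reduced to `{}` since both attributes already carry `optional(list(string), [])` defaults. The `ssh_key_name` description ("SSH access will be enabled only if a key name is provided") does not match the `use_ssh` gating in main.tf and should say which variable actually controls access.

```hcl
variable "ssh_cidr_blocks" {
  description = "CIDR blocks to allow SSH access to the NAT instance from"
  # … unchanged: type …
  default = {}

  validation {
    condition = alltrue([
      for c in concat(var.ssh_cidr_blocks.ipv4, var.ssh_cidr_blocks.ipv6) :
      can(cidrhost(c, 0)) && !contains(["0.0.0.0/0", "::/0"], c)
    ])
    error_message = "ssh_cidr_blocks entries must be valid CIDRs and must not be 0.0.0.0/0 or ::/0."
  }
}
```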