Add support to specify CIDR from where ssh is allowed on bastion host

hazim1093 · hazim1093 · commit 8dd5b0f6b525 · 2017-08-29T19:01:44.000+05:00
diff --git a/modules/bastion/main.tf b/modules/bastion/main.tf
@@ -12,9 +12,7 @@ resource "aws_security_group" "bastion" {
     from_port = 22
     to_port   = 22
 
-    cidr_blocks = [
-      "0.0.0.0/0",
-    ]
+    cidr_blocks = "${var.allow_ssh_cidrs}"
   }
 
   egress {
@@ -46,11 +44,11 @@ data "template_file" "user_data" {
 }
 
 resource "aws_launch_configuration" "bastion" {
-  name_prefix   = "${var.name}"
-  image_id      = "${var.ami}"
-  instance_type = "${var.instance_type}"
-  key_name      = "${var.keypair}"
-  user_data     = "${data.template_file.user_data.rendered}"
+  name_prefix                 = "${var.name}"
+  image_id                    = "${var.ami}"
+  instance_type               = "${var.instance_type}"
+  key_name                    = "${var.keypair}"
+  user_data                   = "${data.template_file.user_data.rendered}"
   associate_public_ip_address = "${var.associate_public_ip_address}"
 
   security_groups = [
diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf
@@ -56,6 +56,12 @@ variable "associate_public_ip_address" {
   default     = true
 }
 
+variable "allow_ssh_cidrs" {
+  description = "List Cidrs from where ssh is to be allowed for bastion host. Default is anywhere"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
 variable "eip" {
   default = ""
 }
diff --git a/modules/network.tf b/modules/network.tf
@@ -65,6 +65,12 @@ variable "bastion_host_keypair" {
   default     = "bastion-host"
 }
 
+variable "bastion_host_allow_ssh_cidrs" {
+  description = "List Cidrs from where ssh is to be allowed for bastion host. Default is anywhere"
+  type        = "list"
+  default     = ["0.0.0.0/0"]
+}
+
 variable "bastion_host_ami_id" {
   description = "AMI ID from which the bastian host instance will be created."
   default     = ""
@@ -164,6 +170,7 @@ module "bastion-host" {
   source                      = "./bastion"
   instance_type               = "t2.nano"
   keypair                     = "${var.bastion_host_keypair}"
+  allow_ssh_cidrs             = "${var.bastion_host_allow_ssh_cidrs}"
   ami                         = "${var.bastion_host_ami_id}"
   region                      = "${var.aws_region}"
   s3_bucket_uri               = "s3://${var.config_bucket_name}/keypairs"

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,12 @@ variable "associate_public_ip_address" {`
`56`	`56`	`default = true`
`57`	`57`	`}`
`58`	`58`
	`59`	`+variable "allow_ssh_cidrs" {`
	`60`	`+ description = "List Cidrs from where ssh is to be allowed for bastion host. Default is anywhere"`
	`61`	`+ type = "list"`
	`62`	`+ default = ["0.0.0.0/0"]`
	`63`	`+}`
	`64`	`+`
`59`	`65`	`variable "eip" {`
`60`	`66`	`default = ""`
`61`	`67`	`}`