# Region the provider is configured for; looked up once so other parts of the
# module can reference it (it is not referenced within this file).
data "aws_region" "current" {}
# Availability Zones this account can use in the current region. The names feed
# aws_autoscaling_group.bastion-service.availability_zones below.
# NOTE(review): no `state` filter is applied, so zones that are not in the
# "available" state could be returned — confirm the provider version supports
# `state = "available"` before adding it.
data "aws_availability_zones" "available" {}
##########################
# Debian AMI lookup
##########################
# Resolves the newest Debian stretch HVM image published by the Debian AMI account.
# `owners` is pinned to that account so an image with a lookalike name published by
# any other account can never be selected; keep it pinned if the name filter changes.
data "aws_ami" "debian" {
  owners = ["379101102735"] # Debian

  # Newest matching image wins. A freshly published image therefore changes the
  # result between applies; any resource built from it will be replaced accordingly.
  most_recent = true

  filter {
    name   = "name"
    values = ["debian-stretch-hvm-x86_64-*"]
  }
}
############################
# Launch configuration for service host
############################
# Template for every bastion host the ASG launches. `name_prefix` together with
# create_before_destroy lets Terraform create a replacement configuration (e.g. after
# an AMI or user-data change) before the previous one is removed.
resource "aws_launch_configuration" "bastion-service-host" {
  name_prefix   = "${module.label.id}-host"
  image_id      = "${local.bastion_ami_id}"
  instance_type = "${var.bastion_instance_type}"
  key_name      = "${var.bastion_service_host_key_name}"

  # Hosts receive no public address; they are reached via the load balancer only.
  associate_public_ip_address = "false"

  # Service security group plus any caller-supplied groups (empty entries dropped).
  security_groups = ["${aws_security_group.bastion_service.id}", "${compact(concat(var.security_groups_additional))}"]

  # Both instance profile resources are concatenated and the first ARN taken;
  # presumably only one of them is created (the other has count 0) — verify in
  # the IAM definitions, as element 0 silently picks whichever comes first.
  iam_instance_profile = "${element((concat(aws_iam_instance_profile.bastion_service_assume_role_profile.*.arn, aws_iam_instance_profile.bastion_service_profile.*.arn)), 0)}"

  # Rendered cloud-init config; its contents are defined elsewhere in the module.
  user_data = "${data.template_cloudinit_config.config.rendered}"

  # NOTE(review): neither metadata_options (IMDSv2, http_tokens = "required") nor
  # root_block_device encryption is set; both would harden the hosts if the provider
  # version in use supports them — confirm before adding.

  lifecycle {
    create_before_destroy = true
  }
}
#######################################################
# ASG section
#######################################################
# Auto Scaling group that keeps the bastion hosts running and registers them with
# the load balancer target groups. The group name is derived from the launch
# configuration name, so a new launch configuration yields a new group; with
# create_before_destroy the new group is up before the old one is torn down.
resource "aws_autoscaling_group" "bastion-service" {
  name                 = "${aws_launch_configuration.bastion-service-host.name}"
  launch_configuration = "${aws_launch_configuration.bastion-service-host.name}"

  min_size         = "${var.asg_min}"
  max_size         = "${var.asg_max}"
  desired_capacity = "${var.asg_desired}"

  # NOTE(review): both availability_zones and vpc_zone_identifier are given; the
  # zone list must agree with the subnets' zones or the provider may report a
  # permanent diff — confirm var.subnets_asg covers the same zones.
  availability_zones  = ["${data.aws_availability_zones.available.names}"]
  vpc_zone_identifier = ["${var.subnets_asg}"]

  # Service target group plus the per-host target groups (count-based, may be empty).
  target_group_arns = ["${aws_lb_target_group.bastion-service.arn}", "${aws_lb_target_group.bastion-host.*.arn}"]

  # NOTE(review): health_check_type is left at its default, so a host failing its
  # target-group health check is not replaced by the group — decide whether
  # `health_check_type = "ELB"` is wanted here.

  tags = ["${module.label.tags_as_list_of_maps}"]

  # Explicit in addition to the implicit reference above.
  depends_on = ["aws_launch_configuration.bastion-service-host"]

  lifecycle {
    create_before_destroy = true
  }
}
####################################################
# DNS Section
###################################################
# Optional alias record pointing the bastion host name at the load balancer.
# Created only when a Route 53 zone id is supplied (count 0 otherwise).
resource "aws_route53_record" "bastion_service" {
  count = "${var.route53_zone_id != "" ? 1 : 0}"

  zone_id = "${var.route53_zone_id}"
  name    = "${local.bastion_host_name}.${var.dns_domain}"
  type    = "A"

  # Alias to the LB so the record follows the LB's own addresses; with
  # evaluate_target_health the record is withheld while the LB reports unhealthy.
  alias {
    name                   = "${aws_lb.bastion-service.dns_name}"
    zone_id                = "${aws_lb.bastion-service.zone_id}"
    evaluate_target_health = true
  }
}
####################################################
# sample policy for parent account
###################################################
# Identity of the account Terraform is running as; its account id is substituted
# into the sample policy template below.
data "aws_caller_identity" "current" {}
# Renders an example IAM policy for the parent account from the module's template.
# Only rendered when assume-role mode is on (local.assume_role_yes acts as the count).
# This is documentation output only; nothing in this file applies the policy.
data "template_file" "sample_policies_for_parent_account" {
  count    = "${local.assume_role_yes}"
  template = "${file("${path.module}/sts_assumerole_example/policy_example.tpl")}"

  # Values substituted into the template.
  vars {
    assume_role_arn           = "${var.assume_role_arn}"
    bastion_allowed_iam_group = "${var.bastion_allowed_iam_group}"
    aws_account_id            = "${data.aws_caller_identity.current.account_id}"
  }
}