@charity
Created April 14, 2016 00:16
# file name: infra/terraform/modules/aws_vpc/bastion_sg.tf
resource "aws_security_group" "bastion_ssh_sg" {
  # Group attached to the per-VPC bastion hosts: inbound SSH and ICMP echo
  # from any IPv4 source, unrestricted outbound.
  name        = "bastion_ssh"
  description = "Allow ssh to bastion hosts for each vpc from anywhere"
  vpc_id      = "${aws_vpc.mod.id}"

  # SSH from any IPv4 source. NOTE(review): the description makes the
  # world-open listener deliberate; if known admin source ranges exist
  # (office / VPN egress addresses), narrowing cidr_blocks to them would
  # shrink the exposed surface without changing how the bastions are used.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # For protocol "icmp" the AWS provider reads from_port as the ICMP type and
  # to_port as the ICMP code, so 8/0 admits echo request (ping) only.
  ingress {
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # All outbound traffic: protocol "-1" is any protocol, ports 0/0 any port.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "ssh_to_bastion_${var.env}"
  }
}
resource "aws_security_group" "ssh_from_bastion_sg" {
  # Group for hosts inside the VPC that must accept SSH from the bastions.
  # The single rule admits SSH from the whole of var.ip_range rather than
  # from the bastion hosts specifically; per the author's note, VPC NACLs are
  # what narrow that down to this env's bastion hosts or the dev bastion.
  # NOTE(review): a tighter form that does not rely on the NACLs would source
  # the rule from the bastion group itself, i.e.
  #   security_groups = ["${aws_security_group.bastion_ssh_sg.id}"]
  # in place of cidr_blocks — confirm first whether the dev bastion sits in
  # a different VPC, since that case needs a peering-aware reference.
  name        = "ssh_from_bastion"
  description = "Allow ssh from bastion hosts"
  vpc_id      = "${aws_vpc.mod.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.ip_range}"]
  }

  # No egress block is declared: with the AWS provider that removes the
  # default allow-all outbound rule, so outbound access for these hosts has
  # to come from another attached group.
  tags {
    Name = "ssh_from_bastion_${var.env}"
  }
}