Google Cloud bastion with IAP tunneling
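#!/usr/bin/env bash
# Create a private (no external IP) bastion jump host on Google Cloud and open an
# SSH session to it through an IAP TCP-forwarding tunnel.
#
# Usage: run interactively with gcloud already authenticated; the script asks
# once for confirmation before it changes anything in the current project.
# Outputs: an interactive SSH session on the bastion (last step).
set -euo pipefail

# set vars
# Assignment is kept separate from `export` so that a failing gcloud call is not
# masked by the (always zero) exit status of the export builtin.
PROJECT_ID=$(gcloud config get-value project)
: "${PROJECT_ID:?gcloud has no default project configured}"
PROJECT_USER=$(gcloud config get-value core/account) # set current user
: "${PROJECT_USER:?gcloud has no active account}"
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
: "${PROJECT_NUMBER:?could not resolve project number for ${PROJECT_ID}}"
export PROJECT_ID PROJECT_USER PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workload identity domain (not referenced below; kept for callers)
export REGION="us-central1"
export ZONE="us-central1-a"
export NETWORK_NAME="default"
export BASTION_TEMPLATE_NAME="bastion-template"
export BASTION_GROUP_NAME="bastion"
export CLOUD_ROUTER_NAME="router-1"
export CLOUD_ROUTER_ASN="64520"
export NAT_GW_NAME="internet-gw"

# Ask a yes/no question on stdin; returns 0 for yes, exits the script for no.
# Arguments: $1 - prompt text
confirm() {
  local prompt=$1
  local yn
  while true; do
    read -p "${prompt} " -n 1 -r yn
    echo
    case "${yn}" in
      [Yy]*) return 0 ;;
      [Nn]*) exit 0 ;;
      *) echo "Please answer yes or no." ;;
    esac
  done
}

# confirm they are installing in right project
confirm "Create bastion on project ${PROJECT_ID} as user ${PROJECT_USER}?"

# enable APIs
gcloud services enable compute.googleapis.com \
  iap.googleapis.com

# grant SSH access from the IAP TCP-forwarding range only.
# The rule is pinned to the network used below and to the `bastion` network tag
# (set on the instance template) so that port 22 is not opened on every
# instance in the network, only on the jump host.
gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
  --project="${PROJECT_ID}" \
  --network="${NETWORK_NAME}" \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:22 \
  --source-ranges=35.235.240.0/20 \
  --target-tags=bastion

# grant user tunneling (one for each user or group [preferred])
# NOTE(review): the `user:` member prefix assumes the active account is a human
# user; a service account needs the `serviceAccount:` prefix instead.
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="user:${PROJECT_USER}" \
  --role=roles/iap.tunnelResourceAccessor

# create cloud router and nat gateway (gives the address-less bastion outbound
# internet access, e.g. for package updates)
gcloud compute routers create "${CLOUD_ROUTER_NAME}" \
  --network "${NETWORK_NAME}" \
  --asn "${CLOUD_ROUTER_ASN}" \
  --region "${REGION}"
gcloud compute routers nats create "${NAT_GW_NAME}" \
  --router="${CLOUD_ROUTER_NAME}" \
  --region="${REGION}" \
  --auto-allocate-nat-external-ips \
  --nat-all-subnet-ip-ranges \
  --enable-logging

# create bastion jump host instance template (with NO external IP)
# NOTE(review): the image is pinned to a fixed 2020 build and will not pick up
# newer OS patches; consider tracking an image family instead.
gcloud beta compute --project="${PROJECT_ID}" instance-templates create "${BASTION_TEMPLATE_NAME}" \
  --machine-type=e2-micro \
  --subnet="projects/${PROJECT_ID}/regions/${REGION}/subnetworks/${NETWORK_NAME}" \
  --network-tier=STANDARD \
  --no-address \
  --maintenance-policy=MIGRATE \
  --service-account="${PROJECT_NUMBER}-compute@developer.gserviceaccount.com" \
  --scopes=https://www.googleapis.com/auth/cloud-platform \
  --region="${REGION}" \
  --tags=bastion \
  --image=ubuntu-2004-focal-v20201028 \
  --image-project=ubuntu-os-cloud \
  --boot-disk-size=10GB \
  --boot-disk-type=pd-standard \
  --boot-disk-device-name="${BASTION_TEMPLATE_NAME}" \
  --shielded-secure-boot \
  --shielded-vtpm \
  --shielded-integrity-monitoring \
  --labels=role=bastion \
  --reservation-affinity=any

# create bastion jump host managed instance group (1)
gcloud compute --project="${PROJECT_ID}" instance-groups managed create "${BASTION_GROUP_NAME}" \
  --base-instance-name="${BASTION_GROUP_NAME}" \
  --template="${BASTION_TEMPLATE_NAME}" \
  --size=1 \
  --zone="${ZONE}"

# wait for instance to start: block until the group reports a stable state
# instead of guessing with a fixed sleep
gcloud compute instance-groups managed wait-until --stable "${BASTION_GROUP_NAME}" \
  --zone "${ZONE}"

# fetch bastion instance name (the group has size 1, so take the first entry)
BASTION_NAME=$(gcloud compute instance-groups managed list-instances "${BASTION_GROUP_NAME}" \
  --zone "${ZONE}" \
  --limit=1 \
  --format="value(instance)")
: "${BASTION_NAME:?no instance found in group ${BASTION_GROUP_NAME}}"
export BASTION_NAME

# connect to bastion via IAP tunnel
gcloud beta compute ssh "${BASTION_NAME}" \
  --project "${PROJECT_ID}" \
  --zone "${ZONE}" \
  --tunnel-through-iap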
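#!/usr/bin/env bash
# Tear down the bastion jump host and the supporting resources created by the
# companion create script (instance group, template, NAT, router, IAM binding,
# firewall rule).
#
# Usage: run interactively with gcloud already authenticated; the script asks
# once for confirmation before deleting anything. Each gcloud delete also has
# its own confirmation prompt.
# Deletion is best-effort: a missing resource is reported and the remaining
# steps still run, so `-e` is deliberately not set.
set -uo pipefail

# Print a diagnostic to stderr without stopping the teardown.
# Arguments: $* - message
warn() {
  printf 'warning: %s\n' "$*" >&2
}

# set vars
PROJECT_ID=$(gcloud config get-value project)
: "${PROJECT_ID:?gcloud has no default project configured}"
PROJECT_USER=$(gcloud config get-value core/account) # set current user
: "${PROJECT_USER:?gcloud has no active account}"
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
export PROJECT_ID PROJECT_USER PROJECT_NUMBER
export IDNS="${PROJECT_ID}.svc.id.goog" # workload identity domain (not referenced below; kept for callers)
export REGION="us-central1"
export ZONE="us-central1-a"
export NETWORK_NAME="default"
export BASTION_TEMPLATE_NAME="bastion-template"
export BASTION_GROUP_NAME="bastion"
export CLOUD_ROUTER_NAME="router-1"
export CLOUD_ROUTER_ASN="64520"
export NAT_GW_NAME="internet-gw"

# Ask a yes/no question on stdin; returns 0 for yes, exits the script for no.
# Arguments: $1 - prompt text
confirm() {
  local prompt=$1
  local yn
  while true; do
    read -p "${prompt} " -n 1 -r yn
    echo
    case "${yn}" in
      [Yy]*) return 0 ;;
      [Nn]*) exit 0 ;;
      *) echo "Please answer yes or no." ;;
    esac
  done
}

# confirm they are deleting from right project
confirm "Do you wish to delete bastion from ${PROJECT_ID}?"

# Resources are removed in reverse dependency order: the instance group must go
# before the template it references, and the NAT before the router it belongs to.

# delete bastion jump host managed instance group
gcloud compute --project="${PROJECT_ID}" instance-groups managed delete "${BASTION_GROUP_NAME}" \
  --zone="${ZONE}" \
  || warn "could not delete instance group ${BASTION_GROUP_NAME}"

# delete bastion jump host instance template
gcloud beta compute --project="${PROJECT_ID}" instance-templates delete "${BASTION_TEMPLATE_NAME}" \
  || warn "could not delete instance template ${BASTION_TEMPLATE_NAME}"

# delete nat gateway, then the cloud router
gcloud compute routers nats delete "${NAT_GW_NAME}" \
  --router="${CLOUD_ROUTER_NAME}" \
  --region="${REGION}" \
  || warn "could not delete NAT gateway ${NAT_GW_NAME}"
gcloud compute routers delete "${CLOUD_ROUTER_NAME}" \
  --region "${REGION}" \
  || warn "could not delete router ${CLOUD_ROUTER_NAME}"

# revoke user tunneling (one for each user or group that was granted)
gcloud projects remove-iam-policy-binding "${PROJECT_ID}" \
  --member="user:${PROJECT_USER}" \
  --role=roles/iap.tunnelResourceAccessor \
  || warn "could not remove IAP tunnel binding for ${PROJECT_USER}"

# revoke SSH access from the IAP range
gcloud compute firewall-rules delete allow-ssh-ingress-from-iap \
  --project="${PROJECT_ID}" \
  || warn "could not delete firewall rule allow-ssh-ingress-from-iap"

echo "Bastion resources removed"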