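# ====== Bastion security groups ======= #
# Allow access to the bastion host from authorised networks.
# This security group will be applied to the bastion server.
#
# Egress note: Terraform removes AWS's default allow-all egress rule from the
# groups it manages, so the only outbound traffic this group permits is the
# SSH-to-VPC rule below. Outbound internet access (package updates, and the
# NAT role mentioned in the description) is not allowed by this group —
# confirm that matches the bastion's intended role before relying on it.
resource "aws_security_group" "bastion" {
  name        = "bastion"
  description = "Allow access from allowed_networks via SSH, and NAT internal traffic"
  vpc_id      = "${var.vpc_id}"

  # SSH from the operator networks.
  # Written as a nested block (`ingress { ... }`) rather than the attribute
  # form (`ingress = { ... }`) so both ingress rules use the same syntax; the
  # attribute form is handled differently by Terraform and is not accepted
  # by later releases.
  # Assumes var.allowed_ip_addresses is a list (or a single CIDR); a
  # comma-separated string would need split(",", ...) — confirm the variable's
  # type.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.allowed_ip_addresses}"]
    self        = false
  }

  # NAT: every TCP port, reachable from any host inside the VPC CIDR.
  # This is deliberately broad for the NAT role; if the bastion stops acting
  # as NAT, narrow it to the ports actually needed.
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["${var.cidr_block}"]
    self        = false
  }

  # Outbound: SSH into the VPC only (the jump-host path).
  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${var.cidr_block}"]
  }
}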
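# Allow access to other servers from the bastion host.
# This security group will be applied to any server that is accessed by the bastion server.
#
# Only SSH is opened. The group is named allow_bastion_ssh and the bastion's
# purpose is to be an SSH jump host, so the previous 0-65535/tcp range was
# wider than its stated purpose. Add a further ingress block here if a
# specific service genuinely has to be reachable from the bastion.
#
# No egress block is declared. Terraform removes AWS's default allow-all
# egress rule from the groups it manages, so outbound traffic from instances
# carrying this group depends on their other security groups — verify.
resource "aws_security_group" "allow_bastion" {
  name        = "allow_bastion_ssh"
  description = "Allow access from bastion host"
  vpc_id      = "${var.vpc_id}"

  # The source is the bastion's security group rather than a CIDR, so the
  # rule keeps working if the bastion instance is replaced and its address
  # changes.
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = ["${aws_security_group.bastion.id}"]
    self            = false
  }
}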
# ====== Bastion host instances ======= #
# Render user_data.sh for the bastion, with the contents of ssh/id_rsa
# exposed to the template as `ssh_key`.
# NOTE(review): ssh/id_rsa looks like a private key. Reading it with file()
# puts it into the Terraform state and into the instance's user-data
# attribute, which is readable from inside the instance and by any principal
# allowed to describe instance attributes. Treat the key as exposed wherever
# the state is stored, keep it scoped to what the bastion actually needs, and
# prefer delivering it out-of-band if possible.
resource "template_file" "user_data" {
template = "${file("${path.module}/user_data.sh")}"
vars {
ssh_key = "${file("${path.module}/ssh/id_rsa")}"
}
}
# The bastion instance itself: one host in the first public subnet, carrying
# the "bastion" security group.
resource "aws_instance" "bastion_host" {
  # First entry of the comma-separated public_subnets variable.
  subnet_id     = "${element(split(",", var.public_subnets), 0)}"
  ami           = "${var.ami}"
  instance_type = "${var.instance_type}"
  key_name      = "${var.key_name}"

  vpc_security_group_ids = [
    "${aws_security_group.bastion.id}"
  ]

  # Rendered user_data.sh from the template_file resource.
  user_data = "${template_file.user_data.rendered}"

  # NOTE(review): the Route 53 record reads this instance's public_ip.
  # associate_public_ip_address is not set here, so a public address depends
  # on the subnet's auto-assign setting — confirm the public subnets enable it.
  tags {
    Name = "bastion-host"
  }
}
# ====== Domain name ======= #
# Associate the instances created above with a single domain name.
# The hosted zone is given as a fixed id rather than a variable, unlike every
# other input in this module, so the record only resolves in the account that
# owns that zone — consider lifting it to a variable.
resource "aws_route53_record" "bastion_host" {
  type    = "A"
  ttl     = "300"
  zone_id = "Z3820KW3201KHJ"
  name    = "${var.bastion_host_domain_name}"

  # Points at the bastion's current public address; replacing the instance
  # re-points the record on the next apply.
  records = [
    "${aws_instance.bastion_host.public_ip}"
  ]
}
~ module.bastion-host.aws_security_group.bastion
ingress.#: "3" => "2"
ingress.2541437006.cidr_blocks.#: "1" => "0"
ingress.2541437006.cidr_blocks.0: "0.0.0.0/0" => ""
ingress.2541437006.from_port: "22" => "0"
ingress.2541437006.protocol: "tcp" => ""
ingress.2541437006.security_groups.#: "0" => "0"
ingress.2541437006.self: "0" => "0"
ingress.2541437006.to_port: "22" => "0"
ingress.2609145604.cidr_blocks.#: "1" => "1"
ingress.2609145604.cidr_blocks.0: "82.35.29.203/32" => "82.35.29.203/32"
ingress.2609145604.from_port: "22" => "22"
ingress.2609145604.protocol: "tcp" => "tcp"
ingress.2609145604.security_groups.#: "0" => "0"
ingress.2609145604.self: "0" => "0"
ingress.2609145604.to_port: "22" => "22"
ingress.3581498979.cidr_blocks.#: "1" => "1"
ingress.3581498979.cidr_blocks.0: "10.0.0.0/16" => "10.0.0.0/16"
ingress.3581498979.from_port: "0" => "0"
ingress.3581498979.protocol: "tcp" => "tcp"
ingress.3581498979.security_groups.#: "0" => "0"
ingress.3581498979.self: "0" => "0"
ingress.3581498979.to_port: "65535" => "65535"