initial release

.gitignore

@@ -0,0 +1,45 @@
+# OSX leaves these everywhere on SMB shares
+._*
+
+# OSX trash
+.DS_Store
+
+# Python
+*.pyc
+
+# Emacs save files
+*~
+\#*\#
+.\#*
+
+# Vim-related files
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+
+### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Kitchen files
+**/inspec.lock
+**/.kitchen
+**/kitchen.local.yml
+**/Gemfile.lock
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+**/*.tfvars
+
+credentials.json

CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on
+[Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2019-08-02
+
+- Initial release
+
+[0.1.0]: https://github.com/terraform-google-modules/terraform-google-bastion-host/releases/tag/v0.1.0

CONTRIBUTING.md

@@ -0,0 +1,110 @@
+# Contributing
+
+This document provides guidelines for contributing to the module.
+
+## Generating Documentation for Inputs and Outputs
+
+The Inputs and Outputs tables in the READMEs of the root module,
+submodules, and example modules are automatically generated based on
+the `variables` and `outputs` of the respective modules. These tables
+must be refreshed if the module interfaces are changed.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [make]
+- [terraform-docs] v0.6.0
+
+### Execution
+
+Run `make generate_docs` to generate new Inputs and Outputs tables.
+
+## Integration Testing
+
+Integration tests are used to verify the behaviour of the root module,
+submodules, and example modules. Additions, changes, and fixes should
+be accompanied with tests.
+
+The integration tests are run using [Kitchen][kitchen],
+[Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These
+tools are packaged within a Docker image for convenience.
+
+The general strategy for these tests is to verify the behaviour of the
+[example modules](./examples), thus ensuring that the root module,
+submodules, and example modules are all functionally correct.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [Docker Engine][docker-engine]
+- [Google Cloud SDK][google-cloud-sdk]
+- [make]
+
+### Inputs
+
+Test instances are defined in the
+[Kitchen configuration file](./kitchen.yml). The inputs of each Kitchen
+instance may be configured with the `driver.variables` key in a
+local Kitchen configuration file located at `./kitchen.local.yml` or in
+a Terraform variables file located at
+`./test/fixtures/<instance>/variables.tfvars`.
+
+### Credentials
+
+Download the key of a Service Account with the
+[required roles][required-roles] to `./credentials.json`.
+
+### Interactive Execution
+
+1. Run `make docker_run` to start the testing Docker container in
+   interactive mode.
+
+1. Run `kitchen create <EXAMPLE_NAME>` to initialize the working
+   directory for an example module.
+
+1. Run `kitchen converge <EXAMPLE_NAME>` to apply the example module.
+
+1. Run `kitchen verify <EXAMPLE_NAME>` to test the example module.
+
+1. Run `kitchen destroy <EXAMPLE_NAME>` to destroy the example module
+   state.
+
+### Noninteractive Execution
+
+Run `make test_integration_docker` to test all of the example modules
+noninteractively.
+
+## Linting and Formatting
+
+Many of the files in the repository can be linted or formatted to
+maintain a standard of quality.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [flake8]
+- [gofmt]
+- [hadolint]
+- [make]
+- [shellcheck]
+- [Terraform][terraform] v0.11
+
+### Execution
+
+Run `make check`.
+
+[docker-engine]: https://www.docker.com/products/docker-engine
+[flake8]: http://flake8.pycqa.org/en/latest/
+[gofmt]: https://golang.org/cmd/gofmt/
+[google-cloud-sdk]: https://cloud.google.com/sdk/install
+[hadolint]: https://github.com/hadolint/hadolint
+[inspec]: https://inspec.io/
+[kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform
+[kitchen]: https://kitchen.ci/
+[make]: https://en.wikipedia.org/wiki/Make_(software)
+[shellcheck]: https://www.shellcheck.net/
+[terraform-docs]: https://github.com/segmentio/terraform-docs
+[terraform]: https://terraform.io/

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/

README.md

@@ -0,0 +1,68 @@
+# terraform-google-bastion-host
+
+This module was generated from [terraform-google-module-template](https://github.com/terraform-google-modules/terraform-google-module-template/).
+
+This module will generate a bastion host vm compatible with os login and IAP tunneling that can be used to access internal VMs.
+
+The resources/services/activations/deletions that this module will create/trigger are:
+
+- Creates a dedicated service account for the bastion host VM
+- Creates a GCE instance of n1-standard to be the bastion
+- Firewall to allow TCP:22 ssh access from the IAP to the bastion
+- Firewall to allow TCP:22 ssh acccess from the bastion to other instances on the network
+- IAM binding to allow members to utilize the IAP Tunnel
+- IAM binding granting os login to members through the bastion host
+- IAM binding granting the usage of the dedicated bastion host service account
+- Creates a custom role that has limited privileges to enable OS Login on an instance level
+- IAM binding to the custom role
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "iap_bastion" {
+  source = "terraform-google-modules/terraform-google-bastion-host/"
+  project_id  = "<PROJECT ID>"
+  subnet = "<VPC_SUBNET>"
+  network = "<VPC_NETWORK>"
+  zone = "<ZONE>"
+  members = "<MEMBERS>"
+}
+```
+
+Functional example is included in the
+[examples](./examples/) directory.
+
+## Requirements
+
+These sections describe requirements for using this module.
+
+### Software
+
+The following dependencies must be available:
+
+- [Terraform][terraform] v0.11
+- [Terraform Provider for GCP][terraform-provider-gcp] plugin v2.0
+
+### APIs
+
+A project with the following APIs enabled must be used to host the
+resources of this module:
+
+- Google Cloud Storage JSON API: `storage-api.googleapis.com`
+- Compute Engine API: `compute.googleapis.com`
+- Cloud Identity-Aware Proxy API: `iap.googleapis.com`
+
+The [Project Factory module][project-factory-module] can be used to
+provision a project with the necessary APIs enabled.
+
+## Contributing
+
+Refer to the [contribution guidelines](./CONTRIBUTING.md) for
+information on contributing to this module.
+
+[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google
+[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
+[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html
+[terraform]: https://www.terraform.io/downloads.html

examples/two_service_example/README.md

@@ -0,0 +1,41 @@
+# Two Service Example
+
+This example illustrates how to use the `iap-bastion` module. It illustrate an example where there are two services being deployed in a single project. Service A is deployed to two VMS (priv-host-a-1 and priv-host-a-2) and Service B is deployed to a single VM (priv-host-b-1). The bastion host module is deployed that will allow User A to access VM's for Service A, and User B to access Service B through the shared bastion host.
+
+After this module is deployed, you can test ssh-ing to the private hosts by following these steps:
+
+1. Login as User A:
+
+- `gcloud auth login` login as user A
+
+2. If you have existing google_compute_engine ssh keys, ( ~/.ssh/google_compute_engine.pub ) back them up, otherwise continue to step 3
+
+- `cd ~/.ssh` change working directory to ssh directory
+- `mv google_compute_engine.pub google_compute_engine_backup.pub` backup public key
+- `mv google_compute_engine google_compute_engine_backup_backup` backup private key
+
+3. Change project to sample project
+
+- `gcloud config set project <project-id>` change to project id that you used
+
+4. Generate new google compute engine keys and ssh over to bastion host
+
+- `gcloud compute ssh bastion-vm --zone=<zone you used>` zone defaults to us-central1-a
+
+5. Exit out from bastion
+
+- `exit` should return to local terminal
+
+6. Start SSH Agent
+
+- `eval "$(ssh-agent -s)"`
+
+7. Add SSH key to the ssh-agent
+
+- `ssh-add ~/.ssh/google_compute_engine`
+
+8. SSH to private VM through bastion host
+
+- `gcloud compute ssh bastion-vm --zone=us-central1-a --ssh-flag="-A" --command "ssh priv-host-a-1" -- -t`
+
+9. Can also try sshing to the other host, priv-host-a-2. Should work. Try sshing to the B host, (priv-host-b-2) should fail. Try using user B, get another user to follow above steps. If you have access to a test account, you can use that as well, but make sure to backup the ssh keys from the steps above.

examples/two_service_example/example.tf

@@ -0,0 +1,31 @@
+/**
+ * Copyright 2018 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  project = "${var.project_id}"
+  zone    = "${var.zone}"
+}
+
+provider "google-beta" {}
+
+module "iap_bastion" {
+  source     = "../.."
+  project_id = "${var.project_id}"
+  subnet     = "${var.subnet}"
+  network    = "${var.network}"
+  zone       = "${var.zone}"
+  members    = ["${var.user-a}", "${var.user-b}"]
+}

examples/two_service_example/iam.tf

@@ -0,0 +1,29 @@
+resource "google_compute_instance_iam_member" "alice_oslogin_1" {
+  instance_name = "${google_compute_instance.priv_host_a_1.name}"
+  role          = "roles/compute.osLogin"
+  member        = "${var.user-a}"
+}
+
+resource "google_compute_instance_iam_member" "alice_oslogin_2" {
+  instance_name = "${google_compute_instance.priv_host_a_2.name}"
+  role          = "roles/compute.osLogin"
+  member        = "${var.user-a}"
+}
+
+resource "google_service_account_iam_member" "gce-default-account-iam" {
+  service_account_id = "${google_service_account.service-a.id}"
+  role               = "roles/iam.serviceAccountUser"
+  member             = "${var.user-a}"
+}
+
+resource "google_compute_instance_iam_member" "bdole_oslogin" {
+  instance_name = "${google_compute_instance.priv_host_b_1.name}"
+  role          = "roles/compute.osLogin"
+  member        = "${var.user-b}"
+}
+
+resource "google_service_account_iam_member" "bdole_use_sa" {
+  service_account_id = "${google_service_account.service-b.id}"
+  role               = "roles/iam.serviceAccountUser"
+  member             = "${var.user-b}"
+}