
terraform-google-modules/terraform-google-bastion-host


terraform-google-bastion-host

This module will generate a bastion host VM compatible with OS Login and IAP tunneling that can be used to access internal VMs.

This module will:

  • Create a dedicated service account for the bastion host
  • Create a GCE instance to be the bastion host
  • Create a firewall rule to allow TCP:22 SSH access from IAP to the bastion
  • Create the IAM bindings needed to allow IAP tunneling and OS Login for the specified members

Usage

Basic usage of this module is as follows:

module "iap_bastion" {
  source  = "terraform-google-modules/bastion-host/google"
  version = "0.1.0" # the version constraint must be a quoted string

  project = var.project
  region  = var.region
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.net.self_link
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}

A functional example is included in the examples directory.
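The four items listed under "This module will" above, written out as plain Terraform so the security-relevant settings are visible. This is an added illustration, not the module's own source; the resource names, the machine type and image, and the var.* inputs are assumptions.

```hcl
# Added illustration, not the module's source; names and var.* inputs are assumed.
resource "google_service_account" "bastion" {
  account_id = "bastion" # dedicated identity, not the default compute SA
}

# Only Google's IAP TCP-forwarding range may reach port 22, and only on VMs
# running as the bastion service account (no network tag to misapply elsewhere).
resource "google_compute_firewall" "allow_iap_ssh" {
  name                    = "allow-ssh-from-iap-to-bastion"
  network                 = var.network
  source_ranges           = ["35.235.240.0/20"]
  target_service_accounts = [google_service_account.bastion.email]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

resource "google_compute_instance" "bastion" {
  zone         = var.zone
  name         = "bastion"
  machine_type = "e2-small"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-11" }
  }
  network_interface {
    subnetwork = var.subnet # no access_config block, so no external IP
  }
  metadata = { enable-oslogin = "TRUE" } # SSH keys and sudo governed by IAM
  service_account {
    email  = google_service_account.bastion.email
    scopes = ["cloud-platform"]
  }
}

# Members may open a tunnel to this one instance (resource-level, not project-wide)...
resource "google_iap_tunnel_instance_iam_binding" "tunnel" {
  zone     = var.zone
  instance = google_compute_instance.bastion.name
  role     = "roles/iap.tunnelResourceAccessor"
  members  = var.members
}

# ...and log in through OS Login as unprivileged users (osAdminLogin would grant sudo).
resource "google_compute_instance_iam_binding" "os_login" {
  zone          = var.zone
  instance_name = google_compute_instance.bastion.name
  role          = "roles/compute.osLogin"
  members       = var.members
}
```

Because the instance runs as a dedicated service account, OS Login also requires the members to hold roles/iam.serviceAccountUser on that account; grant it on the service account itself rather than at project level.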

Requirements

These sections describe requirements for using this module.

Software

The following dependencies must be available:

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Storage JSON API: storage-api.googleapis.com
  • Compute Engine API: compute.googleapis.com
  • Cloud Identity-Aware Proxy API: iap.googleapis.com
  • OS Login API: oslogin.googleapis.com

The Project Factory module can be used to provision a project with the necessary APIs enabled.

Contributing

Refer to the contribution guidelines for information on contributing to this module.