This module will generate a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs.
This module will:
- Create a dedicated service account for the bastion host
- Create a GCE instance to be the bastion host
- Create a firewall rule to allow TCP:22 SSH access from the IAP to the bastion
- Create the necessary IAM bindings to allow IAP and OS Logins from specified members
Basic usage of this module is as follows:
```hcl
module "iap_bastion" {
  source  = "terraform-google-modules/bastion-host/google"
  version = "0.1.0" # version constraints must be quoted strings

  project = var.project
  region  = var.region
  zone    = var.zone
  network = google_compute_network.net.self_link
  subnet  = google_compute_subnetwork.net.self_link

  # Principals granted IAP tunnel and OS Login access to the bastion
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}
```
A functional example is included in the examples directory.
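The firewall rule listed above is meant to admit SSH to the bastion only from IAP. The following check is an added example, not part of this module: it reviews firewall rules shaped like the output of `gcloud compute firewall-rules list --format=json` and reports any rule that lets TCP:22 reach the bastion from outside the IAP TCP forwarding range. The range `35.235.240.0/20` comes from Google Cloud's IAP documentation; the service account email, rule names and sample rules are constructed.

```python
import ipaddress

# IAP TCP forwarding source range, as documented by Google Cloud.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
# Constructed placeholder for the bastion's dedicated service account.
BASTION_SA = "bastion@example-project.iam.gserviceaccount.com"
SSH = [{"IPProtocol": "tcp", "ports": ["22"]}]

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "allowed": SSH,
     "sourceRanges": ["35.235.240.0/20"], "targetServiceAccounts": [BASTION_SA]},
    {"name": "default-allow-ssh", "direction": "INGRESS", "allowed": SSH,
     "sourceRanges": ["0.0.0.0/0"]},
    {"name": "legacy-admin", "direction": "INGRESS",
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}],
     "sourceRanges": ["35.235.240.0/20", "203.0.113.0/24"],
     "targetServiceAccounts": [BASTION_SA]},
]

def allows_tcp_22(rule):
    """True if an allow entry covers TCP 22: single port, range, or all ports."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "6", "all"):
            continue
        # An entry with no port list covers every port.
        for spec in entry.get("ports") or ["0-65535"]:
            low, _, high = spec.partition("-")
            if int(low) <= 22 <= int(high or low):
                return True
    return False

def inside_iap(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and net.subnet_of(IAP_RANGE)

def ssh_sources_outside_iap(rules, bastion_sa=BASTION_SA):
    """Map rule name -> source ranges admitting SSH to the bastion from outside IAP."""
    findings = {}
    for rule in rules:
        targets = rule.get("targetServiceAccounts")
        # Untargeted and tag-targeted rules are conservatively assumed to reach the bastion.
        if (rule.get("direction") != "INGRESS" or rule.get("disabled")
                or (targets and bastion_sa not in targets) or not allows_tcp_22(rule)):
            continue
        outside = [c for c in rule.get("sourceRanges", []) if not inside_iap(c)]
        if outside:
            findings[rule["name"]] = outside
    return findings
```

On the constructed sample, `ssh_sources_outside_iap(SAMPLE_RULES)` flags `default-allow-ssh` and the extra range on `legacy-admin`, and passes the IAP-only rule.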
These sections describe requirements for using this module.
The following dependencies must be available:
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Storage JSON API: storage-api.googleapis.com
- Compute Engine API: compute.googleapis.com
- Cloud Identity-Aware Proxy API: iap.googleapis.com
- OS Login API: oslogin.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.