Google Cloud bastion with IAP tunneling

setup_gcp_bastion.sh

#!/usr/bin/env bash

# set vars
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workflow identity domain

export REGION="us-central1"
export ZONE="us-central1-a"
export NETWORK_NAME="default"
export BASTION_TEMPLATE_NAME="bastion-template"
export BASTION_GROUP_NAME="bastion"

export CLOUD_ROUTER_NAME="router-1"
export CLOUD_ROUTER_ASN="64520"
export NAT_GW_NAME="internet-gw"

# confirm they are installing in right project
while true; do
    read -p "Create bastion on project ${PROJECT_ID} as user ${PROJECT_USER}? " -n 1 -r yn
    echo
    case $yn in
        [Yy]* ) break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done

# enable APIs
gcloud services enable compute.googleapis.com \
    iap.googleapis.com

# grant SSH access
gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
    --direction=INGRESS \
    --action=allow \
    --rules=tcp:22 \
    --source-ranges=35.235.240.0/20

# grant user tunneling (one for each user or group [preferred])
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member=user:$PROJECT_USER \
    --role=roles/iap.tunnelResourceAccessor

# create cloud router and nat gateway
gcloud compute routers create $CLOUD_ROUTER_NAME \
    --network $NETWORK_NAME \
    --asn $CLOUD_ROUTER_ASN \
    --region $REGION

gcloud compute routers nats create $NAT_GW_NAME \
    --router=$CLOUD_ROUTER_NAME \
    --region=$REGION \
    --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges \
    --enable-logging

# create bastion jump host instance template (with NO external IP)
gcloud beta compute --project=$PROJECT_ID instance-templates create $BASTION_TEMPLATE_NAME \
    --machine-type=e2-micro \
    --subnet=projects/${PROJECT_ID}/regions/${REGION}/subnetworks/${NETWORK_NAME} \
    --network-tier=STANDARD \
    --no-address \
    --maintenance-policy=MIGRATE \
    --service-account=${PROJECT_NUMBER}[email protected] \
    --scopes=https://www.googleapis.com/auth/cloud-platform \
    --region=$REGION \
    --tags=bastion \
    --image=ubuntu-2004-focal-v20201028 \
    --image-project=ubuntu-os-cloud \
    --boot-disk-size=10GB \
    --boot-disk-type=pd-standard \
    --boot-disk-device-name=$BASTION_TEMPLATE_NAME \
    --shielded-secure-boot \
    --shielded-vtpm \
    --shielded-integrity-monitoring \
    --labels=role=bastion \
    --reservation-affinity=any

# create bastion jump host managed instance group (1)
gcloud compute --project=$PROJECT_ID instance-groups managed create $BASTION_GROUP_NAME \
    --base-instance-name=$BASTION_GROUP_NAME \
    --template=$BASTION_TEMPLATE_NAME \
    --size=1 \
    --zone=$ZONE

# wait for instance to start
sleep 45

# fetch bastion instance name
export BASTION_NAME=$(gcloud compute instance-groups managed list-instances $BASTION_GROUP_NAME --zone $ZONE --format="value(instance)")

# connect to bastion via IAP tunnel
gcloud beta compute ssh $BASTION_NAME \
    --project $PROJECT_ID \
    --zone $ZONE \
    --tunnel-through-iap

teardown_gcp_bastion.sh

#!/usr/bin/env bash

# set vars
export PROJECT_ID=$(gcloud config get-value project)
export PROJECT_USER=$(gcloud config get-value core/account) # set current user
export PROJECT_NUMBER=$(gcloud projects describe $PROJECT_ID --format="value(projectNumber)")
export IDNS=${PROJECT_ID}.svc.id.goog # workflow identity domain

export REGION="us-central1"
export ZONE="us-central1-a"
export NETWORK_NAME="default"
export BASTION_TEMPLATE_NAME="bastion-template"
export BASTION_GROUP_NAME="bastion"

export CLOUD_ROUTER_NAME="router-1"
export CLOUD_ROUTER_ASN="64520"
export NAT_GW_NAME="internet-gw"

# confirm they are deleting from right project
while true; do
    read -p "Do you wish to delete bastion from ${PROJECT_ID}? " -n 1 -r yn
    echo
    case $yn in
        [Yy]* ) break;;
        [Nn]* ) exit;;
        * ) echo "Please answer yes or no.";;
    esac
done

# grant SSH access
gcloud compute firewall-rules delete allow-ssh-ingress-from-iap

# grant user tunneling (one for each user or group [preferred])
gcloud projects remove-iam-policy-binding $PROJECT_ID \
    --member=user:$PROJECT_USER \
    --role=roles/iap.tunnelResourceAccessor

# create cloud router and nat gateway
gcloud compute routers delete $CLOUD_ROUTER_NAME \
    --region $REGION

gcloud compute routers nats delete $NAT_GW_NAME \
    --router=$CLOUD_ROUTER_NAME \
    --region=$REGION

# create bastion jump host instance template (with NO external IP)
gcloud beta compute --project=$PROJECT_ID instance-templates delete $BASTION_TEMPLATE_NAME

# create bastion jump host managed instance group (1)
gcloud compute --project=$PROJECT_ID instance-groups managed delete $BASTION_GROUP_NAME \
    --zone=$ZONE

echo "Bastion resources removed"