@pgporada
Created January 25, 2017 21:15
terraform-bastion
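// Inputs of the bastion module. None has a default, so the caller must set
// every one; the root configuration below feeds most of them from remote
// state. Descriptions say where the root sources each value, not how the
// module consumes it (that part of the module is not shown here).
variable "env" {
  description = "Environment name; used in resource names such as the instance role"
}

variable "instance_type" {
  description = "EC2 instance type for the bastion (root passes var.ec2_bastion_instance_type)"
}

variable "bastion_key_name" {
  description = "EC2 key pair name for the bastion (root passes var.ec2_bastion_key_name)"
}

variable "bastion_key_path" {
  description = "Local path to the private key matching bastion_key_name. Never commit this file or its path's contents; its use inside the module is not visible here"
}

variable "vpc_id" {
  description = "ID of the VPC the bastion lives in (root passes the vpc_id output of the VPC state)"
}

variable "vpc_cidr" {
  description = "CIDR block of the VPC (root passes var.vpc_cidr)"
}

variable "peered_vpc_cidr" {
  description = "CIDR block of a peered VPC (root passes var.peered_vpc_cidr)"
}

variable "subnet_ids" {
  description = "Subnets the bastion may be placed in (root passes the VPC state's public_subnet_ids output)"
}

variable "shell_username" {
  description = "Login user name on the bastion (root passes var.ec2_bastion_user)"
}

variable "public_zone_id" {
  description = "Route53 public hosted zone ID (root passes the DNS state's public_zone_id output)"
}

variable "public_domain" {
  description = "Public DNS domain (root passes the DNS state's public_domain output)"
}

variable "private_zone_id" {
  description = "Route53 private hosted zone ID (root passes the DNS state's private_zone_id output)"
}

variable "private_domain" {
  description = "Private DNS domain (root passes the DNS state's private_domain output)"
}

variable "tier" {
  description = "Deployment tier; used with env in resource names"
}

variable "region" {
  description = "AWS region the bastion is created in (root passes var.region)"
}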
// Resolve the newest bastion base AMI so launch configurations pick up
// rebuilt images without a code change.
//
// owners = ["self"] is the security-relevant line: the tag filters alone
// would match any account's public AMI carrying the same tags, so restricting
// the search to our own account is what prevents a look-alike image from
// being selected.
data "aws_ami" "bastion" {
  owners      = ["self"]
  most_recent = true

  // Hardware shape first, then the image labels.
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  filter {
    name   = "tag:OS_Version"
    values = ["CentOS"]
  }

  filter {
    name   = "tag:Release"
    values = ["7"]
  }
}
// IAM role the bastion instance will assume. Only the trust policy is defined
// here: it lets the EC2 service assume the role, nothing more. Any permissions
// the bastion actually gets come from policies attached elsewhere (not shown),
// so keep those minimal - this host sits on a public subnet.
resource "aws_iam_role" "instance_role" {
// Name is derived from env and tier so each environment/tier pair gets its own role.
name = "${var.env}-${var.tier}-bastion-instance-role"
path = "/"
// Trust policy: principal is the EC2 service, action is sts:AssumeRole only.
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
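// Inputs of the root configuration. All are required.
variable "region" {
  description = "AWS region for the provider, the state bucket and the bastion"
}

// SECURITY: these two are only here to feed the provider block. Values
// supplied through a tfvars file, -var, or TF_VAR_* readily leak into version
// control, shell history and CI logs. Prefer leaving them unset and letting
// the provider use AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, a shared
// credentials profile, or an instance/assumed role instead.
variable "aws_access_key" {
  description = "AWS access key ID for the provider (see note above; avoid committing it)"
}

variable "aws_secret_key" {
  description = "AWS secret access key for the provider (see note above; never commit it)"
}

variable "env" {
  description = "Environment name; part of the state bucket name and state keys"
}

variable "tier" {
  description = "Deployment tier, passed through to the bastion module"
}

variable "vpc_cidr" {
  description = "CIDR block of the VPC, passed through to the bastion module"
}

variable "peered_vpc_cidr" {
  description = "CIDR block of the peered VPC, passed through to the bastion module"
}

// key_path / key_name are declared but not referenced by the module call below;
// they may be used by configuration not shown here.
variable "key_path" {
  description = "Local path to a private key (not used by the visible module call)"
}

variable "key_name" {
  description = "EC2 key pair name (not used by the visible module call)"
}

variable "ec2_bastion_instance_type" {
  description = "EC2 instance type for the bastion"
}

variable "ec2_bastion_user" {
  description = "Login user name on the bastion"
}

variable "ec2_bastion_key_path" {
  description = "Local path to the private key for ec2_bastion_key_name; keep it out of version control"
}

variable "ec2_bastion_key_name" {
  description = "EC2 key pair name the bastion is launched with"
}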
// Outputs of the DNS configuration, read from the shared state bucket named
// "<env>-<region without dashes>-tf-state" in the current region. Read access
// to that bucket is read access to every output in it, so scope the bucket
// policy accordingly.
data "terraform_remote_state" "dns" {
  backend = "s3"

  config {
    key    = "dns/${var.env}.tfstate"
    bucket = "${var.env}-${replace(var.region,"-","")}-tf-state"
    region = "${var.region}"
  }
}
// Outputs of the VPC configuration (vpc_id, public_subnet_ids), read from the
// same shared state bucket as the DNS state but under the "vpc/" key.
data "terraform_remote_state" "build-vpc" {
  backend = "s3"

  config {
    key    = "vpc/${var.env}.tfstate"
    bucket = "${var.env}-${replace(var.region,"-","")}-tf-state"
    region = "${var.region}"
  }
}
// AWS provider configured with static credentials taken from variables.
// NOTE(review): credentials passed this way usually arrive through a tfvars
// file, -var on the command line or TF_VAR_* in CI, any of which can end up in
// version control, shell history or build logs. Dropping access_key/secret_key
// lets the provider fall back to the standard credential chain (environment
// variables, shared credentials file, instance or assumed role), which is the
// safer default for anything beyond a local experiment.
provider "aws" {
region = "${var.region}"
access_key = "${var.aws_access_key}"
secret_key = "${var.aws_secret_key}"
}
// Instantiate the bastion module from the local tree (no remote module
// fetch, so nothing is pulled from outside the repository at init time).
module "bastion" {
  source = "modules/bastion"

  // Identity / placement
  env    = "${var.env}"
  tier   = "${var.tier}"
  region = "${var.region}"

  // Instance and SSH access. The private key path is handed to the module;
  // keep that file out of the repository.
  instance_type    = "${var.ec2_bastion_instance_type}"
  shell_username   = "${var.ec2_bastion_user}"
  bastion_key_name = "${var.ec2_bastion_key_name}"
  bastion_key_path = "${var.ec2_bastion_key_path}"

  // Networking, partly from the VPC remote state. The bastion is placed in
  // the public subnets, as expected for an internet-facing jump host.
  vpc_id          = "${data.terraform_remote_state.build-vpc.vpc_id}"
  subnet_ids      = "${data.terraform_remote_state.build-vpc.public_subnet_ids}"
  vpc_cidr        = "${var.vpc_cidr}"
  peered_vpc_cidr = "${var.peered_vpc_cidr}"

  // DNS zones from the DNS remote state
  public_zone_id  = "${data.terraform_remote_state.dns.public_zone_id}"
  public_domain   = "${data.terraform_remote_state.dns.public_domain}"
  private_zone_id = "${data.terraform_remote_state.dns.private_zone_id}"
  private_domain  = "${data.terraform_remote_state.dns.private_domain}"
}
// Identity of this deployment, echoed back for consumers of this state.
output "environment" {
  value = "${var.env}"
}

output "tier" {
  value = "${var.tier}"
}

// Bastion addresses exported by the module (its public_address and
// private_address outputs). Anything that can read this state learns the
// bastion's public endpoint.
output "bastion_public_address" {
  value = "${module.bastion.public_address}"
}

output "bastion_private_address" {
  value = "${module.bastion.private_address}"
}