viggin543 · July 31, 2021 18:10
diff --git a/bastion.tf b/bastion.tf
 resource "google_service_account" "bastion" {
  project      = var.project
  account_id   = "bastion"
  display_name = "ssh bastion"
 }

 locals {
  bastion = "bastion"
 }

 resource "google_compute_instance" "bastion" {
  name         = "bastion"
  machine_type = "e2-micro"
  zone         = "${var.region}-a"
  project = var.project

  tags = [local.bastion]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
      type  = "pd-standard"
      size = 10
    }
  }

  network_interface {
    network = module.vpc_network.network_name
    subnetwork = module.vpc_network.private_subnetwork_name


    access_config {
      nat_ip = google_compute_address.bastion_ip_address.address
    }
  }

  metadata = {
    env = var.project
    ssh-keys = (var.project == "staging" ?
    "github:ssh-rsa ... user@local" :
    "github:ssh-rsa ... user@local"
    )
  }

  metadata_startup_script = "cho done > /etc/done.txt"

  service_account {
    email  = google_service_account.bastion.email
    scopes = ["cloud-platform"]
  }
 }

 resource "google_compute_firewall" "bastion_allow_ssh" {
  name = "bastion-allow-ssh"

  project = var.project
  network = module.vpc_network.network_name

  target_tags   = [local.bastion]
  direction     = "INGRESS"
  source_ranges = ["0.0.0.0/0"]

  priority = "1000"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
 }


 resource "google_compute_address" "bastion_ip_address" {
  name = "bastion-static-ip"
  address_type = "EXTERNAL"
 }
	resource "google_service_account" "bastion" {
	project = var.project
	account_id = "bastion"
	display_name = "ssh bastion"
	}

	locals {
	bastion = "bastion"
	}

	resource "google_compute_instance" "bastion" {
	name = "bastion"
	machine_type = "e2-micro"
	zone = "${var.region}-a"
	project = var.project

	tags = [local.bastion]

	boot_disk {
	initialize_params {
	image = "debian-cloud/debian-9"
	type = "pd-standard"
	size = 10
	}
	}

	network_interface {
	network = module.vpc_network.network_name
	subnetwork = module.vpc_network.private_subnetwork_name


	access_config {
	nat_ip = google_compute_address.bastion_ip_address.address
	}
	}

	metadata = {
	env = var.project
	ssh-keys = (var.project == "staging" ?
	"github:ssh-rsa ... user@local" :
	"github:ssh-rsa ... user@local"
	)
	}

	metadata_startup_script = "cho done > /etc/done.txt"

	service_account {
	email = google_service_account.bastion.email
	scopes = ["cloud-platform"]
	}
	}

	resource "google_compute_firewall" "bastion_allow_ssh" {
	name = "bastion-allow-ssh"

	project = var.project
	network = module.vpc_network.network_name

	target_tags = [local.bastion]
	direction = "INGRESS"
	source_ranges = ["0.0.0.0/0"]

	priority = "1000"

	allow {
	protocol = "tcp"
	ports = ["22"]
	}
	}


	resource "google_compute_address" "bastion_ip_address" {
	name = "bastion-static-ip"
	address_type = "EXTERNAL"
	}