Add the ability to allow access based on security group ID (#29)

* Adding allowed_cidr var This should allow us to pass CIDR blocks to the Security Group, which lets us use this module for internal bastion hosts, or bastion hosts that shouldn't be open to the world. * Splitting SG and SG Rule * Adding the ability to pass a SG ID * Making the readme more verbose * Updated CHANGELOG for new release
terraform-community-modules · Jun 9, 2017 · fdd5270 · fdd5270
1 parent 76fe03d
commit fdd5270
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,14 @@
+## 1.2.3
+
+FEATURES:
+
+ * [GH-29] - Added Ability to pass a list of security groups to allow SSH access (tfhartmann)
+
 ## 1.2.2
 
 FEATURES:
 
- * [GH-28] - Added possibility to customize CIDR networks for SSH access
+ * [GH-28] - Added possibility to customize CIDR networks for SSH access (tfhartmann)
 
 ## 1.2.1
 
@@ -22,19 +28,19 @@ FEATURES:
 
  * [GH-6] - Ensure each key is on a newline (crumley)
  * [GH-5] - Allows specifying security group ids to be added to the bastion box(es) (crumley)
- 
+
 ## 1.1.0
 
 FEATURES:
 
  * [GH-4] - Bastion host is now starting in auto-scaling group (antonbabenko)
- 
+
 ## 1.0.1
 
 FEATURES:
 
- * [GH-3] - Allow specifying update frequency and S3 URI (bnordbo) 
- 
+ * [GH-3] - Allow specifying update frequency and S3 URI (bnordbo)
+
 ## 1.0.0
 
 FEATURES:

diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ Only SSH access is allowed to the bastion host.
   * `eip` - EIP to put into EC2 tag (can be used with scripts like https://github.com/skymill/aws-ec2-assign-elastic-ip, default - empty value)
   * `key_name` - Launch configuration key name to be applied to created instance(s).
   * `allowed_cidr` - A list of CIDR Networks to allow ssh access to. Defaults to 0.0.0.0/0
+  * `allowed_security_groups` - A list of Security Group ID's to allow access to the bastion host (useful if bastion is deployed internally) Defaults to empty list
 
 ## Outputs:
 

diff --git a/main.tf b/main.tf
@@ -17,6 +17,16 @@ resource "aws_security_group_rule" "ssh_ingress" {
   security_group_id = "${aws_security_group.bastion.id}"
 }
 
+resource "aws_security_group_rule" "ssh_sg_ingress" {
+  count                    = "${length(var.allowed_security_groups)}"
+  type                     = "ingress"
+  from_port                = "22"
+  to_port                  = "22"
+  protocol                 = "tcp"
+  source_security_group_id = "${element(var.allowed_security_groups, count.index)}"
+  security_group_id        = "${aws_security_group.bastion.id}"
+}
+
 resource "aws_security_group_rule" "bastion_all_egress" {
   type              = "egress"
   from_port         = "0"

diff --git a/variables.tf b/variables.tf
@@ -4,6 +4,12 @@ variable "allowed_cidr" {
   description = "A list of CIDR Networks to allow ssh access to."
 }
 
+variable "allowed_security_groups" {
+  type        = "list"
+  default     = []
+  description = "A list of Security Group ID's to allow access to."
+}
+
 variable "name" {
   default = "bastion"
 }