diff --git a/CHANGELOG.md b/CHANGELOG.md index d1979a0..32f20ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,14 @@ +## 1.2.3 + +FEATURES: + + * [GH-29] - Added Ability to pass a list of security groups to allow SSH access (tfhartmann) + ## 1.2.2 FEATURES: - * [GH-28] - Added possibility to customize CIDR networks for SSH access + * [GH-28] - Added possibility to customize CIDR networks for SSH access (tfhartmann) ## 1.2.1 @@ -22,19 +28,19 @@ FEATURES: * [GH-6] - Ensure each key is on a newline (crumley) * [GH-5] - Allows specifying security group ids to be added to the bastion box(es) (crumley) - + ## 1.1.0 FEATURES: * [GH-4] - Bastion host is now starting in auto-scaling group (antonbabenko) - + ## 1.0.1 FEATURES: - * [GH-3] - Allow specifying update frequency and S3 URI (bnordbo) - + * [GH-3] - Allow specifying update frequency and S3 URI (bnordbo) + ## 1.0.0 FEATURES: diff --git a/README.md b/README.md index 8f5698e..d7b3743 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ Only SSH access is allowed to the bastion host. * `eip` - EIP to put into EC2 tag (can be used with scripts like https://github.com/skymill/aws-ec2-assign-elastic-ip, default - empty value) * `key_name` - Launch configuration key name to be applied to created instance(s). * `allowed_cidr` - A list of CIDR Networks to allow ssh access to. Defaults to 0.0.0.0/0 + * `allowed_security_groups` - A list of Security Group ID's to allow access to the bastion host (useful if bastion is deployed internally) Defaults to empty list ## Outputs: diff --git a/main.tf b/main.tf index 2b69381..61c959c 100644 --- a/main.tf +++ b/main.tf 
@@ -17,6 +17,16 @@ resource "aws_security_group_rule" "ssh_ingress" {
   security_group_id = "${aws_security_group.bastion.id}"
 }
 
+resource "aws_security_group_rule" "ssh_sg_ingress" {
+  count = "${length(var.allowed_security_groups)}"
+  type = "ingress"
+  from_port = "22"
+  to_port = "22"
+  protocol = "tcp"
+  source_security_group_id = "${element(var.allowed_security_groups, count.index)}"
+  security_group_id = "${aws_security_group.bastion.id}"
+}
+
 resource "aws_security_group_rule" "bastion_all_egress" {
   type = "egress"
   from_port = "0"
diff --git a/variables.tf b/variables.tf
index 3eae789..7c3c819 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,12 @@ variable "allowed_cidr" {
   description = "A list of CIDR Networks to allow ssh access to."
 }
 
+variable "allowed_security_groups" {
+  type = "list"
+  default = []
+  description = "A list of Security Group ID's to allow access to."
+}
+
 variable "name" {
   default = "bastion"
 }
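Review bot: The new `ssh_sg_ingress` rule is additive to the CIDR-based `ssh_ingress` rule directly above it (whose body starts outside this hunk), so passing `allowed_security_groups` does not by itself make the bastion internal-only: with `allowed_cidr` left at the 0.0.0.0/0 default the README documents, TCP/22 stays open to the internet no matter what this list contains. That contradicts the README's "useful if bastion is deployed internally" wording, so a comment above the resource would help, e.g. `# Additive to ssh_ingress: also override allowed_cidr, or port 22 stays open to 0.0.0.0/0.`, and the README bullet should carry the same caveat. Separately, `count = "${length(var.allowed_security_groups)}"` presumably cannot be evaluated at plan time if the IDs come from computed values (another resource or module output) in the pre-0.12 Terraform this `${}` syntax suggests; a note that the list must be known at plan time would spare users a confusing error.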
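Review bot: The description `"A list of Security Group ID's to allow access to."` says neither what access is granted nor that it is granted in addition to `allowed_cidr`, which matters for anyone reading the variable to judge exposure; suggest `description = "Security group IDs granted SSH (TCP/22) to the bastion, in addition to allowed_cidr."`. Keeping `default = []` preserves existing callers' behaviour, which is the right choice here.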