Merge pull request #3 from onetwopunch/bastion-iap

Bastion Host Initial Release

.gitignore

@@ -0,0 +1,45 @@
+# OSX leaves these everywhere on SMB shares
+._*
+
+# OSX trash
+.DS_Store
+
+# Python
+*.pyc
+
+# Emacs save files
+*~
+\#*\#
+.\#*
+
+# Vim-related files
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+
+### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Kitchen files
+**/inspec.lock
+**/.kitchen
+**/kitchen.local.yml
+**/Gemfile.lock
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+**/*.tfvars
+
+credentials.json

CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on
+[Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to
+[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Fixed
+### [0.1.0] - 2019-08-02
+
+- Initial release
+
+[0.1.0]: https://github.com/terraform-google-modules/terraform-google-bastion-host/releases/tag/v0.1.0

CONTRIBUTING.md

@@ -0,0 +1,110 @@
+# Contributing
+
+This document provides guidelines for contributing to the module.
+
+## Generating Documentation for Inputs and Outputs
+
+The Inputs and Outputs tables in the READMEs of the root module,
+submodules, and example modules are automatically generated based on
+the `variables` and `outputs` of the respective modules. These tables
+must be refreshed if the module interfaces are changed.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [make]
+- [terraform-docs] v0.6.0
+
+### Execution
+
+Run `make generate_docs` to generate new Inputs and Outputs tables.
+
+## Integration Testing
+
+Integration tests are used to verify the behaviour of the root module,
+submodules, and example modules. Additions, changes, and fixes should
+be accompanied with tests.
+
+The integration tests are run using [Kitchen][kitchen],
+[Kitchen-Terraform][kitchen-terraform], and [InSpec][inspec]. These
+tools are packaged within a Docker image for convenience.
+
+The general strategy for these tests is to verify the behaviour of the
+[example modules](./examples), thus ensuring that the root module,
+submodules, and example modules are all functionally correct.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [Docker Engine][docker-engine]
+- [Google Cloud SDK][google-cloud-sdk]
+- [make]
+
+### Inputs
+
+Test instances are defined in the
+[Kitchen configuration file](./kitchen.yml). The inputs of each Kitchen
+instance may be configured with the `driver.variables` key in a
+local Kitchen configuration file located at `./kitchen.local.yml` or in
+a Terraform variables file located at
+`./test/fixtures/<instance>/variables.tfvars`.
+
+### Credentials
+
+Download the key of a Service Account with the
+[required roles][required-roles] to `./credentials.json`.
+
+### Interactive Execution
+
+1. Run `make docker_run` to start the testing Docker container in
+   interactive mode.
+
+1. Run `kitchen create <EXAMPLE_NAME>` to initialize the working
+   directory for an example module.
+
+1. Run `kitchen converge <EXAMPLE_NAME>` to apply the example module.
+
+1. Run `kitchen verify <EXAMPLE_NAME>` to test the example module.
+
+1. Run `kitchen destroy <EXAMPLE_NAME>` to destroy the example module
+   state.
+
+### Noninteractive Execution
+
+Run `make test_integration_docker` to test all of the example modules
+noninteractively.
+
+## Linting and Formatting
+
+Many of the files in the repository can be linted or formatted to
+maintain a standard of quality.
+
+### Dependencies
+
+The following dependencies must be installed on the development system:
+
+- [flake8]
+- [gofmt]
+- [hadolint]
+- [make]
+- [shellcheck]
+- [Terraform][terraform] v0.11
+
+### Execution
+
+Run `make check`.
+
+[docker-engine]: https://www.docker.com/products/docker-engine
+[flake8]: http://flake8.pycqa.org/en/latest/
+[gofmt]: https://golang.org/cmd/gofmt/
+[google-cloud-sdk]: https://cloud.google.com/sdk/install
+[hadolint]: https://github.com/hadolint/hadolint
+[inspec]: https://inspec.io/
+[kitchen-terraform]: https://github.com/newcontext-oss/kitchen-terraform
+[kitchen]: https://kitchen.ci/
+[make]: https://en.wikipedia.org/wiki/Make_(software)
+[shellcheck]: https://www.shellcheck.net/
+[terraform-docs]: https://github.com/segmentio/terraform-docs
+[terraform]: https://terraform.io/

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/

README.md

@@ -0,0 +1,68 @@
+# terraform-google-bastion-host
+
+This module will generate a bastion host vm compatible with [OS Login](https://cloud.google.com/compute/docs/oslogin/) and [IAP Tunneling](https://cloud.google.com/iap/) that can be used to access internal VMs.
+
+This module will:
+
+- Create a dedicated service account for the bastion host
+- Create a GCE instance to be the bastion host
+- Create a firewall rule to allow TCP:22 SSH access from the IAP to the bastion
+- Necessary IAM bindings to allow IAP and OS Logins from specified members
+
+## Usage
+
+Basic usage of this module is as follows:
+
+```hcl
+module "iap_bastion" {
+  source = "terraform-google-modules/bastion-host/google"
+  version = 0.1.0
+
+  project = var.project
+  region = var.region
+  zone = var.zone
+  network = google_compute_network.net.self_link
+  subnet = google_compute_subnetwork.net.self_link
+  members = [
+    "group:[email protected]",
+    "user:[email protected]",
+  ]
+}
+```
+
+Functional example is included in the
+[examples](./examples/) directory.
+
+## Requirements
+
+These sections describe requirements for using this module.
+
+### Software
+
+The following dependencies must be available:
+
+- [Terraform][terraform] v0.12
+- [Terraform Provider for GCP][terraform-provider-gcp]
+
+### APIs
+
+A project with the following APIs enabled must be used to host the
+resources of this module:
+
+- Google Cloud Storage JSON API: `storage-api.googleapis.com`
+- Compute Engine API: `compute.googleapis.com`
+- Cloud Identity-Aware Proxy API: `iap.googleapis.com`
+- OS Login API: `oslogin.googleapis.com`
+
+The [Project Factory module][project-factory-module] can be used to
+provision a project with the necessary APIs enabled.
+
+## Contributing
+
+Refer to the [contribution guidelines](./CONTRIBUTING.md) for
+information on contributing to this module.
+
+[iam-module]: https://registry.terraform.io/modules/terraform-google-modules/iam/google
+[project-factory-module]: https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
+[terraform-provider-gcp]: https://www.terraform.io/docs/providers/google/index.html
+[terraform]: https://www.terraform.io/downloads.html

examples/simple_example/README.md

@@ -0,0 +1,31 @@
+# Simple Example
+
+This example will not set up the target hosts like the [Two Service Example](../two_service_example) but it will set up a basic network, subnet and bastion host for you to log into using IAP and OS Login. You'll notice that we create a firewall rule that allows the bastion to talk to the rest of the network on port 22 using the output of the bastion service account email for simplicity. This can and should be scoped down to allow access to specific hosts.
+
+## Deploy
+
+Create a `terraform.tfvars` file with required variables similar to:
+
+```
+members = ["user:[email protected]"]
+project = "my-project"
+```
+
+Run the apply
+
+```
+terraform apply -var-file terraform.tfvars
+```
+
+## Usage
+
+```
+gcloud auth login
+gcloud compute ssh bastion-vm
+```
+
+You should now be logged in as a user that looks like `ext_me_example_com` with the prefix of `ext` indicating you have logged in with OS Login. You should also notice the following line in standard out that indicates you are tunnelling through IAP instead of the public internet:
+
+```
+External IP address was not found; defaulting to using IAP tunneling.
+```

examples/simple_example/main.tf

@@ -0,0 +1,37 @@
+module "iap_bastion" {
+  source  = "../.."
+  project = var.project
+  zone    = var.zone
+  network = google_compute_network.network.self_link
+  subnet  = google_compute_subnetwork.subnet.self_link
+  members = var.members
+}
+
+resource "google_compute_network" "network" {
+  project                 = var.project
+  name                    = "test-network"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "subnet" {
+  project                  = var.project
+  name                     = "test-subnet"
+  region                   = var.region
+  ip_cidr_range            = "10.127.0.0/20"
+  network                  = google_compute_network.network.self_link
+  private_ip_google_access = true
+}
+
+resource "google_compute_firewall" "allow_access_from_bastion" {
+  project = var.project
+  name    = "allow-bastion-ssh"
+  network = google_compute_network.network.self_link
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  # Allow SSH only from IAP Bastion
+  source_service_accounts = [module.iap_bastion.service_account]
+}

examples/simple_example/variables.tf

@@ -0,0 +1,12 @@
+variable "members" {
+  default = []
+}
+variable "project" {}
+
+variable "region" {
+  default = "us-west1"
+}
+
+variable "zone" {
+  default = "us-west1-a"
+}