add ability to provide your own security group. I ahve also added sup…

…port for attaching additional security groups to the launch template
Guimove · Aug 21, 2020 · 951280f · 951280f
1 parent d6a9ce2
commit 951280f
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 5 deletions.
diff --git a/locals.tf b/locals.tf
@@ -2,6 +2,7 @@ locals {
   tags_asg_format = null_resource.tags_as_list_of_maps.*.triggers
 
   name_prefix = var.bastion_launch_template_name
+  security_group = join("", flatten([aws_security_group.bastion_host_security_group[*].id, var.bastion_security_group_id]))
 }
 
 resource "null_resource" "tags_as_list_of_maps" {

diff --git a/main.tf b/main.tf
@@ -76,6 +76,7 @@ resource "aws_s3_bucket_object" "bucket_public_keys_readme" {
 }
 
 resource "aws_security_group" "bastion_host_security_group" {
+  count       = var.bastion_security_group_id == "" ? 1 : 0
   description = "Enable SSH access to the bastion host from external via SSH port"
   name        = "${local.name_prefix}-host"
   vpc_id      = var.vpc_id
@@ -84,25 +85,27 @@ resource "aws_security_group" "bastion_host_security_group" {
 }
 
 resource "aws_security_group_rule" "ingress_bastion" {
+  count       = var.bastion_security_group_id == "" ? 1 : 0
   description = "Incoming traffic to bastion"
   type        = "ingress"
   from_port   = var.public_ssh_port
   to_port     = var.public_ssh_port
   protocol    = "TCP"
   cidr_blocks = concat(data.aws_subnet.subnets.*.cidr_block, var.cidrs)
 
-  security_group_id = aws_security_group.bastion_host_security_group.id
+  security_group_id = local.security_group
 }
 
 resource "aws_security_group_rule" "egress_bastion" {
+  count       = var.bastion_security_group_id == "" ? 1 : 0
   description = "Outgoing traffic from bastion to instances"
   type        = "egress"
   from_port   = "0"
   to_port     = "65535"
   protocol    = "-1"
   cidr_blocks = ["0.0.0.0/0"]
 
-  security_group_id = aws_security_group.bastion_host_security_group.id
+  security_group_id = local.security_group
 }
 
 resource "aws_security_group" "private_instances_security_group" {
@@ -120,7 +123,7 @@ resource "aws_security_group_rule" "ingress_instances" {
   to_port     = var.private_ssh_port
   protocol    = "TCP"
 
-  source_security_group_id = aws_security_group.bastion_host_security_group.id
+  source_security_group_id = local.security_group
 
   security_group_id = aws_security_group.private_instances_security_group.id
 }
@@ -257,7 +260,7 @@ resource "aws_launch_template" "bastion_launch_template" {
   }
   network_interfaces {
     associate_public_ip_address = var.associate_public_ip_address
-    security_groups             = [aws_security_group.bastion_host_security_group.id]
+    security_groups             = concat([local.security_group], var.bastion_additional_security_groups)
     delete_on_termination       = true
   }
   iam_instance_profile {

diff --git a/outputs.tf b/outputs.tf
@@ -1,5 +1,5 @@
 output "bastion_host_security_group" {
-  value = aws_security_group.bastion_host_security_group.id
+  value = aws_security_group.bastion_host_security_group[*].id
 }
 
 output "bucket_kms_key_alias" {

diff --git a/variables.tf b/variables.tf
@@ -57,6 +57,17 @@ variable "bastion_launch_template_name" {
   default     = "bastion-lt"
 }
 
+variable "bastion_security_group_id" {
+  description = "Custom security group to use"
+  default = ""
+}
+
+variable "bastion_additional_security_groups" {
+ description = "List of additional security groups to attach to the launch template"
+ type = list(string)
+ default = []
+}
+
 variable "bastion_ami" {
   type        = string
   description = "The AMI that the Bastion Host will use."