Terraform module that creates a bastion VM you can connect to through IAP using the outputted command_to_connect
This module uses the OSLogin feature of GCP, this makes the legacy SSH Metadata setup stop working on the bastion VM.
ℹ️ the OSLogin 2FA option to connect to bastion instance is enabled by default. Set variable
two_factortofalseif not needed.
⚠️ For users external to your organization you will need to give them at org-level this roleroles/compute.osLoginExternalUser
ℹ️ You can also use shuttle by piping the command like that
sshuttle -e 'gcloud compute ssh --tunnel-through-iap --project <GCP-PROJECT> --zone europe-west1-b' -r bastion 10.0.0.0/16
module "bastion" {
source = "https://github.com/padok-team/terraform-google-bastion"
project_id = "project"
name = "bastion"
subnet_self_link = "projects/<project>/regions/<region>/subnetworks/<subnet_name>"
members = ["user:test@padok.fr", "group:test-group@padok.fr"]
}No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Name to give the bastion VM. | string |
n/a | yes |
| network_self_link | Network self_link used for firewall configuration. | string |
n/a | yes |
| project_id | ID of the project in which the bastion VM will be deployed. | string |
n/a | yes |
| region | Region to deploy the bastion in. | string |
n/a | yes |
| subnet_self_link | Subnet self_link in which the bastion VM will be deployed. | string |
n/a | yes |
| labels | Labels to add to the bastion VM. | map(string) |
{} |
no |
| members | List of members inside the organization that can connect to the bastion VM through IAP. | list(string) |
[] |
no |
| tags | Network tags to add to the bastion VM. | list(string) |
[] |
no |
| two_factor | Enable the 2FA option to connect to bastion instance. | bool |
true |
no |
| Name | Description |
|---|---|
| command_to_connect | Command to connect to the bastion instance |
