From bb92e26adefd56ce87ace3e5c226a65aa3408322 Mon Sep 17 00:00:00 2001
From: Brian Manifold
Date: Wed, 12 Jun 2024 13:08:55 -0400
Subject: [PATCH] chore(infra): Add EC2 instance connect and remove bastion host (#5339)

Why:
* As part of the SOC2 process, rather than having a bastion host to connect to EC2 instances in our AWS infra, this PR removes the bastion host and replaces it with an EC2 instance connect endpoint. This will allow SSH connections to use AWS IAM credentials rather than static SSH keys.

Closes #5215
---
 terraform/environments/staging/aws.tf | 69 +++++++++++++--------------
 1 file changed, 33 insertions(+), 36 deletions(-)

diff --git a/terraform/environments/staging/aws.tf b/terraform/environments/staging/aws.tf
index 0b7a07152..c183a9695 100644
--- a/terraform/environments/staging/aws.tf
+++ b/terraform/environments/staging/aws.tf
@@ -55,29 +55,29 @@ resource "aws_route" "private_nat_instance" { } } +################################################################################ +# EC2 Instance Connect Endpoint +################################################################################ + +resource "aws_ec2_instance_connect_endpoint" "this" { + subnet_id = module.vpc.public_subnets[0] + preserve_client_ip = false + security_group_ids = [ + module.sg_allow_vpc_egress.security_group_id + ] + + tags = merge( + local.tags, + { + Name = "staging-ec2-instance-connect" + } + ) +} ################################################################################ # Compute ################################################################################ -module "aws_bastion" { - source = "../../modules/aws/bastion" - - ami = data.aws_ami.ubuntu.id - name = "bastion - ${local.environment}" - - associate_public_ip_address = true - instance_type = "t3.micro" - key_name = aws_key_pair.staging.id - vpc_security_group_ids = [ - module.sg_allow_all_egress.security_group_id, - module.sg_allow_ssh_ingress.security_group_id - ] - subnet_id = element(module.vpc.public_subnets, 0) - - tags = local.tags -} - module "aws_nat" { source = "../../modules/aws/nat" @@ -231,6 +231,21 @@ module "sg_allow_all_egress" { ] } +module "sg_allow_vpc_egress" { + source = "terraform-aws-modules/security-group/aws" + + name = "allow egress to all vpc subnets" + description = "Security group to egress to all vpc subnets. Created for use with EC2 Instance Connect Endpoint." + vpc_id = module.vpc.vpc_id + + egress_with_cidr_blocks = [ + { + rule = "all-all" + cidr_blocks = local.vpc_cidr + }, + ] +} + module "sg_allow_subnet_ingress" { source = "terraform-aws-modules/security-group/aws" 
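Review bot: The endpoint's security group `sg_allow_vpc_egress` grants `rule = "all-all"` egress to the whole VPC CIDR, but an EC2 Instance Connect Endpoint only needs to reach the SSH port (plus 3389 if RDP is ever used), so tightening it to `rule = "ssh-tcp"` with the same `cidr_blocks = local.vpc_cidr` keeps the endpoint from becoming a general-purpose pivot into every subnet. `preserve_client_ip = false` means instances see the endpoint ENI's address as the SSH source, so OS-level auth logs lose the operator's IP and sessions have to be correlated through CloudTrail `OpenTunnel` events; that is a defensible choice here, because `true` would require instance security groups to admit the operators' real client IPs, but it deserves a comment such as `# false: instances see the endpoint ENI as source; correlate sessions via CloudTrail OpenTunnel events`. Nothing in this diff scopes who may call `ec2-instance-connect:OpenTunnel` (e.g. conditions on `ec2:ResourceTag` or `ec2-instance-connect:maxTunnelDuration`); if that IAM policy is not defined elsewhere, any principal with broad EC2 permissions can tunnel to any instance the endpoint can reach. The endpoint also replaces only the network path, not the credential: unless the instances use EC2 Instance Connect's ephemeral-key flow, SSH still authenticates with the key pair kept under the surviving `# SSH Keys` section, so the "rather than static SSH keys" claim in the description is only partly delivered by this change.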
@@ -250,24 +265,6 @@ module "sg_allow_subnet_ingress" { ] } -module "sg_allow_ssh_ingress" { - source = "terraform-aws-modules/security-group/aws" - - name = "allow SSH ingress from the internet" - description = "Security group to allow SSH ingress from the internet" - vpc_id = module.vpc.vpc_id - - ingress_with_cidr_blocks = [ - { - from_port = 22 - to_port = 22 - protocol = "tcp" - description = "SSH access from the internet" - cidr_blocks = "0.0.0.0/0" - } - ] -} - ################################################################################ # SSH Keys ################################################################################