From 659be6917bdf4600a3fbc5d4fab2150255527cf5 Mon Sep 17 00:00:00 2001
From: Vladimirs Kovalovs
Date: Mon, 9 Dec 2024 11:42:24 +0000
Subject: [PATCH 1/3] [TM-810] added bastion

---
 terraform/environments/oas/bastion.tf | 32 +++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 terraform/environments/oas/bastion.tf

diff --git a/terraform/environments/oas/bastion.tf b/terraform/environments/oas/bastion.tf
new file mode 100644
index 00000000000..a7c2059b20b
--- /dev/null
+++ b/terraform/environments/oas/bastion.tf
@@ -0,0 +1,32 @@
+locals {
+ public_key_data = jsondecode(file("./files/bastion_linux.json"))
+}
+
+module "bastion_linux" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
+
+ providers = {
+ aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+ aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
+ }
+ # s3 - used for logs and user ssh public keys
+ bucket_name = "bastion-${local.application_name}"
+ # public keys
+ public_key_data = local.public_key_data.keys[local.environment]
+ # logs
+ log_auto_clean = "Enabled"
+ log_standard_ia_days = 30 # days before moving to IA storage
+ log_glacier_days = 60 # days before moving to Glacier
+ log_expiry_days = 180 # days before log expiration
+ # bastion
+ allow_ssh_commands = false
+ app_name = var.networking[0].application
+ business_unit = local.vpc_name
+ subnet_set = local.subnet_set
+ environment = local.environment
+ region = "eu-west-2"
+
+ # Tags
+ tags_common = local.tags
+ tags_prefix = terraform.workspace
+}
\ No newline at end of file

From 28d65bb3958f86059f819ff8c995b931e2ced87a Mon Sep 17 00:00:00 2001
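Review bot: The module source at `source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"` is pinned to a git tag, which the upstream repository can move or re-tag, so the bastion's user-data, IAM and security-group wiring is not immutably pinned; pinning `ref=` to that tag's commit SHA, with the tag name in a trailing comment, gives a reproducible and tamper-evident dependency. Separately, `public_key_data = local.public_key_data.keys[local.environment]` indexes the JSON added in patch 2/3, which only has `development`, `preproduction` and `production` entries, so any other workspace name would fail at plan time; `lookup(local.public_key_data.keys, local.environment, {})` plus a comment stating that an empty map means "no SSH users" would be safer. Note that the empty `preproduction`/`production` maps mean a bastion is deployed in those environments with no authorized users until keys are added, which is presumably intended for this first change.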
From: Vladimirs Kovalovs
Date: Mon, 9 Dec 2024 13:13:59 +0000
Subject: [PATCH 2/3] [TM-810] added keys for bastion

---
 terraform/environments/oas/files/bastion_linux.json | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 terraform/environments/oas/files/bastion_linux.json

diff --git a/terraform/environments/oas/files/bastion_linux.json b/terraform/environments/oas/files/bastion_linux.json
new file mode 100644
index 00000000000..81537ee722b
--- /dev/null
+++ b/terraform/environments/oas/files/bastion_linux.json
@@ -0,0 +1,9 @@
+{
+ "keys": {
+ "development": {
+ "vladimir": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ3DUNjSOe4NHpbJFMCn7AAmM39vrtNQ0BsoB0ttziBI vladimirs.kovalovs@L0854"
+ },
+ "preproduction": {},
+ "production": {}
+ }
+}

From bb189b49eaab162ebd8bf173969ffd8601db2d7e Mon Sep 17 00:00:00 2001
From: Vladimirs Kovalovs
Date: Mon, 9 Dec 2024 13:16:56 +0000
Subject: [PATCH 3/3] [TM-810] added ssh allow to sg from bastion

---
 terraform/environments/oas/ec2.tf | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/terraform/environments/oas/ec2.tf b/terraform/environments/oas/ec2.tf
index d61c31e4431..a7b2f8da0b2 100644
--- a/terraform/environments/oas/ec2.tf
+++ b/terraform/environments/oas/ec2.tf
@@ -141,6 +141,13 @@ resource "aws_security_group" "ec2" {
 protocol = "tcp"
 cidr_blocks = [local.application_data.accounts[local.environment].inbound_cidr_lz]
 }
+ ingress {
+ description = "SSH from the Bastion"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ security_groups = [module.bastion_linux.bastion_security_group]
+ }
 egress {
 description = "Allow AWS SSM Session Manager"
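Review bot: The `keys` map in `bastion_linux.json` is the bastion's SSH authorized-user list, so this file is effectively an access-control policy and should be guarded as one (for example a CODEOWNERS entry for `terraform/environments/oas/files/bastion_linux.json`) rather than reviewed as ordinary config; the public key itself is safe to commit. JSON has no comment syntax, so the owner of the `vladimir` entry, when it was added and the process for removing or rotating entries should be recorded in the environment README, and the personal hostname in the key comment `vladimirs.kovalovs@L0854` could be replaced by a neutral label such as the owner's team. The empty `preproduction` and `production` maps mean nobody can reach those bastions until an entry is added, which is presumably deliberate for now.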