Improved Bastion Host Module.

It outputs the host, port and user information for later plugin into terraform's connection map. It can't take advantage of Triton's CNS because of issue hashicorp/terraform#2143. It will not "converge" because the system fails to detect the firewall_enabled flag from Triton's CloudAPI, issue hashicorp/terraform#6109. # Please enter the commit message for your changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit. # On branch master # Your branch is up-to-date with 'origin/master'. # # Changes to be committed: # deleted: bastion/bastion-user-script.sh # modified: bastion/main.tf # new file: bastion/ssh.config.in # new file: bastion/user-script.sh #
zeroae · Apr 10, 2016 · 34c8bdd · 34c8bdd
1 parent 673f47f
commit 34c8bdd
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 8 deletions.
diff --git a/bastion/bastion-user-script.sh b/bastion/bastion-user-script.sh
diff --git a/bastion/main.tf b/bastion/main.tf
@@ -1,6 +1,16 @@
 /*
  * Creates a simple bastion host.
  */
+output "host" {
+  value = "${triton_machine.bastion.primaryip}"
+}
+output "port" {
+  value = "22"
+}
+output "user" {
+  value = "admin"
+}
+
 resource "triton_firewall_rule" "inet-to-bastion" {
   rule = "FROM any TO tag role=bastion ALLOW tcp PORT 22"
   enabled = true
@@ -13,19 +23,26 @@ resource "triton_firewall_rule" "bastion-to-vms" {
 
 resource "triton_machine" "bastion" {
   count = 1
-  name = "bastion-${count.index}"
+  name = "bastion${count.index}"
   package = "sample-128M"
 
   # Using minimal-64-lts
   image = "eb9fc1ea-e19a-11e5-bb27-8b954d8c125c"
 
+  firewall_enabled = true
+
   # User-script
-  user_script = "${file("bastion-user-script.sh")}"
+  user_script = "${file("${path.module}/user-script.sh")}"
 
-  tags = {
+  tags {
+    # TODO enable once hashicorp/terraform#2143 is implemented
+    #"triton.cns.services" = "bastion"
+    env  = "prod"
     role = "bastion"
-    triton.cns.services = "bastion"
   }
 
-  firewall_enabled = true
+  provisioner "local-exec" {
+    command = "sed -E -e 's/BASTION_IP/${self.primaryip}/' ${path.module}/ssh.config.in > ssh.config"
+  }
+
 }
diff --git a/bastion/ssh.config.in b/bastion/ssh.config.in
@@ -0,0 +1,19 @@
+# Loosely based on https://medium.com/@paulskarseth/ansible-bastion-host-proxycommand-e6946c945d30#.gdb1u6bjg
+UserKnownHostsFile=/dev/null
+StrictHostKeyChecking=no
+
+Host bastion
+    User                   admin
+    HostName               BASTION_IP
+    IdentityFile           ~/.ssh/id_rsa
+    BatchMode              yes
+    PasswordAuthentication no
+
+Host *
+    ServerAliveInterval    60
+    TCPKeepAlive           yes
+    ProxyCommand           ssh -W %h:%p -A admin@BASTION_IP
+    ControlMaster          auto
+    ControlPath            ~/.ssh/mux-%r@%h:%p
+    ControlPersist         8h
+    IdentityFile           ~/.ssh/id_rsa
diff --git a/bastion/user-script.sh b/bastion/user-script.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Disable the admin's shell
+usermod -s /bin/false admin
+
+# Disable SFTP
+sed -E -i .bck \
+    -e "s/^Subsystem(.*)/#Subsystem\1/" \
+    /etc/ssh/sshd_config
+
+# Disable root login in prod
+environment = $(mdata-get env)
+if [ "$environment" == "prod" ]; then
+    sed -E -i .bck \
+        -e "s/PermitRootLogin.*/PermitRootLogin no/" \
+        /etc/ssh/sshd_config
+else
+    sed -E -i .bck \
+        -e "s/PermitRootLogin.*/PermitRootLogin without-password/" \
+        /etc/ssh/sshd_config
+fi
+
+svcadm refresh ssh