Question 1

How to assign an Elastic IP to the bastion host with tf_aws_bastion_s3_keys?

Accepted Answer

Provide the EIP address in the eip variable and use an additional_user_data_script with aws ec2 associate-address command, as shown in the README example. Ensure the IAM instance profile has ec2:AssociateAddress permission.

Question 2

tf_aws_bastion_s3_keys vs terraform-aws-modules/bastion-host: which is better?

Accepted Answer

tf_aws_bastion_s3_keys excels at S3-based centralized key management and high availability via auto-scaling, while terraform-aws-modules/bastion-host may offer broader features like session management. Choose based on your priority for key sync vs. other functionalities.

Question 3

Can I use a custom AMI with this bastion module?

Accepted Answer

Yes, specify a custom AMI ID in the ami input variable, but you may need to override the user_data_file to ensure compatibility with the key sync scripts, as the default is optimized for Ubuntu.

Question 4

What happens if the S3 bucket with keys is deleted?

Accepted Answer

The bastion won't be able to update keys, and existing authorized_keys entries might persist unless manually cleaned. Set up S3 bucket lifecycle policies and monitor access to prevent disruptions.

Question 5

How to set up cron-based key updates for automatic revocation?

Accepted Answer

Set the keys_update_frequency variable to a cron timespec like '*/5 * * * *' for updates every 5 minutes. Removing a key from the S3 bucket will then automatically delete it from the bastion on the next sync.

Question 6

Does this module support IPv6 for SSH access control?

Accepted Answer

Yes, it supports IPv6 via the allowed_ipv6_cidr input variable, allowing you to restrict or allow IPv6 connections, as mentioned in the flexible network access features.

Question 7

How to integrate this bastion with Route53 for DNS?

Accepted Answer

Use the EIP assignment method from the example to get a stable IP, then create a Route53 A record pointing to that EIP. This ensures DNS always resolves to the active bastion instance.

tf_aws_bastion_s3_keys

What is tf_aws_bastion_s3_keys?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions