Comments (3)
Hi @jasonbisson
Thank you for opening an issue. It's unclear what you are asking. Are you asking for a new feature or a change to the existing behavior?
Hi @sethvargo
Thanks for the quick response. The ask is related to the README, where a bastion is called out to access the Vault node, but Identity-Aware Proxy with TCP forwarding could be an option to eliminate the bastion host. Also, it might be an optional resource deployed by Terraform.
https://cloud.google.com/iap/docs/using-tcp-forwarding
@jasonbisson The best practice is to not give SSH access to Vault nodes themselves, since that node holds sensitive information that could be accessed if a privilege escalation vulnerability is exploited on the host. Rather, access over HTTPS is preferred, hence the bastion host with firewall at 443 open to Vault for admin tasks. If you'd like to use IAP for the bastion, take a look at https://github.com/terraform-google-modules/terraform-google-bastion-host
However if you still want to enable IAP SSH to the Vault node, simply add a firewall rule on the Vault network that allows port 22 access to the vault service account from the IAP CIDR range.
```hcl
module "iap_tunneling" {
  source = "terraform-google-modules/bastion-host/google//modules/iap-tunneling"

  project = var.project
  network = var.network

  # Service account attached to the Vault nodes; the IAP firewall rule is scoped to it
  service_accounts = [module.vault.service_account_email]

  # Instances IAP may forward to; zone must be the instance's own zone
  # (var.vault_node1_zone is an assumed variable name)
  instances = [{
    name = var.vault_node1
    zone = var.vault_node1_zone
  }]

  # IAM members granted the IAP-secured tunnel user role on these instances
  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}
```
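The firewall rule the comment above describes, written out as an added example (not code from the thread or from the terraform-google-vault module): it assumes var.project, var.network and module.vault.service_account_email as used in the snippet above, and the rule name is a placeholder.

```hcl
# Added example: allow IAP TCP forwarding to port 22 on the Vault nodes only.
# Assumes var.project, var.network and module.vault.service_account_email
# as in the iap_tunneling snippet above.
resource "google_compute_firewall" "vault_iap_ssh" {
  name    = "vault-allow-iap-ssh" # placeholder name
  project = var.project
  network = var.network

  direction = "INGRESS"

  # 35.235.240.0/20 is Google's published source range for IAP TCP forwarding,
  # so only connections that passed IAP's IAM check can reach port 22;
  # nothing else on the internet or the VPC matches this rule.
  source_ranges = ["35.235.240.0/20"]

  # Scope the rule to the Vault nodes' service account rather than to every
  # instance on the network, as the comment recommends.
  target_service_accounts = [module.vault.service_account_email]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Log matching connections so SSH sessions to Vault nodes appear in
  # firewall logs for review.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

IAP itself still has to be granted to the intended principals (the `members` list in the iap_tunneling module); this rule only opens the network path from the IAP proxy range.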