Identity Aware proxy with ssh tunnel about terraform-google-vault HOT 3 CLOSED

Hi @jasonbisson

Thank you for opening an issue. It's unclear what you are asking. Are you asking for a new feature or a change to the existing behavior?

from terraform-google-vault.

Hi @sethvargo

Thanks for the quick response. The ask is related to the README where a bastion is called out to access the Vault node, but Identity aware proxy with TCP forwarding could be an option to eliminate the bastion host. Also, might be an optional resource deploy by Terraform.

https://cloud.google.com/iap/docs/using-tcp-forwarding

from terraform-google-vault.

@jasonbisson The bast practice is to not give SSH access to Vault nodes themselves, since that node holds senstitive information that could be accessed if a privilege escalation vulnerability is exploited on the host. Rather access over HTTPS is preferred, hence the bastion host with firewall at 443 open to Vault for admin tasks. If you'd like to use IAP for the bastion, take a look at https://github.com/terraform-google-modules/terraform-google-bastion-host

However if you still want to enable IAP SSH to the Vault node, simply add a firewall rule on the Vault network that allows port 22 access to the vault service account from the IAP CIDR range.

module "iap_tunneling" {
  source = "terraform-google-modules/bastion-host/google//modules/iap-tunneling"

  project = var.project
  network  = var.network
  service_accounts = [module.vault.service_account_email]

  instances = [{
    name = var.vault_node1
    zone = var.vault_node2
  }]

  members = [
    "group:[email protected]",
    "user:[email protected]",
  ]
}

from terraform-google-vault.