add ssh config file

.gitignore

@@ -11,3 +11,5 @@
 
 # render files
 **/conf.render/**
+
+.DS_Store

configs/bastion/sshd_config

@@ -0,0 +1,144 @@
+#       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+Port ${ssh_port}
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem sftp  /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
+
+
+
+ClientAliveInterval 120
+ClientAliveCountMax 720
+
+AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
+AuthorizedKeysCommandUser ec2-instance-connect

scripts/config_bastion.sh.tpl

@@ -26,6 +26,11 @@ function check_internet_connect {
     esac
 }
 
+function update_ssh_config {
+    mv -f /tmp/sshd_config /etc/ssh/sshd_config
+    service sshd restart
+}
+
 function main {
     if [[ $EUID -ne 0 ]]; then
         echo "This script must be run as root" 1>&2  >> $LOG_INSTALL
@@ -34,6 +39,8 @@ function main {
 
     if [[ $OS == "centos" || $OS == "amazon" ]];
     then
+        update_ssh_config
+        echo "[SUCCESS] Update SSH configuration complete!"  >> $LOG_INSTALL
         config_proxy
         echo "[SUCCESS] Configuration Proxy complete!"  >> $LOG_INSTALL
         check_internet_connect

terraform/data_template.tf

@@ -25,7 +25,7 @@ data "template_file" "jira_properties" {
   template = file("../scripts/install_jira.sh.tpl")
 
   vars = {
-    jira_version  = var.jira_version
+    jira_version = var.jira_version
   }
 }
 
@@ -34,10 +34,10 @@ resource "template_dir" "jira_config" {
   destination_dir = "../configs/jira/conf.render/"
 
   vars = {
-    db_endpoint   = aws_db_instance.jira.endpoint
-    db_name       = var.jira_db_name
-    db_password   = var.jira_password
-    db_username   = var.jira_username
+    db_endpoint = aws_db_instance.jira.endpoint
+    db_name     = var.jira_db_name
+    db_password = var.jira_password
+    db_username = var.jira_username
   }
 }
 
@@ -46,7 +46,7 @@ data "template_file" "confluence_properties" {
   template = file("../scripts/install_confluence.sh.tpl")
 
   vars = {
-    confluence_version  = var.confluence_version
+    confluence_version = var.confluence_version
   }
 }
 
@@ -56,13 +56,13 @@ resource "template_dir" "nginx_conf" {
   destination_dir = "../configs/nginx/conf.render/"
 
   vars = {
-    jenkins_domain_name     = aws_route53_record.jenkins.name
-    sonar_domain_name       = aws_route53_record.sonar.name
-    nexus_domain_name       = aws_route53_record.nexus.name
-    gitlab_domain_name      = aws_route53_record.gitlab.name
-    jira_domain_name        = aws_route53_record.jira.name
-    confluence_domain_name  = aws_route53_record.confluence.name
-    monitor_domain_name     = aws_route53_record.monitor.name
+    jenkins_domain_name    = aws_route53_record.jenkins.name
+    sonar_domain_name      = aws_route53_record.sonar.name
+    nexus_domain_name      = aws_route53_record.nexus.name
+    gitlab_domain_name     = aws_route53_record.gitlab.name
+    jira_domain_name       = aws_route53_record.jira.name
+    confluence_domain_name = aws_route53_record.confluence.name
+    monitor_domain_name    = aws_route53_record.monitor.name
   }
 }
 
@@ -106,6 +106,15 @@ data "template_file" "bastion_config" {
   }
 }
 
+resource "template_dir" "bastion_ssh_config" {
+  source_dir      = "../configs/bastion/"
+  destination_dir = "../configs/bastion/conf.render/"
+
+  vars = {
+    ssh_port = var.bastion_ssh_port
+  }
+}
+
 # Squid
 data "template_file" "squid_install" {
   template = file("../scripts/install_squid.sh.tpl")
@@ -144,7 +153,7 @@ resource "template_dir" "prometheus_config" {
   destination_dir = "../configs/prometheus/conf.render/"
 
   vars = {
-    prometheus_url     = "localhost:9090"
+    prometheus_url = "localhost:9090"
   }
 }
 
@@ -162,6 +171,6 @@ resource "template_dir" "grafana_config" {
   destination_dir = "../configs/grafana/conf.render/"
 
   vars = {
-    prometheus_url     = "http://${var.prometheus_ip}:9090"
+    prometheus_url = "http://${var.prometheus_ip}:9090"
   }
 }

terraform/ec2_instances.tf

@@ -16,11 +16,6 @@ resource "aws_instance" "bastion-server" {
   key_name      = aws_key_pair.bastion.id
   user_data     = data.template_file.bastion_config.rendered
 
-  network_interface {
-    network_interface_id = aws_network_interface.bastion.id
-    device_index         = 0
-  }
-
   # Copies the internal-key to /home/ec2-user
   provisioner "file" {
     source      = "../keypair/internal-key"
@@ -32,6 +27,22 @@ resource "aws_instance" "bastion-server" {
     }
   }
 
+  # Copies the SSH config files to /etc/ssh.
+  provisioner "file" {
+    source      = template_dir.bastion_ssh_config.destination_dir
+    destination = "/tmp/"
+    connection {
+      user        = "ec2-user"
+      host        = self.public_ip
+      private_key = file(var.bastion_private_key_path)
+    }
+  }
+
+  network_interface {
+    network_interface_id = aws_network_interface.bastion.id
+    device_index         = 0
+  }
+
   # provisioner "local-exec" {
   #   command = "chmod -R 400 internal-key"
   #   interpreter = ["/bin/bash", "-c"]
@@ -95,6 +106,7 @@ resource "aws_instance" "squid" {
       host                = aws_instance.squid.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }
@@ -138,6 +150,7 @@ resource "aws_instance" "nginx" {
       host                = aws_instance.nginx.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }
@@ -151,6 +164,7 @@ resource "aws_instance" "nginx" {
       host                = aws_instance.nginx.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }
@@ -255,6 +269,7 @@ resource "aws_instance" "jira" {
       host                = aws_instance.jira.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }
@@ -273,7 +288,7 @@ resource "aws_instance" "confluence" {
     device_index         = 0
   }
 
-  user_data = data.template_file.confluence_properties.rendered 
+  user_data = data.template_file.confluence_properties.rendered
 
   tags = {
     Name = var.project_name != "" ? "${var.project_name}-Confluence-Server" : "Confluence-Server"
@@ -315,6 +330,7 @@ resource "aws_instance" "gitlab" {
       host                = aws_instance.gitlab.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }
@@ -351,6 +367,7 @@ resource "aws_instance" "grafana" {
       host                = aws_instance.grafana.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }
@@ -387,6 +404,7 @@ resource "aws_instance" "prometheus" {
       host                = aws_instance.prometheus.private_ip
       private_key         = file(var.internal_private_key_path)
       bastion_host        = aws_instance.bastion-server.public_ip
+      bastion_port        = var.bastion_ssh_port
       bastion_host_key    = file(var.bastion_key_path)
       bastion_private_key = file(var.bastion_private_key_path)
     }