This directory contains the infrastructure for the NRLF AWS Bastion. This is a host that is deployed into the NRLF AWS accounts and can be used to run operations tasks against the resources in that account. For example, to run a report that reads from the DynamoDB pointers table.

Before deploying a bastion, you will need:

- An AWS account that has already been bootstrapped, as described in [bootstrap/README.md](../bootstrap/README.md) and has the account-wide infrastructure deployed as described in [account-wide-infrastructure/README.md](../account-wide-infrastructure/README.md). This is a one-time account setup step.

- Your CLI configured to allow authentication to your AWS account

The bastions are emphemeral resources that should be deploy when you need them.

To deploy a bastion, you will first need to login to the AWS mgmt account on the CLI.

Then, initialise the Terraform workspace with:

If you want a read-only bastion (can only READ from the pointers table), plan the deployment like this:

If you want a read-write bastion (can READ and WRITE from the pointers table), plan the deployment like this:

Once you're happy with your planned changes, you can apply them with:

Once the bastion is deployed, you can connect to it via SSH with:

Once connected successfully, you will be at the SSM `$` prompt. To switch to the `nrlf_ops` user, run this command:

Once switched to the `nrlf_ops` user, you can use the bastion and the installed tooling:

- `cd ./NRLF` - the NRLF repo (cloned from Github `develop`)

- `aws`

- `git`

- `python` and `poetry`

see [user-data.sh](./scripts/user-data.sh) for exactly what's installed on there.

If you're running the `make ssh-connection` and are seeing this error:

If you've just created a new bastion, it may be that it hasn't started yet. Log in to the AWS console to see the state of the EC2 instance. Press the "Connect" button in the console and choose the SSM tab to see if things are working ok.

If the EC2 instance is running and the console looks ok, check you have defined the correct ENV param for the installed bastion.

If you're getting this error:

If you've just created a new bastion, you may need to wait a little until the cloud-init script has finished. You can check the status of this process with:

If you're trying to access an AWS resource from the bastion and are getting an access denied error, it may be that the bastion's IAM role does not have the required permissions.

You can check the role in the AWS console to work out if things are missing and can edit it there too for immediate access to the resources you need.

If you want to permenantly grant new access to the bastion, you can add a policy and attach it to the EC2 instance in [iam.tf](iam.tf)

If there's a tool missing from the instance, you can add it using `apt` or via `asdf` as/when you need it.

If you want a new tool to be deployed onto all bastions in the future too, add it to the [user-data.sh](./scripts/user-data.sh) script.

data "aws_caller_identity" "current" {}

data "aws_vpc" "bastion_vpc" {

filter {

name = "tag:Name"

values = [var.vpc_name]

}

}

data "aws_subnet" "bastion_subnet" {

filter {

name = "tag:Name"

values = [var.subnet_name]

}

filter {

name = "vpc-id"

values = [data.aws_vpc.bastion_vpc.id]

}

}

data "aws_dynamodb_table" "dynamodb-table" {

count = var.dynamodb_table_name != null ? 1 : 0

name = var.dynamodb_table_name

}

data "aws_kms_key" "dynamodb-table-key" {

count = var.dynamodb_table_name != null ? 1 : 0

key_id = "alias/${data.aws_dynamodb_table.dynamodb-table[0].name}-key"

}

data "aws_ami" "bastion_ubuntu_ami" {

most_recent = true

owners = ["amazon"]

filter {

name = "name"

values = [var.ami_name_match]

}

}

resource "aws_instance" "node" {

ami = data.aws_ami.bastion_ubuntu_ami.id

instance_type = var.instance_type

subnet_id = data.aws_subnet.bastion_subnet.id

key_name = aws_key_pair.ec2_key_pair.key_name

associate_public_ip_address = false

iam_instance_profile = aws_iam_instance_profile.instance-profile.name

user_data = file("./scripts/user-data.sh")

tags = {

Name = "${local.prefix}-node"

}

}

resource "aws_security_group" "node-sg" {

name = "${local.prefix}-node-sg"

description = "Security group for ${aws_instance.node.id} node host"

vpc_id = data.aws_vpc.bastion_vpc.id

egress {

from_port = 0

to_port = 0

protocol = "-1"

cidr_blocks = ["0.0.0.0/0"]

}

}

resource "tls_private_key" "instance_key_pair" {

algorithm = "RSA"

}

resource "aws_key_pair" "ec2_key_pair" {

key_name = "${local.prefix}-ec2-key-pair"

public_key = tls_private_key.instance_key_pair.public_key_openssh

}

resource "aws_secretsmanager_secret" "bastion_ssh_key_secret" {

name_prefix = "${local.prefix}-ssh-key"

description = "Private SSH key for accessing the bastion host"

}

resource "aws_secretsmanager_secret_version" "bastion_ssh_key_secret_version" {

secret_id = aws_secretsmanager_secret.bastion_ssh_key_secret.id

secret_string = tls_private_key.instance_key_pair.private_key_pem

}

resource "aws_iam_role" "instance-role" {

name = "${local.prefix}-instance-role"

assume_role_policy = jsonencode({

Version = "2012-10-17"

Statement = [

{

Action = "sts:AssumeRole"

Effect = "Allow"

Principal = {

Service = "ec2.amazonaws.com"

}

}

]

})

}

resource "aws_iam_instance_profile" "instance-profile" {

name = "${local.prefix}-instance-profile"

role = aws_iam_role.instance-role.name

}

resource "aws_iam_policy" "dynamodb-table-read" {

count = var.dynamodb_table_name != null ? 1 : 0

name = "${local.prefix}-allow-table-read"

description = "Read the ${var.dynamodb_table_name} table"

policy = jsonencode({

Version = "2012-10-17"

Statement = [

{

Action = [

"kms:Decrypt",

"kms:DescribeKey"

]

Effect = "Allow"

Resource = [

data.aws_kms_key.dynamodb-table-key[0].arn

]

},

{

Effect = "Allow"

Action = [

"dynamodb:Query",

"dynamodb:Scan",

"dynamodb:GetItem",

],

Resource = [

"${data.aws_dynamodb_table.dynamodb-table[0].arn}"

]

}

]

})

}

resource "aws_iam_policy" "dynamodb-table-write" {

count = var.allow_dynamodb_table_write && var.dynamodb_table_name != null ? 1 : 0

name = "${local.prefix}-allow-table-write"

description = "Write to the ${var.dynamodb_table_name} table"

policy = jsonencode({

Version = "2012-10-17"

Statement = [

{

Action = [

"kms:Encrypt",

"kms:GenerateDataKey"

]

Effect = "Allow"

Resource = [

data.aws_kms_key.dynamodb-table-key[0].arn

]

},

{

Effect = "Allow"

Action = [

"dynamodb:PutItem",

"dynamodb:UpdateItem",

"dynamodb:DeleteItem",

"dynamodb:BatchWriteItem"

],

Resource = [

"${data.aws_dynamodb_table.dynamodb-table[0].arn}"

]

}

]

})

}

resource "aws_iam_policy" "s3-metadata-bucket-readwrite" {

name = "${local.prefix}-allow-s3-metadata-bucket-readwrite"

description = "Read and write access to the S3 metadata bucket"

policy = jsonencode({

Version = "2012-10-17"

Statement = [

{

Effect = "Allow"

Action = [

"s3:GetObject",

"s3:ListBucket",

"s3:HeadObject",

"s3:PutObject",

"s3:PutObjectAcl",

"s3:DeleteObject"

],

Resource = [

"arn:aws:s3:::${var.s3_metadata_bucket_name}",

"arn:aws:s3:::${var.s3_metadata_bucket_name}/*"

]

}

]

})

}

resource "aws_iam_role_policy_attachment" "ec2_role_policy_ssm" {

role = aws_iam_role.instance-role.name

policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

}

resource "aws_iam_role_policy_attachment" "dynamodb-table-read-attachment" {

count = var.dynamodb_table_name != null ? 1 : 0

role = aws_iam_role.instance-role.name

policy_arn = aws_iam_policy.dynamodb-table-read[0].arn

}

resource "aws_iam_role_policy_attachment" "dynamodb-table-write-attachment" {

count = var.allow_dynamodb_table_write && var.dynamodb_table_name != null ? 1 : 0

role = aws_iam_role.instance-role.name

policy_arn = aws_iam_policy.dynamodb-table-write[0].arn

}

resource "aws_iam_role_policy_attachment" "s3-metadata-bucket-readwrite-attachment" {

role = aws_iam_role.instance-role.name

policy_arn = aws_iam_policy.s3-metadata-bucket-readwrite.arn

}

locals {

region = "eu-west-2"

project = "nhsd-nrlf--${var.bastion_name}-bastion"

prefix = local.project

}