Releases: cloudposse/terraform-aws-ec2-bastion-server

v0.14.0

19 Dec 17:16
899ea4a

Automated updates for Terraform 0.14 support and improved PR automation @joe-niland (#47)

what

  • Run make tf14-upgrade and make pr/auto-format

why

  • Support Terraform 0.14, AWS provider 3+, etc
  • Support new PR automation

references

  • None

v0.13.0

06 Dec 20:11
09c8f66

Skip user data if the module is disabled @alexandrusavin (#43)

what

  • Skip the import of the user data file if the module is disabled

why

  • It triggers unnecessary plan changes even if the module is disabled
  • Pollutes the state when using different workspaces

references

v0.12.0

19 Nov 12:24
8e92c7b

Use private DNS record when not associating public IP @tyronedd (#42)

What

  • Use private DNS record when var.associate_public_address = false.

Why

  • When not associating public IP the record would be empty. This fixes that.

v0.11.0

18 Nov 09:31
a23434c

Fix flapping security groups @syphernl (#39)

what

  • Added explicit description to the ingress

why

  • AWS stores the unset description as "" but Terraform turns this into a null value, therefore triggering changes.
    Example:
  # module.bastion.aws_security_group.default[0] will be updated in-place
~ resource "aws_security_group" "default" {
        arn                    = "arn:aws:ec2:eu-west-1:xxxxxxxxxxxx:security-group/sg-xxxxxxxxxxxxxxxxx"
        description            = "Bastion security group (only SSH inbound access is allowed)"
        egress                 = []
        id                     = "sg-xxxxxxxxxxxxxxxxx"
    ~ ingress                = [
        - {
            - cidr_blocks      = [
                - "0.0.0.0/0",
                ]
            - description      = ""
            - from_port        = 22
            - ipv6_cidr_blocks = []
            - prefix_list_ids  = []
            - protocol         = "tcp"
            - security_groups  = []
            - self             = false
            - to_port          = 22
            },
        + {
            + cidr_blocks      = [
                + "0.0.0.0/0",
                ]
            + description      = null
            + from_port        = 22
            + ipv6_cidr_blocks = []
            + prefix_list_ids  = []
            + protocol         = "tcp"
            + security_groups  = []
            + self             = false
            + to_port          = 22
            },
        + {
            + cidr_blocks      = []
            + description      = ""
            + from_port        = 0
            + ipv6_cidr_blocks = []
            + prefix_list_ids  = []
            + protocol         = "-1"
            + security_groups  = []
            + self             = false
            + to_port          = 0
            },
        ]
        name                   = "xxx-staging-bastion"
        owner_id               = "xxxxxxxxxxxx"
        revoke_rules_on_delete = false
        tags                   = {
            "Name"      = "xxx-staging-bastion"
            "Namespace" = "xxx"
            "Stage"     = "staging"
        }
        vpc_id                 = "vpc-xxxxxxxxxxxxxxxxx"
    }

v0.10.0

17 Nov 10:52
2961517

Convert to context @syphernl (#38)

what

  • Converted this module to use context.tf

why

  • To follow the new standard applied across the other modules.

refs

v0.9.0

17 Nov 08:46
d6a3c89

Update default AMI ID @syphernl (#40)

what

  • Update the default / example AMI ID to the most recent version
  • Added an example on how to always obtain the latest AMI ID within the Terraform configuration

why

  • Out of the box (without an explicit AMI ID set) the provisioning will fail

references

v0.8.0

29 Sep 13:17
1ab9dce

Fix format of outputs @tyronedd (#36)

What

  • Fix format of outputs so no trailing 0 is needed

Why

  • Currently I have to suffix the instance_id with a 0: module.bastion.instance_id[0]. This PR will fix this.

v0.7.0

22 Sep 14:54
5c4eab3

Allow toggleable public IP @syphernl (#35)

what

  • Adds a flag to turn off public IP association

why

  • It may not always be desirable to have the Bastion host reachable from the internet (e.g. when using SSH over Session Manager)

v0.6.0

21 Sep 14:19
1153a65

Add security customizations to the bastion instance @syphernl (#34)

what

  • Added the ability to encrypt the root block device, off by default.
  • Added the ability to change the size of the root block device
  • Added the ability to change the HTTP Metadata endpoint settings (e.g. disable it, force it to IMDSv2)
  • Example modified to encrypt the EBS + turn off IMDSv2 per recommendations

why

  • Checkov recommends to have the root block device encrypted and IMDSv1 disabled. See references below for the rationale behind this recommendation.
    With the changes in this PR one can configure their Bastion to follow these recommendations.

references
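
The settings these release notes describe (encrypted root volume, IMDSv2-only metadata, no public IP, an explicit ingress description), written directly against AWS provider resources. This is an added example, not the module's own code; the variable names, resource names and instance type are assumptions.

```hcl
# Added example, not taken from the module. All names below are hypothetical.
variable "ami_id" { type = string }
variable "vpc_id" { type = string }
variable "subnet_id" { type = string }
variable "admin_cidr" { type = string } # e.g. a VPN range, supplied by the caller

resource "aws_security_group" "bastion" {
  name        = "example-bastion"
  description = "Bastion security group (only SSH inbound access is allowed)"
  vpc_id      = var.vpc_id

  ingress {
    # Explicit description: an unset one is stored by AWS as "" and read by
    # Terraform as null, which shows up as a change on every plan.
    description = "SSH from the admin network"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # narrower than the 0.0.0.0/0 seen in the plan output
  }
}

resource "aws_instance" "bastion" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.bastion.id]

  # No public IP: the host is then reached over a private path
  # (for example SSH over Session Manager).
  associate_public_ip_address = false

  root_block_device {
    encrypted = true # weak setting: false, which leaves the root volume unencrypted
  }

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # weak setting: "optional", which still accepts IMDSv1
    http_put_response_hop_limit = 1
  }
}
```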

v0.5.2

18 Aug 12:51
d37619d

🐛 Bug Fixes

Additional TF 0.13 Fixes @osterman (#33)

what

  • upgrade chatops
  • add automatic releasing
  • upgrade to go modules
  • update any version pinning
  • (locally verified) no terraform init errors using cli

why

  • Support Terraform 0.13