allow (Optional)
Whether to allow shell access to the proxy user. When enabled, they will be able to run arbitrary commands on the bastion. When disabled, they will be able to use SSH tunneling, but not run arbitrary commands.
Default: false
allowed (Optional)
The CIDRs to allow SSH access from.
Default: No access from the internet
instance (Optional)
The instance type to use for the bastion.
Default: t3.nano
key (Optional)
The key name from EC2 to use for the EC2 instance default user (e.g. ec2-user).
machine (Optional)
The machine image to use for the bastion.
Default: latest Amazon Linux 2023
open (Optional)
Whether to allow SSH access from the internet.
Default: false
proxyUserName (Optional)
The unix username for the proxy user. This must be different from the default user of the AMI.
Default: proxyuser
publicKeys (Optional)
The public keys to add to the bastion as strings. Must be given in a format that ssh-keygen -l -f can understand, otherwise the key will be ignored.
Default: No public keys
serverKeys (Optional)
Options for setting host keys from SecretsManager secrets.
Note that the key should be the whole body of the secret, and in OpenSSH format, i.e. it would be expected to start with -----BEGIN OPENSSH PRIVATE KEY----- and end with -----END OPENSSH PRIVATE KEY-----.

  ecdsa (Optional)
  ECDSA private key that is stored at /etc/ssh/ssh_host_ecdsa_key. Key must be the whole body of the secret.

  ed25519 (Optional)
  Ed25519 private key that is stored at /etc/ssh/ssh_host_ed25519_key. Key must be the whole body of the secret.
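As an added example, not code from the construct or from this documentation: a Python pre-deployment check that approximates the structural part of the ssh-keygen -l -f test described for publicKeys (so keys that would be silently ignored are caught early) and the whole-body check described for serverKeys. The key-type/blob consistency rule is an assumption about what ssh-keygen accepts, and the check is structural only, not a cryptographic validation; constructed_key_line builds sample input from made-up bytes, not real keys.

```python
import base64
import struct

# Markers a serverKeys secret body is expected to start and end with.
OPENSSH_KEY_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_KEY_END = "-----END OPENSSH PRIVATE KEY-----"

def parse_public_key(line):
    """Structural check of one publicKeys string.

    Returns (key_type, comment) when the line is '<type> <base64> [comment]'
    and the blob's leading length-prefixed string names that same type;
    returns None for anything the bastion would silently ignore.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        return None
    return key_type, comment

def split_public_keys(keys):
    """Partition candidate key strings into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for key in keys:
        (accepted if parse_public_key(key) else rejected).append(key)
    return accepted, rejected

def is_whole_openssh_private_key(secret_body):
    """True when a secret body is a complete OpenSSH-format private key."""
    lines = [ln.strip() for ln in secret_body.strip().splitlines()]
    return (len(lines) >= 3 and lines[0] == OPENSSH_KEY_BEGIN
            and lines[-1] == OPENSSH_KEY_END)

def constructed_key_line(key_type, raw_key_bytes, comment=""):
    """Build a well-formed key line from constructed bytes (not a real key)."""
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key_bytes)) + raw_key_bytes)
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line
```

The authoritative check remains running ssh-keygen -l -f over each key written to a file; this script only filters the obvious rejects offline.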
The VPC to deploy the bastion into.

Whether to allow the proxy user to access the EC2 metadata service at 192.168.192.168, allowing access to any IAM permissions granted to the instance profile.
Note that when serverKeys are set, this protection is set after the server keys are retrieved, but before the proxyUserName user is created and the provided publicKeys are added for that user.
Beware that if this is set to true, and serverKeys are set, proxy users would be able to retrieve the server keys from SecretsManager.

Generated using TypeDoc