Interface Ec2HaBastionProps

interface Ec2HaBastionProps {
    allowEc2MetadataServiceAccess?: boolean;
    allowShell?: boolean;
    allowedCidrs?: string[];
    instanceType?: InstanceType;
    keyName?: string;
    machineImage?: IMachineImage;
    openToInternet?: boolean;
    proxyUserName?: string;
    publicKeys?: string[];
    serverKeys?: {
        ecdsaSecret?: ISecret;
        ed25519Secret?: ISecret;
    };
    vpc: IVpc;
}

Properties

allowEc2MetadataServiceAccess?: boolean

Whether to allow the proxy user to access the EC2 metadata service at 192.168.192.168, which would give them any IAM permissions granted to the instance profile.

Note that when serverKeys are set, this restriction is applied after the server keys are retrieved, but before the proxyUserName user is created and the provided publicKeys are added for that user.

Beware that if this is set to true and serverKeys are set, proxy users would be able to retrieve the server host keys from Secrets Manager.

Default

false
allowShell?: boolean

Whether to allow shell access to the proxy user. When enabled, they will be able to run arbitrary commands on the bastion. When disabled, they will be able to use SSH tunneling, but not run arbitrary commands.

Default

false
allowedCidrs?: string[]

The CIDRs to allow SSH access from.

Default

No access from the internet
instanceType?: InstanceType

The instance type to use for the bastion.

Default

t3.nano
keyName?: string

The key name from EC2 to use for the EC2 instance default user (e.g. ec2-user).

machineImage?: IMachineImage

The machine image to use for the bastion.

Default

latest Amazon Linux 2023
openToInternet?: boolean

Whether to allow SSH access from the internet.

Default

false
proxyUserName?: string

The Unix username for the proxy user. This must be different from the default user of the AMI.

Default

proxyuser
publicKeys?: string[]

The public keys to add to the bastion, as strings. Each must be given in a format that ssh-keygen -l -f can understand; otherwise that key will be ignored.

Default

No public keys
serverKeys?: {
    ecdsaSecret?: ISecret;
    ed25519Secret?: ISecret;
}

Options for setting host keys from Secrets Manager secrets.

Note that the key must be the whole body of the secret and in OpenSSH format, i.e. it is expected to start with -----BEGIN OPENSSH PRIVATE KEY----- and end with -----END OPENSSH PRIVATE KEY-----.

Type declaration

  • Optional ecdsaSecret?: ISecret

    ECDSA private key that is stored at /etc/ssh/ssh_host_ecdsa_key

    Key must be the whole body of the secret.

  • Optional ed25519Secret?: ISecret

    Ed25519 private key that is stored at /etc/ssh/ssh_host_ed25519_key

    Key must be the whole body of the secret.

vpc: IVpc

The VPC to deploy the bastion into.
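Several of the property notes above only matter in combination: allowEc2MetadataServiceAccess together with serverKeys exposes the host-key secrets, openToInternet and allowShell widen what a proxy user can do, proxyUserName must not collide with the AMI default user, and any entry of publicKeys that ssh-keygen cannot read is silently dropped. The following TypeScript is an added example, not part of the TypeDoc output or the construct's own code: it audits an object shaped like Ec2HaBastionProps against those notes and checks each public key against the one-line OpenSSH format (type, base64 blob, optional comment, with the blob's leading length-prefixed string matching the declared type). ISecret is replaced by a minimal structural stand-in, the finding codes are this example's own, and the assumed AMI default user is ec2-user (from the keyName note); the sample key line is constructed around a dummy value and is not a real key.

```typescript
// Added example, not part of the TypeDoc output or the construct's own code.
// It audits an object shaped like Ec2HaBastionProps for the risky settings the
// property docs describe, and checks that each entry of publicKeys is in the
// one-line OpenSSH format that `ssh-keygen -l -f` accepts, since keys it cannot
// read are silently dropped. ISecret is replaced by a minimal structural
// stand-in (an assumption) so the file runs without aws-cdk-lib.

interface SecretRef { secretName: string; }              // stand-in for ISecret

interface BastionAuditProps {
  allowEc2MetadataServiceAccess?: boolean;
  allowShell?: boolean;
  allowedCidrs?: string[];
  openToInternet?: boolean;
  proxyUserName?: string;
  publicKeys?: string[];
  serverKeys?: { ecdsaSecret?: SecretRef; ed25519Secret?: SecretRef };
}

interface Finding { code: string; severity: "high" | "medium"; message: string; }

function uint32(n: number): Buffer {
  const b = Buffer.alloc(4);
  b.writeUInt32BE(n, 0);
  return b;
}

// Parses one OpenSSH public key line ("<type> <base64 blob> [comment]") and
// returns the key type when the blob is well formed, otherwise null. The blob
// must start with a length-prefixed copy of the declared key type (RFC 4253
// string encoding); a mismatch or undecodable blob means ssh-keygen will reject it.
function parseOpenSshPublicKey(line: string): string | null {
  const parts = line.trim().split(/\s+/);
  const declaredType = parts[0];
  const b64 = parts[1];
  if (!declaredType || !b64 || !/^[A-Za-z0-9+/]+=*$/.test(b64)) return null;
  const blob = Buffer.from(b64, "base64");
  if (blob.length < 4) return null;
  const typeLen = blob.readUInt32BE(0);
  if (typeLen === 0 || 4 + typeLen > blob.length) return null;
  const embeddedType = blob.subarray(4, 4 + typeLen).toString("utf8");
  return embeddedType === declaredType ? declaredType : null;
}

// Builds a syntactically valid ssh-ed25519 line around a constructed, all-0x42
// 32-byte value. It is NOT a real key; it only exercises the parser.
function constructedSampleKeyLine(comment = "example@constructed"): string {
  const type = Buffer.from("ssh-ed25519", "utf8");
  const blob = Buffer.concat([uint32(type.length), type, uint32(32), Buffer.alloc(32, 0x42)]);
  return `ssh-ed25519 ${blob.toString("base64")} ${comment}`;
}

// amiDefaultUser is the AMI's default login (ec2-user on Amazon Linux, per the
// keyName note); proxyUserName defaults to "proxyuser" and must not collide with it.
function auditBastionProps(props: BastionAuditProps, amiDefaultUser = "ec2-user"): Finding[] {
  const findings: Finding[] = [];
  const hasServerKeys = Boolean(props.serverKeys?.ecdsaSecret || props.serverKeys?.ed25519Secret);

  if (props.allowEc2MetadataServiceAccess) {
    if (hasServerKeys) {
      findings.push({ code: "imds-server-keys", severity: "high",
        message: "proxy user can reach the metadata service and read the host-key secrets via the instance role" });
    } else {
      findings.push({ code: "imds", severity: "medium",
        message: "proxy user can use any IAM permissions granted to the instance profile" });
    }
  }
  if (props.allowShell) {
    findings.push({ code: "shell", severity: "medium", message: "proxy user can run arbitrary commands on the bastion" });
  }
  if (props.openToInternet) {
    findings.push({ code: "open-to-internet", severity: "high", message: "SSH is reachable from the internet" });
  }
  if ((props.proxyUserName ?? "proxyuser") === amiDefaultUser) {
    findings.push({ code: "proxy-user-collision", severity: "high",
      message: `proxyUserName must differ from the AMI default user ${amiDefaultUser}` });
  }
  const keys = props.publicKeys ?? [];
  for (let i = 0; i < keys.length; i++) {
    if (parseOpenSshPublicKey(keys[i] ?? "") === null) {
      findings.push({ code: "invalid-public-key", severity: "medium",
        message: `publicKeys[${i}] is not a parsable OpenSSH public key and would be ignored` });
    }
  }
  return findings;
}
```

Run the audit on the props object before passing it to the construct (for instance in a unit test of the stack), and treat any "high" finding as a reason to stop the deployment. The public-key check is deliberately structural only: it confirms the line is something ssh-keygen can read, not that the key belongs to anyone in particular.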
