Add some readme

.github/workflows/bootstrap.yaml

@@ -23,6 +23,7 @@ on: # yamllint disable-line rule:truthy
         options:
           - github
           - gke_and_state_bucket
+          - bastion_host
           - application_infrastructure
 
 run-name: Bootstrapping ${{ inputs.scope }} for @${{ inputs.environment }}
@@ -112,6 +113,44 @@ jobs:
           terraform -chdir="$TF_WORK_DIR" apply -input=false tfplan
           terraform output
 
+  bastion_host:
+    name: Plan and potentially apply for scope github
+    if: ${{ github.event.inputs.environment == 'dev' && github.event.inputs.scope == 'bastion_host'}}
+    runs-on:
+      - ubuntu-latest
+    env:
+      TF_WORK_DIR: ./scopes/ssh-bastion
+      #TF_STATE_FILE: '-> Handled by bucket backend prefix'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          project_id: ${{ vars.GOOGLE_PROJECT_ID }}
+          credentials_json: ${{ secrets.AUTOMATION_SA_KEY_JSON }}
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+      - name: terraform init
+        run: terraform -chdir="$TF_WORK_DIR" init
+      - name: terraform plan
+        env:
+          PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID }}
+          GH_API_TOKEN: ${{ secrets.API_ACCESS_TOKEN }}
+        run: |
+          terraform -chdir="$TF_WORK_DIR" plan -input=false -out=tfplan \
+            -var-file "../../environments/dev.tfvars" \
+            -var "github_token=$GH_API_TOKEN" \
+            -var "project_id=$PROJECT_ID"
+      - name: terraform apply
+        if: ${{ github.event.inputs.apply == 'apply!' }}
+        run: |
+          terraform -chdir="$TF_WORK_DIR" apply -input=false tfplan
+          terraform output
+
+
   plan-apply-application:
     name: Plan and potentially apply for scope github
     if: ${{ github.event.inputs.environment == 'dev' && github.event.inputs.scope == 'application_infrastructure'}}

scopes/ssh-bastion/00_ssh_bastion.tf

@@ -0,0 +1,65 @@
+data "google_project" "project" {
+  project_id = var.project_id
+}
+
+data " google_compute_network" "gke_vpc" {
+  name = var.vpc_name
+  project = data.google_project.project.id
+}
+
+data " google_compute_subnetwork" "master_subnet" {
+  name = var.subnet_name
+  project = data.google_project.project.id
+}
+
+
+resource "google_compute_instance" "bastion_host" {
+  name         = "bastion-host"
+  machine_type = "n1-standard-1"
+  zone         = var.gcp_region
+
+  boot_disk {
+    initialize_params {
+      image = "debian-cloud/debian-10"
+    }
+  }
+
+  network_interface {
+    network    = data.google_compute_network.gke_vpc.name #google_compute_network.vpc_network.name
+    subnetwork = data.google_compute_subnetwork.master_subnet.name # google_compute_subnetwork.vpc_subnet.name
+    access_config {} # Allows external SSH access to the bastion host.
+  }
+
+  metadata = {
+    user-data = file("${path.module}/cloud-config.yaml")
+    ssh-keys = "lpt:${var.ssh_pub}"
+  }
+
+  tags = ["bastion"]
+}
+
+resource "google_compute_firewall" "allow_bastion_ssh_from_public" {
+  name    = "allow-bastion-ssh"
+  network = data.google_compute_network.gke_vpc.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["bastion"]
+}
+
+resource "google_compute_firewall" "allow_bastion_to_gke" {
+  name    = "allow-bastion-to-gke"
+  network = data.google_compute_network.gke_vpc.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["443"] # Port for GKE control plane
+  }
+
+  source_tags = ["bastion"]
+  destination_ranges = [data.google_compute_subnetwork.master_subnet.ip_cidr_range] # GKE master CIDR
+}

scopes/ssh-bastion/cloud-config.yaml

@@ -0,0 +1,12 @@
+groups:
+  - lpt
+
+users:
+  - default
+  - name: terraform
+    gecos: lpt
+    shell: /bin/bash
+    primary_group: lpt
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    groups: users
+    lock_passwd: false

scopes/ssh-bastion/provider.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6"
+    }
+  }
+
+  backend "gcs" {
+    bucket = "lpt-schulung-bucket-tfstate"
+    prefix = "gke_and_state_bucket"
+  }
+}
+
+provider "google" {
+  project = var.project_id
+  region  = var.gcp_region
+}

scopes/ssh-bastion/variables.tf

@@ -0,0 +1,30 @@
+
+variable "project_id" {
+  description = "Project ID to apply and identify infrastructure code"
+  type        = string
+}
+
+variable "gcp_region" {
+  description = "Region the infrastructure should be deployed in"
+  type        = string
+  default     = "europe-west1"
+}
+
+variable "vpc_name" {
+  description = "VPC Name"
+  type        = string
+  default     = "simple-autopilot-private-network"
+}
+
+variable "subnet_name" {
+  description = "Subnet Name"
+  type        = string
+  default     = "simple-autopilot-private-master-subnet"
+}
+
+
+variable "ssh_pub" {
+  description = "VPC ID"
+  type        = string
+  default     = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDD7/3NuwKwsZpNZUAq5tWDluX6KaLRq50W8CzWC83zzjS0wjswKUJRUZQy/RQRjQaOmtbnIh30buXGveUSV+pMkkTYLnZii7G3GmXnthDHRk3AhS+SirkhRwMCVeexRrQa+ezq0NVxxpAMGCChtWYO4EQ5ehjI858wnEai+fYm+imOsREt6QOPVbFMvOz1SytpHKG2d0De4+rC/hMToWZ5HED5Ib2o7CtgcdHyPESAYQmSMjt2ZMtOON3RqVdkQNRn+iETWEIDvvSfauDl2tGxUmomLTI8g4JnjGxWGfLTQ0zjXDeNuY4EameWXnZ9mxRJEo2iC5c1DyDPecO3JI4QCWw5sB6nAcaZjTnKi3n0t1Mz3rCUhrjCHCY+7QBVslri+XpB/RqXs359Qifv6CNGFz3JWI9KBr4CDapxF0DN71G9WsiH0HAXUasDmMjP4gVxnkhnED5xgndXWurVuhqIf0E/Q46rRCG1YpyN1exkEwaxC/V0i6zprFGrHymJ5Bs= [email protected]"
+}