The Project Factory module can be used to provision a project with the necessary APIs enabled.
## Permissions

This module only sets up permissions for the bastion service account, not for the users who need access. To allow access, grant one of the following instance access roles.

| Role | Description |
|------|-------------|
| roles/compute.osLogin | Does not grant administrator permissions |

If the user is not in the same domain as the organization the bastion belongs to, you will also need to grant that user roles/compute.osLoginExternalUser. This is to prevent external SSH access from being granted at the project level. See the OS Login documentation for more information.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| | A list of additional ports/ranges to open access to on the instances from IAP. | list(string) | [] | no |
| create_firewall_rule | Whether to create the firewall rule. | bool | true | no |
| create_instance_from_template | Whether to create an instance from the template. If false, no instance is created, but the instance template is created and usable by a MIG. | bool | true | no |
| disk_size_gb | Boot disk size in GB | number | 100 | no |
| disk_type | Boot disk type; one of pd-ssd, local-ssd, or pd-standard | string | "pd-standard" | no |
| external_ip | Set to true if an ephemeral or static external IP/DNS is required; access_config must also be set if true | bool | false | no |
| fw_name_allow_ssh_from_iap | Firewall rule name for allowing SSH from IAP | string | "allow-ssh-from-iap-to-tunnel" | no |
| host_project | The network host project ID | string | "" | no |
| image | Source image for the bastion. If image is not specified, image_family is used (the default). | string | "" | no |
| image_family | Source image family for the bastion. | string | "debian-11" | no |
| image_project | Project where the source image for the bastion comes from | string | "debian-cloud" | no |
| labels | Key-value map of labels to assign to the bastion host | map(any) | {} | no |
| machine_type | Instance type for the bastion host | string | "n1-standard-1" | no |
| members | List of IAM members to allow access to the bastion host | list(string) | [] | no |
| metadata | Key-value map of additional metadata to assign to the instances | map(string) | {} | no |
| name | Name of the bastion instance | string | "bastion-vm" | no |
| name_prefix | Name prefix for the instance template | string | "bastion-instance-template" | no |
| network | Self link of the network on which the bastion should live | string | n/a | yes |
| preemptible | Allow the instance to be preempted | bool | false | no |
| project | The project ID to deploy to | string | n/a | yes |
| random_role_id | Enables random ID generation for the role. | bool | true | no |
| scopes | List of scopes to attach to the bastion host | list(string) | [ "cloud-platform" ] | no |
| service_account_email | If set, the service account and its permissions will not be created. The service account being passed in should have at least the roles listed in the service_account_roles variable so that logging and OS Login work as expected. | string | "" | no |
| service_account_name | Account ID for the service account | string | "bastion" | no |
| service_account_roles | List of IAM roles to assign to the service account. | | | |
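The following is an added example, not code from the module's README, showing how the inputs above and the Permissions section fit together: a bastion with no external IP that is reachable only through the IAP tunnel, plus the user-level OS Login grants the module itself does not create. The registry `source` string, the `subnet` and `zone` inputs (required by the module but outside the excerpt above), the `service_account_roles` list, and every project, network, organization and member value are assumptions or placeholders.

```hcl
# Added example (not part of the module's README). All ids below are placeholders.
locals {
  project_id = "my-host-project"   # placeholder
  org_id     = "123456789012"      # placeholder organization id

  # Identities that may open an IAP tunnel to the bastion (placeholders).
  bastion_users = [
    "user:alice@example.com",
    "group:ops@example.com",
  ]
}

module "iap_bastion" {
  source = "terraform-google-modules/bastion-host/google"  # assumed registry source

  # Required inputs listed in the table above.
  project = local.project_id
  network = "projects/${local.project_id}/global/networks/bastion-vpc"

  # Required by the module but not shown in the excerpt above (assumed).
  subnet = "projects/${local.project_id}/regions/us-central1/subnetworks/bastion-subnet"
  zone   = "us-central1-a"

  # Keep the bastion off the public internet: SSH only arrives via the IAP TCP tunnel,
  # and the module's firewall rule admits SSH from IAP alone.
  external_ip                = false
  create_firewall_rule       = true
  fw_name_allow_ssh_from_iap = "allow-ssh-from-iap-to-tunnel"

  # Image and sizing, using the table's defaults where sensible.
  image_family  = "debian-11"
  image_project = "debian-cloud"
  machine_type  = "n1-standard-1"
  disk_type     = "pd-standard"
  disk_size_gb  = 100
  preemptible   = false

  labels = {
    role        = "bastion"
    environment = "prod"
  }

  # Dedicated service account; roles are an assumed minimal set for logging/monitoring
  # and OS Login, as the service_account_email description requires.
  service_account_name  = "bastion"
  service_account_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/compute.osLogin",
  ]

  scopes  = ["cloud-platform"]
  members = local.bastion_users
}

# Per the Permissions section, user access is not set up by the module.
# Grant the non-administrative login role to each bastion user.
resource "google_project_iam_member" "bastion_os_login" {
  for_each = toset(local.bastion_users)

  project = local.project_id
  role    = "roles/compute.osLogin"
  member  = each.value
}

# A user whose account is outside the organization's domain also needs
# roles/compute.osLoginExternalUser. It is granted at the organization level,
# which is what keeps external SSH access from being granted per project.
resource "google_organization_iam_member" "bastion_external_os_login" {
  org_id = local.org_id
  role   = "roles/compute.osLoginExternalUser"
  member = "user:contractor@partner.example"  # placeholder external identity
}
```

With this configuration applied, an allowed user connects with `gcloud compute ssh bastion-vm --tunnel-through-iap --project my-host-project --zone us-central1-a`; because `external_ip` is false and the firewall rule only admits IAP, a direct SSH attempt against the instance from the internet has no address to reach, and every session is attributable to the IAM identity that opened the tunnel.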