| 1 | import { IPrincipal, IRole } from '@aws-cdk/aws-iam';
|
| 2 | import { Resource, Stack } from '@aws-cdk/core';
|
| 3 | import { Construct } from 'constructs';
|
| 4 | import { InstanceType } from '.';
|
| 5 | import { CloudFormationInit } from './cfn-init';
|
| 6 | import { Connections } from './connections';
|
| 7 | import { ApplyCloudFormationInitOptions, IInstance, Instance } from './instance';
|
| 8 | import { IMachineImage } from './machine-image';
|
| 9 | import { IPeer } from './peer';
|
| 10 | import { ISecurityGroup } from './security-group';
|
| 11 | import { BlockDevice } from './volume';
|
| 12 | import { IVpc, SubnetSelection } from './vpc';
|
| 13 | /**
|
| 14 | * Properties of the bastion host
|
| 15 | *
|
| 16 | *
|
| 17 | */
|
| 18 | export interface BastionHostLinuxProps {
|
| 19 | /**
|
| 20 | * In which AZ to place the instance within the VPC
|
| 21 | *
|
| 22 | * @default - Random zone.
|
| 23 | */
|
| 24 | readonly availabilityZone?: string;
|
| 25 | /**
|
| 26 | * VPC to launch the instance in.
|
| 27 | */
|
| 28 | readonly vpc: IVpc;
|
| 29 | /**
|
| 30 | * The name of the instance
|
| 31 | *
|
| 32 | * @default 'BastionHost'
|
| 33 | */
|
| 34 | readonly instanceName?: string;
|
| 35 | /**
|
| 36 | * Select the subnets to run the bastion host in.
|
| 37 | * Set this to PUBLIC if you need to connect to this instance via the internet and cannot use SSM.
|
| 38 | * You have to allow port 22 manually by using the connections field
|
| 39 | *
|
| 40 | * @default - private subnets of the supplied VPC
|
| 41 | */
|
| 42 | readonly subnetSelection?: SubnetSelection;
|
| 43 | /**
|
| 44 | * Security Group to assign to this instance
|
| 45 | *
|
| 46 | * @default - create new security group with no inbound and all outbound traffic allowed
|
| 47 | */
|
| 48 | readonly securityGroup?: ISecurityGroup;
|
| 49 | /**
|
| 50 | * Type of instance to launch
|
| 51 | * @default 't3.nano'
|
| 52 | */
|
| 53 | readonly instanceType?: InstanceType;
|
| 54 | /**
|
| 55 | * The machine image to use, assumed to have SSM Agent preinstalled.
|
| 56 | *
|
| 57 | * @default - An Amazon Linux 2 image which is kept up-to-date automatically (the instance
|
| 58 | * may be replaced on every deployment) and already has SSM Agent installed.
|
| 59 | */
|
| 60 | readonly machineImage?: IMachineImage;
|
| 61 | /**
|
| 62 | * Specifies how block devices are exposed to the instance. You can specify virtual devices and EBS volumes.
|
| 63 | *
|
| 64 | * Each instance that is launched has an associated root device volume,
|
| 65 | * either an Amazon EBS volume or an instance store volume.
|
| 66 | * You can use block device mappings to specify additional EBS volumes or
|
| 67 | * instance store volumes to attach to an instance when it is launched.
|
| 68 | *
|
| 69 | * @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html
|
| 70 | *
|
| 71 | * @default - Uses the block device mapping of the AMI
|
| 72 | */
|
| 73 | readonly blockDevices?: BlockDevice[];
|
| 74 | /**
|
| 75 | * Apply the given CloudFormation Init configuration to the instance at startup
|
| 76 | *
|
| 77 | * @default - no CloudFormation init
|
| 78 | */
|
| 79 | readonly init?: CloudFormationInit;
|
| 80 | /**
|
| 81 | * Use the given options for applying CloudFormation Init
|
| 82 | *
|
| 83 | * Describes the configsets to use and the timeout to wait
|
| 84 | *
|
| 85 | * @default - default options
|
| 86 | */
|
| 87 | readonly initOptions?: ApplyCloudFormationInitOptions;
|
| 88 | /**
|
| 89 | * Whether IMDSv2 should be required on this instance
|
| 90 | *
|
| 91 | * @default - false
|
| 92 | */
|
| 93 | readonly requireImdsv2?: boolean;
|
| 94 | }
|
| 95 | /**
|
| 96 | * This creates a linux bastion host you can use to connect to other instances or services in your VPC.
|
| 97 | * The recommended way to connect to the bastion host is by using AWS Systems Manager Session Manager.
|
| 98 | *
|
| 99 | * The operating system is Amazon Linux 2 with the latest SSM agent installed
|
| 100 | *
|
| 101 | * You can also configure this bastion host to allow connections via SSH
|
| 102 | *
|
| 103 | *
|
| 104 | * @resource AWS::EC2::Instance
|
| 105 | */
|
| 106 | export declare class BastionHostLinux extends Resource implements IInstance {
|
| 107 | readonly stack: Stack;
|
| 108 | /**
|
| 109 | * Allows specify security group connections for the instance.
|
| 110 | */
|
| 111 | readonly connections: Connections;
|
| 112 | /**
|
| 113 | * The IAM role assumed by the instance.
|
| 114 | */
|
| 115 | readonly role: IRole;
|
| 116 | /**
|
| 117 | * The principal to grant permissions to
|
| 118 | */
|
| 119 | readonly grantPrincipal: IPrincipal;
|
| 120 | /**
|
| 121 | * The underlying instance resource
|
| 122 | */
|
| 123 | readonly instance: Instance;
|
| 124 | /**
|
| 125 | * @attribute
|
| 126 | */
|
| 127 | readonly instanceId: string;
|
| 128 | /**
|
| 129 | * @attribute
|
| 130 | */
|
| 131 | readonly instanceAvailabilityZone: string;
|
| 132 | /**
|
| 133 | * @attribute
|
| 134 | */
|
| 135 | readonly instancePrivateDnsName: string;
|
| 136 | /**
|
| 137 | * @attribute
|
| 138 | */
|
| 139 | readonly instancePrivateIp: string;
|
| 140 | /**
|
| 141 | * @attribute
|
| 142 | */
|
| 143 | readonly instancePublicDnsName: string;
|
| 144 | /**
|
| 145 | * @attribute
|
| 146 | */
|
| 147 | readonly instancePublicIp: string;
|
| 148 | constructor(scope: Construct, id: string, props: BastionHostLinuxProps);
|
| 149 | /**
|
| 150 | * Returns the AmazonLinuxCpuType corresponding to the given instance architecture
|
| 151 | * @param architecture the instance architecture value to convert
|
| 152 | */
|
| 153 | private toAmazonLinuxCpuType;
|
| 154 | /**
|
| 155 | * Allow SSH access from the given peer or peers
|
| 156 | *
|
| 157 | * Necessary if you want to connect to the instance using ssh. If not
|
| 158 | * called, you should use SSM Session Manager to connect to the instance.
|
| 159 | */
|
| 160 | allowSshAccessFrom(...peer: IPeer[]): void;
|
| 161 | }
|