Enable bastion and add VPC endpoints for EC2, SSM, EC2 Messages, and …

…SSM Messages

live/core-networking/vpc-endpoints.tf

@@ -10,43 +10,43 @@ module "vpc_endpoints" {
       route_table_ids = module.vpc.public_route_table_ids
       policy          = null
       tags            = { Name = "${module.label.id}-s3-vpc-endpoint" }
-    },
-    ec2 = {
-      service             = "ec2"
-      service_type        = "Interface"
-      security_group_ids  = [module.vpc.default_security_group_id]
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-      policy              = null
-      tags                = { Name = "${module.label.id}-ec2-vpc-endpoint" }
-    },
-    ssm = {
-      service             = "ssm"
-      service_type        = "Interface"
-      security_group_ids  = [module.vpc.default_security_group_id]
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-      policy              = null
-      tags                = { Name = "${module.label.id}-ssm-vpc-endpoint" }
-    },
-    ec2messages = {
-      service             = "ec2messages"
-      service_type        = "Interface"
-      security_group_ids  = [module.vpc.default_security_group_id]
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-      policy              = null
-      tags                = { Name = "${module.label.id}-ec2messages-vpc-endpoint" }
-    },
-    ssmmessages = {
-      service             = "ssmmessages"
-      service_type        = "Interface"
-      security_group_ids  = [module.vpc.default_security_group_id]
-      private_dns_enabled = true
-      subnet_ids          = module.vpc.private_subnets
-      policy              = null
-      tags                = { Name = "${module.label.id}-ssmmessages-vpc-endpoint" }
     }
+    # ec2 = {
+    #   service             = "ec2"
+    #   service_type        = "Interface"
+    #   security_group_ids  = [module.vpc.default_security_group_id]
+    #   private_dns_enabled = true
+    #   subnet_ids          = module.vpc.private_subnets
+    #   policy              = null
+    #   tags                = { Name = "${module.label.id}-ec2-vpc-endpoint" }
+    # },
+    # ssm = {
+    #   service             = "ssm"
+    #   service_type        = "Interface"
+    #   security_group_ids  = [module.vpc.default_security_group_id]
+    #   private_dns_enabled = true
+    #   subnet_ids          = module.vpc.private_subnets
+    #   policy              = null
+    #   tags                = { Name = "${module.label.id}-ssm-vpc-endpoint" }
+    # },
+    # ec2messages = {
+    #   service             = "ec2messages"
+    #   service_type        = "Interface"
+    #   security_group_ids  = [module.vpc.default_security_group_id]
+    #   private_dns_enabled = true
+    #   subnet_ids          = module.vpc.private_subnets
+    #   policy              = null
+    #   tags                = { Name = "${module.label.id}-ec2messages-vpc-endpoint" }
+    # },
+    # ssmmessages = {
+    #   service             = "ssmmessages"
+    #   service_type        = "Interface"
+    #   security_group_ids  = [module.vpc.default_security_group_id]
+    #   private_dns_enabled = true
+    #   subnet_ids          = module.vpc.private_subnets
+    #   policy              = null
+    #   tags                = { Name = "${module.label.id}-ssmmessages-vpc-endpoint" }
+    # }
   }
 
   security_group_ids = [module.vpc.default_security_group_id]

modules/bastion/templates/cloud-init.yml

@@ -3,11 +3,10 @@
 apt:
   sources:
     docker.list:
-      source: deb [arch=amd64] https://download.docker.com/linux/ubuntu $RELEASE stable
+      source: deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable
       keyid: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
 
 package_update: true
-
 package_upgrade: true
 
 packages:
@@ -21,8 +20,9 @@ packages:
   - containerd.io
   - amazon-ecr-credential-helper
   - awscli
+  - amazon-ssm-agent  # Add SSM agent installation
 
-# Enable ipv4 forwarding, required on CIS hardened machines
+# Enable IPv4 forwarding, required on CIS hardened machines
 write_files:
   - path: /etc/sysctl.d/enabled_ipv4_forwarding.conf
     content: |
@@ -94,3 +94,5 @@ runcmd:
   - rm -f amazon-cloudwatch-agent.deb
   - chmod 644 /var/log/cloud-init-output.log
   - /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:/opt/aws/amazon-cloudwatch-agent/bin/config.json
+  - systemctl enable amazon-ssm-agent
+  - systemctl start amazon-ssm-agent