Skip to main content

Create and access bastion node.

The traditional method of node access is to SSH in via a bastion. This was used to access kOps cluster nodes, this also involves a shared ssh key. A bastion node is no longer a permanent feature/resource. If the cloud-platform team would like to have a bastion node within a VPC, this run book can be used to create one.

Create bastion node

To create a bastion node, use the Terraform module to create a bastion within an existing VPC. Follow the steps below:

Step 1:

Copy the module code below into the eks main.tf file. There is a dependency on the aws_route53_zone of the cluster

module "bastion" {
  source = "github.com/ministryofjustice/cloud-platform-terraform-bastion?ref=1.5.0"

  vpc_name            = terraform.workspace
  route53_zone        = aws_route53_zone.cluster.name
  cluster_domain_name = "${terraform.workspace}.cloud-platform.service.justice.gov.uk."
  depends_on = [
    aws_route53_zone.cluster
  ]
}

Step 2:

In the bastion module, update the below arguments:

  • vpc_name: Update the name to the VPC you like to create the bastion module on. This is normally the terraform workspace name
  • route53_zone: This will be the name of the route53 zone created for the cluster in here
  • cluster_domain_name: This will be the cluster domain name.

Step 3:

Now it’s time to apply the module, we change the directory to terraform/aws-accounts/cloud-platform-aws/vpc/eks and follow below terraform workflow:

terraform init
terraform workspace select <WorkspaceName>
terraform plan
terraform apply

Once terraform finishes you should be able to view the bastion node in the Amazon EC2 console.

Access bastion node

Make sure your public key is added to this authorized_keys file

Once the bastion is created successfully and the key is added to the authorized_keys file, ssh to bastion instance:

In the Amazon EC2 console, on the Instances page, search using ${CLUSTER_NAME}to locate the bastion instance (bastion.<cluster_name>.cloud-platform.service.justice.gov.uk). Use Public DNS (IPv4) In the description of the Instance to login into bastion as below:

ssh -A admin@ec2-xx-xx-xx-xx.eu-west-2.compute.amazonaws.com -p 50422
This page was last reviewed on 18 May 2022. It needs to be reviewed again on 18 August 2022 by the page owner #cloud-platform .
This page was set to be reviewed before 18 August 2022 by the page owner #cloud-platform. This might mean the content is out of date.