kcp create-asset bastion-host
Create assets for the bastion host
Synopsis
Create Terraform assets for deploying a bastion host in AWS within an existing VPC with the latest kcp binary pre-installed. Use this when your source Kafka cluster (MSK or Apache Kafka) is not reachable from the machine running kcp and you do not already have a jump server.
If you already have a bastion host inside the same VPC as the source Kafka cluster, you can skip this command — copy the kcp binary onto your existing bastion and run subsequent commands from there.
The generated Terraform provisions an Amazon Linux 2023 EC2 instance with SSH access in a public subnet of the specified VPC, plus the supporting security group, key pair, and route table. By default a new Internet Gateway is created in the VPC; pass --existing-internet-gateway to reuse an Internet Gateway already attached to the VPC.
Examples
# Provision a new bastion (and a new internet gateway) in an existing VPC
kcp create-asset bastion-host \
  --region us-east-1 \
  --vpc-id vpc-xxxxxxxx \
  --bastion-host-cidr 10.0.255.0/24 \
  --security-group-ids sg-xxxxxxxxxx \
  --output-dir bastion_host

# Same, but reuse the existing internet gateway already attached to the VPC
kcp create-asset bastion-host \
  --region us-east-1 \
  --vpc-id vpc-xxxxxxxx \
  --bastion-host-cidr 10.0.255.0/24 \
  --existing-internet-gateway
Options
--bastion-host-cidr ipNet The bastion host CIDR (e.g. 10.0.255.0/24)
--existing-internet-gateway Whether to reuse the internet gateway already attached to the VPC. (default: false — a new internet gateway is created)
-h, --help help for bastion-host
--output-dir string Directory to output the generated Terraform files to (default "bastion_host")
--region string AWS region the bastion host is provisioned in
--security-group-ids strings Comma-separated list of existing AWS security group IDs
--vpc-id string VPC ID where the bastion host will be provisioned (typically the source Kafka cluster's VPC)
Options inherited from parent commands
AWS IAM Permissions
kcp create-asset bastion-host itself only reads local configuration. The generated Terraform provisions EC2, subnet, security group, route table and (optionally) internet gateway resources, so the identity that runs terraform apply needs a policy equivalent to the following (replace <AWS REGION> and <AWS ACCOUNT ID> with your own values):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2ReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceCreditSpecifications",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MigrationKeyPairManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteKeyPair",
        "ec2:DescribeKeyPairs",
        "ec2:ImportKeyPair",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:key-pair/migration-ssh-key"
    },
    {
      "Sid": "InternetGatewayManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateTags",
        "ec2:DeleteInternetGateway"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:internet-gateway/*"
    },
    {
      "Sid": "VPCResourceCreation",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachInternetGateway",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:vpc/*"
    },
    {
      "Sid": "SubnetManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateRouteTable",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:DeleteSubnet",
        "ec2:DisassociateRouteTable",
        "ec2:ModifySubnetAttribute",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:subnet/*"
    },
    {
      "Sid": "SecurityGroupManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:security-group/*"
    },
    {
      "Sid": "RouteTableManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateTags",
        "ec2:DeleteRouteTable",
        "ec2:DisassociateRouteTable"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:route-table/*"
    },
    {
      "Sid": "InstanceLifecycleManagement",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DescribeInstanceAttribute",
        "ec2:RunInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:instance/*"
    },
    {
      "Sid": "InstanceLaunchNetworkInterface",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:network-interface/*"
    },
    {
      "Sid": "InstanceLaunchVolume",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:volume/*"
    },
    {
      "Sid": "InstanceLaunchAMI",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:<AWS REGION>::image/*"
    }
  ]
}
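The policy above is a template: its ARNs carry <AWS REGION> and <AWS ACCOUNT ID> placeholders, and only the read-only statement is meant to use Resource "*". As an added example (not part of kcp or its documentation), the Python below fills the placeholders and then audits the result for least-privilege drift before it is attached to the identity that runs terraform apply; it uses a constructed three-statement excerpt of the policy as sample input.

```python
import json
import re

# Constructed excerpt of the page's policy (three of its statements), used as sample input.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EC2ReadOnlyAccess", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"], "Resource": "*"},
    {"Sid": "MigrationKeyPairManagement", "Effect": "Allow",
     "Action": ["ec2:DeleteKeyPair", "ec2:ImportKeyPair", "ec2:RunInstances"],
     "Resource": "arn:aws:ec2:<AWS REGION>:<AWS ACCOUNT ID>:key-pair/migration-ssh-key"},
    {"Sid": "InstanceLaunchAMI", "Effect": "Allow",
     "Action": ["ec2:RunInstances"], "Resource": "arn:aws:ec2:<AWS REGION>::image/*"}
  ]
}"""

# EC2 ARN shape: region, optional 12-digit account (empty for public AMIs), type/id.
EC2_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:(\d{12})?:[a-z-]+/.+$")


def render_policy(template: str, region: str, account_id: str) -> dict:
    """Fill the <AWS REGION> / <AWS ACCOUNT ID> placeholders and parse the JSON."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    rendered = template.replace("<AWS REGION>", region).replace("<AWS ACCOUNT ID>", account_id)
    return json.loads(rendered)


def audit_policy(policy: dict) -> list:
    """Return least-privilege findings; an empty list means the policy is as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            # Describe* calls cannot be resource-scoped; anything else on "*" is over-broad.
            elif "*" in resources and not action.startswith("ec2:Describe"):
                findings.append(f"{sid}: mutating action {action} allowed on Resource *")
        for res in resources:
            if res == "*":
                continue
            if "<" in res:
                findings.append(f"{sid}: unrendered placeholder in {res}")
            elif not EC2_ARN.match(res):
                findings.append(f"{sid}: unexpected resource ARN {res}")
    return findings
```

Run it against the full policy file before attaching it; an unrendered placeholder or a mutating action on "*" should fail the check rather than reach IAM.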
SEE ALSO
- kcp create-asset - Generate infrastructure and migration assets