Bastion Hosts in terraform.tfvars file [Quick Start]

Hi everyone,

As part of my Snowplow quick start journey I would love to learn more about the ssh_ip_allowlist section in the terraform.tfvars file for setting up the Iglu Server.

The accompanying remark on row 15 says: # Update this to the internal IP of your Bastion Host

As part of the quick start, I have not set up any dedicated bastion host(s), so I am a bit confused about what value(s) to enter here. My guess is that entering the external IP (not internal IP) of my current internet connection is ok for now. This would allow my local machine to access the EC2 instance(s).

Is this assumption correct?

And are there any best practices / recommendations regarding setting up Bastion Hosts for managing a Snowplow production pipeline? I know AWS has a quick start for setting it up so perhaps that’s the route to go. All your feedback on this topic is very welcome.

Thanks!
Alex

Hey @alexv

That's exactly right: you can place your own external IP address in there if you’re running the quick start from your local machine. We could probably update that remark to make it clearer.

Best practice, however, is to use a bastion host; following the AWS guide seems like the right place to start from my point of view :+1:


Thank you for your feedback Paul :+1:

Just for future reference: if you only add your IP address in the ssh_ip_allowlist section, terraform throws an error during terraform plan:

Error: "x.x.x.x" is not a valid CIDR block: invalid CIDR address: x.x.x.x

The solution is to add a mask of /32 to the IP in your terraform.tfvars file, e.g. x.x.x.x/32

Best regards,
Alex

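A pre-flight check for the CIDR error discussed in this thread, as an added example that is not part of the original posts or of the Snowplow quick start. It goes beyond the single /32 case: it also reports entries with host bits set and ranges that open SSH to more than a chosen number of addresses. The function name `check_allowlist`, the `max_hosts` threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def check_allowlist(entries, max_hosts=256):
    """Check ssh_ip_allowlist strings; return (usable_cidrs, findings)."""
    usable, findings = [], []
    for raw in entries:
        entry = raw.strip()
        if "/" not in entry:
            # A bare address is what triggers "is not a valid CIDR block".
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                findings.append((raw, "not an IP address or CIDR block"))
                continue
            cidr = f"{addr}/{addr.max_prefixlen}"  # /32 for IPv4, /128 for IPv6
            findings.append((raw, f"bare IP, write it as {cidr}"))
            usable.append(cidr)
            continue
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError as exc:
            findings.append((raw, f"invalid CIDR: {exc}"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # e.g. 10.0.0.5/24 really means the whole 10.0.0.0/24 range.
            findings.append((raw, f"host bits set, this covers all of {net}"))
            continue
        if net.num_addresses > max_hosts:
            findings.append((raw, f"allows SSH from {net.num_addresses} addresses"))
        usable.append(str(net))
    return usable, findings

# Constructed sample values (documentation address ranges), not from the thread.
SAMPLE = ["203.0.113.7", "203.0.113.7/32", "10.0.0.5/24", "0.0.0.0/0", "bastion.internal"]

if __name__ == "__main__":
    usable, findings = check_allowlist(SAMPLE)
    for raw, message in findings:
        print(f"{raw!r}: {message}")
    print("usable entries:", usable)
```
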