This example configuration creates a small Azure Bastion environment using Terraform.
The environment includes a Windows 2022 Azure Edition server and an Ubuntu 20.04 server. Both have the AAD extensions configured and some basic Azure tools installed.
Terraform will output a set of commands you can then use to connect using native SSH and RDP clients.
The full lab for Azure Bastion using native clients and AAD authentication is https://azurecitadel.com/vm/bastion.
You will need
- to be Owner on an Azure subscription
- an SSH key pair, e.g.:
- It will use
~/.ssh/id_rsa.pub
by default
- It will use
May be run from Cloud Shell.
-
Clone the repo
git clone https://github.com/terraform-azurerm-examples/bastion
-
Change directory
cd bastion
-
Initialise
terraform init
-
Create a terraform.tfvars
Optional. You may override the default variable values in variables.tf or add in additional AAD object IDs for the Virtual Machine Administrator/User Login roles on the resource group. See variables.tf for details.
If a windows password is not specified for the admin account then one will be generated and stored in the key vault along with the private key for the SSH key pair. All access should be via AAD authentication, so these credentials are intended for break glass scenarios.
-
Plan
terraform plan
-
Apply
terraform apply
Terraform will start to create the resources and will then display the outputs. The resources take about 20 minutes to deploy.
admin_ssh_to_linux_server = "az network bastion ssh --name bastion --resource-group bastion --target-resource-id <linux_vmid> --username azureadmin --auth-type ssh-key --ssh-key ~/.ssh/id_rsa"
admin_username = <sensitive>
example_secret_cli = "az login --identity --allow-no-subscriptions --output none; az keyvault secret show --name sql --vault-name bastion-<uniq>-kv --query value --output tsv"
example_secret_powershell = "Connect-AzAccount -Identity | Out-Null; Get-AzKeyVaultSecret -Name sql -VaultName bastion-<uniq>-kv -AsPlainText"
rdp_to_windows_server = "az network bastion rdp --name bastion --resource-group bastion --target-resource-id <windows_vmid>"
tunnel_to_linux_server = "az network bastion tunnel --name bastion --resource-group bastion --target-resource-id <linux_vmid> --resource-port 80 --port 80"
user_ssh_to_linux_server = "az network bastion ssh --name bastion --resource-group bastion --target-resource-id <linux_vmid> --auth-type AAD"
windows_server_admin_password = <sensitive>