Blog

AWS SSM tunnels in Terraform Cloud

Stephen Demjanenko
By Stephen Demjanenko ·

Constantly securing and managing cloud infrastructure is critical but also challenging because of continuous evolution of cloud computing and its security practices. At ComplyCo, we believe in the power of community and the impact of open-source contributions on the tech ecosystem. Today, we're thrilled to share our first contribution to this collective effort: an open-source Terraform provider designed to enhance security and manageability of cloud resources.

A Commitment to Security and Open Source

At ComplyCo we are committed to not only adhere to security best practices but to also forge new paths that elevate the entire field. It’s a journey that’s not just about addressing our own needs but about lifting up the community that has given us so much. The open-source and security communities are reservoirs of innovation and resilience, and it’s from these communities that we draw our inspiration and to which we hope to continue contributing.

Why Terraform, and Why Now?

Infrastructure as code (IaC) isn't just a methodology for us; it's a philosophy. It stands at the core of how we build resilient, scalable, and secure compliance solutions for banks and fintechs. Terraform, in particular, has been a cornerstone in this approach, offering us the tools we need to efficiently manage infrastructure while documenting every step for future developers. However, as much as we value Terraform Cloud for its powerful infrastructure management capabilities, we encountered a gap when it came to managing AWS resources that needed to stay private, such as RDS and EKS clusters.

This gap became especially poignant in light of tfsec's critical guidance on AWS EKS clusters. The default public accessibility of EKS clusters poses significant security risks, and tfsec recommends explicitly disabling this in the vpc_config of the EKS cluster resource to prevent unintended internet access. Coupled with the recent update from Vanta in March 2024, announcing pre-built automated tests to verify Kubernetes alignment to the CIS AWS EKS benchmark, it’s clear that the industry is moving toward more rigorous, continuous monitoring and validation of cloud security practices.

Introducing the AWS SSM Tunnels Terraform Provider

Our exploration for solutions led us to leverage AWS SSM, specifically the AWS-StartPortForwardingSessionToRemoteHost document, for securely managing these private resources. Yet, we faced a hurdle: the lack of native support for this method in Terraform Cloud due to the required session manager plugin not being pre-installed.

Inspired by the community’s efforts and AWS’s open-source session manager plugin, we created our Terraform provider. This provider facilitates SSM tunnels in Terraform Cloud, enabling secure and private configuration of EKS, RDS, and a broad range of other resources. By bridging this gap, we’re not only solving a problem for ourselves but for any team facing similar challenges.

A Timely Contribution

Our release is particularly timely, as Vanta is set to enforce a new compliance check for AWS EKS tomorrow. This provider isn’t just a tool; it’s a testament to our belief in proactive security and compliance measures.

Getting Started with the Provider

provider "awsssmtunnels" {
  region     = "us-east-1"
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
  token      = var.aws_token
}

provider "kubernetes" {
  host                   = "https://${data.awsssmtunnels_remote_tunnel.eks.local_host}:${data.awsssmtunnels_remote_tunnel.eks.local_port}"
  tls_server_name        = replace(aws_eks_cluster.example.endpoint, "https://", "")
  cluster_ca_certificate = base64decode(aws_eks_cluster.example.certificate_authority.0.data)
  token                  = data.aws_eks_cluster_auth.example.token
}

data "aws_eks_cluster_auth" "example" {
  name = aws_eks_cluster.example.name
}

data "awsssmtunnels_remote_tunnel" "eks" {
  target      = "i-123456789"
  remote_host = replace(aws_eks_cluster.example.endpoint, "https://", "")
  remote_port = 443
  region      = "us-east-1"
}

data "awsssmtunnels_keepalive" "eks" {
  depends_on = [
    kubernetes_secret.one,
    kubernetes_secret.two,
    kubernetes_config_map.one,
    kubernetes_config_map.two,
    helm_release.example_operator,
  ]
}

Our provider is designed to be intuitive for those familiar with Terraform, integrating seamlessly into existing workflows while opening new doors for secure cloud management. Explore more examples and detailed documentation here.

Looking Ahead

As we release this provider to the community, we do so with an open invitation: join us in improving, expanding, and challenging the ways we secure and manage cloud infrastructure. This is just the beginning of our journey in open-source contributions. We look forward to building more bridges within the community, guided by our shared commitment to security, innovation, and collaboration.

To everyone who has inspired, supported, and contributed to this project, thank you. Let’s continue to strengthen the fabric of our cloud security ecosystem together.

Curious about what we're building?