From 850570faf5bafc91fb9b532f662a6759a7d69b57 Mon Sep 17 00:00:00 2001
From: shockrah
Date: Mon, 16 Jun 2025 15:15:09 -0700
Subject: [PATCH] Creating simple bastion host for testing deployment setup scripts

---
 infra/vultr-kubernetes/bastion.tf | 27 +++++++++++++++++++++++++++
 infra/vultr-kubernetes/firewall.tf | 24 +++++++++++++++++++-----
 2 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 infra/vultr-kubernetes/bastion.tf

diff --git a/infra/vultr-kubernetes/bastion.tf b/infra/vultr-kubernetes/bastion.tf
new file mode 100644
index 0000000..42d3bb6
--- /dev/null
+++ b/infra/vultr-kubernetes/bastion.tf
@@ -0,0 +1,27 @@
+resource tls_private_key bastion {
+ algorithm = "ED25519"
+}
+
+resource vultr_ssh_key bastion {
+ name = "bastion"
+ ssh_key = tls_private_key.bastion.public_key_openssh
+}
+
+resource vultr_instance bastion {
+ region = var.cluster.region
+ vpc_ids = [ vultr_vpc.athens.id ]
+ plan = var.bastion.plan
+ os_id = var.bastion.os
+ label = var.bastion.label
+
+ ssh_key_ids = [ vultr_ssh_key.bastion.id ]
+
+ enable_ipv6 = true
+ disable_public_ipv4 = false
+ activation_email = false
+}
+
+output bastion_ssh {
+ value = tls_private_key.bastion.private_key_pem
+ sensitive = true
+}
diff --git a/infra/vultr-kubernetes/firewall.tf b/infra/vultr-kubernetes/firewall.tf
index d2706d9..8e9bd21 100644
--- a/infra/vultr-kubernetes/firewall.tf
+++ b/infra/vultr-kubernetes/firewall.tf
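Review bot: The `vultr_instance bastion` block sets `ssh_key_ids` but no firewall group, so the `vultr_firewall_group.bastion` that this same commit creates in firewall.tf is never bound to the host and its port-22 rule does not govern it; add `firewall_group_id = vultr_firewall_group.bastion.id` next to `ssh_key_ids`. Separately, `tls_private_key` stores the generated ED25519 private key in Terraform state and `output bastion_ssh` re-exports it — `sensitive = true` only redacts CLI display, so anyone who can read state holds the bastion's key. If this survives the testing phase, consider generating the key pair outside Terraform and passing only the public key to `vultr_ssh_key`, or at minimum record the constraint above the resource with a comment such as `# private key is persisted in state: the state backend must be encrypted and access-restricted`.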
@@ -1,9 +1,23 @@
-resource vultr_firewall_rule web_inbound {
- for_each = toset([for port in [80, 443, 6443] : tostring(port) ])
- firewall_group_id = vultr_kubernetes.athens.firewall_group_id
+# resource vultr_firewall_rule web_inbound {
+# for_each = toset([for port in [80, 443, 6443] : tostring(port) ])
+# firewall_group_id = vultr_kubernetes.athens.firewall_group_id
+# protocol = "tcp"
+# ip_type = "v4"
+# subnet = "0.0.0.0"
+# subnet_size = 0
+# port = each.value
+# }
+
+resource vultr_firewall_group bastion {
+ description = "For connections into and out of the bastion host"
+}
+
+resource vultr_firewall_rule bastion_inbound {
+ firewall_group_id = vultr_firewall_group.bastion.id
 protocol = "tcp"
 ip_type = "v4"
 subnet = "0.0.0.0"
 subnet_size = 0
- port = each.value
-}
\ No newline at end of file
+ port = 22
+}
+
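Review bot: `bastion_inbound` admits TCP/22 from every IPv4 source (`subnet = "0.0.0.0"` with `subnet_size = 0`), which on a bastion is the one rule most worth narrowing; replace those two lines with the operator's source network, e.g. `subnet = "<ADMIN_SOURCE_ADDRESS>"` and `subnet_size = <ADMIN_PREFIX_LENGTH>` (placeholders), or feed them from a variable so the allow-list is reviewable. The rule is `ip_type = "v4"` only while bastion.tf in this commit sets `enable_ipv6 = true`, so SSH has no v6 path — acceptable if deliberate, but a comment such as `# IPv4-only by design; no v6 inbound rule` would keep it from reading as an omission. The commented-out `web_inbound` block at the top of the hunk is dead text that history already preserves; delete it, or leave a one-line comment stating why 80/443/6443 were dropped from the kubernetes group.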