Stacktape
Stacktape


Bastion Server

This example shows a basic bastion configuration.

Bastion resource

  • Bastion instance resource helps you access the resources of your stack protected in private network.
  • It leverages keyless SSH connections and tunnels for maximum security.

Basic example

resources:
myBastion:
type: bastion
properties:
# Host instance size
#
# - Instance size you wish to use for your bastion host
# - Default instance size is `t3.micro` (Free Tier eligible)
#
# - Type: string
# - Required: false
# - Default: t3.micro
instanceSize: t3.micro
# Commands to be ran on launch (creation) of the bastion instance
#
# - Commands are run as the root user (do not use sudo).
# - Modifying this list after bastion was already created will force replacement of the bastion instance.
# This means that any data that was manually created on the old bastion instance will be lost.
# - Use this if to install dependencies and packages that might be required for your bastion scripts
#
# - Type: array<string>
# - Required: false
runCommandsAtLaunch:
- example-value
# Configures logging for bastion host
#
# - Multiple log types are collected from you bastion host. You can specify log behaviour for each different log type.
#
# - Type: object
# - Required: false
logging:
# Configures log behavior for log group collecting logs from `/var/log/messages` of your bastion host
#
# - Logs contain global system messages, including the messages that are logged during system startup.
# There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
# - By default "messages" logs are retained for 30 days.
#
# - Type: object
# - Required: false
messages:
# Disables the collection of logs to CloudWatch
#
#
# - Type: boolean
# - Required: false
# - Default: false
disabled: false
# Amount of days the logs will be retained in the log group
#
# - Type: enum: [1, 120, 14, 150, 180, 1827, 3, 30, 365, 3653, 400, 5, 545, 60, 7, 731, 90]
# - Required: false
# - Allowed values: [1, 120, 14, 150, 180, 1827, 3, 30, 365, 3653, 400, 5, 545, 60, 7, 731, 90]
retentionDays: 1
# Configures forwarding of logs to specified destination
#
# - Log forwarding is done using [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.
# - When using log forwarding, you will incur costs based on the amount of data being transferred to the destination (~$0.03 per transferred GB).
# Refer to [AWS Kinesis Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/?nc=sn&loc=3) page to see details.
# - Currently supported destinations for logs:
# - `http-endpoint`
# - delivers logs to any HTTP endpoint.
# - The endpoint must follow [Firehose request and response specifications](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html).
# (Many of the third party vendors are compliant with this specifications out of the box.)
# - `datadog`
# - delivers logs to [Datadog](https://www.datadoghq.com/).
# - `highlight`
# - delivers logs to [Highlight.io](https://www.highlight.io/) project.
#
# Refer to [our docs](https://docs.stacktape.com/configuration/log-forwarding/) for more information.
#
# > Logs that fail to be delivered to the destination even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: union (anyOf)
# - Required: false
#
# - Type: object
# - Required: false
logForwarding:
#
# - Type: string
# - Required: true
type: http-endpoint
#
# - Type: object
# - Required: true
properties:
# HTTPS endpoint where logs will be forwarded
#
# - Type: string
# - Required: true
endpointUrl: https://example.com
# Specifies whether to use GZIP compression for the request
#
# - When enabled, Firehose uses the content encoding to compress the body of a request before sending the request to the destination
#
# - Type: boolean
# - Required: false
gzipEncodingEnabled: true
# Parameters included in each call to HTTP endpoint
#
# - Key/Value pairs containing additional metadata you wish to send to the HTTP endpoint.
# - Parameters are delivered within **X-Amz-Firehose-Common-Attributes** header as a JSON object with following format: `{"commonAttributes":{"param1":"val1", "param2":"val2"}}`
#
# - Type: object
# - Required: false
# Amount of time spend on retries.
#
# - The total amount of time that Kinesis Data Firehose spends on retries.
# - This duration starts after the initial attempt to send data to the custom destination via HTTPS endpoint fails.
# - Logs that fail to be delivered to the HTTP endpoint even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: number
# - Required: false
retryDuration: 100
# Access key (credentials), needed for authenticating with endpoint
#
# - Access key is carried within a **X-Amz-Firehose-Access-Key** header
# - The configured key is copied verbatim into the value of this header.The contents can be arbitrary and can potentially represent a JWT token or an ACCESS_KEY.
# - It is recommended to use [secret](https://docs.stacktape.com/resources/secrets/) for storing your access key.
#
# - Type: string
# - Required: false
accessKey: example-value
# Configures log behavior for log group collecting logs from `/var/log/secure` of your bastion host
#
# - Logs contain information related to authentication and authorization privileges.
# For example, sshd logs all the messages here, including unsuccessful login.
# - By default "secure" logs are retained for 180 days.
#
# - Type: object
# - Required: false
secure:
# Disables the collection of logs to CloudWatch
#
#
# - Type: boolean
# - Required: false
# - Default: false
disabled: false
# Amount of days the logs will be retained in the log group
#
# - Type: enum: [1, 120, 14, 150, 180, 1827, 3, 30, 365, 3653, 400, 5, 545, 60, 7, 731, 90]
# - Required: false
# - Allowed values: [1, 120, 14, 150, 180, 1827, 3, 30, 365, 3653, 400, 5, 545, 60, 7, 731, 90]
retentionDays: 1
# Configures forwarding of logs to specified destination
#
# - Log forwarding is done using [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.
# - When using log forwarding, you will incur costs based on the amount of data being transferred to the destination (~$0.03 per transferred GB).
# Refer to [AWS Kinesis Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/?nc=sn&loc=3) page to see details.
# - Currently supported destinations for logs:
# - `http-endpoint`
# - delivers logs to any HTTP endpoint.
# - The endpoint must follow [Firehose request and response specifications](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html).
# (Many of the third party vendors are compliant with this specifications out of the box.)
# - `datadog`
# - delivers logs to [Datadog](https://www.datadoghq.com/).
# - `highlight`
# - delivers logs to [Highlight.io](https://www.highlight.io/) project.
#
# Refer to [our docs](https://docs.stacktape.com/configuration/log-forwarding/) for more information.
#
# > Logs that fail to be delivered to the destination even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: union (anyOf)
# - Required: false
#
# - Type: object
# - Required: false
logForwarding:
#
# - Type: string
# - Required: true
type: http-endpoint
#
# - Type: object
# - Required: true
properties:
# HTTPS endpoint where logs will be forwarded
#
# - Type: string
# - Required: true
endpointUrl: https://example.com
# Specifies whether to use GZIP compression for the request
#
# - When enabled, Firehose uses the content encoding to compress the body of a request before sending the request to the destination
#
# - Type: boolean
# - Required: false
gzipEncodingEnabled: true
# Parameters included in each call to HTTP endpoint
#
# - Key/Value pairs containing additional metadata you wish to send to the HTTP endpoint.
# - Parameters are delivered within **X-Amz-Firehose-Common-Attributes** header as a JSON object with following format: `{"commonAttributes":{"param1":"val1", "param2":"val2"}}`
#
# - Type: object
# - Required: false
# Amount of time spend on retries.
#
# - The total amount of time that Kinesis Data Firehose spends on retries.
# - This duration starts after the initial attempt to send data to the custom destination via HTTPS endpoint fails.
# - Logs that fail to be delivered to the HTTP endpoint even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: number
# - Required: false
retryDuration: 100
# Access key (credentials), needed for authenticating with endpoint
#
# - Access key is carried within a **X-Amz-Firehose-Access-Key** header
# - The configured key is copied verbatim into the value of this header.The contents can be arbitrary and can potentially represent a JWT token or an ACCESS_KEY.
# - It is recommended to use [secret](https://docs.stacktape.com/resources/secrets/) for storing your access key.
#
# - Type: string
# - Required: false
accessKey: example-value
# Configures log behavior for log group collecting logs from `/var/log/audit/audit.log` of your bastion host
#
# - Logs contain a detailed record of security-related events generated by the Linux audit system.
# The log may contain various types of logs such as process, file, network, user, and security logs.
# - By default "audit" logs are retained for 365 days.
#
# - Type: object
# - Required: false
audit:
# Disables the collection of logs to CloudWatch
#
#
# - Type: boolean
# - Required: false
# - Default: false
disabled: false
# Amount of days the logs will be retained in the log group
#
# - Type: enum: [1, 120, 14, 150, 180, 1827, 3, 30, 365, 3653, 400, 5, 545, 60, 7, 731, 90]
# - Required: false
# - Allowed values: [1, 120, 14, 150, 180, 1827, 3, 30, 365, 3653, 400, 5, 545, 60, 7, 731, 90]
retentionDays: 1
# Configures forwarding of logs to specified destination
#
# - Log forwarding is done using [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.
# - When using log forwarding, you will incur costs based on the amount of data being transferred to the destination (~$0.03 per transferred GB).
# Refer to [AWS Kinesis Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/?nc=sn&loc=3) page to see details.
# - Currently supported destinations for logs:
# - `http-endpoint`
# - delivers logs to any HTTP endpoint.
# - The endpoint must follow [Firehose request and response specifications](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html).
# (Many of the third party vendors are compliant with this specifications out of the box.)
# - `datadog`
# - delivers logs to [Datadog](https://www.datadoghq.com/).
# - `highlight`
# - delivers logs to [Highlight.io](https://www.highlight.io/) project.
#
# Refer to [our docs](https://docs.stacktape.com/configuration/log-forwarding/) for more information.
#
# > Logs that fail to be delivered to the destination even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: union (anyOf)
# - Required: false
#
# - Type: object
# - Required: false
logForwarding:
#
# - Type: string
# - Required: true
type: http-endpoint
#
# - Type: object
# - Required: true
properties:
# HTTPS endpoint where logs will be forwarded
#
# - Type: string
# - Required: true
endpointUrl: https://example.com
# Specifies whether to use GZIP compression for the request
#
# - When enabled, Firehose uses the content encoding to compress the body of a request before sending the request to the destination
#
# - Type: boolean
# - Required: false
gzipEncodingEnabled: true
# Parameters included in each call to HTTP endpoint
#
# - Key/Value pairs containing additional metadata you wish to send to the HTTP endpoint.
# - Parameters are delivered within **X-Amz-Firehose-Common-Attributes** header as a JSON object with following format: `{"commonAttributes":{"param1":"val1", "param2":"val2"}}`
#
# - Type: object
# - Required: false
# Amount of time spend on retries.
#
# - The total amount of time that Kinesis Data Firehose spends on retries.
# - This duration starts after the initial attempt to send data to the custom destination via HTTPS endpoint fails.
# - Logs that fail to be delivered to the HTTP endpoint even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: number
# - Required: false
retryDuration: 100
# Access key (credentials), needed for authenticating with endpoint
#
# - Access key is carried within a **X-Amz-Firehose-Access-Key** header
# - The configured key is copied verbatim into the value of this header.The contents can be arbitrary and can potentially represent a JWT token or an ACCESS_KEY.
# - It is recommended to use [secret](https://docs.stacktape.com/resources/secrets/) for storing your access key.
#
# - Type: string
# - Required: false
accessKey: example-value

LogForwarding alternatives

http-endpoint

This example shows how to configure logforwarding using http-endpoint.

resources:
myBastion:
type: bastion
properties:
logging:
messages:
# Configures forwarding of logs to specified destination
#
# - Log forwarding is done using [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.
# - When using log forwarding, you will incur costs based on the amount of data being transferred to the destination (~$0.03 per transferred GB).
# Refer to [AWS Kinesis Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/?nc=sn&loc=3) page to see details.
# - Currently supported destinations for logs:
# - `http-endpoint`
# - delivers logs to any HTTP endpoint.
# - The endpoint must follow [Firehose request and response specifications](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html).
# (Many of the third party vendors are compliant with this specifications out of the box.)
# - `datadog`
# - delivers logs to [Datadog](https://www.datadoghq.com/).
# - `highlight`
# - delivers logs to [Highlight.io](https://www.highlight.io/) project.
#
# Refer to [our docs](https://docs.stacktape.com/configuration/log-forwarding/) for more information.
#
# > Logs that fail to be delivered to the destination even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: object
# - Required: true
logForwarding:
#
# - Type: string
# - Required: true
type: http-endpoint
#
# - Type: object
# - Required: true
properties:
# HTTPS endpoint where logs will be forwarded
#
# - Type: string
# - Required: true
endpointUrl: https://example.com
# Specifies whether to use GZIP compression for the request
#
# - When enabled, Firehose uses the content encoding to compress the body of a request before sending the request to the destination
#
# - Type: boolean
# - Required: false
gzipEncodingEnabled: true
# Parameters included in each call to HTTP endpoint
#
# - Key/Value pairs containing additional metadata you wish to send to the HTTP endpoint.
# - Parameters are delivered within **X-Amz-Firehose-Common-Attributes** header as a JSON object with following format: `{"commonAttributes":{"param1":"val1", "param2":"val2"}}`
#
# - Type: object
# - Required: false
# Amount of time spend on retries.
#
# - The total amount of time that Kinesis Data Firehose spends on retries.
# - This duration starts after the initial attempt to send data to the custom destination via HTTPS endpoint fails.
# - Logs that fail to be delivered to the HTTP endpoint even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: number
# - Required: false
retryDuration: 100
# Access key (credentials), needed for authenticating with endpoint
#
# - Access key is carried within a **X-Amz-Firehose-Access-Key** header
# - The configured key is copied verbatim into the value of this header.The contents can be arbitrary and can potentially represent a JWT token or an ACCESS_KEY.
# - It is recommended to use [secret](https://docs.stacktape.com/resources/secrets/) for storing your access key.
#
# - Type: string
# - Required: false
accessKey: example-value

highlight

This example shows how to configure logforwarding using highlight.

resources:
myBastion:
type: bastion
properties:
logging:
messages:
# Configures forwarding of logs to specified destination
#
# - Log forwarding is done using [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.
# - When using log forwarding, you will incur costs based on the amount of data being transferred to the destination (~$0.03 per transferred GB).
# Refer to [AWS Kinesis Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/?nc=sn&loc=3) page to see details.
# - Currently supported destinations for logs:
# - `http-endpoint`
# - delivers logs to any HTTP endpoint.
# - The endpoint must follow [Firehose request and response specifications](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html).
# (Many of the third party vendors are compliant with this specifications out of the box.)
# - `datadog`
# - delivers logs to [Datadog](https://www.datadoghq.com/).
# - `highlight`
# - delivers logs to [Highlight.io](https://www.highlight.io/) project.
#
# Refer to [our docs](https://docs.stacktape.com/configuration/log-forwarding/) for more information.
#
# > Logs that fail to be delivered to the destination even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: object
# - Required: true
logForwarding:
#
# - Type: string
# - Required: true
type: highlight
#
# - Type: object
# - Required: true
properties:
# Id of a [highlight.io](https://www.highlight.io/) project.
#
# - You can get the id of your project in your [highlight.io console](https://app.highlight.io/).
#
# - Type: string
# - Required: true
projectId: example-value
# HTTPS endpoint where logs will be forwarded
#
# - By default Stacktape uses `https://pub.highlight.io/v1/logs/firehose`
#
# - Type: string
# - Required: false
# - Default: https://pub.highlight.io/v1/logs/firehose
endpointUrl: https://pub.highlight.io/v1/logs/firehose

datadog

This example shows how to configure logforwarding using datadog.

resources:
myBastion:
type: bastion
properties:
logging:
messages:
# Configures forwarding of logs to specified destination
#
# - Log forwarding is done using [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) delivery stream.
# - When using log forwarding, you will incur costs based on the amount of data being transferred to the destination (~$0.03 per transferred GB).
# Refer to [AWS Kinesis Firehose Pricing](https://aws.amazon.com/kinesis/data-firehose/pricing/?nc=sn&loc=3) page to see details.
# - Currently supported destinations for logs:
# - `http-endpoint`
# - delivers logs to any HTTP endpoint.
# - The endpoint must follow [Firehose request and response specifications](https://docs.aws.amazon.com/firehose/latest/dev/httpdeliveryrequestresponse.html).
# (Many of the third party vendors are compliant with this specifications out of the box.)
# - `datadog`
# - delivers logs to [Datadog](https://www.datadoghq.com/).
# - `highlight`
# - delivers logs to [Highlight.io](https://www.highlight.io/) project.
#
# Refer to [our docs](https://docs.stacktape.com/configuration/log-forwarding/) for more information.
#
# > Logs that fail to be delivered to the destination even after multiple retries (time spend on retries can be configured) are put into bucket with name `{stackName}-{resourceName}-logs-{generatedHash}`
#
# - Type: object
# - Required: true
logForwarding:
#
# - Type: string
# - Required: true
type: datadog
#
# - Type: object
# - Required: true
properties:
# API key required to enable delivery of logs to Datadog
#
# - You can get your Datadog API key in [Datadog console](https://app.datadoghq.com/organization-settings/api-keys)
# - It is recommended to use [secret](https://docs.stacktape.com/resources/secrets/) for storing your api key.
#
# - Type: string
# - Required: true
apiKey: example-value
# HTTPS endpoint where logs will be forwarded
#
# - By default Stacktape uses `https://aws-kinesis-http-intake.logs.datadoghq.com/v1/input`
# - If your Datadog site is in EU you should probably use `https://aws-kinesis-http-intake.logs.datadoghq.eu/v1/input`
#
# - Type: string
# - Required: false
# - Default: https://aws-kinesis-http-intake.logs.datadoghq.com/v1/input
endpointUrl: https://aws-kinesis-http-intake.logs.datadoghq.com/v1/input

Contents