Feat: Bastion component #6553

Open

jamesgibbons92 wants to merge 2 commits into anomalyco:dev from jamesgibbons92:6364

Conversation

@jamesgibbons92 (Collaborator) commented Mar 7, 2026

Closes #6364

Summary:

  • Adds a new component 'Bastion', which is a standalone component for deploying an EC2 bastion acting as a tunnel into VPC-protected resources. This is functionally equivalent to the bastion created in the VPC component, but has some additional improvements and can support a non-sst VPC by passing in the required props.
  • Adds a version number to sst tunnel which prompts the user to run sudo sst tunnel install again if the binary code changes. This is just a hardcoded version variable which needs to be bumped when changes are made.
  • sst tunnel now supports multiple bastions in a stack. This is probably a very small use case, but previously the command would just use the last _tunnel it found in the stack.

SSM Support

The tunnel code has been extended to support session-manager port forwarding; this is more secure than SSH as it does not require any public-facing server. https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/

  • By default the bastion will deploy in 'ssh' mode, similar to the existing bastion.
  • Opt in to SSM by passing an arg into the component.
  • The only caveat to this mode is that it requires the aws-cli session-manager-plugin to be installed on the client system.

Notes:

  • The existing bastion behaviour in the VPC component is unchanged. I left this untouched to reduce the risk of regression issues; this new component is more useful for people needing to tunnel into a non-sst VPC, or if they want to use the more secure SSM tunnel mechanism.

Test plan:

  • Vpc with bastion: true (regression test, ensure the new tunnel code is backwards compatible)
  • Vpc with Bastion component in SSH mode
  • Vpc with Bastion component in SSM mode
  • Vpc with Shared Bastion component
  • SST Dev
  • Tunnel needs upgrade
  • SSM mode but session manager plugin not installed

Todo:

  • Test macOS
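
The SSM tunnel mode described above depends on the Session Manager plugin being present on the client, and the PR's test plan includes the case where it is missing. The following is an added example (not sst's tunnel code) of a preflight check for that dependency plus construction of the port-forwarding command it would drive; the instance id, host and ports are placeholder values.

```bash
#!/usr/bin/env bash
# Added example: preflight check for SSM tunnel mode and construction of the
# Session Manager port-forwarding command. Not part of the sst project's code.

# Returns 0 when the Session Manager plugin is on PATH, 1 otherwise.
# A missing plugin is the failure mode the PR's test plan exercises.
ssm_plugin_installed() {
  command -v session-manager-plugin >/dev/null 2>&1
}

# Rejects anything that is not a plain decimal port number.
is_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Builds the aws cli invocation for the AWS-StartPortForwardingSessionToRemoteHost
# document: traffic to localhost:<local_port> is forwarded through the instance to
# <host>:<remote_port> inside the VPC. Arguments: instance-id host remote_port local_port.
# The command is printed, not executed, so it can be inspected first.
build_ssm_forward_cmd() {
  local instance_id="$1" host="$2" remote_port="$3" local_port="$4"
  is_port "$remote_port" && is_port "$local_port" || return 1
  local params="{\"host\":[\"$host\"],\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]}"
  printf "aws ssm start-session --target %s --document-name AWS-StartPortForwardingSessionToRemoteHost --parameters '%s'\n" \
    "$instance_id" "$params"
}

# Refuses to proceed without the plugin (exit 2, so callers can prompt the user to
# install it) and otherwise emits the command.
ssm_tunnel_preflight() {
  if ! ssm_plugin_installed; then
    echo "session-manager-plugin not found; install it before using SSM tunnel mode" >&2
    return 2
  fi
  build_ssm_forward_cmd "$@"
}
```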

jamesgibbons92 force-pushed the 6364 branch 2 times, most recently from 4c655a3 to eb3ef85 on March 10, 2026 00:31
jamesgibbons92 marked this pull request as ready for review March 10, 2026 23:04
jamesgibbons92 requested a review from vimtor March 10, 2026 23:04
@jamesgibbons92 (Collaborator, Author) commented:

@vimtor circling back to this now. Apart from the merge conflicts, are there any other changes you think I should make to this PR to get it merged?


Development

Successfully merging this pull request may close these issues.

Request: Allow for the creation of a bastion for an existing VPC.