Secure Landing Zone (SLZ) can provision the solution that is described in Setting up a bastion host that uses Teleport. This solution configures a bastion host in your VPC that runs Teleport Enterprise Edition, and provisions a Cloud Object Storage bucket and an App ID instance for enhanced security.
App ID is used to authenticate users to Teleport through OIDC. Teleport session recordings are stored in the Object Storage bucket. The cloud-init file installs Teleport and configures it for App ID and Object Storage. The Teleport variables.tf file defines the configuration variables.
You need the following items to deploy and configure a bastion host that uses Teleport:
- A Teleport Enterprise Edition license
- A generated TLS certificate and key for each of the provisioned virtual server instances, or a wildcard certificate that covers all of them
SLZ can provision the bastion host in two locations. You can place the bastion either within the management VPC or in the edge VPC if you're using BIG-IP from F5.
[Diagrams: bastion host placed in the Management VPC; bastion host placed in the Edge or Transit VPC]
To provision Teleport within the management VPC, set `teleport_management_zones` to the number of bastion hosts to deploy, up to a maximum of 3. For example, if you set the value to 1, SLZ provisions a bastion host in zone-1 of your management VPC. If you set the value to 2, it provisions a bastion host in each of zone-1 and zone-2 of your management VPC. The other variables that are needed to set up and configure Teleport are listed in the following sections.
To provision Teleport in the edge VPC alongside the F5, set both `provision_teleport_in_f5` and `add_edge_vpc` to true. For more information about the F5 deployment, see Provisioning an F5 BIG-IP host by using Secure Landing Zone; the variables that are needed to set up and configure Teleport are listed in the following section.
Don't set `create_f5_network_on_management_vpc` to true and `teleport_management_zones` to a value greater than 0 at the same time.
The following variables need to be set to provision the bastion host that uses Teleport:
```
provision_teleport_in_f5   # Provision Teleport in the edge VPC alongside the F5
use_existing_appid         # Use an existing App ID instance. If this is false, one is created automatically
appid_name                 # Name of the App ID instance
appid_resource_group       # Resource group of the existing App ID instance. Ignored if a new instance is created
teleport_instance_profile  # Machine type for the Teleport VSI instances. Use the IBM Cloud CLI command `ibmcloud is instance-profiles` to see available instance profiles
teleport_vsi_image_name    # Teleport VSI image name. Use the IBM Cloud CLI command `ibmcloud is images` to see available images
teleport_license           # The contents of the PEM license file
https_cert                 # The HTTPS certificate that the bastion host uses for Teleport
https_key                  # The HTTPS private key that the bastion host uses for Teleport
teleport_hostname          # The hostname of the instance or bastion host
teleport_domain            # The domain of the bastion host
teleport_version           # Version of Teleport Enterprise to use
message_of_the_day         # Banner message that is shown to the user at authentication time
teleport_admin_email       # Email of the Teleport VSI admin
teleport_management_zones  # Number of management VPC zones to create a Teleport VSI in when not using F5. Ignored if you are using F5
```
For more details about specifying input variables, see Customizing your environment. For more information about the Teleport configuration variables, see the documentation for the pattern that you are deploying.
After App ID is configured for Teleport, you can log in to Teleport through the web console or the tsh client. tsh is Teleport's command-line client; for more information, see Installing tsh. You need the fully qualified domain name (FQDN) of the Teleport server to log in.
To use the web console:
- Access the web console on port 3080 (`https://<User defined FQDN of teleport server>:3080`).
- Start a terminal session under Servers. Look for a single server with a Connect button. Click Connect and select the user that you would like to log in with.
To use tsh:
- Install the Teleport client tool tsh.
- Log in through the Teleport proxy: `tsh login --proxy=<User defined FQDN of teleport server>:3080`
- Run a shell or a command on a remote SSH node by using the tsh ssh command: `tsh ssh <[user@]host>`
You might not be able to access Teleport on your virtual server after Secure Landing Zone provisions the bastion host. Follow these steps to log in through SSH and verify the configuration of your virtual server.
- Connect to your bastion host VSI by using SSH.
ℹ️ Tip: SSH is not allowed by default. You must add rules to the security groups and ACLs of your virtual server.
- Run each of the following commands and check whether the values match the ones that you configured:
  - `cat ~/license.pem`: the content of the file matches your `teleport_license`.
  - `cat ~/cert.pem`: the content of the file matches your `https_cert`.
  - `cat ~/key.pem`: the content of the file matches your `https_key`.
  - `cat ~/oidc.yaml`: the `redirect_url` value equals `https://<HOSTNAME>.<DOMAIN>:3080/v1/webapi/oidc/callback`, and the `claims_to_roles` value is `- {claim: "email", value: "<TELEPORT_ADMIN_EMAIL>", roles: ["teleport-admin"]}`.
  - `cat /etc/teleport.yaml`: the `audit_sessions_uri` value contains your `cos_bucket_name`.
  - `systemctl status teleport`: Teleport is running.
- After you verify that Teleport is configured correctly, remove the security group and ACL rules that you added in the first step. If a value doesn't match what you configured, you can run the script `/root/install.sh` to run the installation again.
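The checks in the procedure above, as an added example script rather than anything shipped with Secure Landing Zone. It assumes the file paths that the steps name (`~/license.pem`, `~/cert.pem`, `~/key.pem`, `~/oidc.yaml`, `/etc/teleport.yaml`), reads the values you passed to Terraform from environment variables whose names were chosen for this example (`EXPECTED_DIR`, `TELEPORT_HOSTNAME`, `TELEPORT_DOMAIN`, `TELEPORT_ADMIN_EMAIL`, `COS_BUCKET_NAME`), and includes a constructed sample of a correctly configured bastion so the checks can be tried offline before you copy the script to the host.

```shell
#!/bin/sh
# Added example, not code from Secure Landing Zone: re-check the files that
# cloud-init wrote on the Teleport bastion against the values you passed to
# Terraform. Paths are the ones named in the verification steps above
# (~/license.pem, ~/cert.pem, ~/key.pem, ~/oidc.yaml, /etc/teleport.yaml).
# Everything marked "constructed" is sample data made up for this example.

# Print the first scalar found after "key:" in a YAML file, with surrounding
# whitespace and double quotes removed. Good enough for the flat keys checked
# here; it is not a YAML parser.
yaml_value() {   # $1=file $2=key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Succeed if two files are byte-identical (license, cert, key).
files_match() {  # $1=file you gave Terraform $2=file found on the bastion
    cmp -s "$1" "$2"
}

# Succeed if redirect_url is exactly the Teleport OIDC callback for the
# teleport_hostname and teleport_domain you configured.
oidc_redirect_ok() {  # $1=oidc.yaml $2=teleport_hostname $3=teleport_domain
    [ "$(yaml_value "$1" redirect_url)" = "https://$2.$3:3080/v1/webapi/oidc/callback" ]
}

# Succeed if claims_to_roles maps the admin e-mail to the teleport-admin role.
oidc_admin_claim_ok() {  # $1=oidc.yaml $2=teleport_admin_email
    grep -Fq "{claim: \"email\", value: \"$2\", roles: [\"teleport-admin\"]}" "$1"
}

# Succeed if audit_sessions_uri refers to the session-recording bucket.
audit_uri_has_bucket() {  # $1=teleport.yaml $2=cos_bucket_name
    case "$(yaml_value "$1" audit_sessions_uri)" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeed if the teleport systemd unit is active.
teleport_running() {
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet teleport
}

# Run every check on a live bastion. Expected values come from the environment:
#   EXPECTED_DIR  directory holding the license.pem, cert.pem and key.pem that
#                 you passed as teleport_license, https_cert and https_key
#   TELEPORT_HOSTNAME, TELEPORT_DOMAIN, TELEPORT_ADMIN_EMAIL, COS_BUCKET_NAME
verify_all() {
    rc=0
    report() { if "$@"; then echo "ok    $1"; else echo "FAIL  $1"; rc=1; fi; }
    report files_match "$EXPECTED_DIR/license.pem" "$HOME/license.pem"
    report files_match "$EXPECTED_DIR/cert.pem"    "$HOME/cert.pem"
    report files_match "$EXPECTED_DIR/key.pem"     "$HOME/key.pem"
    report oidc_redirect_ok "$HOME/oidc.yaml" "$TELEPORT_HOSTNAME" "$TELEPORT_DOMAIN"
    report oidc_admin_claim_ok "$HOME/oidc.yaml" "$TELEPORT_ADMIN_EMAIL"
    report audit_uri_has_bucket /etc/teleport.yaml "$COS_BUCKET_NAME"
    report teleport_running
    return $rc
}

# Constructed sample of a correctly configured bastion, so the checks can be
# tried offline. Prints the directory it creates.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'CONSTRUCTED SAMPLE LICENSE\n' > "$d/license.pem"
    cp "$d/license.pem" "$d/license.expected"    # stands in for the Terraform input
    printf 'CONSTRUCTED SAMPLE CERT\n' > "$d/cert.pem"
    cat > "$d/oidc.yaml" <<'EOF'
kind: oidc
version: v2
metadata:
  name: appid
spec:
  redirect_url: https://bastion.example.test:3080/v1/webapi/oidc/callback
  claims_to_roles:
    - {claim: "email", value: "admin@example.test", roles: ["teleport-admin"]}
EOF
    cat > "$d/teleport.yaml" <<'EOF'
teleport:
  storage:
    audit_sessions_uri: "s3://slz-teleport-records/records?endpoint=s3.example.test"
EOF
    printf '%s\n' "$d"
}

# Only touch the live host when asked; sourcing the file just defines the
# functions so you can run them one at a time from your SSH session.
if [ "${RUN_VERIFY:-0}" = 1 ]; then
    verify_all
fi
```

Copy the script and your local copies of the license, certificate, and key to the bastion over the temporary SSH rule, then run it with `RUN_VERIFY=1` and the five environment variables set. A `FAIL` line names the Terraform value that did not make it into the cloud-init output, which is the case where running `/root/install.sh` again is the fix; a clean run is your cue to remove the SSH rules again.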
By default, Secure Landing Zone provisions ACLs and security groups that are relatively open and not specific to any customer. Use the override.json file to change, add, or delete rules so that they fit your environment, and restrict access to the bastion to the source ranges that need it.