
Bastion Abstractions

cloudspells.core.abstractions.bastion

Cloud-neutral bastion abstractions for CloudSpells multi-cloud support.

Different providers implement secure shell access differently:

  • OCI — Bastion uses the OCI Bastion Service (managed endpoint with ephemeral session tokens).
  • AWS — AWS Systems Manager Session Manager or EC2 Instance Connect.
  • GCP — Identity-Aware Proxy (IAP) TCP forwarding.

All implementations satisfy AbstractBastion.

Exports

AbstractBastion: Interface for a secure shell access mechanism.

AbstractBastion

Bases: ABC

Interface for a provider-agnostic secure shell access mechanism.

Provider implementations (OCI Bastion, AWS AwsSessionManagerBastion, GCP GcpIapBastion) satisfy this interface.

Attributes:

id (Output[str]): Provider resource ID of the bastion resource.

Example
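import pulumi
from cloudspells.core.abstractions.bastion import AbstractBastion

def export_bastion(b: AbstractBastion, label: str) -> None:
    pulumi.export(f"{label}_bastion_endpoint",
                  b.get_access_endpoint())

# oci_bastion is an AbstractBastion implementation created elsewhere in the program.
export_bastion(oci_bastion, "mgmt")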
Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/bastion.py
class AbstractBastion(ABC):
    """Interface for a provider-agnostic secure shell access mechanism.

    Provider implementations (OCI `Bastion`,
    AWS `AwsSessionManagerBastion`, GCP `GcpIapBastion`) satisfy this
    interface.

    Attributes:
        id: Provider resource ID of the bastion resource.

    Example:
        ```python
        def export_bastion(b: AbstractBastion, label: str) -> None:
            pulumi.export(f"{label}_bastion_endpoint",
                          b.get_access_endpoint())

        export_bastion(oci_bastion, "mgmt")
        ```
    """

    id: pulumi.Output[str]

    @abstractmethod
    def get_access_endpoint(self) -> pulumi.Output[str]:
        """Return the access endpoint for establishing SSH proxy sessions.

        For OCI this is the bastion's private endpoint IP.  For AWS it may
        be the SSM endpoint URL.  For GCP it is the IAP tunnel address.

        Returns:
            `pulumi.Output[str]` resolving to the endpoint address.
        """

    @abstractmethod
    def export(self) -> None:
        """Publish standard bastion stack outputs."""

get_access_endpoint() -> pulumi.Output[str] abstractmethod

Return the access endpoint for establishing SSH proxy sessions.

For OCI this is the bastion's private endpoint IP. For AWS it may be the SSM endpoint URL. For GCP it is the IAP tunnel address.

Returns:

Output[str]: pulumi.Output[str] resolving to the endpoint address.

Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/bastion.py
@abstractmethod
def get_access_endpoint(self) -> pulumi.Output[str]:
    """Return the access endpoint for establishing SSH proxy sessions.

    For OCI this is the bastion's private endpoint IP.  For AWS it may
    be the SSM endpoint URL.  For GCP it is the IAP tunnel address.

    Returns:
        `pulumi.Output[str]` resolving to the endpoint address.
    """
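
The docstring above describes a different endpoint shape per provider. The following added example (not CloudSpells code) checks a resolved endpoint string against that description before it is published as a stack output. The provider labels, the RFC 1918 definition of "private" and the https requirement are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "private" means RFC 1918 space; extend for networks using other ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def endpoint_findings(provider: str, endpoint: str) -> list:
    """Check one resolved get_access_endpoint() value and return findings.

    `provider` is a hypothetical label ("oci", "aws", "gcp"), not a
    CloudSpells field. An empty list means nothing was flagged.
    """
    value = endpoint.strip()
    if not value:
        return ["empty endpoint"]
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None

    findings = []
    if ip is not None:
        # An IP literal must sit in private space whatever the provider.
        if not (ip.version == 4 and any(ip in net for net in RFC1918)):
            findings.append(f"{value}: IP literal outside RFC 1918 space")
        return findings
    if provider == "oci":
        # The docstring says the OCI value is the private endpoint IP.
        findings.append(f"{value}: expected an IP address for OCI")
    if "://" in value and urlsplit(value).scheme.lower() != "https":
        findings.append(f"{value}: URL endpoint is not https")
    return findings


# Constructed sample values, not output from a real stack.
SAMPLES = [
    ("oci", "10.0.12.7"),
    ("oci", "203.0.113.10"),
    ("aws", "https://ssm.example.test"),
    ("aws", "http://ssm.example.test"),
]

if __name__ == "__main__":
    for provider, endpoint in SAMPLES:
        print(provider, endpoint, endpoint_findings(provider, endpoint) or "ok")
    # In a Pulumi program the resolved value is only available inside apply():
    #   bastion.get_access_endpoint().apply(lambda v: endpoint_findings("oci", v))
```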

export() -> None abstractmethod

Publish standard bastion stack outputs.

Source code in packages/cloudspells-core/src/cloudspells/core/abstractions/bastion.py
@abstractmethod
def export(self) -> None:
    """Publish standard bastion stack outputs."""