IaC Bazaar
Azure · Live-tested

Azure Bastion + Hardened Jumpbox

Bastion (Developer/Basic/Standard SKU) with optional hardened Linux VM, JIT-style NSG rules and boot diagnostics for secure VM access without public IPs.

terraform · Azure · #azure
azure-bastion-jumpbox · terraform v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan: findings disclosed (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-29 · how we verify

Documentation

azure-bastion-jumpbox

Status: static-validated, live-test pending. Ships under live-test quarantine — provisioning a Bastion needs a real VNet with an AzureBastionSubnet (>= /26) and a jumpbox image pull, and the Trusted Launch / encryption-at-host features must be registered on the subscription, none of which exist in a CI sandbox yet. The full apply → verify → destroy gate runs once an Azure sandbox subscription is wired up. Schema is validated against the azurerm v4 provider docs (built against 4.76).

Secure VM access without public IPs: an Azure Bastion host (Developer / Basic / Standard) plus an optional hardened Linux jumpbox reachable only through the Bastion. Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

The Developer SKU is the free-tier-friendly option for short-lived tests (it references the VNet directly and provisions no dedicated public IP or subnet); Basic/Standard attach to an AzureBastionSubnet with a Standard public IP, and Standard unlocks native-client tunneling, IP-connect and file-copy.

Secure defaults

  • Jumpbox has no public IP — it is reachable only by going through Bastion.
  • SSH-key auth only; password authentication is disabled (a precondition requires jumpbox_ssh_public_key).
  • Trusted Launch: Secure Boot + vTPM on, plus encryption at host.
  • Deny-by-default NSG on the jumpbox NIC: an explicit catch-all denies all inbound, and a single allow rule permits SSH from jumpbox_allowed_ssh_source_address. This defaults to the VirtualNetwork tag, i.e. the whole VNet (which contains Bastion, but also any other VM or workload in the VNet). For strict Bastion-only SSH, set it to the AzureBastionSubnet CIDR (see Requirements & notes).
  • System-assigned managed identity on the jumpbox for least-privilege role grants; boot diagnostics on a managed storage account by default.
  • Bastion public IP is Standard / static / zone-deployable.
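The secure defaults listed above, written out as an added illustration in plain azurerm resources. This is not the module's own code (that ships with the licence); the resource group, region, VM size, image and the example Bastion subnet CIDR are constructed placeholders, and the two variable names mirror the ones the page mentions.

```hcl
# Added illustration of the jumpbox hardening described above; not the
# module's code. Names, region and resource group are constructed placeholders.
variable "jumpbox_ssh_public_key" { type = string }
variable "jumpbox_subnet_id" { type = string }
# Whole-VNet default; set to the AzureBastionSubnet CIDR (e.g. 10.0.255.0/26,
# a placeholder) for Bastion-only SSH.
variable "jumpbox_allowed_ssh_source_address" {
  type    = string
  default = "VirtualNetwork"
}

resource "azurerm_network_security_group" "jumpbox" {
  name                = "nsg-jumpbox"
  location            = "westeurope"
  resource_group_name = "rg-bastion-demo"

  # The single allow rule: SSH only from the configured source.
  security_rule {
    name                       = "AllowSSHFromSource"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = var.jumpbox_allowed_ssh_source_address
    destination_address_prefix = "*"
  }
  # Explicit catch-all: overrides the platform default that allows VNet inbound.
  security_rule {
    name                       = "DenyAllInbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# No public_ip_address_id on the NIC: the only path in is through Bastion.
resource "azurerm_network_interface" "jumpbox" {
  name                = "nic-jumpbox"
  location            = "westeurope"
  resource_group_name = "rg-bastion-demo"
  ip_configuration {
    name                          = "internal"
    subnet_id                     = var.jumpbox_subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_network_interface_security_group_association" "jumpbox" {
  network_interface_id      = azurerm_network_interface.jumpbox.id
  network_security_group_id = azurerm_network_security_group.jumpbox.id
}

resource "azurerm_linux_virtual_machine" "jumpbox" {
  name                  = "vm-jumpbox"
  location              = "westeurope"
  resource_group_name   = "rg-bastion-demo"
  size                  = "Standard_B2s"
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.jumpbox.id]

  # SSH-key auth only; password login is disabled.
  disable_password_authentication = true
  admin_ssh_key {
    username   = "azureuser"
    public_key = var.jumpbox_ssh_public_key
  }

  # Trusted Launch (needs a Gen2 image) plus encryption at host (needs the
  # EncryptionAtHost feature registered on the subscription).
  secure_boot_enabled        = true
  vtpm_enabled               = true
  encryption_at_host_enabled = true

  identity { type = "SystemAssigned" } # for least-privilege role grants
  boot_diagnostics {}                  # empty block = managed storage account

  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }

  # Fail the plan, not the apply, when no key is supplied.
  lifecycle {
    precondition {
      condition     = length(trimspace(var.jumpbox_ssh_public_key)) > 0
      error_message = "jumpbox_ssh_public_key must be set; password auth is disabled."
    }
  }
}
```

With the default `VirtualNetwork` source, any workload in the VNet can reach port 22 on the jumpbox; passing the AzureBastionSubnet CIDR as `jumpbox_allowed_ssh_source_address` narrows that to Bastion alone. The explicit `DenyAllInbound` at priority 4096 matters because the NSG's built-in default rules would otherwise still admit VNet-internal traffic.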

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/verify/destroy testing pending an Azure sandbox subscription; see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.

  • Usage
  • Inputs
  • Outputs
  • Requirements & notes