sap_vm_provision: amend bastion boolean default based on feedback

Author: sean-freeman

roles/sap_vm_provision/PLATFORM_GUIDANCE.md

@@ -21,8 +21,8 @@ The subsequent provisioned Virtual Machine, must be accessible too - this can ut
 
 The Ansible Control Node AKA Controller (i.e. device where Ansible Playbook is executed), must be able to SSH to the Ansible Target Node (i.e. Virtual Machine) using:
 
+- DEFAULT: SSH Proxy connection from Ansible control node, via Bastion host, to target node (`sap_vm_provision_bastion_execution: true`); with SSH Private Keys for the host and the bastion (`sap_vm_provision_ssh_host_private_key_file_path: "/path"` and `sap_vm_provision_ssh_bastion_private_key_file_path: "/path"`)
 - Direct SSH connection from Ansible control node to target node (`sap_vm_provision_bastion_execution: false`); with SSH Private Key for the host (`sap_vm_provision_ssh_host_private_key_file_path: "/path"`).
-- SSH Proxy connection from Ansible control node, via Bastion host, to target node (`sap_vm_provision_bastion_execution: true`); with SSH Private Keys for the host and the bastion (`sap_vm_provision_ssh_host_private_key_file_path: "/path"` and `sap_vm_provision_ssh_bastion_private_key_file_path: "/path"`)
 
 
 ## Required resources when Ansible provisioning VMs

roles/sap_vm_provision/defaults/main.yml

@@ -30,7 +30,10 @@ sap_vm_provision_group_anydb_secondary: anydb_secondary
 # Only for use when 'ansible' is value provided for variable sap_vm_provision_iac_type
 ####
 
-sap_vm_provision_bastion_execution: false # for Cloud IaaS, this is usually true
+# For security purposes, assume usage of SSH Proxy connection from Ansible control node, via Bastion host to the Target host/s:
+# - This is a common pattern for Cloud IaaS, using a Bastion for connectivity
+# - When using VPN or in On-Premise/Hosted Datacenters, this can be disabled if there is direct connectivity
+sap_vm_provision_bastion_execution: true
 
 sap_vm_provision_bastion_public_ip: ""