
terraform-aws-session-manager's Introduction

Terraform AWS Session Manager

A Terraform module to set up AWS Systems Manager Session Manager.

This module creates an SSM Session document (the Session Manager preferences) that turns on encrypted session traffic and session logging. It also creates a KMS key, an S3 bucket for session logs (with a separate access-log bucket), a CloudWatch Log group to store the logs, and the IAM role and instance profile that managed instances use. In addition, for EC2 instances without a public IP address it can create the VPC endpoints needed for private Session Manager communication (ssm, ssmmessages and ec2messages for the agent, plus s3, logs and kms for logging and encryption). The VPC endpoint creation can also be facilitated by other modules such as this. Be aware of the AWS PrivateLink pricing before deployment.

Usage

Update version to the latest release here: https://github.com/bridgecrewio/terraform-aws-session-manager/releases

Instances with public IPs do not need VPC endpoints: the SSM Agent reaches the regional Systems Manager endpoints over the internet (an instance in a private subnet behind a NAT gateway can do the same).

module "ssm" {
  source                    = "bridgecrewio/session-manager/aws"
  version                   = "0.2.0"
  bucket_name               = "my-session-logs"
  access_log_bucket_name    = "my-session-access-logs"
  enable_log_to_s3          = true
  enable_log_to_cloudwatch  = true
  linux_shell_profile       = "date"
}

Private instances with VPC endpoints for S3 and CloudWatch logging

module "ssm" {
  source                    = "bridgecrewio/session-manager/aws"
  version                   = "0.2.0"
  bucket_name               = "my-session-logs"
  access_log_bucket_name    = "my-session-access-logs"
  vpc_id                    = "vpc-0dc9ef19c0c23aeaa"
  tags                      = {
                                Function = "ssm"
                              }
  enable_log_to_s3          = true
  enable_log_to_cloudwatch  = true
  vpc_endpoints_enabled     = true
}

This module creates the instance-side IAM role and instance profile, but it does not create any IAM policies for the users or roles that start sessions. To do that, look at the example policies in the AWS Documentation.
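As an added example, not part of this module's code, the following is the operator-side policy written against the pattern in the AWS Session Manager documentation. It assumes the module block is named `ssm` as in the examples above (so `module.ssm.kms_key_arn` is the module's KMS key output), that the session preferences document the module creates is named `SSM-SessionManagerRunShell` (the name Session Manager looks up by default; confirm with `aws ssm list-documents --filters Key=DocumentType,Values=Session`), and that instances operators may reach carry the tag `SSMManaged = true`. The point of the second statement is that a caller who is allowed `ssm:StartSession` on an instance alone could otherwise name a different session document and sidestep the logging and encryption preferences this module sets up.

```hcl
# Added example: operator-side IAM policy for Session Manager.
# Assumptions: module block "ssm", session document "SSM-SessionManagerRunShell",
# target instances tagged SSMManaged = "true".

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
data "aws_partition" "current" {}

locals {
  partition            = data.aws_partition.current.partition
  session_document_arn = "arn:${local.partition}:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:document/SSM-SessionManagerRunShell"
}

data "aws_iam_policy_document" "session_operator" {
  # Sessions may be started only on instances carrying the SSMManaged tag.
  statement {
    sid       = "StartSessionOnTaggedInstances"
    actions   = ["ssm:StartSession"]
    resources = ["arn:${local.partition}:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ssm:resourceTag/SSMManaged"
      values   = ["true"]
    }
  }

  # ... and only through the logged, encrypted preferences document.
  # SessionDocumentAccessCheck makes IAM evaluate the document ARN on every
  # StartSession call, so no other document can be substituted.
  statement {
    sid       = "StartSessionWithLoggedDocumentOnly"
    actions   = ["ssm:StartSession"]
    resources = [local.session_document_arn]
    condition {
      test     = "BoolIfExists"
      variable = "ssm:SessionDocumentAccessCheck"
      values   = ["true"]
    }
  }

  # Operators can resume or terminate only their own sessions: session IDs
  # are prefixed with the caller's user name. $$ keeps Terraform from
  # interpolating the IAM policy variable.
  statement {
    sid       = "ManageOwnSessions"
    actions   = ["ssm:TerminateSession", "ssm:ResumeSession"]
    resources = ["arn:${local.partition}:ssm:*:*:session/$${aws:username}-*"]
  }

  # Read-only calls the console and CLI use to list targets and sessions.
  statement {
    sid = "DescribeSessions"
    actions = [
      "ssm:DescribeSessions",
      "ssm:GetConnectionStatus",
      "ssm:DescribeInstanceProperties",
      "ec2:DescribeInstances",
    ]
    resources = ["*"]
  }

  # Encrypted sessions: the caller generates the session data key with the
  # module's KMS key. The instance side separately needs kms:Decrypt on the
  # same key.
  statement {
    sid       = "GenerateSessionDataKey"
    actions   = ["kms:GenerateDataKey"]
    resources = [module.ssm.kms_key_arn]
  }
}

resource "aws_iam_policy" "session_operator" {
  name   = "session-manager-operator"
  policy = data.aws_iam_policy_document.session_operator.json
}
```

Attach `aws_iam_policy.session_operator` to the operator group or role; the instance-side permissions (AmazonSSMManagedInstanceCore plus S3, CloudWatch Logs and KMS access for the logs) are the module's own role and are not repeated here.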

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.8 |
| aws | >= 4.6.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 4.6.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.session_manager_log_group | resource |
| aws_iam_instance_profile.ssm_profile | resource |
| aws_iam_policy.ssm_s3_cwl_access | resource |
| aws_iam_role.ssm_role | resource |
| aws_iam_role_policy_attachment.SSM-role-policy-attach | resource |
| aws_iam_role_policy_attachment.SSM-s3-cwl-policy-attach | resource |
| aws_kms_alias.ssmkey | resource |
| aws_kms_key.ssmkey | resource |
| aws_s3_bucket.access_log_bucket | resource |
| aws_s3_bucket.session_logs_bucket | resource |
| aws_s3_bucket_acl.access_log_bucket | resource |
| aws_s3_bucket_acl.session_logs_bucket | resource |
| aws_s3_bucket_lifecycle_configuration.access_log_bucket | resource |
| aws_s3_bucket_lifecycle_configuration.session_logs_bucket | resource |
| aws_s3_bucket_logging.session_logs_bucket | resource |
| aws_s3_bucket_public_access_block.access_log_bucket | resource |
| aws_s3_bucket_public_access_block.session_logs_bucket | resource |
| aws_s3_bucket_server_side_encryption_configuration.access_log_bucket | resource |
| aws_s3_bucket_server_side_encryption_configuration.session_logs_bucket | resource |
| aws_s3_bucket_versioning.access_log_bucket | resource |
| aws_s3_bucket_versioning.session_logs_bucket | resource |
| aws_security_group.ssm_sg | resource |
| aws_ssm_document.session_manager_prefs | resource |
| aws_vpc_endpoint.ec2messages | resource |
| aws_vpc_endpoint.kms | resource |
| aws_vpc_endpoint.logs | resource |
| aws_vpc_endpoint.s3 | resource |
| aws_vpc_endpoint.ssm | resource |
| aws_vpc_endpoint.ssmmessages | resource |
| aws_vpc_endpoint_route_table_association.private_s3_route | resource |
| aws_vpc_endpoint_route_table_association.private_s3_subnet_route | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy.AmazonSSMManagedInstanceCore | data source |
| aws_iam_policy_document.kms_access | data source |
| aws_iam_policy_document.ssm_s3_cwl_access | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_route_table.selected | data source |
| aws_subnet_ids.selected | data source |
| aws_vpc.selected | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| access_log_bucket_name | Name prefix of S3 bucket to store access logs from session logs bucket | string | n/a | yes |
| access_log_expire_days | Number of days to wait before deleting access logs | number | 30 | no |
| bucket_name | Name prefix of S3 bucket to store session logs | string | n/a | yes |
| cloudwatch_log_group_name | Name of the CloudWatch Log Group for storing SSM Session Logs | string | "/ssm/session-logs" | no |
| cloudwatch_logs_retention | Number of days to retain Session Logs in CloudWatch | number | 30 | no |
| enable_log_to_cloudwatch | Enable Session Manager to log to CloudWatch Logs | bool | true | no |
| enable_log_to_s3 | Enable Session Manager to log to S3 | bool | true | no |
| kms_key_alias | Alias prefix of the KMS key. Must start with alias/ followed by a name | string | "alias/ssm-key" | no |
| kms_key_deletion_window | Waiting period for scheduled KMS key deletion. Can be 7-30 days. | number | 7 | no |
| linux_shell_profile | The ShellProfile to use for Linux based machines. | string | "" | no |
| log_archive_days | Number of days to wait before archiving to Glacier | number | 30 | no |
| log_expire_days | Number of days to wait before deleting | number | 365 | no |
| subnet_ids | Subnet IDs to deploy endpoints into | set(string) | [] | no |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| vpc_endpoint_private_dns_enabled | Enable private DNS for endpoints | bool | true | no |
| vpc_endpoints_enabled | Create VPC Endpoints | bool | false | no |
| vpc_id | VPC ID to deploy endpoints into | string | null | no |
| windows_shell_profile | The ShellProfile to use for Windows based machines. | string | "" | no |

Outputs

| Name | Description |
|------|-------------|
| access_log_bucket_name | n/a |
| cloudwatch_log_group_arn | n/a |
| iam_profile_name | n/a |
| iam_role_arn | n/a |
| kms_key_arn | n/a |
| session_logs_bucket_name | n/a |
| ssm_security_group | n/a |
| vpc_endpoint_ec2messages | n/a |
| vpc_endpoint_kms | n/a |
| vpc_endpoint_logs | n/a |
| vpc_endpoint_s3 | n/a |
| vpc_endpoint_ssm | n/a |
| vpc_endpoint_ssmmessages | n/a |

SSM Usage Example

  • Launch an instance using the instance profile created by Terraform (output iam_profile_name). The instance needs the SSM Agent running and a path to the Systems Manager endpoints: a public IP, a NAT gateway, or the VPC endpoints this module can create.
  • Install the session-manager-plugin on your workstation and start a session. The bundle below is the macOS build; the AWS documentation has the Linux and Windows installers.
cd /tmp
curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/mac/sessionmanager-bundle.zip" -o "sessionmanager-bundle.zip"
unzip sessionmanager-bundle.zip
sudo ./sessionmanager-bundle/install -i /usr/local/sessionmanagerplugin -b /usr/local/bin/session-manager-plugin

# Verify the plugin is on PATH (it prints a confirmation that it is installed)
session-manager-plugin

cd -

# Start an SSM session. The caller needs ssm:StartSession on the instance and on the session document;
# without VPC endpoints the instance must reach the SSM endpoints over the internet (public IP or NAT)
aws ssm start-session --target <EC2 Instance ID>
  • Review session logs in your CloudWatch logs group
  • Review session logs in your S3 bucket

terraform-aws-session-manager's People

Contributors

anthonyangel, drewmullen, jameswoolfenden, jonjozwiak, taliesins, tirsen


terraform-aws-session-manager's Issues

cloudwatch does not initialize with encryption

Error message on first initialization; the SSM session cannot start:

Your session has been terminated for the following reasons: We couldn't start the session because encryption is not set up on the selected CloudWatch Logs log group. Either encrypt the log group or choose an option to enable logging without encryption.

Does anyone have the same problem?

vpce.tf

Error: Invalid index
   on .terraform/modules/ssm/vpce.tf line 12, in locals:
   12:   subnet_ids_string = join(",", data.aws_subnet_ids.selected[0].ids)
     |----------------
     | data.aws_subnet_ids.selected is empty tuple
 The given key does not identify an element in this collection value.

first initialization of ssm with s3 ends with a conflict

On first initialization of SSM with an S3 bucket, you get a conflicting operation error; after a second run it works.

Error: error creating S3 Lifecycle Configuration for bucket (my-session-logs-20221126162031752900000001): OperationAborted: A conflicting conditional operation is currently in progress against this resource. Please try again.
│ status code: 409, request id: E2579P1ENNHT888H, host id: io+NlPIsZtlKWaFLzbC80EP7mcH34oPzeFmC+kLvmKuXgxdVqP69Z8ycH5bQbdTnGhkkCfnaHhk=
│
│ with module.ssm.aws_s3_bucket_lifecycle_configuration.session_logs_bucket,
│ on .terraform/modules/ssm/aws_s3_bucket.session_logs_bucket.tf line 39, in resource "aws_s3_bucket_lifecycle_configuration" "session_logs_bucket":
│ 39: resource "aws_s3_bucket_lifecycle_configuration" "session_logs_bucket" {

I will work on a solution for that.

Unable to use terraform init

I've used the template in Terraform registry but when I perform a terraform init, all I get back is:

Error: Module not found

Module "terraform-aws-session-manager" (from SSM.tf:1) cannot be found in the
module registry at registry.terraform.io.

connection fails due to cloudwatch encryption

Your session has been terminated for the following reasons: We couldn't start the session because encryption is not set up on the selected CloudWatch Logs log group. Either encrypt the log group or choose an option to enable logging without encryption.

no VPC endpoint, public subnet

confirmed CW Encryption is enabled (screenshot omitted)
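Both CloudWatch encryption reports above trip the same check: when the session preferences document sets cloudWatchEncryptionEnabled, Session Manager refuses to start a session unless the target log group is associated with a KMS key, and that association is only possible when the key policy lets the CloudWatch Logs service principal use the key. The following is an added example, not this module's code, of a log group that fails the check next to one that passes it. It is a stand-alone configuration: the data sources, key policy and log group name (`/ssm/session-logs`, the module's default) are assumptions made for the illustration.

```hcl
# Added example: what "encryption is not set up on the selected CloudWatch
# Logs log group" is checking for. Stand-alone; not the module's own resources.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}
data "aws_partition" "current" {}

data "aws_iam_policy_document" "session_logs_key" {
  # The account root keeps administrative control of the key.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # CloudWatch Logs must be allowed to use the key, otherwise associating the
  # key with a log group is rejected. The encryption-context condition limits
  # the grant to log groups in this account and region.
  statement {
    sid = "AllowCloudWatchLogs"
    actions = [
      "kms:Encrypt*",
      "kms:Decrypt*",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:Describe*",
    ]
    resources = ["*"]
    principals {
      type        = "Service"
      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
    }
    condition {
      test     = "ArnLike"
      variable = "kms:EncryptionContext:aws:logs:arn"
      values   = ["arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
    }
  }
}

resource "aws_kms_key" "session_logs" {
  description             = "Session Manager session log encryption"
  deletion_window_in_days = 7
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.session_logs_key.json
}

# Fails the check: no kms_key_id. With cloudWatchEncryptionEnabled = true in
# the session preferences, StartSession is refused with the error quoted above.
# resource "aws_cloudwatch_log_group" "session_logs_unencrypted" {
#   name              = "/ssm/session-logs"
#   retention_in_days = 30
# }

# Passes the check: the log group is associated with the key, and the key
# policy above lets the CloudWatch Logs service use it.
resource "aws_cloudwatch_log_group" "session_logs" {
  name              = "/ssm/session-logs"
  retention_in_days = 30
  kms_key_id        = aws_kms_key.session_logs.arn
}
```

To confirm the association from the CLI after apply, `aws logs describe-log-groups --log-group-name-prefix /ssm/session-logs --query 'logGroups[].kmsKeyId'` should print the key ARN; an empty list means the preferences document enables encryption for a log group that has none, which is exactly the state the error describes.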

AWS console gui unresponsive when editing Session Manager config

Issue:

  • AWS console gui unresponsive when editing Session Manager config

Steps:

  • apply config using terraform module
  • in AWS Console: [AWS Systems Manager] -> [Session Manager] -> [Preferences] -> Click "Edit"
  • get grey screen

Requires an explicit idleSessionTimeout setting and unquoted true/false values:

FIX:

--- a/main.tf
+++ b/main.tf
@@ -36,10 +36,11 @@ resource "aws_ssm_document" "session_manager_prefs" {
     sessionType   = "Standard_Stream"
     inputs = {
       s3BucketName                = var.enable_log_to_s3 ? aws_s3_bucket.session_logs_bucket.id : ""
-      s3EncryptionEnabled         = var.enable_log_to_s3 ? "true" : "false"
+      s3EncryptionEnabled         = var.enable_log_to_s3 ? true : false
       cloudWatchLogGroupName      = var.enable_log_to_cloudwatch ? aws_cloudwatch_log_group.session_manager_log_group.name : ""
-      cloudWatchEncryptionEnabled = var.enable_log_to_cloudwatch ? "true" : "false"
+      cloudWatchEncryptionEnabled = var.enable_log_to_cloudwatch ? true : false
       kmsKeyId                    = aws_kms_key.ssmkey.key_id
+      idleSessionTimeout          = "20"
       shellProfile = {
         linux   = var.linux_shell_profile == "" ? var.linux_shell_profile : ""
         windows = var.windows_shell_profile == "" ? var.windows_shell_profile : ""
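Review bot: the two shellProfile context lines at the end of this hunk have their ternaries inverted and should be fixed in the same change: `linux = var.linux_shell_profile == "" ? var.linux_shell_profile : ""` evaluates to `""` in both branches (the variable is only used when it is empty), so the linux_shell_profile and windows_shell_profile inputs never reach the document; the test should be `!= ""`, or the variable can simply be passed through. Separately, the added `idleSessionTimeout = "20"` hard-codes a value into the module; it belongs in an input variable with a default so the timeout stays configurable, and the variable should be documented in the Inputs table.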

Can't configure a value for "region"

Hello,
Using this module I am getting this error:
Error: Value for unconfigurable attribute
on .terraform\modules\ssm\main.tf line 58, in resource "aws_s3_bucket" "access_log_bucket":
58: region = data.aws_region.current.name
Can't configure a value for "region": its value will be decided
automatically based on the result of applying this configuration.

Is this a known issue?

Warning: Deprecated Resource `aws_subnet_ids data source has been deprecated`

Version: 0.4.2

Config

module "ssm" {
  source                    = "bridgecrewio/session-manager/aws"
  version                   = "0.4.2"

  enable_log_to_cloudwatch  = true
  enable_log_to_s3          = true
  vpc_endpoints_enabled     = true
  vpc_endpoint_private_dns_enabled = true

  access_log_bucket_name    = "ssm-access-logs"
  bucket_name               = "ssm-sm-logs"
  kms_key_alias             = "alias/ssm-sm"
  kms_key_deletion_window   = var.delete_wait_timeout
  vpc_id                    = module.vpc.vpc_id
}

Output

│ Warning: Deprecated Resource
│ 
│   with module.ssm.data.aws_subnet_ids.selected,
│   on .terraform/modules/ssm/vpce.tf line 6, in data "aws_subnet_ids" "selected":
│    6: data "aws_subnet_ids" "selected" {
│ 
│ The aws_subnet_ids data source has been deprecated and will be removed in a future version. Use the aws_subnets data source instead.
│ 
│ (and one more similar warning elsewhere)
╵

Module Doesn't Support Version 4.x of the AWS Provider

apply bombs when attempting to create S3 resources and instead needs to use the new S3 resources found here, here, here, and here.

Here are the respective errors thrown as these attributes are read only in aws provider v4 as outlined here.

Can't configure a value for "server_side_encryption_configuration": its value will be decided automatically based on the result of applying this configuration.

Can't configure a value for "lifecycle_rule": its value will be decided automatically based on the result of applying this configuration.

Can't configure a value for "versioning": its value will be decided automatically based on the result of applying this configuration.

Can't configure a value for "acl": its value will be decided automatically based on the result of applying this configuration.

Module doesn't work with subnet_ids

When I deploy version 0.3.0 with subnet_ids (which i need in order to ensure that endpoints are actually deployed into private subnets), I get an error:

module "ssm-session-manager" {
  source                   = "bridgecrewio/session-manager/aws"
  version                  = "0.3.0"
  bucket_name              = "my-session-logs"
  access_log_bucket_name   = "my-session-access-logs"
  vpc_id                   = "vpc-XXXXXXXXXXXXXX"
  subnet_ids               = ["subnet-XXXXXXXXXXXXXX"]
  tags                     = {
                               Function = "ssm"
                             }
  enable_log_to_s3         = true
  enable_log_to_cloudwatch = true
  vpc_endpoints_enabled    = true
}

│ Error: query returned no results. Please change your search criteria and try again

│ with module.ssm-session-manager.data.aws_route_table.selected[0],
│ on .terraform/modules/ssm-session-manager/vpce.tf line 11, in data "aws_route_table" "selected":
│ 11: data "aws_route_table" "selected" {

Would appreciate your help in resolving this.

Thanks,
