Skip to content

Commit

Permalink
Add IAM roles and policies for S3 and DynamoDB (#2)
Browse files Browse the repository at this point in the history
* Add DynamoDB IAM role and policy

* Update DynamoDB IAM role and policy

* Update `README`

* Update `README`

* Update outputs

* Update description
  • Loading branch information
aknysh authored Mar 7, 2018
1 parent 77202e8 commit 23370f6
Show file tree
Hide file tree
Showing 6 changed files with 145 additions and 86 deletions.
18 changes: 14 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,12 +1,22 @@
# terraform-aws-teleport-storage [![Build Status](https://travis-ci.org/cloudposse/terraform-aws-teleport-storage.svg?branch=master)](https://travis-ci.org/cloudposse/terraform-aws-teleport-storage)

Terraform Module to provision an S3 bucket for session logs and a DynamoDB table as backend storage for Gravitational's Teleport
## Introduction

* https://gravitational.com/teleport
This Terraform module provisions:

Using DynamoDB as a storage backend allows highly available deployments.
* An S3 bucket for session logs in Gravitational [Teleport](https://gravitational.com/teleport)
* An IAM policy with permissions to create and access a DynamoDB table to use as storage backend in Teleport

Using S3 for session storage in Teleport has many advantages:
__NOTE:__ Teleport creates a DynamoDB table with the specified name automatically

https://gravitational.com/teleport/docs/admin-guide/


## Features

Using DynamoDB as a storage backend allows highly available deployments of Teleport Auth services.

Using S3 for Teleport session storage has many advantages:

* Encryption at rest
* Versioned objects
Expand Down
39 changes: 39 additions & 0 deletions dynamodb.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
module "label_dynamodb" {
source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "${var.name}"
delimiter = "${var.delimiter}"
attributes = ["${compact(concat(var.attributes, list("dynamodb")))}"]
tags = "${var.tags}"
}

data "aws_iam_policy_document" "dynamodb" {
statement {
effect = "Allow"
actions = ["dynamodb:*"]

resources = ["arn:aws:dynamodb:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${var.dynamodb_table_name}"]
}
}

resource "aws_iam_role" "dynamodb" {
name = "${module.label_dynamodb.id}"
assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
}

resource "aws_iam_policy" "dynamodb" {
name = "${module.label_dynamodb.id}"
description = "Allow Teleport Auth service full access to DynamoDB table"
policy = "${data.aws_iam_policy_document.dynamodb.json}"
}

resource "aws_iam_role_policy_attachment" "dynamodb" {
role = "${aws_iam_role.dynamodb.name}"
policy_arn = "${aws_iam_policy.dynamodb.arn}"
}

resource "aws_iam_instance_profile" "dynamodb" {
name = "${module.label_dynamodb.id}"
role = "${aws_iam_role.dynamodb.name}"
}
44 changes: 13 additions & 31 deletions main.tf
Original file line number Diff line number Diff line change
@@ -1,33 +1,15 @@
module "s3_bucket" {
source = "git::https://github.com/cloudposse/terraform-aws-s3-log-storage.git?ref=tags/0.1.3"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "${var.name}"
delimiter = "${var.delimiter}"
attributes = ["${compact(concat(var.attributes, list("logs")))}"]
tags = "${var.tags}"
prefix = "${var.prefix}"
standard_transition_days = "${var.standard_transition_days}"
glacier_transition_days = "${var.glacier_transition_days}"
expiration_days = "${var.expiration_days}"
}
data "aws_caller_identity" "current" {}

data "aws_region" "current" {}

data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]

module "dynamodb_table" {
source = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.1.0"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "${var.name}"
delimiter = "${var.delimiter}"
attributes = ["${compact(concat(var.attributes, list("dynamodb")))}"]
tags = "${var.tags}"
region = "${var.region}"
hash_key = "${var.hash_key}"
range_key = "${var.range_key}"
ttl_attribute = "${var.ttl_attribute}"
autoscale_read_target = "${var.autoscale_read_target}"
autoscale_write_target = "${var.autoscale_write_target}"
autoscale_min_read_capacity = "${var.autoscale_min_read_capacity}"
autoscale_max_read_capacity = "${var.autoscale_max_read_capacity}"
autoscale_min_write_capacity = "${var.autoscale_min_write_capacity}"
autoscale_max_write_capacity = "${var.autoscale_max_write_capacity}"
principals = {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
10 changes: 1 addition & 9 deletions outputs.tf
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
output "s3_bucket_id" {
value = "${module.s3_bucket.id}"
value = "${module.s3_bucket.bucket_id}"
}

output "s3_bucket_domain_name" {
Expand All @@ -9,11 +9,3 @@ output "s3_bucket_domain_name" {
output "s3_bucket_arn" {
value = "${module.s3_bucket.bucket_arn}"
}

output "dynamodb_table_id" {
value = "${module.dynamodb_table.table_id}"
}

output "dynamodb_table_arn" {
value = "${module.dynamodb_table.table_arn}"
}
73 changes: 73 additions & 0 deletions s3.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
module "s3_bucket" {
source = "git::https://github.com/cloudposse/terraform-aws-s3-log-storage.git?ref=tags/0.1.3"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "${var.name}"
delimiter = "${var.delimiter}"
attributes = ["${compact(concat(var.attributes, list("logs")))}"]
tags = "${var.tags}"
prefix = "${var.prefix}"
standard_transition_days = "${var.standard_transition_days}"
glacier_transition_days = "${var.glacier_transition_days}"
expiration_days = "${var.expiration_days}"
}

module "label_s3" {
source = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
namespace = "${var.namespace}"
stage = "${var.stage}"
name = "${var.name}"
delimiter = "${var.delimiter}"
attributes = ["${compact(concat(var.attributes, list("logs")))}"]
tags = "${var.tags}"
}

# Allow Read and Write access to the bucket
# https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
data "aws_iam_policy_document" "s3" {
statement {
effect = "Allow"

actions = [
"s3:ListBucket",
]

resources = [
"arn:aws:s3:::${module.s3_bucket.bucket_id}",
]
}

statement {
effect = "Allow"

actions = [
"s3:PutObject",
"s3:GetObject",
]

resources = [
"arn:aws:s3:::${module.s3_bucket.bucket_id}/*",
]
}
}

resource "aws_iam_role" "s3" {
name = "${module.label_s3.id}"
assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
}

resource "aws_iam_policy" "s3" {
name = "${module.label_s3.id}"
description = "Allow Teleport Auth service read/write access to S3 bucket"
policy = "${data.aws_iam_policy_document.s3.json}"
}

resource "aws_iam_role_policy_attachment" "s3" {
role = "${aws_iam_role.s3.name}"
policy_arn = "${aws_iam_policy.s3.arn}"
}

resource "aws_iam_instance_profile" "s3" {
name = "${module.label_s3.id}"
role = "${aws_iam_role.s3.name}"
}
47 changes: 5 additions & 42 deletions variables.tf
Original file line number Diff line number Diff line change
@@ -1,7 +1,3 @@
variable "region" {
type = "string"
}

variable "name" {
type = "string"
}
Expand Down Expand Up @@ -30,7 +26,8 @@ variable "delimiter" {
}

variable "prefix" {
default = ""
description = "S3 bucket prefix"
default = ""
}

variable "standard_transition_days" {
Expand All @@ -48,41 +45,7 @@ variable "expiration_days" {
default = "90"
}

variable "hash_key" {
type = "string"
default = "HashKey"
}

variable "range_key" {
type = "string"
default = "FullPath"
}

variable "ttl_attribute" {
type = "string"
default = "Expires"
}

variable "autoscale_write_target" {
default = 50
}

variable "autoscale_read_target" {
default = 50
}

variable "autoscale_min_read_capacity" {
default = 10
}

variable "autoscale_max_read_capacity" {
default = 100
}

variable "autoscale_min_write_capacity" {
default = 10
}

variable "autoscale_max_write_capacity" {
default = 100
variable "dynamodb_table_name" {
type = "string"
description = "DynamoDB table name"
}

0 comments on commit 23370f6

Please sign in to comment.