Use separate Dynamo tables for cluster state and audit event logs (#6)

cloudposse-archives · Mar 16, 2019 · eb78eb0 · eb78eb0
1 parent 9567827
commit eb78eb0
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 41 deletions.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 This Terraform module provisions:
 
 * An S3 bucket for session logs in Gravitational [Teleport](https://gravitational.com/teleport)
-* A DynamoDB table to use as storage backend in Teleport
+* 2 DynamoDB tables to use as storage backend in Teleport
 
 
 ## Features

diff --git a/dynamodb.tf b/dynamodb.tf
@@ -1,20 +1,82 @@
-module "dynamodb_table" {
-  source                       = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.1.0"
-  namespace                    = "${var.namespace}"
-  stage                        = "${var.stage}"
-  name                         = "${var.name}"
-  delimiter                    = "${var.delimiter}"
-  attributes                   = ["${compact(concat(var.attributes, list("dynamodb")))}"]
-  tags                         = "${var.tags}"
-  region                       = "${var.region}"
-  hash_key                     = "${var.hash_key}"
-  range_key                    = "${var.range_key}"
-  ttl_attribute                = "${var.ttl_attribute}"
+# From https://github.com/gravitational/teleport/blob/b9813e3/examples/aws/terraform/dynamo.tf#L1-L36
+module "dynamodb_state_table" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.7.0"
+  namespace         = "${var.namespace}"
+  stage             = "${var.stage}"
+  name              = "${var.name}"
+  delimiter         = "${var.delimiter}"
+  attributes        = ["${compact(concat(var.attributes, list("cluster_state")))}"]
+  tags              = "${var.tags}"
+  enable_encryption = "true"
+  hash_key          = "HashKey"
+  hash_key_type     = "S"
+  range_key         = "FullPath"
+  range_key_type    = "S"
+  ttl_attribute     = "Expires"
+
+  # min_read and min_write set the provisioned capacity even if the autoscaler is not enabled
+  autoscale_min_read_capacity  = "${var.autoscale_min_read_capacity}"
+  autoscale_min_write_capacity = "${var.autoscale_min_write_capacity}"
+
+  enable_autoscaler            = "true"
   autoscale_read_target        = "${var.autoscale_read_target}"
   autoscale_write_target       = "${var.autoscale_write_target}"
-  autoscale_min_read_capacity  = "${var.autoscale_min_read_capacity}"
   autoscale_max_read_capacity  = "${var.autoscale_max_read_capacity}"
+  autoscale_max_write_capacity = "${var.autoscale_max_write_capacity}"
+}
+
+# From https://github.com/gravitational/teleport/blob/b9813e3/examples/aws/terraform/dynamo.tf#L38-L91
+module "dynamodb_audit_table" {
+  source            = "git::https://github.com/cloudposse/terraform-aws-dynamodb.git?ref=tags/0.7.0"
+  namespace         = "${var.namespace}"
+  stage             = "${var.stage}"
+  name              = "${var.name}"
+  delimiter         = "${var.delimiter}"
+  attributes        = ["${compact(concat(var.attributes, list("events")))}"]
+  tags              = "${var.tags}"
+  enable_encryption = "true"
+  hash_key          = "SessionID"
+  hash_key_type     = "S"
+  range_key         = "EventIndex"
+  range_key_type    = "N"
+  ttl_attribute     = "Expires"
+
+  dynamodb_attributes = [
+    {
+      name = "SessionID"
+      type = "S"
+    },
+    {
+      name = "EventIndex"
+      type = "N"
+    },
+    {
+      name = "EventNamespace"
+      type = "S"
+    },
+    {
+      name = "CreatedAt"
+      type = "N"
+    },
+  ]
+
+  global_secondary_index_map = [{
+    name            = "timesearch"
+    hash_key        = "EventNamespace"
+    range_key       = "CreatedAt"
+    read_capacity   = "${var.autoscale_min_read_capacity}"
+    write_capacity  = "${var.autoscale_min_write_capacity}"
+    projection_type = "ALL"
+  }]
+
+  # min_read and min_write set the provisioned capacity even if the autoscaler is not enabled
+  autoscale_min_read_capacity  = "${var.autoscale_min_read_capacity}"
   autoscale_min_write_capacity = "${var.autoscale_min_write_capacity}"
+
+  enable_autoscaler            = "true"
+  autoscale_read_target        = "${var.autoscale_read_target}"
+  autoscale_write_target       = "${var.autoscale_write_target}"
+  autoscale_max_read_capacity  = "${var.autoscale_max_read_capacity}"
   autoscale_max_write_capacity = "${var.autoscale_max_write_capacity}"
 }
 
@@ -33,7 +95,10 @@ data "aws_iam_policy_document" "dynamodb" {
     effect  = "Allow"
     actions = ["dynamodb:*"]
 
-    resources = ["${module.dynamodb_table.table_arn}"]
+    resources = [
+      "${module.dynamodb_audit_table.table_arn}",
+      "${module.dynamodb_state_table.table_arn}",
+    ]
   }
 }
 

diff --git a/outputs.tf b/outputs.tf
@@ -10,10 +10,18 @@ output "s3_bucket_arn" {
   value = "${module.s3_bucket.bucket_arn}"
 }
 
-output "dynamodb_table_id" {
-  value = "${module.dynamodb_table.table_id}"
+output "dynamodb_audit_table_id" {
+  value = "${module.dynamodb_audit_table.table_id}"
 }
 
-output "dynamodb_table_arn" {
-  value = "${module.dynamodb_table.table_arn}"
+output "dynamodb_audit_table_arn" {
+  value = "${module.dynamodb_audit_table.table_arn}"
+}
+
+output "dynamodb_state_table_id" {
+  value = "${module.dynamodb_state_table.table_id}"
+}
+
+output "dynamodb_state_table_arn" {
+  value = "${module.dynamodb_state_table.table_arn}"
 }
diff --git a/s3.tf b/s3.tf
@@ -4,7 +4,7 @@ module "s3_bucket" {
   stage                    = "${var.stage}"
   name                     = "${var.name}"
   delimiter                = "${var.delimiter}"
-  attributes               = ["${compact(concat(var.attributes, list("logs")))}"]
+  attributes               = ["${compact(concat(var.attributes, list("sessions")))}"]
   tags                     = "${var.tags}"
   prefix                   = "${var.prefix}"
   standard_transition_days = "${var.standard_transition_days}"
@@ -18,7 +18,7 @@ module "label_s3" {
   stage      = "${var.stage}"
   name       = "${var.name}"
   delimiter  = "${var.delimiter}"
-  attributes = ["${compact(concat(var.attributes, list("logs")))}"]
+  attributes = ["${compact(concat(var.attributes, list("sessions")))}"]
   tags       = "${var.tags}"
 }
 

diff --git a/variables.tf b/variables.tf
@@ -31,11 +31,6 @@ variable "tags" {
   description = "Additional tags (e.g. map('BusinessUnit`,`XYZ`)"
 }
 
-variable "region" {
-  type        = "string"
-  description = "AWS Region"
-}
-
 variable "prefix" {
   type        = "string"
   description = "S3 bucket prefix"
@@ -60,21 +55,6 @@ variable "expiration_days" {
   default     = "90"
 }
 
-variable "hash_key" {
-  type    = "string"
-  default = "HashKey"
-}
-
-variable "range_key" {
-  type    = "string"
-  default = "FullPath"
-}
-
-variable "ttl_attribute" {
-  type    = "string"
-  default = "Expires"
-}
-
 variable "autoscale_write_target" {
   default = 50
 }