├── .gitignore
├── .pre-commit-config.yaml
├── CHANGELOG.md
├── LICENSE
├── README.md
├── main.tf
├── outputs.tf
├── variables.tf
└── versions.tf
/.gitignore:
--------------------------------------------------------------------------------
# Local provider/module cache written by `terraform init`.
# NOTE(review): this glob also matches .terraform.lock.hcl; that is usual for a
# reusable module, but a root module that consumes it should commit the lock
# file so provider hashes stay pinned.
.terraform*
# State and its backups: state can hold sensitive resource attributes, so it
# must never be committed.
terraform.tfstate*
3 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
repos:
  # NOTE(review): rev is a git tag, which can be moved; pinning the commit SHA
  # behind it (with the tag kept in a comment) makes the hook fetch
  # reproducible and tamper-evident.
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.73.0
    hooks:
      # Keeps the .tf files canonically formatted.
      - id: terraform_fmt
      # Regenerates the Requirements/Providers/Inputs/Outputs tables in README.md
      # from variables.tf and outputs.tf.
      - id: terraform_docs
7 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 |
2 | ## [v2.1.0] - 2022-06-03
3 |
4 | - Add various new Session Manager options
5 |
6 |
7 |
8 | ## [v2.0.0] - 2019-09-20
9 |
10 | - Tidy README.md
11 | - Add CHANGELOG.md
12 | - Upgrade module to support Terraform 0.12 ([#2](https://github.com/gazoakley/terraform-aws-session-manager-settings/pull/2))
13 |
14 |
15 |
16 | ## [v1.1.0] - 2017-10-06
17 |
18 | - Improved documentation and new outputs for document_name and document_arn
19 |
20 |
21 |
22 | ## v1.0.0 - 2017-10-04
23 |
24 | - Initial commit
25 |
26 |
27 |
28 | [v2.0.0]: https://github.com/terraform-aws-modules/terraform-aws-security-group/compare/v1.1.0...v2.0.0
29 | [v1.1.0]: https://github.com/terraform-aws-modules/terraform-aws-security-group/compare/v1.0.0...v1.1.0
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Licensed under the Apache License, Version 2.0 (the "License");
2 | you may not use this file except in compliance with the License.
3 | You may obtain a copy of the License at
4 |
5 | http://www.apache.org/licenses/LICENSE-2.0
6 |
7 | Unless required by applicable law or agreed to in writing, software
8 | distributed under the License is distributed on an "AS IS" BASIS,
9 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
10 | See the License for the specific language governing permissions and
11 | limitations under the License.
12 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # terraform-aws-session-manager-settings
2 |
3 | This module creates an SSM document that stores preferences for AWS Systems Manager Session Manager.
4 |
5 | Session preferences let you specify a location to store log output for all sessions in your account. You can also enable server-side encryption using an AWS Key Management Service (KMS) key for a specified stream to ensure your session records are transferred securely.
6 |
7 | Requires `aws` provider >= 1.36.0
8 |
9 | ## Example Usage
10 |
11 | ```hcl
12 | module "session-manager-settings" {
13 | source = "gazoakley/session-manager-settings/aws"
14 |
15 | s3_bucket_name = "my-session-logs-bucket"
16 | cloudwatch_log_group_name = "/ssm/session-logs"
17 | }
18 | ```
19 |
20 |
21 | ## Requirements
22 |
23 | | Name | Version |
24 | |------|---------|
25 | | terraform | >= 0.12 |
26 | | aws | >= 1.36.0 |
27 |
28 | ## Providers
29 |
30 | | Name | Version |
31 | |------|---------|
32 | | aws | >= 1.36.0 |
33 |
34 | ## Inputs
35 |
36 | | Name | Description | Type | Default | Required |
37 | |------|-------------|------|---------|:--------:|
38 | | cloudwatch\_encryption\_enabled | Encrypt log data. | `bool` | `true` | no |
39 | | cloudwatch\_log\_group\_name | The name of the log group to upload session logs to. Specifying this enables sending session output to CloudWatch Logs. | `string` | `""` | no |
40 | | cloudwatch\_streaming\_enabled | Stream session log data to CloudWatch. Defaults to true. If false, logs will be uploaded at the end of the session. | `bool` | `true` | no |
41 | | idle\_session\_timeout | Time until a session is closed when left idle. | `number` | `20` | no |
42 | | kms\_key\_id | The KMS key used to encrypt SSM sessions. | `string` | `null` | no |
43 | | linux\_shell\_profile | A set of Linux commands to run when a Linux session is started. | `string` | `""` | no |
44 | | max\_session\_duration | The longest a session can stay open before it will be closed. | `number` | `null` | no |
45 | | run\_as\_enabled | Enables the option to start sessions using the credentials of a specified operating system user. | `bool` | `false` | no |
46 | | s3\_bucket\_name | The name of the bucket to store session logs in. Specifying this enables writing session output to an Amazon S3 bucket. | `string` | `""` | no |
47 | | s3\_encryption\_enabled | Encrypt log data. | `bool` | `true` | no |
48 | | s3\_key\_prefix | To write output to a sub-folder, enter a sub-folder name. | `string` | `""` | no |
49 | | windows\_shell\_profile | A set of Windows commands to run when a Windows session is started. | `string` | `""` | no |
50 | | ssm\_document\_name | The name of the SSM Document that will be created in the AWS account. | `string` | `"SSM-SessionManagerRunShell"` | no |
51 |
52 | ## Outputs
53 |
54 | | Name | Description |
55 | |------|-------------|
56 | | document\_arn | ARN of the created document. You can use this to create IAM policies that prevent changes to Session Manager preferences. |
57 | | document\_name | Name of the created document. |
58 |
59 |
60 |
61 | ## License
62 |
63 | Apache 2 Licensed. See LICENSE for full details.
64 |
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
# The SSM document that holds Session Manager preferences (see README). Its
# body is the JSON below; every value is taken unchanged from a module variable.
resource "aws_ssm_document" "session_manager_prefs" {
  name            = var.ssm_document_name
  document_type   = "Session"
  document_format = "JSON"

  content = jsonencode({
    schemaVersion = "1.0"
    description   = "Document to hold regional settings for Session Manager"
    sessionType   = "Standard_Stream"
    inputs = {
      # null when var.kms_key_id is unset: no customer-managed KMS key is then
      # applied to the session stream (README describes the KMS option).
      kmsKeyId = var.kms_key_id
      # Per variables.tf, S3 logging is enabled only when a bucket name is given.
      s3BucketName        = var.s3_bucket_name
      s3KeyPrefix         = var.s3_key_prefix
      s3EncryptionEnabled = var.s3_encryption_enabled
      # Per variables.tf, CloudWatch logging is enabled only when a log group
      # name is given.
      cloudWatchLogGroupName      = var.cloudwatch_log_group_name
      cloudWatchEncryptionEnabled = var.cloudwatch_encryption_enabled
      cloudWatchStreamingEnabled  = var.cloudwatch_streaming_enabled
      # NOTE(review): these are passed through as a number and as null; AWS's
      # published example for this document uses string values here — confirm
      # the Session document schema accepts the numeric and null forms.
      idleSessionTimeout = var.idle_session_timeout
      maxSessionDuration = var.max_session_duration
      # NOTE(review): no runAsDefaultUser is set, so when run-as is enabled the
      # OS user is presumably chosen from the caller's IAM principal — confirm
      # before enabling, since it changes which OS identity sessions run as.
      runAsEnabled = var.run_as_enabled
      # Commands injected verbatim at session start for each platform.
      shellProfile = {
        linux   = var.linux_shell_profile
        windows = var.windows_shell_profile
      }
    }
  })
}
28 |
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
# Name of the preferences document; taken straight from the resource attribute.
output "document_name" {
  value       = aws_ssm_document.session_manager_prefs.name
  description = "Name of the created document."
}
5 |
# ARN of the preferences document. Useful as the resource in IAM policies that
# deny ssm:UpdateDocument / ssm:DeleteDocument on it, so preferences such as
# logging and encryption cannot be silently changed.
output "document_arn" {
  value       = aws_ssm_document.session_manager_prefs.arn
  description = "ARN of the created document. You can use this to create IAM policies that prevent changes to Session Manager preferences."
}
10 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
# Name given to the created SSM document.
# NOTE(review): the default looks like the document name Session Manager reads
# for regional preferences; renaming it presumably means sessions ignore these
# settings — confirm before overriding.
variable "ssm_document_name" {
  description = "The name for SSM Document"
  type        = string
  default     = "SSM-SessionManagerRunShell"
}
6 |
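# Optional customer-managed KMS key for the session stream (README). With the
# default null, main.tf writes kmsKeyId = null and no customer-managed key is
# applied. Description typo ("to to") fixed.
variable "kms_key_id" {
  description = "The KMS key used to encrypt SSM sessions."
  type        = string
  default     = null
}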
12 |
# Empty by default: S3 logging is switched on only when a bucket name is given.
variable "s3_bucket_name" {
  description = "The name of bucket to store session logs. Specifying this enables writing session output to an Amazon S3 bucket."
  type        = string
  default     = ""
}
18 |
# Optional key prefix (sub-folder) under s3_bucket_name for uploaded logs.
variable "s3_key_prefix" {
  description = "To write output to a sub-folder, enter a sub-folder name."
  type        = string
  default     = ""
}
24 |
# Encryption flag for session logs written to s3_bucket_name (main.tf:
# s3EncryptionEnabled). Distinct from cloudwatch_encryption_enabled. On by default.
variable "s3_encryption_enabled" {
  description = "Encrypt log data."
  type        = bool
  default     = true
}
30 |
# Empty by default: CloudWatch Logs delivery is switched on only when a log
# group name is given.
variable "cloudwatch_log_group_name" {
  description = "The name of the log group to upload session logs to. Specifying this enables sending session output to CloudWatch Logs."
  type        = string
  default     = ""
}
36 |
# Encryption flag for session logs sent to cloudwatch_log_group_name (main.tf:
# cloudWatchEncryptionEnabled). Distinct from s3_encryption_enabled. On by default.
variable "cloudwatch_encryption_enabled" {
  description = "Encrypt log data."
  type        = bool
  default     = true
}
42 |
# true: log data is streamed to CloudWatch during the session.
# false: a single upload happens when the session ends (per the description).
variable "cloudwatch_streaming_enabled" {
  description = "Stream session log data to CloudWatch. Defaults to true. If false logs will be uploaded at the end of the session."
  type        = bool
  default     = true
}
48 |
# Idle timeout written to idleSessionTimeout in main.tf.
# NOTE(review): the description gives no unit; Session Manager documents this
# value in minutes — confirm and state the unit in the description.
variable "idle_session_timeout" {
  description = "Time until a session is closed when left idle."
  type        = number
  default     = 20
}
54 |
# Upper bound on session length, written to maxSessionDuration in main.tf.
# null passes null through, so this module imposes no bound of its own.
# NOTE(review): same unspecified unit as idle_session_timeout — confirm.
variable "max_session_duration" {
  description = "The longest a session can stay open before it will be closed."
  type        = number
  default     = null
}
60 |
# Off by default. NOTE(review): main.tf sets no runAsDefaultUser, so when this
# is enabled the OS user is presumably selected via the caller's IAM principal
# rather than by this module — review that mapping before turning it on.
variable "run_as_enabled" {
  description = "Enables the option to start sessions using the credentials of a specified operating system user."
  type        = bool
  default     = false
}
66 |
# Commands run at the start of every Linux session; injected verbatim into
# shellProfile.linux in main.tf, so treat the value as trusted configuration.
variable "linux_shell_profile" {
  description = "A set of Linux commands to run when a Linux session is started."
  type        = string
  default     = ""
}
72 |
# Commands run at the start of every Windows session; injected verbatim into
# shellProfile.windows in main.tf, so treat the value as trusted configuration.
variable "windows_shell_profile" {
  description = "A set of Windows commands to run when a Windows session is started."
  type        = string
  default     = ""
}
78 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
# Version constraints for the module. The plain-string provider constraint is
# presumably kept because the module still supports 0.12, which predates the
# source/version map form of required_providers.
terraform {
  required_version = ">= 0.12"

  required_providers {
    # Lower bound only, as is usual for a reusable module; the root module
    # (and its lock file) is where the provider version gets pinned.
    aws = ">= 1.36.0"
  }
}
8 |
--------------------------------------------------------------------------------