Inital commit for AWS Session Manager module

Author: Rajeev Jaggavarapu

.github/workflows/checkov.yml

@@ -0,0 +1,23 @@
+  
+name: Static security analysis for Terraform
+
+on:
+  push:
+    branches:
+    - master
+  pull_request:
+    branches:
+    - master
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ./

.gitignore

@@ -0,0 +1,5 @@
+.terraform
+*.tfstate*
+*.tfvars*
+other_vars.tf
+provider.tf

README.md

@@ -0,0 +1,54 @@
+# Terraform AWS Session Manager Resources
+
+## Use as a Module
+
+```hcl
+module "ssm_resources" {
+    source = "./"
+    kms_key = {
+    name                    = "ssm-cmk-key"
+    description             = "CMK for cloudwath logs and session"
+    deletion_window_in_days = 7
+  }
+  cloudwatch_log_group_name =  "/ssm/session-logs"
+  enable_log_to_cloudwatch = true
+}
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 0.12.24 |
+| aws | ~> 2.60 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | ~> 2.60 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cloudwatch\_log\_group\_name | Name of the CloudWatch Log Group for storing SSM Session Logs | `string` | `"/ssm/session-logs"` | no |
+| cloudwatch\_logs\_retention | Number of days to retain Session Logs in CloudWatch | `number` | `30` | no |
+| create\_ssm\_document | Do you want to create SSM Document | `bool` | `true` | no |
+| default\_user | operating system user name for starting sessions | `string` | `"ec2-user"` | no |
+| enable\_log\_to\_cloudwatch | Enable Session Manager to Log to CloudWatch Logs | `bool` | `true` | no |
+| kms\_key | KMS Key Details | `map(string)` | <pre>{<br>  "deletion_window_in_days": 7,<br>  "description": "CMK for cloudwath logs and session",<br>  "name": "ssm-cmk-key"<br>}</pre> | no |
+| run\_as\_enabled | Do you want to use Specify Operating System user for sessions | `bool` | `true` | no |
+| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cloudwatch\_log\_group\_arn | n/a |
+| ssm\_cloudwatch\_log\_group\_arn | The Amazon Resource Name (ARN) specifying the log group for SSM |
+| ssm\_kms\_key\_arn | KMS key used for SSM |
+| ssm\_role\_arn | n/a |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

data.tf

@@ -0,0 +1,96 @@
+data "aws_caller_identity" "current" {
+
+}
+
+data "aws_region" "current" {
+
+}
+
+
+data "aws_iam_policy_document" "kms_access" {
+  statement {
+    sid = "KMS Key Default"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions = [
+      "kms:*",
+    ]
+
+    resources = ["*"]
+
+  }
+
+  statement {
+    sid = "CloudWatchLogsEncryption"
+    principals {
+      type        = "Service"
+      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+    }
+    actions = [
+      "kms:Encrypt*",
+      "kms:Decrypt*",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:Describe*",
+    ]
+
+    resources = ["*"]
+  }
+
+}
+
+
+data "aws_iam_policy" "AmazonSSMManagedInstanceCore" {
+  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+data "aws_iam_policy" "AmazonEC2RoleforSSM" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+}
+
+data "aws_iam_policy_document" "ssm_s3_cwl_access" {
+
+  # A custom policy for CloudWatch Logs access
+  # https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/permissions-reference-cwl.html
+  statement {
+    sid = "SSMAccess"
+
+    actions = [
+      "ssmmessages:CreateControlChannel",
+      "ssmmessages:CreateDataChannel",
+      "ssmmessages:OpenControlChannel",
+      "ssmmessages:OpenDataChannel",
+      "ssm:UpdateInstanceInformation"
+    ]
+
+    resources = ["*"]
+  }
+  statement {
+    sid = "CloudWatchLogsAccessForSessionManager"
+
+    actions = [
+      "logs:PutLogEvents",
+      "logs:CreateLogStream",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+    ]
+
+    resources = aws_cloudwatch_log_group.session_manager_log_group.*.arn
+  }
+
+  statement {
+    sid = "KMSEncryptionForSessionManager"
+
+    actions = [
+      "kms:DescribeKey",
+      "kms:GenerateDataKey",
+      "kms:Decrypt",
+      "kms:Encrypt",
+    ]
+
+    resources = ["${module.kms.arn}"]
+  }
+
+}

main.tf

@@ -0,0 +1,98 @@
+module "kms" {
+  source                  = "app.terraform.io/foss-cafe/kms/aws"
+  version                 = "1.0.0"
+  enabled                 = true
+  name                    = lookup(var.kms_key, "name")
+  description             = lookup(var.kms_key, "description", "CMK for cloudwath logs and session")
+  policy                  = data.aws_iam_policy_document.kms_access.json
+  deletion_window_in_days = lookup(var.kms_key, "deletion_window_in_days", 7)
+  tags                    = var.tags
+
+}
+
+resource "aws_cloudwatch_log_group" "session_manager_log_group" {
+  count             = var.enable_log_to_cloudwatch ? 1 : 0
+  name              = var.cloudwatch_log_group_name
+  retention_in_days = var.cloudwatch_logs_retention
+  kms_key_id        = module.kms.arn
+
+  tags = var.tags
+}
+#### This Document is not working as expected need rework
+# resource "aws_ssm_document" "session_manager_prefs" {
+#   count = var.create_ssm_document ? 1: 0
+#   name            = "SSM-SessionManagerRunShell"
+#   document_type   = "Session"
+#   document_format = "JSON"
+#   tags            = var.tags
+
+#   content = <<DOC
+# {
+#   "schemaVersion": "1.0",
+#   "description": "Document to hold regional settings for Session Manager",
+#   "sessionType": "Standard_Stream",
+#   "inputs": {
+#     "s3BucketName": "",
+#     "s3KeyPrefix": "",
+#     "s3EncryptionEnabled": true,
+#     "cloudWatchLogGroupName": "${var.enable_log_to_cloudwatch ? var.cloudwatch_log_group_name : ""}",
+#     "cloudWatchEncryptionEnabled": "${var.enable_log_to_cloudwatch ? "true" : "false"}",
+#     "kmsKeyId": "${module.kms.key_id}",
+#     "runAsEnabled": "false",
+#     "runAsDefaultUser": ""
+#   }
+# }
+# DOC
+# }
+
+
+# Create EC2 Instance Role for SSM
+resource "aws_iam_role" "ssm_role" {
+  name = "SessionManagerRole"
+  path = "/"
+  tags = var.tags
+
+  assume_role_policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "sts:AssumeRole",
+            "Principal": {
+               "Service": "ec2.amazonaws.com"
+            },
+            "Effect": "Allow",
+            "Sid": ""
+        }
+    ]
+}
+EOF
+}
+
+
+
+resource "aws_iam_policy" "ssm_s3_cwl_access" {
+  name   = "SessionManagerPermissions"
+  path   = "/"
+  policy = data.aws_iam_policy_document.ssm_s3_cwl_access.json
+}
+
+resource "aws_iam_role_policy_attachment" "SSM_role_managed_instace_policy_attach" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = data.aws_iam_policy.AmazonSSMManagedInstanceCore.arn
+}
+
+resource "aws_iam_role_policy_attachment" "SSM_role_for_ec2_policy_attach" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = data.aws_iam_policy.AmazonEC2RoleforSSM.arn
+}
+
+resource "aws_iam_role_policy_attachment" "SSM_s3_cwl_policy_attach" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = aws_iam_policy.ssm_s3_cwl_access.arn
+}
+
+resource "aws_iam_instance_profile" "ssm_profile" {
+  name = "ssm_profile"
+  role = aws_iam_role.ssm_role.name
+}

outputs.tf

@@ -0,0 +1,18 @@
+
+output "cloudwatch_log_group_arn" {
+  value = aws_cloudwatch_log_group.session_manager_log_group.arn
+}
+
+output "ssm_kms_key_arn" {
+  description = "KMS key used for SSM"
+  value       = module.kms.arn
+}
+
+output "ssm_cloudwatch_log_group_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the log group for SSM"
+  value       = join("", aws_cloudwatch_log_group.session_manager_log_group.*.arn)
+}
+
+output "ssm_role_arn" {
+  value = aws_iam_role.ssm_role.arn
+}

variables.tf

@@ -0,0 +1,51 @@
+variable "kms_key" {
+  type        = map(string)
+  description = "KMS Key Details"
+  default = {
+    name                    = "ssm-cmk-key"
+    description             = "CMK for cloudwath logs and session"
+    deletion_window_in_days = 7
+  }
+}
+
+variable "cloudwatch_logs_retention" {
+  description = "Number of days to retain Session Logs in CloudWatch"
+  type        = number
+  default     = 30
+}
+
+variable "cloudwatch_log_group_name" {
+  description = "Name of the CloudWatch Log Group for storing SSM Session Logs"
+  type        = string
+  default     = "/ssm/session-logs"
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "enable_log_to_cloudwatch" {
+  description = "Enable Session Manager to Log to CloudWatch Logs"
+  type        = bool
+  default     = true
+}
+
+variable "run_as_enabled" {
+  type        = bool
+  description = "Do you want to use Specify Operating System user for sessions"
+  default     = true
+}
+
+variable "default_user" {
+  type        = string
+  description = "operating system user name for starting sessions"
+  default     = "ec2-user"
+}
+
+variable "create_ssm_document" {
+  type        = bool
+  description = "Do you want to create SSM Document"
+  default     = true
+}

versions.tf

@@ -0,0 +1,7 @@
+terraform {
+  required_version = "~> 0.12.24"
+
+  required_providers {
+    aws = "~> 2.60"
+  }
+}