Merge pull request #7916 from zalando-incubator/session-manager-logging

Add Session Manager logging CF

Author: gargravarr

cluster/cluster.yaml

@@ -482,6 +482,13 @@ Resources:
                 - "ssmmessages:OpenDataChannel"
                 Effect: Allow
                 Resource: "*"
+              - Action:
+                - "logs:CreateLogStream"
+                - "logs:PutLogEvents"
+                - "logs:DescribeLogGroups"
+                - "logs:DescribeLogStreams"
+                Effect: Allow
+                Resource: "*"
 {{ if eq .Cluster.Environment "e2e" }}
 # Add extra permissions to worker IAM role to test that if a pod manages to get
 # the WorkerIAMRole assigned it can list a specific s3 bucket.
@@ -1417,6 +1424,13 @@ Resources:
                 - "ssmmessages:OpenDataChannel"
                 Effect: Allow
                 Resource: "*"
+              - Action:
+                - "logs:CreateLogStream"
+                - "logs:PutLogEvents"
+                - "logs:DescribeLogGroups"
+                - "logs:DescribeLogStreams"
+                Effect: Allow
+                Resource: "*"
             Version: 2012-10-17
           PolicyName: root
     Type: 'AWS::IAM::Role'
@@ -2108,6 +2122,66 @@ Resources:
                 - BucketArn: !GetAtt AuditTrailBucket.Arn
 {{- end }}
 
+  SessionManagerLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      LogGroupName: "SessionManagerLogGroup-{{accountID .Cluster.InfrastructureAccount}}"
+      RetentionInDays: 30
+
+  SessionManagerPreferencesDocument:
+    Type: AWS::SSM::Document
+    Properties:
+      UpdateMethod: NewVersion
+      Name: SSM-SessionManagerRunShell
+      DocumentFormat: YAML
+      DocumentType: Session
+      Content:
+        schemaVersion: '1.0'
+        description: Document to hold regional settings for Session Manager
+        sessionType: Standard_Stream
+        inputs:
+          cloudWatchLogGroupName: !Ref SessionManagerLogGroup
+          cloudWatchEncryptionEnabled: false
+          cloudWatchStreamingEnabled: true
+          runAsEnabled: false
+          idleSessionTimeout: '20'
+          shellProfile:
+            linux: 'bash'
+
+  SessionManagerSubscriptionFilter:
+    Type: AWS::Logs::SubscriptionFilter
+    Properties:
+      LogGroupName: !Ref SessionManagerLogGroup
+      RoleArn: !GetAtt SessionManagerSubscriptionFilterRole.Arn
+      FilterName: "SessionManagerSubscriptionFilter-{{accountID .Cluster.InfrastructureAccount}}"
+      FilterPattern: ""
+      DestinationArn: "{{.Cluster.ConfigItems.session_manager_destination_arn}}"
+
+  SessionManagerSubscriptionFilterRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service:
+                - logs.amazonaws.com
+            Action:
+              - "sts:AssumeRole"
+      Path: /
+      Policies:
+        - PolicyName: root
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - "logs:PutLogEvents"
+                Resource:
+                  - !GetAtt SessionManagerLogGroup.Arn
+      RoleName: "SessionManagerSubscriptionFilterRole"
+
   AWSNodeDecommissionerIAMRole:
     Type: 'AWS::IAM::Role'
     Properties:

delivery.yaml

@@ -105,6 +105,11 @@ pipeline:
               secretKeyRef:
                 name: kubernetes-e2e-config-secret
                 key: "AUDITTRAIL_ROOT_ACCOUNT_ROLE"
+          - name: SESSION_MANAGER_DESTINATION_ARN
+            valueFrom:
+              secretKeyRef:
+                name: kubernetes-e2e-config-secret
+                key: "SESSION_MANAGER_DESTINATION_ARN"
           - name: APISERVER_BUSINESS_PARTNER_IDS
             valueFrom:
               secretKeyRef:

test/e2e/apply/secret.yaml

@@ -18,3 +18,4 @@ data:
   ETCD_CLIENT_CA_KEY: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwHWyDkwaYDmxRgfUvn0YVYKAAAJKDCCCSQGCSqGSIb3DQEHBqCCCRUwggkRAgEAMIIJCgYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzBVMiL27+lwcxLKPcCARCAggjbcFg+L58f3iKzwl4YYktzv8yJyC6uYvXylIzz8SOqaSLO4w+7Oxd/eeBgTchz4w8OgpgY13xOEr2SXPme21sbLuAtBX/Iwj7wJZwUrf+R847jkvgIUTmOSi6M5FNJsA/JlHpfvhnMbv98MKerNdfQPJb2xmnScxAWp8a6iWtWZK/xmtFopKeciuaW8zaofOzU/4aI3FO7wnEmWj9d3NOqSCHx5/RYZHi0XDNe2zRShnGATgnx9NE7lBEFHnX5w0Q5+WSOLJVjX5vbuL9tnFz+erbT/KXCgY8yla6vtyN+QbXtBA8dwhiRk5y4d2OGTHfl4QHcdvziOWuP08hN074JQ5rJJj2oHKMArxkYmOEnBy6Pv+f2f3rRlvGDpbsY4cDrlM2BkUr8Om7q6PktK63vUPLhjJcXVGqXxV5BTvMvxtspjQSpwWIyPY0w7DWwoR0TxrnYX5bbDsqd2J/fW3r3Ijau9iVw606Lkh6Bf3EkV3fnvoNrFJPnVUKTTaoWxfRd+5iANXzktB6CgQlgivFj4LNMLlOZdEX7NuOwYgJbmk5aM1/BaVuQmwaQbZNl/9vkY6TcLV5ViMHYGyH4IcVsgSRQzjQFqTaN33Psunl2dHq8WHE//VXkDIW9Ue4f1Hm2miKynJBa1sh8k0aZjlCIxPd1Tw0bJOCKhLLixgU6cFWwGjRjlTdjY3fe30UBtGGwmrXVg0SzhTOioQgp3PAa7fsAbdDztZh6NPDBR6ptZbeQXNgIhs3C5L7AJvONmyyw8Q3IRwWM9+AmAa6VlZmUnaoXSM7wsVabq+K8eWnUmlaIrxrA2B9WmWCHERcHmBYDotXaWTIEc6YE5b49C0xgDXPiL2n43LKSfyx7yKuKlrHRlg0UiNSIheRRobwXWfCJnEDbQlH+WTGXCCsBo86phpAWkTN9Xn46wB5sHVSmu98uyma4jb8GZLyxizB6kNghJhsEejVb0QkQLTqgJHQPzValXGgRp0GO49AwdG+FLMlb0LqykftCodD15In7eauv4mJsUIeBQZ0ccrA0k6GM3lK0H8XA+qsY+VzOTZ8ov6pVgFAh2QUAD2pgWHbfvld5Hc+oLzGO3YhY82AQ/7UAYt+FvLYm1iAX+5dX1BIYR3eBo+bqSWhSvg5KofpgSNF45/45XI0ui02jtB0pcRZJcHVmdnP8nA51Qfnj/GBrxCck3rnMV6rURQ42UoXsk6ifATQgyJlwe3Na15g3hP7WqWRtNq1YGFSUU1FGS9wzvuM2nXq0dTtJzNvJ950gr0/j5N25da1TGITqaB7YA31QJh7ZYtICiS1vYscw7fZgh2I81a5y9QttXHOOquu62dHaFS5YclDR00PnLyjWOzd0uKhJUHEE8w6tPVPFOOAoLn3bXUwlOxVrqEdow5dnF0LBqeNqMLJyIn933YGZBUjrI2fuSYzOtGXz1xglgWZCfoB23t6pXouj/AMogb6zDiJN8clXPhhk7f/i7uitdTloZblKtJeKe0dJOm1U/uA+OYZ8yYT777F84iOBwqDFHdx/ZnPkFljJGXGXzkTDvBJYulAdmiFqUrMsEAdTxnRcBys099mI5mX114WeFzcnvkrGlgXcrm7QY5xBiZyVHSnKdhWWHA4MxS1CtQ1Gzm7mad1FpGcCKOVyqfuv417IdiAwZoxRAC1mxcI4ZTdDJ/SPPE7wDdlSN9BChc0UAEJMkqEYZTUpr2PuFETBg2IUBe4jrtfvmGtmQPC8hpPrXXUdbOyhRSPMmvKQ4ZweXd/8tBJKrRGefy63rb5S0zghkuDcXKj2svi0GnEyr2p+z1LEKgBLaU4MvNRFBgum7cs3BRmZiVKML87f1HI3IrPs4+gtATfZ515zE3/1xbKyGOP9pOuaZfD8hBxcey8Ofb3g1AVEoB0n5chQP/yN/uGrUvwBIrUGB59StZus5ZEOusFuk82xBzu4UsmzA+SngThqWlxwygAz/U1ywlCNN9eh6yOaPCBL6lLZLH6GzqsgB/tcXZW11UnP3HXKOvYlRdEMoYkuBpanfRAD+LbbC5RT15eL2ckyUFVKX18u5s9p16FaaoSlK6KIhH6/FQBxF+wY7DMsqRoWpftt1sv70LkBNq/ZBKVTISbIxSmJjPvm++G0Y6eJfrRxE4bCGMSfoAoyK9r56KTU5uqMMOV5dhURjgc6aw8oLR+f1yskqFFuSob/ZGpCbzRb1ksE2z1zm5L7j5cY5KYlNouwMnXMVqvdpB6jbXDxg4f9HFuz4vGxWPJn244Fb0xkQ4jBHwFPlq66zvGMu6MhnqCkibU4am+vjvsg+mny+/Bau9LETkg+JI8iPon/rLTj9ZdicIV0p5aqTaHzMas7uLC9NAO4KhBKMXCfXPj4n0qoYFMTU6YibR8IpaGSctVkISnufiVJQEZ/7ZOeGrKUlTbTpNucRVdleudYX13TrRvAVwzHHTY1Wz/WUMUJBKZAj+mjplW2NkbQCyq1SINJLdWrPeiRRAuxdG1c5+YtpqQQJPWxve71MGj1H4//0daPxlkOw6oujmqqSa1T5VxZO2cawOKqc5oCW8Lv/FkX+YtJ1O/Bu6lN3NOpX8azvmlv5lF1i9dTaegsJ2O0yaeka5hIuLB4EpF+8EgA5HPtMPTv3kMCsm+WiUUR3pjTE/RZ8ipkqe1h8yMHPstPWS3B4Rk6/BBiLZD65B6qxccVAU+ySbk33IMOeUqOsSgRLwat0ZUReMI7ug6yykzVVkm7aK5yxIAzvFQOSs7WBo/mpQRCmjV5c0uW/UUMeJ6Fww+isKYRTfogDuAZXhcRqmbBMX9XFcHzCFJz4W9XIqIQPeBIK3Tw+E/suDqj55SCOi/z228A64Jb1K/QxXW5Ee5gSXuOEtFKuwxFBMZuW1FU0OCGB7eFkKoGZMt5HVIhCAlgas579Kbr6Jmx+WMt8WC/ceJ8QlBReYvaDPkH21UYTDpon3gr0wH01cMwLomsqnYmA9cRPl5X1icNeh7yodneWB0mLTTlc048DY3d2hkBXwHMhwWsfuw="
   ETCD_SCALYR_KEY: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwETRzvm1hGplyUn23FEXUVtAAAAnjCBmwYJKoZIhvcNAQcGoIGNMIGKAgEAMIGEBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDOfPJJJy60sDkZEIHgIBEIBXiANNciEqpcuZ3hFPCt6NkFtk0WBTSasDQHHbyuR8O+n5iM9k8/nUTLUrFlhba8blArq/ALE8vuKNdlS17q6PxGlvwJFFXQn/McohMpdyfnfQYKW8MPCu"
   OKTA_AUTH_ISSUER_URL: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwGmCMhSN2Er1sw2ofYnI44EAAAApDCBoQYJKoZIhvcNAQcGoIGTMIGQAgEAMIGKBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDO2IC+r/zcUzXoQEHAIBEIBdrFchwu9i7LpMbyDbslu/lBxvfyh+nCGK33jtcxT3RdxuTXWuSJhkX+gU4cgFXAI5LLnXh4M20jHUEEPU78MJWR47HLTPGPJcKQj5fOpPqpD3duuKIrZDRm5ba6AN"
+  SESSION_MANAGER_DESTINATION_ARN: "deployment-secret:2:stups-test:AQICAHjXIrc66g/+P4X1Gl4MKcInWmwpFxivAqFGMI0fr9DvCwF7fOZ9i6BDvWdNEddR7LZOAAAArjCBqwYJKoZIhvcNAQcGoIGdMIGaAgEAMIGUBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDBJwU/Zns+mzOBgczQIBEIBn/86xpnVO2Apr5nG3waPEAGCFYDWdOXcaS7pFKdNIhpXaADtODQtEd874HcE0W2I3bjKr3d3ghJFdN8r0BZiSmTbgc0fn+5ZiBTyGBfzWP4BCzxjRMvURl/7MX8ygwL78hpSxyRypAQ=="

test/e2e/cluster_config.sh

@@ -11,6 +11,7 @@ clusters:
     zmon_root_account_role: ${ZMON_ROOT_ACCOUNT_ROLE}
     experimental_new_etcd_stack: "true"
     audittrail_root_account_role: ${AUDITTRAIL_ROOT_ACCOUNT_ROLE}
+    session_manager_destination_arn: ${SESSION_MANAGER_DESTINATION_ARN}
     apiserver_etcd_prefix: /registry-${LOCAL_ID}
     apiserver_business_partner_ids: ${APISERVER_BUSINESS_PARTNER_IDS}
     etcd_s3_backup_bucket: zalando-kubernetes-etcd-${AWS_ACCOUNT}-${REGION}