A Terraform module for setting up and configuring logging for AWS Session Manager access in an AWS account. After applying this module users can create the following types of sessions:
- Interactive command sessions
- Non-interactive command sessions
- Port forwarding sessions
- Port forwarding to socket sessions
- Shell sessions
## Usage

```hcl
module "example" {
  source = "github.com/cisagov/session-manager-tf-module"
}
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.1 |
| aws | >= 4.9 |
## Providers

| Name | Version |
|---|---|
| aws | >= 4.9 |
## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| aws_cloudwatch_log_group.ssm_sessions | resource |
| aws_iam_policy.ssm_session_policy | resource |
| aws_iam_role.ssm_session_role | resource |
| aws_iam_role_policy_attachment.ssm_session_policy_attachment | resource |
| aws_ssm_document.session_manager_preferences | resource |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.assume_role_doc | data source |
| aws_iam_policy_document.ssm_session_doc | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_region | The AWS region to deploy into (e.g. us-east-1). | `string` | `"us-east-1"` | no |
| cloudwatch_log_group_name | The name of the log group into which session logs are to be uploaded. | `string` | `"/ssm/session-logs"` | no |
| cloudwatch_log_group_retention | The number of days that SSM session logs will be retained in CloudWatch. | `number` | `365` | no |
| linux_shell_profile | The shell setup to run when connecting to a Linux instance. Note that this string cannot be empty. | `string` | `"exec bash; cd"` | no |
| other_accounts | A list of account IDs, each of which corresponds to an account to which access to the IAM role that allows creation of SSM Session Manager sessions to any EC2 instance in this account will be delegated. | `list(string)` | `[]` | no |
| ssm_session_role_description | The description to associate with the IAM role (and policy) that allows creation of SSM Session Manager sessions to any EC2 instance in this account. | `string` | `"Allows creation of SSM Session Manager sessions to any EC2 instance in this account."` | no |
| ssm_session_role_name | The name to assign the IAM role (and policy) that allows creation of SSM Session Manager sessions to any EC2 instance in this account. | `string` | `"StartStopSSMSession"` | no |
| windows_shell_profile | The shell setup to run when connecting to a Windows instance. Note that this string cannot be empty. | `string` | `"date"` | no |
## Outputs

| Name | Description |
|---|---|
| ssm_document | The SSM document that can be used to create SSM Session Manager sessions in this account. |
| ssm_session_log_group | The CloudWatch log group where SSM session logs will be stored. |
| ssm_session_role | The IAM role that allows creation of SSM Session Manager sessions to any EC2 instance in this account. Users will assume this role in order to create sessions to EC2 instances. |
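The following configuration is an added example and is not part of the module's README or the cisagov project's own code. It ties the inputs and outputs above together: the module is called with non-default values (shorter log retention, one delegated account) and the `ssm_session_role` output is then granted to an IAM group in that delegated account, which is the cross-account path the `other_accounts` input exists for. It assumes that the `ssm_session_role` and `ssm_document` outputs expose the underlying Terraform resources (so `.arn` and `.name` resolve), that a provider alias for the delegated account can be configured, and that the group `ssm-session-users` already exists there; the account ID is a placeholder.

```hcl
# Added example, not the module's own code. Account IDs are placeholders.

# Account that owns the EC2 instances and receives the session logs.
provider "aws" {
  region = "us-east-1"
}

# Account whose users will be delegated access (placeholder ID and role).
provider "aws" {
  alias  = "users"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/Terraform"
  }
}

module "session_manager" {
  source = "github.com/cisagov/session-manager-tf-module"

  aws_region                     = "us-east-1"
  cloudwatch_log_group_name      = "/ssm/session-logs"
  cloudwatch_log_group_retention = 90 # days; module default is 365
  linux_shell_profile            = "exec bash; cd"
  windows_shell_profile          = "date"
  other_accounts                 = ["111111111111"] # placeholder account ID
  ssm_session_role_name          = "StartStopSSMSession"
}

# In the delegated account, allow an existing group to assume the session
# role.  Assumption: the ssm_session_role output is the aws_iam_role
# resource, so .arn is available.
data "aws_iam_policy_document" "assume_ssm_session_role" {
  provider = aws.users

  statement {
    actions   = ["sts:AssumeRole"]
    resources = [module.session_manager.ssm_session_role.arn]
  }
}

resource "aws_iam_policy" "assume_ssm_session_role" {
  provider    = aws.users
  name        = "AssumeStartStopSSMSession"
  description = "Allows assuming the role that starts logged SSM Session Manager sessions in the instance account."
  policy      = data.aws_iam_policy_document.assume_ssm_session_role.json
}

resource "aws_iam_group_policy_attachment" "ssm_session_users" {
  provider   = aws.users
  group      = "ssm-session-users" # assumed to already exist
  policy_arn = aws_iam_policy.assume_ssm_session_role.arn
}

# Surface the document name so operators know which document gives them a
# session that is written to the configured log group.  Assumption: the
# ssm_document output is the aws_ssm_document resource, so .name is available.
output "session_document_name" {
  description = "SSM document to pass as --document-name when starting a session."
  value       = module.session_manager.ssm_document.name
}
```

The retention value is the main knob to tune for audit requirements; 90 days is used here only to show the input being overridden, and the module's 365-day default is the safer starting point for an account where session transcripts serve as an access record.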
## Notes

Running `pre-commit` requires running `terraform init` in every directory that contains Terraform code. In this repository, these are the main directory and every directory under `examples/`.
## Contributing

We welcome contributions! Please see `CONTRIBUTING.md` for details.
## License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.