Added IAM role session duration (#9)

* Added IAM role session duration

* Added IAM role session duration

* Added descriptions

* Update README

* Update README

.gitignore

@@ -7,3 +7,8 @@
 
 .idea
 *.iml
+
+.envrc
+
+.build-harness
+build-harness

Makefile

@@ -1,6 +1,10 @@
 SHELL := /bin/bash
 
+# List of targets the `readme` target should call before generating the readme
+export README_DEPS ?= docs/targets.md docs/terraform.md
+
 -include $(shell curl -sSL -o .build-harness "https://git.io/build-harness"; echo .build-harness)
 
+## Lint terraform code
 lint:
-	$(SELF) terraform:install terraform:get-modules terraform:get-plugins terraform:lint terraform:validate
+	$(SELF) terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate

README.yaml

@@ -0,0 +1,74 @@
+---
+#
+# This is the canonical configuration for the `README.md`
+# Run `make readme` to rebuild the `README.md`
+#
+
+# Name of this project
+name: terraform-aws-teleport-storage
+
+# Tags of this project
+tags:
+  - aws
+  - terraform
+  - terraform-modules
+  - kubernetes
+  - teleport
+
+# Logo for this project
+#logo: docs/logo.png
+
+# License of this project
+license: "APACHE2"
+
+# Canonical GitHub repo
+github_repo: cloudposse/terraform-aws-teleport-storage
+
+# Badges to display
+badges:
+  - name: "Codefresh Build Status"
+    image: "https://g.codefresh.io/api/badges/pipeline/cloudposse/terraform-modules%2Fterraform-aws-teleport-storage?type=cf-1"
+    url: "https://g.codefresh.io/public/accounts/cloudposse/pipelines/5d04407b1fc622c0cf6d3df8"
+  - name: "Latest Release"
+    image: "https://img.shields.io/github/release/cloudposse/terraform-aws-teleport-storage.svg"
+    url: "https://github.com/cloudposse/terraform-aws-teleport-storage/releases/latest"
+  - name: "Slack Community"
+    image: "https://slack.cloudposse.com/badge.svg"
+    url: "https://slack.cloudposse.com"
+
+# Short description of this project
+description: |-
+  This Terraform module provisions:
+
+    * An S3 bucket for session logs in Gravitational [Teleport](https://gravitational.com/teleport)
+    * 2 DynamoDB tables to use as storage backend in Teleport
+
+  ## Features
+
+  Using DynamoDB as a storage backend allows highly available deployments of Teleport Auth services.
+
+  Using S3 for Teleport session storage has many advantages:
+
+  * Encryption at rest
+  * Versioned objects
+  * Lifecycle Support to expunge old sessions (e.g. after 2 years)
+  * Extreme Availability & Durability
+  * Zero Maintenance
+  * Glacier
+  * Cross Region Replication
+  * S3 Bucket could be owned by tamper-proof AWS Audit Account
+  * Easily prevent deletions
+  * Audit Trails, Access Logs via Cloud Trails
+
+include:
+  - "docs/targets.md"
+  - "docs/terraform.md"
+
+# Contributors to this project
+contributors:
+  - name: "Erik Osterman"
+    github: "osterman"
+  - name: "Andriy Knysh"
+    github: "aknysh"
+  - name: "Igor Rodionov"
+    github: "goruha"

docs/targets.md

@@ -0,0 +1,10 @@
+## Makefile Targets
+```
+Available targets:
+
+  help                                Help screen
+  help/all                            Display help for all targets
+  help/short                          This help short screen
+  lint                                Lint terraform code
+
+```

docs/terraform.md

@@ -0,0 +1,34 @@
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| attributes | Additional attributes (e.g. `policy` or `role`) | list | `<list>` | no |
+| autoscale_max_read_capacity | DynamoDB autoscale read max capacity | string | `100` | no |
+| autoscale_max_write_capacity | DynamoDB autoscale write max capacity | string | `100` | no |
+| autoscale_min_read_capacity | DynamoDB autoscale read min capacity | string | `10` | no |
+| autoscale_min_write_capacity | DynamoDB autoscale write min capacity | string | `10` | no |
+| autoscale_read_target | DynamoDB autoscale read target | string | `50` | no |
+| autoscale_write_target | DynamoDB autoscale write target | string | `50` | no |
+| delimiter | Delimiter to be used between `name`, `namespace`, `stage`, etc. | string | `-` | no |
+| expiration_days | Number of days after which to expunge the objects | string | `90` | no |
+| glacier_transition_days | Number of days after which to move the data to the glacier storage tier | string | `60` | no |
+| iam_role_max_session_duration | The maximum session duration (in seconds) for the role. Can have a value from 1 hour to 12 hours | string | `3600` | no |
+| name | Name  (e.g. `bastion` or `db`) | string | - | yes |
+| namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
+| prefix | S3 bucket prefix | string | `` | no |
+| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
+| standard_transition_days | Number of days to persist in the standard storage tier before moving to the glacier tier | string | `30` | no |
+| tags | Additional tags (e.g. map('BusinessUnit`,`XYZ`) | map | `<map>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| dynamodb_audit_table_arn | DynamoDB audit table ARN |
+| dynamodb_audit_table_id | DynamoDB audit table id |
+| dynamodb_state_table_arn | DynamoDB state table ARN |
+| dynamodb_state_table_id | DynamoDB state table id |
+| s3_bucket_arn | Session storage S3 bucket ARN |
+| s3_bucket_domain_name | Session storage S3 bucket domain name |
+| s3_bucket_id | Session storage S3 bucket id |
+

dynamodb.tf

@@ -107,6 +107,8 @@ data "aws_iam_policy_document" "dynamodb" {
 resource "aws_iam_role" "dynamodb" {
   name               = "${module.label_dynamodb.id}"
   assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+
+  max_session_duration = "${var.iam_role_max_session_duration}"
 }
 
 resource "aws_iam_policy" "dynamodb" {

outputs.tf

@@ -1,27 +1,34 @@
 output "s3_bucket_id" {
-  value = "${module.s3_bucket.bucket_id}"
+  value       = "${module.s3_bucket.bucket_id}"
+  description = "Session storage S3 bucket id"
 }
 
 output "s3_bucket_domain_name" {
-  value = "${module.s3_bucket.bucket_domain_name}"
+  value       = "${module.s3_bucket.bucket_domain_name}"
+  description = "Session storage S3 bucket domain name"
 }
 
 output "s3_bucket_arn" {
-  value = "${module.s3_bucket.bucket_arn}"
+  value       = "${module.s3_bucket.bucket_arn}"
+  description = "Session storage S3 bucket ARN"
 }
 
 output "dynamodb_audit_table_id" {
-  value = "${module.dynamodb_audit_table.table_id}"
+  value       = "${module.dynamodb_audit_table.table_id}"
+  description = "DynamoDB audit table id"
 }
 
 output "dynamodb_audit_table_arn" {
-  value = "${module.dynamodb_audit_table.table_arn}"
+  value       = "${module.dynamodb_audit_table.table_arn}"
+  description = "DynamoDB audit table ARN"
 }
 
 output "dynamodb_state_table_id" {
-  value = "${module.dynamodb_state_table.table_id}"
+  value       = "${module.dynamodb_state_table.table_id}"
+  description = "DynamoDB state table id"
 }
 
 output "dynamodb_state_table_arn" {
-  value = "${module.dynamodb_state_table.table_arn}"
+  value       = "${module.dynamodb_state_table.table_arn}"
+  description = "DynamoDB state table ARN"
 }

s3.tf

@@ -54,6 +54,8 @@ data "aws_iam_policy_document" "s3" {
 resource "aws_iam_role" "s3" {
   name               = "${module.label_s3.id}"
   assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+
+  max_session_duration = "${var.iam_role_max_session_duration}"
 }
 
 resource "aws_iam_policy" "s3" {

variables.tf

@@ -56,25 +56,36 @@ variable "expiration_days" {
 }
 
 variable "autoscale_write_target" {
-  default = 50
+  default     = 50
+  description = "DynamoDB autoscale write target"
 }
 
 variable "autoscale_read_target" {
-  default = 50
+  default     = 50
+  description = "DynamoDB autoscale read target"
 }
 
 variable "autoscale_min_read_capacity" {
-  default = 10
+  default     = 10
+  description = "DynamoDB autoscale read min capacity"
 }
 
 variable "autoscale_max_read_capacity" {
-  default = 100
+  default     = 100
+  description = "DynamoDB autoscale read max capacity"
 }
 
 variable "autoscale_min_write_capacity" {
-  default = 10
+  default     = 10
+  description = "DynamoDB autoscale write min capacity"
 }
 
 variable "autoscale_max_write_capacity" {
-  default = 100
+  default     = 100
+  description = "DynamoDB autoscale write max capacity"
+}
+
+variable "iam_role_max_session_duration" {
+  default     = 3600
+  description = "The maximum session duration (in seconds) for the role. Can have a value from 1 hour to 12 hours"
 }