Fix iam permissions to access session recordings (#28)

Also adjusted variable defaults As per gravitational/teleport#3095
skyscrapers · Oct 22, 2019 · a20d2bf · a20d2bf
1 parent 3c65424
commit a20d2bf
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -103,9 +103,9 @@ These are the requirements to apply this module:
 | allowed_web_cidr_blocks | CIDR blocks that are allowed to access the web interface of the `proxy` server | list(string) | `["0.0.0.0/0"]` | no |
 | ami_id | AMI id for the EC2 instance | string | `""` | no |
 | environment | The environment where this setup belongs to. Only for naming reasons | string | - | yes |
-| instance_type | Instance type for the EC2 instance | string | `"t2.small"` | no |
-| key_name | SSH key name for the EC2 instance | string | - | yes |
-| letsencrypt_email | Email to use to register to letsencrypt | string | `"[email protected]"` | no |
+| instance_type | Instance type for the EC2 instance | string | `"t3.small"` | no |
+| key_name | SSH key name for the EC2 instance | string | `null` | no |
+| letsencrypt_email | Email to use to register to letsencrypt | string | - | yes |
 | project | A project where this setup belongs to. Only for naming reasons | string | - | yes |
 | r53_zone | The Route53 zone where to add the Teleport DNS record | string | - | yes |
 | root_vl_delete | Whether the root volume of the EC2 instance should be destroyed on instance termination | bool | `true` | no |

diff --git a/teleport-server/iam.tf b/teleport-server/iam.tf
@@ -24,7 +24,7 @@ EOF
 }
 
 resource "aws_iam_role_policy" "policy" {
-  role = aws_iam_role.role.id
+  role   = aws_iam_role.role.id
   policy = data.aws_iam_policy_document.teleport.json
 }
 
@@ -64,8 +64,10 @@ data "aws_iam_policy_document" "teleport" {
     resources = [
       "arn:aws:dynamodb:${data.aws_region.current.name}:*:table/${local.teleport_dynamodb_table}",
       "arn:aws:dynamodb:${data.aws_region.current.name}:*:table/${local.teleport_dynamodb_table}/*", # also allow operations on the table indexes
+      "arn:aws:dynamodb:${data.aws_region.current.name}:*:table/${local.teleport_dynamodb_table}/stream/*",
       "arn:aws:dynamodb:${data.aws_region.current.name}:*:table/${local.teleport_dynamodb_table}_events",
       "arn:aws:dynamodb:${data.aws_region.current.name}:*:table/${local.teleport_dynamodb_table}_events/*", # also allow operations on the table indexes
+      "arn:aws:dynamodb:${data.aws_region.current.name}:*:table/${local.teleport_dynamodb_table}_events/stream/*",
     ]
   }
 
@@ -92,8 +94,9 @@ data "aws_iam_policy_document" "teleport" {
     sid = "S3EventAccess"
 
     actions = [
-      "s3:Get*",
-      "s3:Put*",
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:GetObjectVersion"
     ]
 
     resources = [
@@ -106,6 +109,7 @@ data "aws_iam_policy_document" "teleport" {
 
     actions = [
       "s3:ListBucket",
+      "s3:ListBucketVersions"
     ]
 
     resources = [

diff --git a/teleport-server/variables.tf b/teleport-server/variables.tf
@@ -16,6 +16,7 @@ variable "subnet_id" {
 variable "key_name" {
   type        = string
   description = "SSH key name for the EC2 instance"
+  default     = null
 }
 
 variable "r53_zone" {
@@ -44,13 +45,12 @@ variable "teleport_dynamodb_table" {
 variable "instance_type" {
   type        = string
   description = "Instance type for the EC2 instance"
-  default     = "t2.small"
+  default     = "t3.small"
 }
 
 variable "letsencrypt_email" {
   type        = string
   description = "Email to use to register to letsencrypt"
-  default     = "[email protected]"
 }
 
 variable "teleport_log_output" {