gravitational · hugoShaka · Apr 26, 2024 · Apr 4, 2024
diff --git a/examples/athena/README.md b/examples/athena/README.md
@@ -0,0 +1,43 @@
+## Athena Teleport Backend  IaC Setup
+This directory contains the IaC setup for the Athena Teleport Backend and Athena Access Monitoring.
+
+#### Configuration for Athena Audit Events Teleport Backend
+
+```bash
+cat > variables.auto.tfvars << EOF
+aws_region            = "eu-central-1"
+sns_topic_name        = "example-sns_topic"
+sqs_queue_name        = "example-sns_queue"
+sqs_dlq_name          = "example-sns_dlq"
+kms_key_alias         = "example-kms_key"
+long_term_bucket_name = "example-long-term-bucket"
+transient_bucket_name = "example-transient-bucket"
+database_name         = "example_db"
+table_name            = "example_table"
+workgroup             = "example_workgroup"
+EOF
+```
+
+#### Configuration for Teleport Audit Event Backend and Athena Access Monitoring
+
+```bash
+cat > variables.auto.tfvars << EOF
+aws_region            = "eu-central-1"
+sns_topic_name        = "example-sns_topic"
+sqs_queue_name        = "example-sns_queue"
+sqs_dlq_name          = "example-sns_dlq"
+kms_key_alias         = "example-kms_key"
+long_term_bucket_name = "example-long-term-bucket"
+transient_bucket_name = "example-transient-bucket"
+database_name         = "example_db"
+table_name            = "example_table"
+workgroup             = "example_workgroup"
+
+access_monitoring                               = true
+access_monitoring_prefix                        = "example_"
+access_monitoring_trusted_relationship_role_arn = "arn:aws:iam::123456789012:role/example-teleport-role"
+EOF
+```
+
+
+where `access_monitoring_trusted_relationship_role_arn` can be omitted. Terraform Access Monitoring setup will use the current caller identity role arn as the trusted relationship role arn.
diff --git a/examples/athena/accessmonitoring.tf b/examples/athena/accessmonitoring.tf
@@ -0,0 +1,135 @@
+resource "aws_iam_role" "access_monitoring_role" {
+  count = var.access_monitoring ? 1 : 0
+  name  = "${var.access_monitoring_prefix}AccessMonitoringRole"
+  assume_role_policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Sid" : "IamPrincipal",
+        "Effect" : "Allow",
+        "Principal" : {
+          "AWS" : [
+            var.access_monitoring_trusted_relationship_role_arn != "" ? var.access_monitoring_trusted_relationship_role_arn : data.aws_caller_identity.current.arn
+          ]
+        },
+        "Action" : [
+          "sts:AssumeRole",
+          "sts:TagSession"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "role_policy_attachment" {
+  count      = var.access_monitoring ? 1 : 0
+  role       = aws_iam_role.access_monitoring_role[0].name
+  policy_arn = aws_iam_policy.access_monitoring_policy[0].arn
+}
+
+resource "aws_iam_policy" "access_monitoring_policy" {
+  count  = var.access_monitoring ? 1 : 0
+  name   = "${var.access_monitoring_prefix}AccessMonitoringPolicy"
+  path   = "/"
+  policy = data.aws_iam_policy_document.access_monitoring_policy[0].json
+}
+
+resource "aws_athena_workgroup" "access_monitoring_workgroup" {
+  count         = var.access_monitoring ? 1 : 0
+  name          = "${var.access_monitoring_prefix}access_monitoring_workgroup"
+  force_destroy = true
+  configuration {
+    publish_cloudwatch_metrics_enabled = true
+    bytes_scanned_cutoff_per_query     = 322122547200
+    engine_version {
+      selected_engine_version = "Athena engine version 3"
+    }
+    result_configuration {
+      output_location = format("s3://%s/results", aws_s3_bucket.transient_storage.bucket)
+      encryption_configuration {
+        encryption_option = "SSE_KMS"
+        kms_key_arn       = aws_kms_key.audit_key.arn
+      }
+    }
+  }
+  tags = {
+    Name = "${var.access_monitoring_prefix}access_monitoring_workgroup"
+  }
+}
+
+data "aws_iam_policy_document" "access_monitoring_policy" {
+  count = var.access_monitoring ? 1 : 0
+  statement {
+    actions = [
+      "s3:ListBucketMultipartUploads",
+      "s3:GetBucketLocation",
+      "s3:ListBucketVersions",
+      "s3:ListBucket"
+    ]
+    resources = [
+      aws_s3_bucket.transient_storage.arn,
+      aws_s3_bucket.long_term_storage.arn,
+    ]
+  }
+  statement {
+    actions = [
+      "s3:GetObject",
+      "s3:GetObjectVersion",
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.long_term_storage.arn}/report_results/*",
+      "${aws_s3_bucket.transient_storage.arn}/results/*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "s3:ListMultipartUploadParts",
+      "s3:GetObjectVersion",
+      "s3:GetObject",
+      "s3:AbortMultipartUpload"
+    ]
+    resources = [
+      "${aws_s3_bucket.transient_storage.arn}/results/*",
+      "${aws_s3_bucket.long_term_storage.arn}/events/*",
+      "${aws_s3_bucket.long_term_storage.arn}/report_results/*"
+    ]
+  }
+  statement {
+    actions = [
+      "glue:GetTable",
+      "athena:StartQueryExecution",
+      "athena:GetQueryResults",
+      "athena:GetQueryExecution"
+    ]
+    resources = [
+      aws_glue_catalog_table.audit_table.arn,
+      aws_glue_catalog_database.audit_db.arn,
+      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog",
+      aws_athena_workgroup.access_monitoring_workgroup[0].arn,
+    ]
+  }
+  statement {
+    actions = [
+      "kms:GenerateDataKey",
+      "kms:Decrypt"
+    ]
+    resources = [
+      aws_kms_key.audit_key.arn,
+    ]
+  }
+}
+
+data "aws_region" "current" {}
+
+output "access_monitoring_configuration" {
+  value = var.access_monitoring ? replace(yamlencode({
+    "access_monitoring" : {
+      enabled : true,
+      role_arn : aws_iam_role.access_monitoring_role[0].arn,
+      report_results : format("s3://%s/report_results", aws_s3_bucket.long_term_storage.bucket),
+      workgroup : aws_athena_workgroup.access_monitoring_workgroup[0].name
+    }
+  }), "\"", "") : null
+}
diff --git a/examples/athena/variables.tf b/examples/athena/variables.tf
@@ -69,3 +69,19 @@ variable "search_event_limiter_amount" {
   description = "Number of tokens added to the bucket during specific interval for rate limit used on top of search event API"
   default     = 5
 }
+
+variable "access_monitoring_trusted_relationship_role_arn" {
+  description = "AWS Role ARN that will be used to configure trusted relationship between provided role and Access Monitoring role allowing to assume Access Monitoring role by the provided role"
+  default     = ""
+}
+
+variable "access_monitoring" {
+  description = "Enabled Access Monitoring"
+  type        = bool
+  default     = false
+}
+
+variable "access_monitoring_prefix" {
+  description = "Prefix for resources created by Access Monitoring"
+  default     = ""
+}