Enable session recording with S3-compatible storage

25min
|
HCP
Terraform
Boundary

Deployment

Boundary 0.16 added SSH session recording support using the MinIO storage backend. This support enables users who want to integrate an S3-compatible storage backend for monitoring Boundary session activity. Session recording is available for HCP Boundary Plus and Boundary Enterprise users, and provides insight into user actions over remote SSH sessions to meet regulatory requirements for organizations and prevent malicious behavior. Administrators can enable session recording on SSH targets in their Boundary environment and replay recordings back within the Boundary admin UI.

The MinIO plugin is S3 compatible and enables session recording for other Amazon S3 compatible storage providers, such as Hitachi Object Storage.

This tutorial demonstrates enabling SSH session recording using MinIO as the storage backend and Boundary's native credential management features.

Tutorial overview

Prerequisites

Note

This tutorial was tested on in August 2024 using macOS 14.5, and in the Windows 11 Subsystem for Linux (WSL) with Ubuntu 20.04.

Before moving on, check that the following versions or greater are installed.

This tutorial recommends completing the HCP Boundary administration tutorials first. The learner should have a working Boundary cluster and org running on HCP, or a licensed Boundary Enterprise cluster.
Docker is installed (Note: Learners may also bring their own target, instead of using Docker)
A Boundary binary greater than 0.16.0 in your PATH
Terraform 0.14.9 or greater provides an optional workflow to complete the lab. The binary must be available in your PATH.
The jq utility is recommended to simplify the CLI workflow. It should be installed and in your PATH.
Installing the Boundary Desktop App provides an optional workflow for this tutorial. The 2.0.0 version or above is recommended.

Session recording background

A common requirement and challenge in highly regulated environments is having a system of record that archives actions taken on the network so that organizations can improve their security posture and enhance compliance.

Session recording allows administrators to get insight into user actions over remote SSH sessions to meet regulatory requirements for organizations and prevent malicious behavior. Administrators can enable session recording on SSH targets in their Boundary environment, store signed recordings in their storage bucket, and replay recordings back within the Boundary admin UI.

Recorded sessions get converted into a Boundary session recording (BSR) file, a binary file format and specification created to define the structure of Boundary recording files.

BSR files are designed to:

Support the recording of both multiplexed and non-multiplexed protocols
Allow recordings of independent byte streams in a session to be written in parallel
Support an optimal user experience during playback
Be extensible to support more protocols in the future

BSR contains all the data transmitted between a user and a target during a session and is available within your storage bucket. These files are signed to ensure they are tamper-proof.

SSH session recording is available as a part of the Plus tier in both HCP Boundary and Boundary Enterprise.

Get set up

The following components get configured in the lab environment for this tutorial:

HCP Boundary Plus or Boundary Enterprise cluster
MinIO storage bucket
SSH host
A worker instance to proxy & record your SSH session

Deploy an HCP Boundary Plus cluster

Session recording, credential injection, and SSH targets are features available in HCP Boundary Plus.

First, deploy an HCP Boundary cluster with the HCP Plus sku selected.

Launch the HCP Portal and login.
Select your organization and project. From within that project, select Boundary from the Services menu in the left navigation.
Click Deploy Boundary.
In the Instance Name text box, provide a name for your Boundary instance.
Under Choose a tier, select the Plus option to enable session recording.
Under the Create an administrator account section, enter the Username and Password for the initial Boundary administrator account.
Click Deploy. Wait for the instance to initialize before proceeding.

Note

The first 5 users for any HCP Boundary cluster are free, after which you are charged per additional user. You can delete the HCP Plus cluster after this tutorial without incurring any costs.

The following values will be used later on. Copy the Boundary Cluster URL from the HCP Boundary portal.

Boundary address: the BOUNDARY_ADDR variable
Boundary Cluster ID: the BOUNDARY_CLUSTER_ID variable
Boundary admin username: the BOUNDARY_USERNAME variable
Boundary admin password: the BOUNDARY_PASSWORD variable

Store these values in a safe location.

Note

The Boundary cluster ID is part of the Boundary address. For example, if your cluster URL is:

https://abcd1234-e567-f890-1ab2-cde345f6g789.boundary.hashicorp.cloud

Your cluster id is abcd1234-e567-f890-1ab2-cde345f6g789.

Next, click Open Admin UI.

Navigate to the Auth Methods page using the left navigation panel. Locate the password auth method, and copy its ID (such as ampw_AQSr776Hnm).

If you follow the Terraform workflow, you will use this value later on:

Boundary auth method ID: the BOUNDARY_AUTH_METHOD_ID variable

Deploy a target and worker

Deploy an open-ssh container as a target for Boundary.

Note

You may also bring your own target for this tutorial. You can follow this guide to create a publicly accessible EC2 instance to use for this tutorial. If using a privately accessible target for testing, you must deploy a Boundary worker with network access to the target.

Deploy the target

Ensure Docker is running, and then deploy an openssh container to use as a target.

$ docker run -d \
  --name openssh-server \
  -e USER_NAME=admin \
  -e PASSWORD_ACCESS=true \
  -e USER_PASSWORD=password \
  -p 2222:2222 \
  lscr.io/linuxserver/openssh-server:latest

Note that the username for the openssh server is admin, the password is password, and the target is available on your localhost at port 2222 (127.0.0.1:2222).

Export the openssh container password as an environment variable.

$ export OPENSSH_PASSWORD=password

Check that the container is running.

$ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}"
CONTAINER ID   NAMES            IMAGE                                       STATUS
6e63f8178576   openssh-server   lscr.io/linuxserver/openssh-server:latest   Up 20 seconds

Deploy a worker

Session recording requires HCP Boundary or Boundary Enterprise. This tutorial uses Docker to deploy a Boundary worker to provide access to the openssh target container.

When using this image as a worker with HCP Boundary or Boundary Enterprise, you do not need to provide the license using an environment variable or config, but the worker must connect with a licensed controller.

Create a new file in your working directory called config.hcl. Supply the hcp_boundary_cluster_id, which is the UUID in the HCP Boundary cluster URL.

Tip

If your cluster is configured for multi-hop sessions, add an upstream worker using initial_upstreams to the worker{} stanza.

config.hcl

hcp_boundary_cluster_id = "<YOUR_HCP_CLUSTER_ID>"

listener "tcp" {
  address = "127.0.0.1:9202"
  purpose = "proxy"
}

worker {
  public_addr = "minio-worker"
  auth_storage_path = "/boundary/minio-worker"
  recording_storage_path = "/tmp/boundary"
  tags {
    type = ["minio", "openssh"]
  }
}

Save the config file.

Open a new terminal and switch to the directory with the config.hcl file, then deploy the boundary-enterprise Docker container.

$ docker run \
  --network host \
  --hostname=minio-worker \
  -v "$(pwd)":/boundary/ \
  hashicorp/boundary-enterprise

The worker will start attempting to connect to the controller.

Scroll to the top of the output and copy the Worker Auth Registration Request value.

You can register the worker using the Admin Console Web UI or the CLI.

Authenticate to HCP Boundary as the admin user.

Log in to the HCP portal.
From the HCP Portal's Boundary page, click Open Admin UI - a new page will open.
Enter the admin username and password you created when you deployed the new instance and click Authenticate.

Once logged in, navigate to the Workers page.

Notice that only HCP workers are listed.

Click New.

HCP Workers

The new workers page can be used to construct the contents of the worker.hcl file.

Do not fill in any of the worker fields.

Providing the following details will construct the worker config file contents for you:

Boundary Cluster ID
Worker Public Address
Config file path
Worker Tags

The instructions on this page provide details for installing the Boundary Enterprise binary and deploying the constructed config file.

Because the worker has already been deployed, only the Worker Auth Registration Request key needs to be provided on this page.

Scroll down to the bottom of the New Worker page and paste the Worker Auth Registration Request key you copied earlier.

Click Register Worker.

HCP Workers

Click Done and notice the new worker on the Workers page.

HCP Workers

Ensure that the BOUNDARY_ADDR and BOUNDARY_AUTH_METHOD_ID environment variables are set.

$ export BOUNDARY_ADDR="https://c3a7a20a-f663-40f3-a8e3-1b2f69b36254.boundary.hashicorp.cloud"

$ export BOUNDARY_AUTH_METHOD_ID="ampw_KfLAjMS2CG"

Log into the CLI as the admin user, providing the admin login name and admin password when prompted.

$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
  Account ID:      acctpw_VOeNSFX8pQ
  Auth Method ID:  ampw_ZbB6UXpW3B
  Expiration Time: Thu, 15 Aug 2023 12:35:32 MST
  User ID:         u_ogz79sV4sT
The token was successfully stored in the chosen keyring and is not displayed here.

Next, export the Worker Auth Request Token value as an environment variable.

$ export WORKER_TOKEN="<Worker Auth Registration Request Value>"

The token is used to issue a create worker request that authorizes the worker to Boundary and make it available.

Create a new worker:

$ boundary workers create worker-led -worker-generated-auth-token=$WORKER_TOKEN

Worker information:
  Active Connection Count:   0
  Created Time:              Mon, 12 Aug 2024 19:40:57 MDT
  ID:                        w_IPfR7jBVri
  Local Storage State:       unknown
  Type:                      pki
  Updated Time:              Mon, 12 Aug 2024 19:40:57 MDT
  Version:                   1

  Scope:
    ID:                      global
    Name:                    global
    Type:                    global

  Authorized Actions:
    update
    delete
    add-worker-tags
    set-worker-tags
    remove-worker-tags
    no-op
    read

Set up MinIO

This tutorial deploys MinIO using Docker. Alternatively, a MinIO server can be deployed locally on Linux, macOS, or Windows.

Deploy MinIO

Open a new terminal session and create a local config directory for MinIO.

$ mkdir -p ${HOME}/minio/data

Next, deploy a MinIO container using Docker. These instructions come from the MinIO container documentation.

$ docker run \
   -p 9000:9000 \
   -p 9001:9001 \
   --name minio \
   -e "MINIO_ROOT_USER=ROOTUSER" \
   -e "MINIO_ROOT_PASSWORD=CHANGEME123" \
   -v ${HOME}/minio/data:/data \
   quay.io/minio/minio server /data --console-address ":9001"

Open a new terminal session and verify that all three containers are running.

$ docker ps --format "table {{.ID}}\t{{.Names}}\t{{.Image}}\t{{.Status}}"
CONTAINER ID   NAMES            IMAGE                                       STATUS
3af7a93654d3   minio           quay.io/minio/minio                         Up 3 minutes
49f1ec39b3d8   great_keller     hashicorp/boundary-enterprise               Up 11 minutes
6e63f8178576   openssh-server   lscr.io/linuxserver/openssh-server:latest   Up 17 minutes

Configure a MinIO storage bucket

Open the MinIO Console by visiting the following address in a web browser:

http://127.0.0.1:9001

Username: ROOTUSER
Password: CHANGEME123

Complete the following steps to configure a storage bucket:

Create a bucket.
Under the Administrator panel in the sidebar, click on Buckets.
Click the Create Bucket button.
Give the bucket a name, such as boundary-recordings.
Click Create Bucket.
If you're following the CLI workflow, export the bucket name as a variable in your terminal session.
```
$ export MINIO_BUCKET_NAME=boundary-recordings
```

Create an access policy.

Under the User panel in the sidebar, click on Access Keys.

Click Create access key.

In the Create Access Key page, toggle the switch for Restrict beyond user policy to On.

Paste in the following IAM policy document:

1 2 3 4 5 6 7 8 9 1011121314151617181920{
  "Version": "2012-10-17",
  "Statement": [
     {
        "Action": [
          "s3:PutObject",
          "s3:GetObject",
          "s3:GetObjectAttributes",
          "s3:DeleteObject"
        ],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::boundary-recordings/*"
     },
     {
        "Action": "s3:ListBucket",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::boundary-recordings"
     }
  ]
}

Ensure that lines 12 and 17 contain the correct name of your bucket, such as boundary-recordings.

Enter an access key name in the Name field, such as boundary-admin.

Click Create.

Copy the Access Key and Secret Key. You will not be able to view the Secret Key again, so you should also consider downloading the key.
If you are following the CLI workflow, export the bucket name as a variable in your terminal session.
```
$ export MINIO_ACCESS_KEY_ID=<your-copied-minio-access-key-id>;
export MINIO_SECRET_ACCESS_KEY=<your-copied-minio-secret-access-key>
```

Set up Boundary

The following resources are used in Boundary to enable session recording for an SSH target:

A credential store
A credential library
A Boundary storage bucket
An SSH target type with credential injection enabled

These resources can be configured using the Admin Console UI, the CLI, or Terraform. Select a workflow below to continue setting up Boundary.

Tip

Boundary storage bucket lifecycle management is still under development. To prevent unintentional loss of session recordings, orgs that contain storage buckets with recordings cannot currently be deleted. Before continuing, please note that the org created for this tutorial cannot be deleted until the session recordings it contains are deleted.

Start by logging in to the HCP Boundary Admin UI.

Log in to the HCP portal.
From the HCP Portal's Boundary page, click Open Admin UI - a new page will open.
Enter the admin username and password you created when you deployed the new instance and click Authenticate.

Next, set up a new testing org and project scope.

Note

Please use a new test org for this tutorial, because orgs that contain session recordings cannot currently be deleted.

Navigate to the Orgs page and click New Org.
Fill out the new org form with a Name of ssh-recording-org and Description of SSH test org. Click Save.
From within the new org, click New Project.
Fill out the new project form with a Name of ssh-recording-project and Description of Secure Socket Handling recordings. Click Save.

Create a credential store

Credential injection is required to enable session recording. You manage credentials using a Boundary credential store.

Navigate back to the ssh-recording-org, and select the ssh-recording-project.
Select the Credential Stores page, and click New.
Enter the Name SSH Credentials.
Select the type Static, and click Save.
Click the Credentials tab in the new credential store. Click New.
Under the New Credential page, enter the following details:
- Name: openssh-creds
- Type: Username & Password
- Username & Password: admin
- Password: password
Click Save.

Open a new terminal session.

Start by logging in to Boundary as the admin user.

$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
  Account ID:      acctpw_VOeNSFX8pQ
  Auth Method ID:  ampw_wxzojlKJLN
  Expiration Time: Mon, 13 Feb 2023 12:35:32 MST
  User ID:         u_1vUkf5fPs9
The token was successfully stored in the chosen keyring and is not displayed here.

Set up a new org and project

Create a new org named ssh-recording-org. The following command executes boundary scopes create, prints the result, selects the org ID with jq, and stores the value as an environment variable. The jq utility is used to reduce the amount of copy-paste for IDs for the rest of this tutorial.

$ ORG_ID=$(boundary scopes create \
  -scope-id=global \
  -name=ssh-recording-org \
  -description="SSH test org" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "ORG_ID=$ORG_ID"

Example output:

$ ORG_ID=$(boundary scopes create \
  -scope-id=global \
  -name=ssh-recording-org \
  -description="SSH test org" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "ORG_ID=$ORG_ID"
{"status_code":200,"item":{"id":"o_NQXs2ZNyKc","scope_id":"global","scope":{"id":"global","type":"global","name":"global","description":"Global Scope"},"name":"ssh-recording-org","description":"SSH test org","created_time":"2024-08-13T01:58:52.696850Z","updated_time":"2024-08-13T01:58:52.696850Z","version":1,"type":"org","authorized_actions":["detach-storage-policy","no-op","read","update","delete","attach-storage-policy"]}}
ORG_ID=o_NQXs2ZNyKc

Create a new project scope named ssh-recording-project within the ssh-recording-org. The following command also exports the PROJECT_ID environment variable.

$ PROJECT_ID=$(boundary scopes create \
  -scope-id=$ORG_ID \
  -name=ssh-recording-project \
  -description="SSH test machines" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "PROJECT_ID=$PROJECT_ID"

Example output:

$ PROJECT_ID=$(boundary scopes create \
  -scope-id=$ORG_ID \
  -name=ssh-recording-project \
  -description="SSH test machines" \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "PROJECT_ID=$PROJECT_ID"
{"status_code":200,"item":{"id":"p_0yVhHmWAT4","scope_id":"o_NQXs2ZNyKc","scope":{"id":"o_NQXs2ZNyKc","type":"org","name":"ssh-recording-org","description":"SSH test org","parent_scope_id":"global"},"name":"ssh-recording-project","description":"SSH test machines","created_time":"2024-08-13T02:01:24.805966Z","updated_time":"2024-08-13T02:01:24.805966Z","version":1,"type":"project","authorized_actions":["delete","no-op","read","update"]}}
PROJECT_ID=p_0yVhHmWAT4

Create a credential store

Credential injection is required to enable session recording. Credentials are created using a Boundary credential store.

Create the static credential store. The following command also exports the BOUNDARY_CRED_STORE_ID environment variable.

$ BOUNDARY_CRED_STORE_ID=$(boundary credential-stores create static \
  -name "SSH Credentials" \
  -scope-id $PROJECT_ID \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "BOUNDARY_CRED_STORE_ID=$BOUNDARY_CRED_STORE_ID"

Example output:

$ BOUNDARY_CRED_STORE_ID=$(boundary credential-stores create static \
  -name "SSH Credentials" \
  -scope-id $PROJECT_ID \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "BOUNDARY_CRED_STORE_ID=$BOUNDARY_CRED_STORE_ID"
{"status_code":200,"item":{"id":"csst_xNlFeo0sIb","scope_id":"p_0yVhHmWAT4","scope":{"id":"p_0yVhHmWAT4","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_NQXs2ZNyKc"},"name":"SSH Credentials","created_time":"2024-08-13T02:02:08.810621Z","updated_time":"2024-08-13T02:02:08.810621Z","version":1,"type":"static","authorized_actions":["update","delete","no-op","read"],"authorized_collection_actions":{"credentials":["create","list"]}}}
BOUNDARY_CRED_STORE_ID=csst_xNlFeo0sIb

Create a target credential

Next, add a credential to the credential store. The following command also exports the TARGET_CREDENTIAL_ID environment variable.

The password attribute must be passed as an environment variable, from a file. If you do not have the OPENSSH_PASSWORD variable defined in your current shell session, refer back to the Deploy a target section to set the variable.

$ TARGET_CREDENTIAL_ID=$(boundary credentials create username-password \
  -name "openssh credentials" \
  -credential-store-id $BOUNDARY_CRED_STORE_ID \
  -username admin \
  -password env://OPENSSH_PASSWORD \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "TARGET_CREDENTIAL_ID=$TARGET_CREDENTIAL_ID"

Example output:

$ TARGET_CREDENTIAL_ID=$(boundary credentials create username-password \
  -name "openssh credentials" \
  -credential-store-id $BOUNDARY_CRED_STORE_ID \
  -username admin \
  -password env://OPENSSH_PASSWORD \
  -format json | tee /dev/tty | jq -r '.item | .id') && echo "TARGET_CREDENTIAL_ID=$TARGET_CREDENTIAL_ID"
{"status_code":200,"item":{"id":"credup_d0vdR0XxCw","credential_store_id":"csst_xNlFeo0sIb","scope":{"id":"p_0yVhHmWAT4","type":"project","name":"ssh-recording-project","description":"SSH test machines","parent_scope_id":"o_NQXs2ZNyKc"},"name":"openssh credentials","created_time":"2024-08-13T17:22:59.347950Z","updated_time":"2024-08-13T17:22:59.347950Z","version":1,"type":"username_password","attributes":{"password_hmac":"wXlCmxOWfoYGkMmTDFbz7n-v8sjLwqATJVNkT_463oc","username":"admin"},"authorized_actions":["no-op","read","update","delete"]}}
TARGET_CREDENTIAL_ID=credup_d0vdR0XxCw

This configuration references Terraform resources documented in the Boundary Terraform provider.

To simplify lab cleanup, create a new directory to store the lab configuration.

$ mkdir learn-boundary-session-rec-minio && cd learn-boundary-session-rec-minio

Terraform configuration file called boundary.tf in the top of the learn-boundary-session-rec-minio/ directory.

$ touch boundary.tf

Next, open boundary.tf in your text editor.

Set up the provider

Start by defining Boundary as a required provider, and setting up the provider's input variables.

/learn-boundary-session-rec-minio/boundary.tf

provider "boundary" {
  addr                   = var.BOUNDARY_ADDR
  auth_method_id         = var.BOUNDARY_AUTH_METHOD_ID
  auth_method_login_name = var.BOUNDARY_USERNAME
  auth_method_password   = var.BOUNDARY_PASSWORD
}

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    boundary = {
      source  = "hashicorp/boundary",
      version = ">= 1.1.15"
    }
  }
}

Define the input variables

The following variables will be passed to Terraform, so no default values are required. Define all these variables within the boundary.tf config file.

variable "BOUNDARY_ADDR" {
    type = string
}

variable "BOUNDARY_AUTH_METHOD_ID" {
    type = string
}

variable "BOUNDARY_USERNAME" {
    type = string
}

variable "BOUNDARY_PASSWORD" {
    type = string
}

variable "MINIO_ADDR" {
    type = string
}

variable "MINIO_BUCKET_NAME" {
    type = string
}

variable "MINIO_ACCESS_KEY_ID" {
    type = string
}

variable "MINIO_SECRET_ACCESS_KEY" {
    type = string
}

Next, locate the values of the following input variables used by the provider, including:

Locate the following values in your shell session:

$ echo $BOUNDARY_ADDR ; \
  echo $BOUNDARY_USERNAME ; \
  echo $BOUNDARY_PASSWORD

All of the variables except the BOUNDARY_AUTH_METHOD_ID were previously defined.

You can locate the admin password auth method ID using the CLI or the Admin Web UI.

Navigate to the global scope.
Navigate to the Auth Methods page.
Copy the ID beside the password auth method (such as ampw_AQSr776Hnm).

Authenticate to Boundary as the admin user.

$ boundary authenticate

List the available auth methods.

$ boundary auth-methods list

Auth Method information:
  ID:                     ampw_AQSr776Hnm
    Version:              1
    Type:                 password
    Name:                 password
    Description:          Password auth method
    Is Primary For Scope: true
    Authorized Actions:
      no-op
      read
      update
      delete
      authenticate

Copy the ID of the password auth method.

Create a new file called boundary.tfvars in ~/learn-boundary-session-rec-minio. This file will pass the required variables to Terraform.

learn-boundary-session-rec-minio/boundary.tfvars

BOUNDARY_ADDR = "<YOUR_BOUNDARY_ADDR>"

BOUNDARY_USERNAME = "<YOUR_ADMIN_USERNAME>"

BOUNDARY_PASSWORD = "<YOUR_ADMIN_PASSWORD>"

BOUNDARY_AUTH_METHOD_ID = "<YOUR_AUTH_METHOD_ID>"

MINIO_ADDR = "http://127.0.0.1:9000"

MINIO_BUCKET_NAME = "<YOUR_MINIO_BUCKET_NAME>"

MINIO_ACCESS_KEY_ID = "<YOUR_MINIO_ACCESS_KEY_ID>"

MINIO_SECRET_ACCESS_KEY = "<YOUR_MINIO_SECRET_ACCESS_KEY>"

The following environment variables were copied from the MinIO console:

YOUR_MINIO_BUCKET_NAME
YOUR_MINIO_ACCESS_KEY_ID
YOUR_MINIO_SECRET_ACCESS_KEY

Set up a new org and project

Define the global scope ID, then create a new org named ssh-recording-org with an associated password auth method.

resource "boundary_scope" "global" {
  global_scope = true
  scope_id     = "global"
}

resource "boundary_scope" "org" {
  name        = "ssh-recording-org"
  description = "SSH test org"
  scope_id    = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_auth_method_password" "password" {
  name        = "org-password-auth"
  description = "Password auth method for org"
  type        = "password"
  scope_id    = boundary_scope.org.id
}

Create a new project scope named ssh-recording-project within the ssh-recording-org.

resource "boundary_scope" "ssh" {
  name                   = "ssh-recording-project"
  description            = "Secure Socket Handling recordings"
  scope_id               = boundary_scope.org.id
  auto_create_admin_role = true
}

Create a credential store

Next, set up a static credential store.

resource "boundary_credential_store_static" "openssh_cred_store" {
  name        = "openssh-cred-store"
  scope_id    = boundary_scope.ssh_recording_project.id
}

Create an openssh credential

Static credentials can be added to the credential store, such as username/password, SSH private key, or JSON credentials.

Create a username/password credential associated with the openssh_cred_store credential store. These credentials were defined when the openssh Docker container was deployed.

resource "boundary_credential_username_password" "openssh_creds" {
  name                = "openssh-creds"
  credential_store_id = boundary_credential_store_static.openssh_cred_store.id
  username            = "admin"
  password            = "password"
}

Enable session recordings

To finish setting up session recordings you need to:

Set up a Boundary storage bucket
Create an SSH target

The SSH target requires the injected application credentials (supplied from the static credential store), and the Boundary storage bucket it should associate recordings with.

Create a storage bucket

Within Boundary, a storage bucket resource is used to store the recorded sessions. A storage bucket represents a bucket in an external store, in this case, MinIO. You must create a Boundary storage bucket associated with an external store before enabling session recording.

Navigate to the Global scope, and then the Storage Buckets page.
Click New Storage Bucket. Fill out the following details:
- Name: ssh-test-bucket
- Scope: ssh-recording-org
- Provider: MinIO
- Endpoint URL: http://127.0.0.1:9000
- Bucket name: boundary-recordings Note: this must match the name of the bucket in MinIO.
- Access key ID: YOUR_MINIO_ACCESS_KEY_ID
- Secret access key: YOUR_MINIO_SECRET_ACCESS_KEY
- Worker filter: "minio" in "/tags/type"
The YOUR_MINIO_ACCESS_KEY_ID and YOUR_MINIO_SECRET_ACCESS_KEY values were copied from the MinIO console.
For the Worker Filter, a worker with access to the MinIO storage bucket is needed. For this tutorial, the minio-worker was deployed locally using Docker to access the MinIO server, which is running in a separate containter.
Select the worker tagged with "type" = ["minio", "openssh"], which provides access to MinIO. The following filter will select this worker:
```
"minio" in "/tags/type"
```
Lastly, check the box next to Disable credential rotation.
Click Save.
If there are errors, double-check the Endpoint URL, Bucket name, Access keys, and Worker filter. If there are still problems, check the Access Key Policy for the MinIO bucket, and ensure the bucket name matches the Resource ARN.

Create an SSH target

To finish setting up recordings, create a target for the openssh-server container.

Navigate to the ssh-recording-org scope, and select the ssh-recording-project project.
Select the Targets page and click New.
Fill out the New Target form. Select a Type of SSH.
- Name: openssh-target
- Type: SSH
- Target Address: 127.0.0.1
- Default Port: 2222
- Maximum Connections: -1
- Aliases: openssh.target
Click Save.
Click the Workers tab. Click Edit worker filter for Egress workers.
When you create a target, you can specify an egress worker filter. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.
Recall the tags associated with the minio-worker, which provides access to the openssh-server container:
```
Tags:
  Configuration:
    type: ["minio" "openssh"]
  Canonical:
    type: ["minio" "openssh"]
```
The tags for this worker are:
"type" = ["minio", "openssh"]
An appropriate filter to select this worker is:
```
"openssh" in "/tags/type"
```
Paste in the following worker filter: "openssh" in "/tags/type"
Click Save.

Next, add credential injection for the target.

Select the Injected Application Credentials tab for openssh-target.
Click +Add Injected Application Credentials.
Check the box next to the credential named openssh-creds, then click Add Injected Application Credentials.

Enable session recording

To enable session recording for the openssh-target:

Navigate back to the openssh-target Details page.
Under Session Recording, click Enable recording.
On the Enable Session Recording for Target page, toggle the switch next to Record sessions for this target.
For the Storage buckets, select the ssh-test-bucket.
Click Save.

Under the openssh-target Details page, the ssh-test-bucket should now be listed under Session Recording.

Create a storage bucket

The following details are needed to set up a Boundary storage bucket:

Name: ssh-test-bucket
Scope: ssh-recording-org
Bucket name: YOUR_MINIO_BUCKET_NAME
Access key ID: YOUR_MINIO_ACCESS_KEY_ID
Secret access key: YOUR_MINIO_SECRET_ACCESS_KEY
Worker filter: "minio" in "/tags/type"

For the Worker Filter, a worker with access to the MinIO storage bucket is needed.

Select the worker tagged with "type" = ["minio", "openssh"], which also provides access to the openssh target. The following filter will select this worker:

"minio" in "/tags/type"

Create a new storage bucket named ssh-test-bucket. Set the plugin name to minio, the MinIO bucket name, and the worker filter. Pass disable_credential_rotation=true as an attribute, and the MINIO_ACCESS_KEY_ID and MINIO_SECRET_ACCESS_KEY as secrets.

$ boundary storage-buckets create -scope-id $ORG_ID \
  -name "ssh-test-bucket" \
  -plugin-name minio \
  -bucket-name ${MINIO_BUCKET_NAME} \
  -worker-filter '"minio" in "/tags/type"' \
  -attr endpoint_url="http://127.0.0.1:9000" \
  -attr disable_credential_rotation=true \
  -secret access_key_id=${MINIO_ACCESS_KEY_ID} \
  -secret secret_access_key=${MINIO_SECRET_ACCESS_KEY}

Example output:

$ boundary storage-buckets create -scope-id $ORG_ID \
  -name "ssh-test-bucket" \
  -plugin-name minio \
  -bucket-name ${MINIO_BUCKET_NAME} \
  -worker-filter '"minio" in "/tags/type"' \
  -attr endpoint_url="http://127.0.0.1:9000" \
  -attr disable_credential_rotation=true \
  -secret access_key_id=${MINIO_ACCESS_KEY_ID} \
  -secret secret_access_key=${MINIO_SECRET_ACCESS_KEY}

Storage Bucket information:
  Bucket Name:                   boundary-recordings2
  Created Time:                  Tue, 13 Aug 2024 10:59:29 MDT
  ID:                            sb_zAE4dX0RuV
  Name:                          ssh-test-bucket
  Plugin ID:                     pl_gSoQdUzNGB
  Secrets HMAC:                  4iG2sruGQaRtqPgWNCUvnnf34FEyH1RewGTwKbqyfEYg
  Updated Time:                  Tue, 13 Aug 2024 10:59:29 MDT
  Version:                       1
  Worker Filter:                 "minio" in "/tags/type"

  Scope:
    ID:                          o_NQXs2ZNyKc
    Name:                        ssh-recording-org
    Parent Scope ID:             global
    Type:                        org

  Plugin:
    ID:                          pl_gSoQdUzNGB
    Name:                        minio

  Attributes:
    disable_credential_rotation: true
    endpoint_url:                http://127.0.0.1:9000

  Authorized Actions:
    read
    update
    delete
    no-op

Copy the ID from the output and export it as the $STORAGE_BUCKET_ID variable.

$ export STORAGE_BUCKET_ID=sb_nzFv30oX2E

Tip

If you have the jq utility installed, you can copy the output and export it in a single step with this command:

$ export STORAGE_BUCKET_ID=`boundary storage-buckets create -scope-id $ORG_ID -name "ssh-test-bucket" -plugin-name minio -bucket-name $MINIO_BUCKET_NAME -worker-filter '"minio" in "/tags/type"' -attr endpoint_url="http://127.0.0.1:9000" -attr disable_credential_rotation=true  -secret access_key_id=${MINIO_ACCESS_KEY_ID} -secret secret_access_key=${MINIO_SECRET_ACCESS_KEY} -format json | jq -r '.item.id'`

Create an SSH target

To finish setting up recordings, create a target for the openssh host.

When you create a target, you can specify an egress worker filter. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.

Recall the tags associated with the minio-worker, which also provides access to the openssh host:

Tags:
  Configuration:
    type: ["minio" "openssh"]
  Canonical:
    type: ["minio" "openssh"]

The tags for this worker are:

"type" = ["minio", "openssh"]

An appropriate filter to select this worker is:

"openssh" in "/tags/type"

Create a new target of type ssh named openssh-target. Set the default port to 2222, enable session recording, and pass the storage bucket ID and egress worker filter.

$ boundary targets create ssh -scope-id $PROJECT_ID \
  -name "openssh-target" \
  -alias "openssh.target" \
  -session-connection-limit -1 \
  -address "127.0.0.1" \
  -default-port 2222 \
  -egress-worker-filter '"openssh" in "/tags/type"' \
  -storage-bucket-id=$STORAGE_BUCKET_ID \
  -enable-session-recording=true

Example output:

$ boundary targets create ssh -scope-id $PROJECT_ID \
  -name "openssh-target" \
  -alias "openssh.target" \
  -session-connection-limit -1 \
  -address "127.0.0.1" \
  -default-port 2222 \
  -egress-worker-filter '"openssh" in "/tags/type"' \
  -storage-bucket-id=$STORAGE_BUCKET_ID \
  -enable-session-recording=true


Target information:
  Address:                    127.0.0.1
  Created Time:               Tue, 13 Aug 2024 14:47:27 MDT
  Egress Worker Filter:       "openssh" in "/tags/type"
  ID:                         tssh_4B5TnVtlbb
  Name:                       openssh-target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       ssh
  Updated Time:               Tue, 13 Aug 2024 14:47:27 MDT
  Version:                    1

  Scope:
    ID:                       p_0yVhHmWAT4
    Name:                     ssh-recording-project
    Parent Scope ID:          o_NQXs2ZNyKc
    Type:                     project

  Authorized Actions:
    add-host-sources
    remove-credential-sources
    update
    add-credential-sources
    set-credential-sources
    delete
    authorize-session
    read
    remove-host-sources
    no-op
    set-host-sources

  Attributes:
    Default Port:             2222
    Enable Session Recording: true
    Storage Bucket ID:        sb_zAE4dX0RuV

Copy the ID from the output and export it as the $TARGET_ID variable.

$ export TARGET_ID=tssh_4B5TnVtlbb

Tip

If you have the jq utility installed, you can copy the output and export it in a single step with this command:

$ export TARGET_ID=`boundary targets create ssh -scope-id $PROJECT_ID -name "openssh-target" -session-connection-limit -1 -address "127.0.0.1" -default-port 2222 -egress-worker-filter '"openssh" in "/tags/type"' -storage-bucket-id=$STORAGE_BUCKET_ID -enable-session-recording=true -format json | jq -r '.item.id'`

Now associate openssh-target with the credential library.

$ boundary targets add-credential-sources -id $TARGET_ID -injected-application-credential-source $TARGET_CREDENTIAL_ID


Target information:
  Address:                    127.0.0.1
  Created Time:               Tue, 13 Aug 2024 14:47:27 MDT
  Egress Worker Filter:       "openssh" in "/tags/type"
  ID:                         tssh_4B5TnVtlbb
  Name:                       openssh-target
  Session Connection Limit:   -1
  Session Max Seconds:        28800
  Type:                       ssh
  Updated Time:               Tue, 13 Aug 2024 14:49:00 MDT
  Version:                    2

  Scope:
    ID:                       p_0yVhHmWAT4
    Name:                     ssh-recording-project
    Parent Scope ID:          o_NQXs2ZNyKc
    Type:                     project

  Authorized Actions:
    delete
    remove-host-sources
    add-credential-sources
    no-op
    add-host-sources
    set-host-sources
    read
    remove-credential-sources
    authorize-session
    update
    set-credential-sources

  Injected Application Credential Sources:
    Credential Store ID:      csst_xNlFeo0sIb
    ID:                       credup_d0vdR0XxCw

  Attributes:
    Default Port:             2222
    Enable Session Recording: true
    Storage Bucket ID:        sb_zAE4dX0RuV

The SSH target now has a host source, injected credentials, and a storage bucket configured. Session recording is fully enabled.

Create a storage bucket

To create a storage bucket, the following details are required:

Name: ssh-test-bucket
Scope: ssh-recording-org
Bucket name: YOUR_MINIO_BUCKET_NAME
Endpoint URL: http://127.0.0.1:9000
Access key ID: YOUR_MINIO_ACCESS_KEY_ID
Secret access key: YOUR_MINIO_SECRET_ACCESS_KEY
Worker filter: "minio" in "/tags/type"

The name of the MinIO bucket, YOUR_MINIO_ACCESS_KEY_ID, and YOUR_MINIO_SECRET_ACCESS_KEY were gathered from the MinIO console.

These values should be defined in your boundary.tfvars file.

learn-boundary-session-rec-minio/boundary.tfvars

MINIO_ADDR = "http://127.0.0.1:9000"

MINIO_BUCKET_NAME = "<YOUR_MINIO_BUCKET_NAME>"

MINIO_ACCESS_KEY_ID = "<YOUR_MINIO_ACCESS_KEY_ID>"

MINIO_SECRET_ACCESS_KEY = "<YOUR_MINIO_SECRET_ACCESS_KEY>"

Save the boundary.tfvars file.

For the Worker Filter, a worker with access to the MinIO storage bucket is needed.

Select the worker tagged with "type" = ["minio", "openssh"], which also provides access to the openssh target. The following filter will select this worker:

"minio" in "/tags/type"

When using HCL, this filter must be rewritten using escape syntax:

"\"minio\" in \"/tags/type\""

Create a new storage bucket with a plugin_name of minio and pass in the MINIO_BUCKET_NAME. Pass endpoint_url and disable_credential_rotation=trueas a JSON attributes, and MINIO_ACCESS_KEY_ID and MINIO_SECRET_ACCESS_KEY as JSON secrets. Lastly, supply the worker filter.

resource "boundary_storage_bucket" "minio_bucket" {
  name            = "ssh-test-bucket"
  description     = "SSH session recording test bucket"
  scope_id        = boundary_scope.org.id
  plugin_name     = "minio"
  bucket_name     = var.MINIO_BUCKET_NAME
  attributes_json = jsonencode({
    "endpoint_url" = "${var.MINIO_ADDR}",
    "disable_credential_rotation" = true
  })

  secrets_json = jsonencode({
    "access_key_id"     = "${var.MINIO_ACCESS_KEY_ID}",
    "secret_access_key" = "${var.MINIO_SECRET_ACCESS_KEY}"
  })
  
  worker_filter = "\"minio\" in \"/tags/type\""
}

Create an SSH target

To finish setting up recordings, create a target for the openssh host.

When you create a target, you can specify an egress worker filter. An egress worker is required for targets with session recording enabled, because the worker stores the recording and uploads it to the storage bucket. The filter tells Boundary which worker is deployed in the same network as the target. An ingress worker is not used in this example.

Recall the tags associated with the minio, which also provides access to the openssh host:

Tags:
  Configuration:
    type: ["minio" "openssh"]
  Canonical:
    type: ["minio" "openssh"]

The tags for this worker are:

"type" = ["minio", "openssh"]

An appropriate filter to select this worker is:

"openssh" in "/tags/type"

When using HCL, this filter must be rewritten using escape syntax:

"\"openssh\" in \"/tags/type\""

Create a new target with the following parameters:

type: ssh
name: openssh-target
default_port: 2222
address: 127.0.0.1
egress_worker_filter: "\"openssh\" in \"/tags/type\""
injected_application_credential_source_ids = [boundary_credential_username_password.openssh_creds.id]
enable_session_recording: true
storage_bucket_id: boundary_storage_bucket.minio_bucket.id

resource "boundary_target" "openssh_target" {
  name         = "openssh-target"
  description  = "SSH target"
  type         = "ssh"
  address      = "127.0.0.1"
  default_port = "2222"
  scope_id     = boundary_scope.ssh_recording_project.id
  egress_worker_filter     = "\"openssh\" in \"/tags/type\""
  injected_application_credential_source_ids = [
    boundary_credential_username_password.openssh_creds.id
  ]
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.minio_bucket.id
}

Once all the Boundary provider resources have been added, save this file.

Expand the accordion below to see a completed version of the Terraform configuration files for Boundary. For reference, an example of these files with all resources commented out is also included with the lab repository, at learn-boundary-session-rec-minio/boundary-example.tf and learn-boundary-session-rec-minio/boundary-example.tfvars.

Completed Boundary provider config

This is a completed version of the boundary.tf file.

learn-boundary-session-rec-minio/boundary.tf

provider "boundary" {
  addr                   = var.BOUNDARY_ADDR
  auth_method_id         = var.BOUNDARY_AUTH_METHOD_ID
  auth_method_login_name = var.BOUNDARY_USERNAME
  auth_method_password   = var.BOUNDARY_PASSWORD
}

terraform {
  required_version = ">= 1.3.0"
  required_providers {
    boundary = {
      source  = "hashicorp/boundary",
      version = ">= 1.1.15"
    }
  }
}

variable "BOUNDARY_ADDR" {
    type = string
}

variable "BOUNDARY_AUTH_METHOD_ID" {
    type = string
}

variable "BOUNDARY_USERNAME" {
    type = string
}

variable "BOUNDARY_PASSWORD" {
    type = string
}

variable "MINIO_ADDR" {
    type = string
}

variable "MINIO_BUCKET_NAME" {
    type = string
}

variable "MINIO_ACCESS_KEY_ID" {
    type = string
}

variable "MINIO_SECRET_ACCESS_KEY" {
    type = string
}

resource "boundary_scope" "global" {
  global_scope = true
  scope_id     = "global"
}

resource "boundary_scope" "ssh_org" {
  name        = "ssh-recording-org"
  description = "SSH test org"
  scope_id    = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_auth_method_password" "password" {
  name        = "org-password-auth"
  description = "Password auth method for org"
  type        = "password"
  scope_id    = boundary_scope.ssh_org.id
}

resource "boundary_scope" "ssh_recording_project" {
  name                   = "ssh-recording-project"
  description            = "Secure Socket Handling recordings"
  scope_id               = boundary_scope.ssh_org.id
  auto_create_admin_role = true
}

resource "boundary_credential_store_static" "openssh_cred_store" {
  name        = "openssh-cred-store"
  scope_id    = boundary_scope.ssh_recording_project.id
}

resource "boundary_credential_username_password" "openssh_creds" {
  name                = "openssh-creds"
  credential_store_id = boundary_credential_store_static.openssh_cred_store.id
  username            = "admin"
  password            = "password"
}

resource "boundary_storage_bucket" "minio_bucket" {
  name            = "ssh-test-bucket"
  description     = "SSH session recording test bucket"
  scope_id        = boundary_scope.ssh_org.id
  plugin_name     = "minio"
  bucket_name     = var.MINIO_BUCKET_NAME
  attributes_json = jsonencode({
    "endpoint_url" = "${var.MINIO_ADDR}",
    "disable_credential_rotation" = true
  })

  secrets_json = jsonencode({
    "access_key_id"     = "${var.MINIO_ACCESS_KEY_ID}",
    "secret_access_key" = "${var.MINIO_SECRET_ACCESS_KEY}"
  })
  
  worker_filter = "\"minio\" in \"/tags/type\""
}

resource "boundary_target" "openssh_target" {
  name         = "openssh-target"
  description  = "SSH target"
  type         = "ssh"
  address      = "127.0.0.1"
  default_port = "2222"
  scope_id     = boundary_scope.ssh_recording_project.id
  egress_worker_filter     = "\"openssh\" in \"/tags/type\""
  injected_application_credential_source_ids = [
    boundary_credential_username_password.openssh_creds.id
  ]
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.minio_bucket.id
}

This is a completed version of the boundary.tfvars file.

learn-boundary-session-rec-minio/boundary.tfvars

BOUNDARY_ADDR = "<YOUR_BOUNDARY_ADDR>"

BOUNDARY_USERNAME = "<YOUR_ADMIN_USERNAME>"

BOUNDARY_PASSWORD = "<YOUR_ADMIN_PASSWORD>"

BOUNDARY_AUTH_METHOD_ID = "<YOUR_AUTH_METHOD_ID>"

MINIO_ADDR = "http://127.0.0.1:9000"

MINIO_BUCKET_NAME = "<YOUR_MINIO_BUCKET_NAME>"

MINIO_ACCESS_KEY_ID = "<YOUR_MINIO_ACCESS_KEY_ID>"

MINIO_SECRET_ACCESS_KEY = "<YOUR_MINIO_SECRET_ACCESS_KEY>"

Apply Terraform

From the root of the learn-boundary-session-rec-minio, initialize Terraform.

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/boundary versions matching ">= 1.1.15"...
- Installing hashicorp/boundary v1.1.15...
- Installed hashicorp/boundary v1.1.15 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Apply Terraform, passing in the required environment variables using the boundary.tfvars file.

$ terraform apply -var-file="boundary.tfvars"

Example output:

$ terraform apply -var-file="boundary.tfvars"

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # boundary_auth_method_password.password will be created
  + resource "boundary_auth_method_password" "password" {
      + description           = "Password auth method for org"
      + id                    = (known after apply)
      + min_login_name_length = (known after apply)
      + min_password_length   = (known after apply)
      + name                  = "org_password_auth"
      + scope_id              = (known after apply)
      + type                  = "password"
    }

  # boundary_credential_store_static.openssh_cred_store will be created
  + resource "boundary_credential_store_static" "openssh_cred_store" {
      + id       = (known after apply)
      + name     = "openssh-cred-store"
      + scope_id = (known after apply)
    }

  # boundary_credential_username_password.openssh_creds will be created
  + resource "boundary_credential_username_password" "openssh_creds" {
      + credential_store_id = (known after apply)
      + id                  = (known after apply)
      + name                = "openssh-creds"
      + password            = (sensitive value)
      + password_hmac       = (known after apply)
      + username            = "admin"
    }

  # boundary_scope.global will be created
  + resource "boundary_scope" "global" {
      + global_scope = true
      + id           = (known after apply)
      + scope_id     = "global"
    }

  # boundary_scope.ssh_org will be created
  + resource "boundary_scope" "ssh_org" {
      + auto_create_admin_role   = true
      + auto_create_default_role = true
      + description              = "SSH test org"
      + id                       = (known after apply)
      + name                     = "ssh-recording-org"
      + scope_id                 = (known after apply)
    }

  # boundary_scope.ssh_recording_project will be created
  + resource "boundary_scope" "ssh_recording_project" {
      + auto_create_admin_role = true
      + description            = "Secure Socket Handling recordings"
      + id                     = (known after apply)
      + name                   = "ssh_recording_project"
      + scope_id               = (known after apply)
    }

  # boundary_storage_bucket.minio_bucket will be created
  + resource "boundary_storage_bucket" "minio_bucket" {
      + attributes_json                            = jsonencode(
            {
              + disable_credential_rotation = true
              + endpoint_url                = "http://127.0.0.1:9000"
            }
        )
      + bucket_name                                = "boundary-recordings"
      + description                                = "SSH session recording test bucket"
      + id                                         = (known after apply)
      + internal_force_update                      = (known after apply)
      + internal_hmac_used_for_secrets_config_hmac = (known after apply)
      + internal_secrets_config_hmac               = (known after apply)
      + name                                       = "ssh-test-bucket"
      + plugin_id                                  = (known after apply)
      + plugin_name                                = "minio"
      + scope_id                                   = (known after apply)
      + secrets_hmac                               = (known after apply)
      + secrets_json                               = (sensitive value)
      + worker_filter                              = "\"minio\" in \"/tags/type\""
    }

  # boundary_target.openssh_target will be created
  + resource "boundary_target" "openssh_target" {
      + address                                    = "127.0.0.1"
      + default_port                               = 2222
      + description                                = "SSH target"
      + egress_worker_filter                       = "\"openssh\" in \"/tags/type\""
      + enable_session_recording                   = true
      + id                                         = (known after apply)
      + injected_application_credential_source_ids = (known after apply)
      + name                                       = "openssh-target"
      + scope_id                                   = (known after apply)
      + session_connection_limit                   = (known after apply)
      + session_max_seconds                        = (known after apply)
      + storage_bucket_id                          = (known after apply)
      + type                                       = "ssh"
    }

Plan: 8 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

boundary_scope.global: Creating...
boundary_scope.global: Creation complete after 0s [id=global]
boundary_scope.ssh_org: Creating...
boundary_scope.ssh_org: Creation complete after 0s [id=o_JKfcH1eisv]
boundary_auth_method_password.password: Creating...
boundary_scope.ssh_recording_project: Creating...
boundary_storage_bucket.minio_bucket: Creating...
boundary_auth_method_password.password: Creation complete after 0s [id=ampw_5RRQMBpeBu]
boundary_scope.ssh_recording_project: Creation complete after 0s [id=p_wi24fEDJfy]
boundary_credential_store_static.openssh_cred_store: Creating...
boundary_storage_bucket.minio_bucket: Creation complete after 0s [id=sb_sDFtHIl6A1]
boundary_credential_store_static.openssh_cred_store: Creation complete after 0s [id=csst_64n6J8FOxU]
boundary_credential_username_password.openssh_creds: Creating...
boundary_credential_username_password.openssh_creds: Creation complete after 1s [id=credup_EddHoBnrTs]
boundary_target.openssh_target: Creating...
boundary_target.openssh_target: Creation complete after 0s [id=tssh_2xEc0ObHTM]

Apply complete! Resources: 8 added, 0 changed, 0 destroyed.

Record a session

Now you are ready to test session recording for the openssh-target.

To log into Boundary using the Desktop app, you must gather the BOUNDARY_ADDR values from the HCP Boundary Admin Console.

Check the value of BOUNDARY_ADDR in the terminal session where Terraform was applied.

$ echo $BOUNDARY_ADDR
https://d2a6e010-ba05-431a-b7f2-5cbc4e1e9f06.boundary.hashicorp.cloud

Open the Boundary Desktop app.

Enter the Boundary cluster URL (for example, https://d2a6e010-ba05-431a-b7f2-5cbc4e1e9f06.boundary.hashicorp.cloud) and click Submit.

Authenticate using your HCP Boundary admin credentials.

Boundary Desktop Login

On the Targets page, notice the target details for openssh-target.

Boundary Desktop Target Details

Click Connect to initiate a session.

The Successfully Connected page displays the target ID (Target Connection details) and Proxy URL.

To start a session, click on the Shell tab, or open your terminal or SSH client of choice. You can start a session using SSH and the Proxy URL from the Boundary Desktop app.

If you use your own client, connect on 127.0.0.1 and provide the proxy port using the -p option. Enter yes when prompted to establish a connection.

$ ssh 127.0.0.1 -p 53361 -o NoHostAuthenticationForLocalhost=yes
~ % ssh 127.0.0.1 -p 53361 -o NoHostAuthenticationForLocalhost=yes
Welcome to OpenSSH Server
a7f717a4cee9:~

Type some simple commands you will recognize when playing back the recording, like pwd or whoami. When finished, you can close the connection to the server by entering exit, or you can cancel the session directly from the Boundary Desktop app under the Sessions view.

Execute boundary connect, which has a helper called ssh.

Enter yes when prompted to establish the connection.

$ boundary connect ssh -target-id $TARGET_ID
Welcome to OpenSSH Server
3fe7e57f5505:~$

Enter some commands, such as whoami.

When finished, close the connection to the server using exit.

View the recording

You can view a list of all recorded sessions, or if you know the ID of a specific recorded session, you can find any channels associated with that recording.

To play back a session, open the Admin Console Web UI, and re-authenticate as the admin user if necessary.

From the global scope, navigate to the Session Recordings page.

The following details are listed for each recording:

Time
Status
User
Target
Duration

Click View next to the openssh-target recording.

Within the Session Playback page, click Play for Channel 1.

After the recording loads, click the Play button to start playback for Channel 1.

Note the Channel details on the right, which display the duration and bytes up / bytes down.

Validate the recording (optional)

A session recording represents a directory structure of files in an external object store that together are the recording of a single session between a user and a target.

To validate a session recording and download it, you can use the CLI.

First, set the BOUNDARY_ADDR and BOUNDARY_AUTH_METHOD_ID environment variables in your shell session. Replace the example address and auth method ID with the values for your cluster.

$ export BOUNDARY_ADDR="https://c3a7a20a-f663-40f3-a8e3-1b2f69b36254.boundary.hashicorp.cloud"

$ export BOUNDARY_AUTH_METHOD_ID="ampw_KfLAjMS2CG"

Log into the CLI as the admin user, providing the admin login name and admin password when prompted.

$ boundary authenticate
Please enter the login name (it will be hidden):
Please enter the password (it will be hidden):
Authentication information:
  Account ID:      acctpw_VOeNSFX8pQ
  Auth Method ID:  ampw_ZbB6UXpW3B
  Expiration Time: Thu, 15 Aug 2023 12:35:32 MST
  User ID:         u_ogz79sV4sT
The token was successfully stored in the chosen keyring and is not displayed here.

Verify that the recording exists.

$ boundary session-recordings list -scope-id $ORG_ID

Session Recording information:
  ID:                    sr_UzDy6yvXlL
    Session ID:          s_n9VGCnGbHT
    Storage Bucket ID:   sb_zAE4dX0RuV
    Created Time:        Tue, 13 Aug 2024 15:04:21 MDT
    Updated Time:        Tue, 13 Aug 2024 15:04:33 MDT
    Start Time:          Tue, 13 Aug 2024 15:04:21 MDT
    End Time:            Tue, 13 Aug 2024 15:04:33 MDT
    Type:                ssh
    State:               available
    Retain Until:        Forever
    Authorized Actions:
      download
      delete
      reapply-storage-policy
      no-op
      read

Read the recording's details.

$ boundary session-recordings read -id sr_UzDy6yvXlL

Session Recording information:
  Bytes Down:           128
  Bytes Up:             18
  Created Time:         Tue, 13 Aug 2024 15:04:21 MDT
  Duration (Seconds):   11.741338
  Endpoint:             ssh://127.0.0.1:2222
  ID:                   sr_UzDy6yvXlL
  Retain Until:         Forever
  Scope ID:             o_NQXs2ZNyKc
  Session ID:           s_n9VGCnGbHT
  Start Time:           Tue, 13 Aug 2024 15:04:21 MDT
  State:                available
  Storage Bucket ID:    sb_zAE4dX0RuV
  Type:                 ssh
  Updated Time:         Tue, 13 Aug 2024 15:04:33 MDT

  Scope:
    ID:                 o_NQXs2ZNyKc
    Name:               ssh-recording-org
    Parent Scope ID:    global
    Type:               org

  Authorized Actions:
    reapply-storage-policy
    no-op
    read
    download
    delete

  User Info:
    Description:         Global admin user
    ID:                  u_7fORXeejz0
    Name:                admin_user
    Scope:
      ID:                global
      Name:              global
      Type:              global

  Target Info:
    Default Port:               2222
    Egress Worker Filter:       "openssh" in "/tags/type"
    ID:                         tssh_4B5TnVtlbb
    Name:                       openssh-target
    Session Connection Limit:   -1
    Session Max Seconds:        28800
    Scope:
      ID:                       p_0yVhHmWAT4
      Name:                     ssh_recording_project
      Parent Scope ID:          o_NQXs2ZNyKc
      Type:                     project

  Credentials:
    ID:                credup_mOdG1kgB1q
    Name:              openssh credentials4
    Purpose:           injected_application
    Type:              username_password
    Username:          admin

    Credential Store:
      ID:                csst_xNlFeo0sIb
      Name:              SSH Credentials
      Scope ID:          p_0yVhHmWAT4
      Type:              static


  Connections Recordings:
    Bytes Down:         128
    Bytes Up:           18
    Created Time:       Tue, 13 Aug 2024 15:04:22 MDT
    Duration (Seconds): 10.917253
    End Time:           Tue, 13 Aug 2024 15:04:33 MDT
    ID:                 cr_DXEdEZJJve
    Start Time:         Tue, 13 Aug 2024 15:04:22 MDT
    Updated Time:       Tue, 13 Aug 2024 15:04:33 MDT


    Channel Recordings:
      Bytes Down:         128
      Bytes Up:           18
      Created Time:       Tue, 13 Aug 2024 15:04:33 MDT
      Duration (Seconds): 10.428897
      End Time:           Tue, 13 Aug 2024 15:04:33 MDT
      ID:                 chr_Mgkj7JkB7e
      Mime Types:         application/x-asciicast
      Start Time:         Tue, 13 Aug 2024 15:04:22 MDT
      Updated Time:       Tue, 13 Aug 2024 15:04:33 MDT

Note the Channel Recordings, labeled Mime Types: application/x-asciicast (ID chr_Mgkj7JkB7e in this example). Downloading this recording would produces a .cast file, which can be played back locally using asciinema.

If you want to download this file, execute the following command:

$ boundary session-recordings download -id chr_Mgkj7JkB7e

BSR files

The Boundary Session Recording (BSR) file defines a hierarchical directory structure of files and a binary file format. It contains all the data transmitted between a user and a target during a single session.

Boundary stores the recordings within the external storage bucket as BSR files.

A BSR connections directory contains a summary of connections, as well as inbound and outbound requests. If you use a multiplexed protocol, there are subdirectories for the channels.

The asciicast format is well suited for the playback of interactive shell activity, but some aspects of the recording cannot be translated into asciicast. For example, if an SSH session uses the RemoteCommand option, or is used to exec a command, the command is not displayed in the asciicast. The output of the command may be displayed, though.

If you use SSH for something other than an interactive shell, such as for file transfer, X11 forwarding, or port forwarding, Boundary does not attempt to create an asciicast.

In all cases, the SSH session is still recorded in the BSR file and you can view the BSR file in the external storage bucket.

Cleanup and teardown

Stop the openssh-server, minio, and boundary-enterprise worker containers.
Open the Docker Desktop app and locate the containers used in this tutorial. These include:
- openssh-server
- minio
- hashicorp/boundary-enterprise
Click the trash icon next to each, and confirm to stop and remove them.
Alternatively, open a shell session and destroy each container individually:
```
$ docker rm -f openssh-server
```

Destroy the Boundary resources.

Note

Recall that Boundary storage bucket lifecycle management is still under development. In order to prevent unintentional loss of session recordings, orgs that contain storage buckets with recordings cannot currently be deleted. When destroying your Boundary resources, you will receive an error if you attempt to delete the storage bucket, or the scopes that contain the bucket, without deleting the recordings from the bucket first.

From the Admin Console Web UI, destroy the following resources:

Session recordings
Target
Storage bucket
Org (also deletes credential store)
Boundary worker

Orgs cannot be deleted until the session recordings they contain are deleted.

To delete a recording, it must have a storage policy applied that allows deletion. By default, a recording has its retention policy set to Forever.

Create a new session recording retention policy that allows for deletion.

Select the ssh-recording-org org from the top navigation bar.
Select Storage Policies from the left navigation panel. Click Create a new storage policy.
Fill in the form details:
- Name: do-not-retain
- Description: delete after 1 day
- Retention Policy: Do not protect, allow deletion at any time
- Deletion Policy: Custom
- Delete after: 1 days
Click Save.
Add the storage policy to the org.
From the left navigation panel, select Org Settings.
Click Add Storage Policy.
From the Add Storage Policy page, select the do-not-retain policy. Click Save.
Re-apply the storage policy to the session recording.
Navigate back to the Global scope and select Session Recordings from the left navigation panel.
Open a recording by clicking on View next to the recording. Under the Manage dropdown, select Re-apply storage policy.
Delete the session recording.
Click the Manage dropdown again, then select Delete recording and confirm the operation by clicking OK.
Follow this process for any remaining recordings.
Delete the target resource, or disable session recording for it. A storage bucket cannot be deleted if a target is configured to save sessions to it.
Storage buckets cannot currently be cleaned up within the UI. Switch to the CLI tab to delete the storage bucket, and then use the UI to continue cleanup.
Continue deleting the other resources.

Clean up the following Boundary resources:

Session recordings
Target
Storage bucket
Org (also deletes credential store)
Boundary worker

Orgs cannot be deleted until the session recordings they contain are deleted.

To delete a recording, it must have a storage policy applied that allows deletion. By default, a recording has its retention policy set to Forever.

Create a new session recording retention policy that allows for deletion, then delete the session recordings.

Create a new storage policy in the ssh-recording-org that sets retention to 0 days, and deletes recordings after 1 day.

$ boundary policies create storage \
  -name do-not-retain \
  -description 'delete after 1 day' \
  -scope-id $ORG_ID \
  -retain-for-days 0 \
  -delete-after-days 1

Copy the storage policy ID (such as pst_EmhvwISAec). Then attach the storage policy to the org.

$ boundary scopes attach-storage-policy \
  -id $ORG_ID \
  -storage-policy-id pst_EmhvwISAec

Re-apply the storage policy to a session recording.

Read the details of an existing session recording.

List the session recordings in the ssh-recording-org.

$ boundary session-recordings list -scope-id $ORG_ID

Session Recording information:
  ID:                    sr_TF3tuvZJoj
    Session ID:          s_EARppWYAOv
    Storage Bucket ID:   sb_vzUMCqf6K0
    Created Time:        Thu, 05 Sep 2024 11:38:16 MDT
    Updated Time:        Thu, 05 Sep 2024 12:12:24 MDT
    Start Time:          Thu, 05 Sep 2024 11:38:16 MDT
    End Time:            Thu, 05 Sep 2024 11:38:31 MDT
    Type:                ssh
    State:               available
    Retain Until:        Forever
    Authorized Actions:
      reapply-storage-policy
      no-op
      read
      download
      delete

Copy the ID of the recording and read its details.

$ boundary session-recordings read -id sr_TF3tuvZJoj

Session Recording information:
  Bytes Down:           141
  Bytes Up:             24
  Created Time:         Thu, 05 Sep 2024 11:38:16 MDT
  Duration (Seconds):   15.273479
  Endpoint:             ssh://127.0.0.1:2222
  ID:                   sr_TF3tuvZJoj
  Retain Until:         Forever
  Scope ID:             o_PI6UJeyjus
  Session ID:           s_EARppWYAOv
  Start Time:           Thu, 05 Sep 2024 11:38:16 MDT
  State:                available
  Storage Bucket ID:    sb_vzUMCqf6K0
  Type:                 ssh
  Updated Time:         Thu, 05 Sep 2024 11:38:31 MDT

  Scope:
    ID:                 o_PI6UJeyjus
    Name:               ssh-recording-org
    Parent Scope ID:    global
    Type:               org

  Authorized Actions:
    read
    download
    delete
    reapply-storage-policy
    no-op

  User Info:
    Description:         Global admin user
    ID:                  u_Jr4X5wDEvs
    Name:                admin_user
    Scope:
      ID:                global
      Name:              global
      Type:              global

  Target Info:
    Default Port:               2222
    Egress Worker Filter:       "openssh" in "/tags/type"
    ID:                         tssh_ogra1crcMZ
    Name:                       openssh-target
    Session Connection Limit:   -1
    Session Max Seconds:        28800
    Scope:
      ID:                       p_iZCOgTKEa7
      Name:                     ssh_recording_project
      Parent Scope ID:          o_PI6UJeyjus
      Type:                     project

  Credentials:
    ID:                credup_4N9174DKNt
    Name:              openssh credentials
    Purpose:           injected_application
    Type:              username_password
    Username:          admin

    Credential Store:
      ID:                csst_b5Xsw6TnCA
      Name:              SSH Credentials
      Scope ID:          p_iZCOgTKEa7
      Type:              static


  Connections Recordings:
    Bytes Down:         141
    Bytes Up:           24
    Created Time:       Thu, 05 Sep 2024 11:38:17 MDT
    Duration (Seconds): 12.171847
    End Time:           Thu, 05 Sep 2024 11:38:29 MDT
    ID:                 cr_281bdAx1XL
    Start Time:         Thu, 05 Sep 2024 11:38:17 MDT
    Updated Time:       Thu, 05 Sep 2024 11:38:29 MDT


    Channel Recordings:
      Bytes Down:         141
      Bytes Up:           24
      Created Time:       Thu, 05 Sep 2024 11:38:29 MDT
      Duration (Seconds): 11.640203
      End Time:           Thu, 05 Sep 2024 11:38:29 MDT
      ID:                 chr_fIcsKIhxpt
      Mime Types:         application/x-asciicast
      Start Time:         Thu, 05 Sep 2024 11:38:17 MDT
      Updated Time:       Thu, 05 Sep 2024 11:38:29 MDT

Notice the Retain until: Forever attribute in the output.

Now re-apply the new do-not-retain policy.

$ boundary session-recordings reapply-storage-policy -id sr_TF3tuvZJoj

Session Recording information:
  Bytes Down:           141
  Bytes Up:             24
  Created Time:         Thu, 05 Sep 2024 11:38:16 MDT
  Delete After:         Fri, 06 Sep 2024 11:38:31 MDT
  Duration (Seconds):   15.273479
  Endpoint:             ssh://127.0.0.1:2222
  ID:                   sr_TF3tuvZJoj
  Scope ID:             o_PI6UJeyjus
  Session ID:           s_EARppWYAOv
  Start Time:           Thu, 05 Sep 2024 11:38:16 MDT
  State:                available
  Storage Bucket ID:    sb_vzUMCqf6K0
  Type:                 ssh
  Updated Time:         Thu, 05 Sep 2024 11:38:31 MDT

  Scope:
    ID:                 o_PI6UJeyjus
    Name:               ssh-recording-org
    Parent Scope ID:    global
    Type:               org

  Authorized Actions:
    no-op
    read
    download
    delete
    reapply-storage-policy

  User Info:
    Description:         Global admin user
    ID:                  u_Jr4X5wDEvs
    Name:                admin_user
    Scope:
      ID:                global
      Name:              global
      Type:              global

  Target Info:
    Egress Worker Filter:       "openssh" in "/tags/type"
    ID:                         tssh_ogra1crcMZ
    Name:                       openssh-target
    Session Connection Limit:   -1
    Session Max Seconds:        28800
    Scope:
      ID:                       p_iZCOgTKEa7
      Name:                     ssh_recording_project
      Parent Scope ID:          o_PI6UJeyjus
      Type:                     project

  Credentials:
    ID:                credup_4N9174DKNt
    Name:              openssh credentials
    Purpose:           injected_application
    Type:              username_password

    Credential Store:
      ID:                csst_b5Xsw6TnCA
      Name:              SSH Credentials
      Scope ID:          p_iZCOgTKEa7
      Type:              static


  Connections Recordings:
    Bytes Down:         141
    Bytes Up:           24
    Created Time:       Thu, 05 Sep 2024 11:38:17 MDT
    Duration (Seconds): 12.171847
    End Time:           Thu, 05 Sep 2024 11:38:29 MDT
    ID:                 cr_281bdAx1XL
    Start Time:         Thu, 05 Sep 2024 11:38:17 MDT
    Updated Time:       Thu, 05 Sep 2024 11:38:29 MDT


    Channel Recordings:
      Bytes Down:         141
      Bytes Up:           24
      Created Time:       Thu, 05 Sep 2024 11:38:29 MDT
      Duration (Seconds): 11.640203
      End Time:           Thu, 05 Sep 2024 11:38:29 MDT
      ID:                 chr_fIcsKIhxpt
      Mime Types:         application/x-asciicast
      Start Time:         Thu, 05 Sep 2024 11:38:17 MDT
      Updated Time:       Thu, 05 Sep 2024 11:38:29 MDT

The Delete After line should now be set for 1 day after the date listed for the Created Time.

Read the recording details again.

$ boundary session-recordings read -id sr_TF3tuvZJoj

Session Recording information:
  Bytes Down:           141
  Bytes Up:             24
  Created Time:         Thu, 05 Sep 2024 11:38:16 MDT
  Delete After:         Fri, 06 Sep 2024 11:38:31 MDT
  Duration (Seconds):   15.273479
  Endpoint:             ssh://127.0.0.1:2222
  ID:                   sr_TF3tuvZJoj
  Scope ID:             o_PI6UJeyjus
  Session ID:           s_EARppWYAOv
  Start Time:           Thu, 05 Sep 2024 11:38:16 MDT
  State:                available
  Storage Bucket ID:    sb_vzUMCqf6K0
  Type:                 ssh
  Updated Time:         Thu, 05 Sep 2024 11:38:31 MDT

  Scope:
    ID:                 o_PI6UJeyjus
    Name:               ssh-recording-org
    Parent Scope ID:    global
    Type:               org

  Authorized Actions:
    read
    download
    delete
    reapply-storage-policy
    no-op

  User Info:
    Description:         Global admin user
    ID:                  u_Jr4X5wDEvs
    Name:                admin_user
    Scope:
      ID:                global
      Name:              global
      Type:              global

  Target Info:
    Default Port:               2222
    Egress Worker Filter:       "openssh" in "/tags/type"
    ID:                         tssh_ogra1crcMZ
    Name:                       openssh-target
    Session Connection Limit:   -1
    Session Max Seconds:        28800
    Scope:
      ID:                       p_iZCOgTKEa7
      Name:                     ssh_recording_project
      Parent Scope ID:          o_PI6UJeyjus
      Type:                     project

  Credentials:
    ID:                credup_4N9174DKNt
    Name:              openssh credentials
    Purpose:           injected_application
    Type:              username_password
    Username:          admin

    Credential Store:
      ID:                csst_b5Xsw6TnCA
      Name:              SSH Credentials
      Scope ID:          p_iZCOgTKEa7
      Type:              static


  Connections Recordings:
    Bytes Down:         141
    Bytes Up:           24
    Created Time:       Thu, 05 Sep 2024 11:38:17 MDT
    Duration (Seconds): 12.171847
    End Time:           Thu, 05 Sep 2024 11:38:29 MDT
    ID:                 cr_281bdAx1XL
    Start Time:         Thu, 05 Sep 2024 11:38:17 MDT
    Updated Time:       Thu, 05 Sep 2024 11:38:29 MDT


    Channel Recordings:
      Bytes Down:         141
      Bytes Up:           24
      Created Time:       Thu, 05 Sep 2024 11:38:29 MDT
      Duration (Seconds): 11.640203
      End Time:           Thu, 05 Sep 2024 11:38:29 MDT
      ID:                 chr_fIcsKIhxpt
      Mime Types:         application/x-asciicast
      Start Time:         Thu, 05 Sep 2024 11:38:17 MDT
      Updated Time:       Thu, 05 Sep 2024 11:38:29 MDT

The Delete after line should now show the same date from the storage policy re-application. You can now delete the session recording.

Delete the session recordings.

$ boundary session-recordings delete -id sr_TF3tuvZJoj
The delete operation completed successfully.

Complete this process for all the session recordings in the org.

Delete the target, or disable session recording for it. A storage bucket cannot be deleted if a target is configured to save sessions to it.
```
$ boundary targets delete -id $TARGET_ID
```

Now you can continue cleaning up the other resources.

Next, delete the storage bucket.

$ boundary storage-buckets delete -id $STORAGE_BUCKET_ID

Now you can safely delete the org, which also deletes the credential store.
```
$ boundary scopes delete -id $ORG_ID
```

Delete the Boundary workers.

First, list the workers.

$ boundary workers list

Worker information:
  ID:                        w_NdnBI7xXKC
    Version:                 1
    Name:                    hcp-managed-worker-0
    Address:
    bf816161-7f49-eb18-fd2d-38f68c66b713.proxy.boundary.hashicorp.cloud:9202
    ReleaseVersion:          Boundary v0.17.0+ent
    Last Status Time:        Tue, 13 Aug 2024 21:20:47 UTC
    Directly Connected Downstream Workers:
      w_IPfR7jBVri
    Authorized Actions:
      add-worker-tags
      set-worker-tags
      remove-worker-tags
      no-op
      read

  ID:                        w_IPfR7jBVri
    Version:                 1
    Address:                 minio-worker:9202
    ReleaseVersion:          Boundary v0.17.0+ent
    Last Status Time:        Tue, 13 Aug 2024 21:20:49 UTC
    Authorized Actions:
      add-worker-tags
      set-worker-tags
      remove-worker-tags
      no-op
      read
      update
      delete
...
... more output ...
...

Copy the ID of the worker created for this tutorial and delete it.

Example:

$ boundary workers delete -id w_IPfR7jBVri
The delete operation completed successfully

To clean up the environment, a storage policy needs to be created, and a dependency placed on the storage bucket.

Orgs cannot be deleted until the session recordings they contain are deleted.

To delete a recording, it must have a storage policy applied that allows deletion. By default, a recording has its retention policy set to Forever.

Create a new session recording retention policy that allows for deletion, then delete the session recordings.

Add the boundary_policy_storage resource to the boundary.tf file. Set the retain_for_days to 0 and delete_after_days to 1.

learn-boundary-session-rec-minio/boundary.tf

resource "boundary_policy_storage" "ssh_recordings" {
  name              = "do-not-retain"
  description       = "delete after 1 day"
  scope_id          = boundary_scope.ssh_org.id
  retain_for_days   = 0
  delete_after_days = 1
}

Now add a dependency on the storage bucket to the boundary_target resource using Terraform's depends_on meta argument.

learn-boundary-session-rec-minio/boundary.tf

resource "boundary_target" "openssh_target" {
  name         = "openssh-target"
  description  = "SSH target"
  type         = "ssh"
  address      = "127.0.0.1"
  default_port = "2222"
  scope_id     = boundary_scope.ssh_recording_project.id
  egress_worker_filter     = "\"openssh\" in \"/tags/type\""
  injected_application_credential_source_ids = [
    boundary_credential_username_password.openssh_creds.id
  ]
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.minio_bucket.id
  depends_on = [
    boundary_storage_bucket.minio_bucket
  ]
}

Using depends_on ensures that the target, which must have recording disabled to delete the storage bucket, is cleaned up first.

Execute terraform destroy and pass in the tfvars file to clean up the Boundary resources. Enter yes when prompted to confirm the deletion.

$ terraform destroy -var-file="boundary.tfvars"

This will produce an error when attempting to delete the storage bucket resource, and the scopes containing the storage bucket will not be deleted.

This is because scopes cannot be deleted until the session recordings they contain are deleted. Terraform cannot currently manage session recordings.

To finish cleaning up the lab resources, open the UI or CLI tab and follow the instructions for removing the session recordings. Then finish removing the storage bucket and org to complete the cleanup.

Unset the environment variables used in any active terminal windows for this tutorial.

$ unset BOUNDARY_ADDR; \
  unset BOUNDARY_AUTH_METHOD_ID; \
  unset BOUNDARY_USERNAME; \
  unset BOUNDARY_PASSWORD; \
  unset MINIO_ADDR; \
  unset MINIO_BUCKET_NAME; \
  unset MINIO_ACCESS_KEY_ID; \
  unset MINIO_SECRET_ACCESS_KEY

Help and reference

Collection Overview

Host management

Session recording with AWS and Vault

This tutorial also appears in:

5 tutorials

Boundary Enterprise
Learn operational tasks specific to creating and operating a Boundary Enterprise environment.
- Boundary