diff --git a/website/content/docs/configuration/session-recording/configure-storage-policy.mdx b/website/content/docs/configuration/session-recording/configure-storage-policy.mdx index ad7e26eb50..6b924097d0 100644 --- a/website/content/docs/configuration/session-recording/configure-storage-policy.mdx +++ b/website/content/docs/configuration/session-recording/configure-storage-policy.mdx @@ -7,7 +7,7 @@ description: |- # Configure storage bucket policies -This feature requires HCP Boundary or Boundary Enterprise +This feature requires HCP Boundary Plus or Boundary Enterprise As of Boundary 0.15.0, retention policies can codify storage bucket lifecycle management for [session recordings][]. A Boundary resource known as a [storage bucket][] is used to store recorded sessions. @@ -100,6 +100,25 @@ Complete the following steps to create a storage policy in Boundary for session - `delete-after-days`: (Optional) The number of days after creation when a session recording should be deleted. - `delete-after-overridable`: (Optional) Indicates that a lower scope can override the `delete_after_days` attribute value. Defaults to `true`. + + + +Apply the following Terraform policy: + +```hcl +resource "boundary_policy_storage" "example" { + name = "soc2-policy" + description = "SOC 2 compliant storage policy for session recordings" + scope_id = data.boundary_scope.org.id + + retain_for_days = 2557 + retain_for_overridable = false + + delete_after_days = 2657 + delete_after_overridable = true +} +``` + @@ -220,6 +239,18 @@ The following example applies the policy created above to an org named `prod-dat -storage-policy-id pst_WZ3SQSSYJY ``` + + + +Apply the following Terraform policy: + +```hcl +resource "boundary_scope_policy_attachment" "example" { + policy_id = boundary_policy_storage.example.id + scope_id = data.boundary_scope.org.id +} +``` + 
@@ -665,4 +696,4 @@ After the storage policy is configured in Boundary, new recordings within the ap [storage bucket]: /boundary/docs/concepts/domain-model/storage-buckets [storage policy]: /boundary/docs/concepts/domain-model/storage-policy -[session recordings]: /boundary/docs/concepts/domain-model/session-recordings \ No newline at end of file +[session recordings]: /boundary/docs/concepts/domain-model/session-recordings diff --git a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx index e8e7c717b5..6ad1fdf5b9 100644 --- a/website/content/docs/configuration/session-recording/create-storage-bucket.mdx +++ b/website/content/docs/configuration/session-recording/create-storage-bucket.mdx @@ -7,7 +7,7 @@ description: |- # Create a storage bucket -This feature requires HCP Boundary or Boundary Enterprise +This feature requires HCP Boundary Plus or Boundary Enterprise User sessions can be recorded and audited using Boundary 0.13 or greater. A Boundary resource known as a [storage bucket](/boundary/docs/concepts/domain-model/storage-buckets) is used to store the recorded sessions. The storage bucket represents a bucket in an external storage provider. @@ -67,7 +67,6 @@ Complete the following steps to create a storage bucket in Boundary. After rotation, only Boundary knows the client secret the plugin uses. - - **Role ARN**: (Required) The ARN (Amazon Resource Name) role that is attached to the EC2 instance that the self-managed worker runs on. @@ -96,6 +95,12 @@ The required fields for creating a storage bucket depend on whether you configur + + + The preferred way to authenticate to the S3 bucket is by using dynamic credentials. The example below uses static credentials instead. + + + 1. Log in to Boundary. 1. Use the following command to create a storage bucket in Boundary: 
@@ -164,6 +169,76 @@ The required fields for creating a storage bucket depend on whether you configur + + + +The HCL code for creating a storage bucket is different depending on whether you configured the AWS S3 bucket with static or dynamic credentials. + + + + + + + The preferred way to authenticate to the S3 bucket is by using dynamic credentials. The code below uses static credentials instead. + + + +Apply the following Terraform policy: + +```hcl +resource "boundary_storage_bucket" "aws_static_credentials_example" { + name = "My aws storage bucket with static credentials" + description = "My first storage bucket" + scope_id = "o_1234567890" + plugin_name = "aws" + bucket_name = "mybucket1" + attributes_json = jsonencode({ "region" = "us-east-1" }) + + # recommended to pass in aws secrets using a file() or using environment variables + # the secrets below must be generated in aws using an iam user with programmatic access + secrets_json = jsonencode({ + "access_key_id" = "aws_access_key_id_value", + "secret_access_key" = "aws_secret_access_key_value" + }) + worker_filter = "\"dev\" in \"/tags/type\"" +} + +output "storage_bucket_id" { + value = boundary_storage_bucket.aws_static_credentials_example.id +} +``` + + + + +Apply the following Terraform policy: + +```hcl +resource "boundary_storage_bucket" "aws_dynamic_credentials_example" { + name = "My aws storage bucket with dynamic credentials" + description = "My first storage bucket" + scope_id = "o_1234567890" + plugin_name = "aws" + bucket_name = "mybucket1" + + # the role_arn value should be the same arn used in the instance profile attached to the ec2 instance + # https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html + attributes_json = jsonencode({ + "region" = "us-east-1" + "role_arn" = "arn:aws:iam::123456789012:role/S3Access" + "disable_credential_rotation" = true + }) + worker_filter = "\"dev\" in \"/tags/type\"" +} + +output "storage_bucket_id" { + value 
= boundary_storage_bucket.aws_dynamic_credentials_example.id +} +``` + + + + diff --git a/website/content/docs/configuration/session-recording/enable-session-recording.mdx b/website/content/docs/configuration/session-recording/enable-session-recording.mdx index d0f76d1954..5934d9054f 100644 --- a/website/content/docs/configuration/session-recording/enable-session-recording.mdx +++ b/website/content/docs/configuration/session-recording/enable-session-recording.mdx @@ -7,7 +7,7 @@ description: |- # Enable session recording on a target -This feature requires HCP Boundary or Boundary Enterprise +This feature requires HCP Boundary Plus or Boundary Enterprise You must enable session recording for any targets that you want to record sessions on. When you [create a storage bucket](/boundary/docs/configuration/session-recording/create-storage-bucket), Boundary provides you with an ID. @@ -56,15 +56,15 @@ The following setting is required for session recording: 1. Click **Save**. - + 1. Log in to Boundary. 1. Do one of the following: - To enable an existing SSH target for session recording, run the following commmand: - ```bash - boundary targets update ssh -scope-id p_1234567890 -id tssh_1234567890 -enable-session-recording true -storage-bucket-id sb_1234567890 + ```shell-session + $ boundary targets update ssh -scope-id p_1234567890 -id tssh_1234567890 -enable-session-recording true -storage-bucket-id sb_1234567890 ``` Make sure to add the `-enable-session-recording true` flag to turn on session recording for the target. 
@@ -72,8 +72,8 @@ The following setting is required for session recording: - To create a new target and enable it for session recording, run the following command: - ```bash - boundary targets create ssh -scope-id p_1234567890 -default -port 22 -name test1 -address 99.12.345.67 -enable-session-recording true -storage-bucket-id sb_1234567890 + ```shell-session + $ boundary targets create ssh -scope-id p_1234567890 -default -port 22 -name test1 -address 99.12.345.67 -enable-session-recording true -storage-bucket-id sb_1234567890 ``` Make sure to add the `-enable-session-recording true` flag to turn on session recording for the target. @@ -82,6 +82,27 @@ The following setting is required for session recording: You can now view the target from the **Targets** page in the Boundary console. + + + +Apply the following Terraform policy: + +```hcl +resource "boundary_target" "address_foo" { + name = "address_foo" + description = "Foo target with an address" + type = "tcp" + default_port = "22" + scope_id = boundary_scope.project.id + address = "127.0.0.1" + + # Add the next two lines to an existing target to enable session recording. + # Modify the value of storage_bucket_id as appropriate + enable_session_recording = true + storage_bucket_id = boundary_storage_bucket.aws_example.id +} +``` + diff --git a/website/content/docs/configuration/session-recording/index.mdx b/website/content/docs/configuration/session-recording/index.mdx index b2a4dd652e..857b30c52a 100644 --- a/website/content/docs/configuration/session-recording/index.mdx +++ b/website/content/docs/configuration/session-recording/index.mdx @@ -7,7 +7,7 @@ description: |- # Overview -This feature requires HCP Boundary or Boundary Enterprise +This feature requires HCP Boundary Plus or Boundary Enterprise Boundary provides auditing capabilities using a feature called session recording. 
diff --git a/website/content/docs/configuration/session-recording/update-storage-policy.mdx b/website/content/docs/configuration/session-recording/update-storage-policy.mdx index 38495d708b..febda9084e 100644 --- a/website/content/docs/configuration/session-recording/update-storage-policy.mdx +++ b/website/content/docs/configuration/session-recording/update-storage-policy.mdx @@ -7,7 +7,7 @@ description: |- # Update storage bucket policies -This feature requires HCP Boundary or Boundary Enterprise +This feature requires HCP Boundary Plus or Boundary Enterprise A [storage policy][] codifies [storage bucket][] lifecycle management for [session recordings][]. @@ -35,7 +35,7 @@ The policies mentioned here demonstrate how to apply an updated storage policy t ## Storage policy changes -A storage policy defines how long the recording within a scope should retain its session recordings. +A storage policy defines how long the recording within a scope should retain its session recordings. Over time, you may update storage policies to reflect new organizational requirements, compliance changes, or cost management strategies. While updated policies automatically apply to new session recordings within the scopes associated with that policy, existing recordings maintain the previous policies unless you apply the new policy directly to those recordings. @@ -112,6 +112,25 @@ The following is an example of updating the `soc2-policy` policy. -delete-after-overridable false ``` + + + +Due to the declarative nature of Terraform, you update policies by modifying your existing Terraform configuration. To perform the requested changes, update your existing block of code as shown below, and then execute `terraform apply`. + +```hcl +resource "boundary_policy_storage" "example" { + name = "soc2-policy" + v2" + scope_id = data.boundary_scope.org.id + + retain_for_days = 2557 + retain_for_overridable = false + + delete_after_days = 2757 + delete_after_overridable = false +} +``` + 
@@ -262,6 +281,11 @@ In the event that an updated policy should be retroactively applied to existing Verify that the `Delete After` attribute reflects the updated storage policy. + + + +Once the policy changes have been applied with Terraform, you can reapply the policy as needed by following the CLI instructions in this section. + @@ -323,4 +347,4 @@ Existing session recordings will maintain their existing storage policy attribut [storage bucket]: /boundary/docs/concepts/domain-model/storage-buckets [storage policy]: /boundary/docs/concepts/domain-model/storage-policy -[session recordings]: /boundary/docs/concepts/domain-model/session-recordings \ No newline at end of file +[session recordings]: /boundary/docs/concepts/domain-model/session-recordings
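Review bot: "Apply the following Terraform policy:" in the configure-storage-policy.mdx hunk (and the same lead-in before the policy attachment, storage bucket and target examples) calls a Terraform configuration a "policy", which is confusing on pages where "policy" means a Boundary storage policy; suggest "Apply the following Terraform configuration:" throughout. The `boundary_policy_storage` and `boundary_scope_policy_attachment` examples also reference `data.boundary_scope.org.id` without showing that data source, while the storage bucket examples on the next page hard-code `scope_id = "o_1234567890"`; picking one convention, or adding a one-line note on where `data.boundary_scope.org` comes from, would make the pages read as one sequence.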
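Review bot: the static-credentials `boundary_storage_bucket` example in the create-storage-bucket.mdx hunk embeds the AWS access key pair directly in `secrets_json`, and the comment only recommends `file()` or environment variables; whichever way the values are supplied, Terraform stores resource attributes in state, so the state backend needs encryption and access control, and that should be stated next to the example. Suggest replacing the literal values with variables marked `sensitive = true`, e.g. `"access_key_id" = var.aws_access_key_id`, and adding one sentence about protecting state, so readers do not copy the placeholders as shown.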
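Review bot: the `boundary_target` example in the enable-session-recording.mdx hunk references `boundary_storage_bucket.aws_example.id`, but the storage bucket examples added in create-storage-bucket.mdx are named `aws_static_credentials_example` and `aws_dynamic_credentials_example`, so a reader who follows the pages in order gets an unresolved reference; use one of those names or state that `aws_example` is a placeholder. In the same hunk the CLI commands operate on SSH targets (`boundary targets update ssh` / `boundary targets create ssh`) while the Terraform example declares `type = "tcp"`; `type = "ssh"` would match the surrounding instructions.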
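Review bot: the `boundary_policy_storage` block in the update-storage-policy.mdx hunk is not valid HCL as it appears here: `name = "soc2-policy"` is followed by a bare `v2"` fragment on its own line, so `terraform apply` would fail to parse the block. The fragment looks like the tail of a dropped attribute (the matching example in configure-storage-policy.mdx has a `description` in that position); restore the full attribute line or remove the fragment before merging.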
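Review bot: under "## Storage policy changes" in the update-storage-policy.mdx hunk the removed and added lines read identically ("A storage policy defines how long the recording within a scope should retain its session recordings."), so the change is presumably whitespace only; since the line is being touched anyway, fix the sentence, which currently says a recording retains recordings, to something like "A storage policy defines how long a scope should retain its session recordings."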