[feature] Allow overwriting the IAM Role max session duration (#208)
### Summary
Allows us to overwrite the IAM role max_role session duration.

### Test Plan


### References
Eduardo Lopez authored Jun 30, 2020
1 parent 1fe821e commit fe0d030
Showing 7 changed files with 26 additions and 9 deletions.
1 change: 1 addition & 0 deletions aws-iam-role-crossacct/README.md
Expand Up @@ -32,6 +32,7 @@ No requirements.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| iam\_path | The IAM path to put this role in. | `string` | `"/"` | no |
| max\_session\_duration | The maximum session duration (in seconds) for the role. | `number` | `3600` | no |
| oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. | <pre>list(object(<br> {<br> idp_arn : string, # the AWS IAM IDP arn<br> client_ids : list(string), # a list of oidc client ids<br> provider : string # your provider url, such as foo.okta.com<br> }<br> ))</pre> | `[]` | no |
| role\_name | The name of the role. | `string` | n/a | yes |
| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
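Review bot: The new `max_session_duration` row documents the default (`3600`) but not the bounds the service accepts; IAM only allows a role's MaxSessionDuration between 3600 and 43200 seconds (1 to 12 hours) and rejects anything else at apply time, so the description would be more useful as "The maximum session duration (in seconds) for the role; must be between 3600 and 43200."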
9 changes: 5 additions & 4 deletions aws-iam-role-crossacct/main.tf
Expand Up @@ -61,10 +61,11 @@ data "aws_iam_policy_document" "assume-role" {
}

resource "aws_iam_role" "role" {
name = var.role_name
path = var.iam_path
assume_role_policy = data.aws_iam_policy_document.assume-role.json
tags = var.tags
name = var.role_name
path = var.iam_path
assume_role_policy = data.aws_iam_policy_document.assume-role.json
tags = var.tags
max_session_duration = var.max_session_duration

# We have to force detach policies in order to recreate roles.
# The other option would be to use name_prefix and create_before_destroy, but that
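Review bot: `max_session_duration = var.max_session_duration` is appended after `tags` here, while the same commit inserts it before `tags` in the poweruser module's `aws_iam_role`; pick one ordering for both modules so the two resources keep the same attribute layout and future diffs line up. Since this is the cross-account role, it is also worth a comment that a longer session extends how long an assumed-role credential stays usable, so callers should raise it deliberately rather than by default.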
7 changes: 7 additions & 0 deletions aws-iam-role-crossacct/variables.tf
Expand Up @@ -44,3 +44,10 @@ variable tags {
default = {}
description = "A map of tags to assign this IAM Role."
}


variable max_session_duration {
type = number
default = 60 * 60 // 1 hour
description = "The maximum session duration (in seconds) for the role."
}
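Review bot: Nothing bounds the new variable, so an out-of-range value (for example `0` or `86400`) is only caught when the AWS API rejects the role during apply; a `validation` block with `condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200` and a matching `error_message` would surface the mistake at plan time. Minor: there are two blank lines before `variable max_session_duration {` where the rest of the file uses one.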
1 change: 1 addition & 0 deletions aws-iam-role-poweruser/README.md
Expand Up @@ -33,6 +33,7 @@ No requirements.
|------|-------------|------|---------|:--------:|
| authorize\_iam | Indicates if we should augment the PowerUserAccess policy with certain IAM actions. | `bool` | `true` | no |
| iam\_path | n/a | `string` | `"/"` | no |
| max\_session\_duration | The maximum session duration (in seconds) for the role. | `number` | `3600` | no |
| oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. | <pre>list(object(<br> {<br> idp_arn : string, # the AWS IAM IDP arn<br> client_ids : list(string), # a list of oidc client ids<br> provider : string # your provider url, such as foo.okta.com<br> }<br> ))</pre> | `[]` | no |
| role\_name | n/a | `string` | `"poweruser"` | no |
| saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
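Review bot: As in the crossacct README, the `max_session_duration` description omits the 3600 to 43200 second range IAM allows; add it here too so both module READMEs stay identical and are regenerated from the same variable description.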
9 changes: 5 additions & 4 deletions aws-iam-role-poweruser/main.tf
Expand Up @@ -61,10 +61,11 @@ data "aws_iam_policy_document" "assume-role" {
}

resource "aws_iam_role" "poweruser" {
name = var.role_name
path = var.iam_path
assume_role_policy = data.aws_iam_policy_document.assume-role.json
tags = var.tags
name = var.role_name
path = var.iam_path
assume_role_policy = data.aws_iam_policy_document.assume-role.json
max_session_duration = var.max_session_duration
tags = var.tags
}

resource "aws_iam_role_policy_attachment" "poweruser" {
6 changes: 6 additions & 0 deletions aws-iam-role-poweruser/variables.tf
Expand Up @@ -45,6 +45,12 @@ variable authorize_iam {
description = "Indicates if we should augment the PowerUserAccess policy with certain IAM actions."
}

variable max_session_duration {
type = number
default = 60 * 60 // 1 hour
description = "The maximum session duration (in seconds) for the role."
}

variable tags {
type = map(string)
default = {}
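Review bot: Same gap as the crossacct variable: no `validation` block restricts the value to the 3600 to 43200 range IAM accepts, so an invalid value only fails at apply time. The block otherwise matches the file's existing unquoted `variable name {` style.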
2 changes: 1 addition & 1 deletion aws-s3-private-bucket/README.md
Expand Up @@ -49,7 +49,7 @@ No requirements.
| bucket\_policy | n/a | `string` | `""` | no |
| enable\_versioning | Keep old versions of overwritten S3 objects. | `bool` | `true` | no |
| env | n/a | `string` | n/a | yes |
| grants | List of objects with the canonical user id and permissions, used when defining the grant acl. | <pre>list(object(<br> {<br> canonical_user_id : string, <br> permissions : list(string), # a list of permissions granted to the AWS account with the canonical user <br> }<br> ))</pre> | `[]` | no |
| grants | A list of canonical user ID to permissions pairs. Used when we want to grant permissions to AWS accounts via the S3 ACL system. | `list(object({ canonical_user_id : string, permissions : list(string) }))` | `[]` | no |
| lifecycle\_rules | List of maps containing configuration of object lifecycle management. | `any` | <pre>[<br> {<br> "enabled": true,<br> "expiration": {<br> "expired_object_delete_marker": true<br> },<br> "noncurrent_version_expiration": {<br> "days": 365<br> },<br> "noncurrent_version_transition": {<br> "days": 30,<br> "storage_class": "STANDARD_IA"<br> }<br> }<br>]</pre> | no |
| owner | n/a | `string` | n/a | yes |
| project | n/a | `string` | n/a | yes |
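Review bot: This hunk is unrelated to the commit's stated purpose: it rewrites the `grants` description and collapses its type from a multi-line `<pre>` block to a single-line `list(object({ canonical_user_id : string, permissions : list(string) }))`, which looks like a README regeneration picked up along the way. Either split it into its own commit or mention it in the Summary so the change history for the S3 module stays searchable.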