Custom Session Duration (#9)

5e45e47c · Conor Maher · Anton Babenko · eaf730b8 · 5e45e47c · 5e45e47c
Commit 5e45e47c authored May 28, 2018 by Conor Maher Committed by Anton Babenko May 28, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 6 deletions

main.tf modules/iam-assumable-roles/main.tf +9 -6

variables.tf modules/iam-assumable-roles/variables.tf +5 -0

No files found.
--- a/modules/iam-assumable-roles/main.tf
+++ b/modules/iam-assumable-roles/main.tf
@@ -40,8 +40,9 @@ data "aws_iam_policy_document" "assume_role_with_mfa" {
 resource "aws_iam_role" "admin" {
  count = "${var.create_admin_role ? 1 : 0}"

-  name = "${var.admin_role_name}"
-  path = "${var.admin_role_path}"
+  name                 = "${var.admin_role_name}"
+  path                 = "${var.admin_role_path}"
+  max_session_duration = "${var.max_session_duration}"

  assume_role_policy = "${var.admin_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
 }
@@ -64,8 +65,9 @@ resource "aws_iam_role_policy_attachment" "poweruser" {
 resource "aws_iam_role" "poweruser" {
  count = "${var.create_poweruser_role ? 1 : 0}"

-  name = "${var.poweruser_role_name}"
-  path = "${var.poweruser_role_path}"
+  name                 = "${var.poweruser_role_name}"
+  path                 = "${var.poweruser_role_path}"
+  max_session_duration = "${var.max_session_duration}"

  assume_role_policy = "${var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
 }
@@ -81,8 +83,9 @@ resource "aws_iam_role_policy_attachment" "readonly" {
 resource "aws_iam_role" "readonly" {
  count = "${var.create_readonly_role ? 1 : 0}"

-  name = "${var.readonly_role_name}"
-  path = "${var.readonly_role_path}"
+  name                 = "${var.readonly_role_name}"
+  path                 = "${var.readonly_role_path}"
+  max_session_duration = "${var.max_session_duration}"

  assume_role_policy = "${var.readonly_role_requires_mfa ?  data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
 }
--- a/modules/iam-assumable-roles/variables.tf
+++ b/modules/iam-assumable-roles/variables.tf
@@ -85,3 +85,8 @@ variable "readonly_role_policy_arn" {
  description = "Policy ARN to use for admin role"
  default     = "arn:aws:iam::aws:policy/ReadOnlyAccess"
 }
+
+variable "max_session_duration" {
+  description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
+  default     = 3600
+}