From 09dd280e0cbcad8553517c50d42f8214fd795588 Mon Sep 17 00:00:00 2001 From: Scott Guymer Date: Mon, 10 Oct 2022 14:12:32 +0200 Subject: [PATCH] feat: Added max_session_duration configuration for role (#47) * feat: Added max_session_duration configuration for role * Updated docs * Make default null to defer to build in standards --- README.md | 61 +++++++++++++++++++++++++++------------------------- main.tf | 1 + variables.tf | 8 ++++++- 3 files changed, 40 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 3be7d0e..7a650e4 100644 --- a/README.md +++ b/README.md @@ -61,21 +61,21 @@ module "oidc_repo_s3" { Check out the [example](examples/default/README.md) for a full example of using the module. - + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1 | -| [aws](#requirement\_aws) | >= 3 | +| Name | Version | +| ------------------------------------------------------------------------ | ------- | +| [terraform](#requirement_terraform) | >= 1 | +| [aws](#requirement_aws) | >= 3 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 3 | -| [random](#provider\_random) | n/a | +| Name | Version | +| --------------------------------------------------------- | ------- | +| [aws](#provider_aws) | >= 3 | +| [random](#provider_random) | n/a | ## Modules 
@@ -83,33 +83,36 @@ No modules. ## Resources -| Name | Type | -|------|------| -| [aws_iam_role.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | +| Name | Type | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| [aws_iam_role.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.custom](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [random_string.random](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | | [aws_iam_policy_document.github_actions_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [conditions](#input\_conditions) | (Optional) Additonal conditions for checking the OIDC claim. |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | -| [default\_conditions](#input\_default\_conditions) | (Optional) Default condtions to apply, at least one of the following is madatory: 'allow\_main', 'allow\_environment', 'deny\_pull\_request' and 'allow\_all'. | `list(string)` |
[
"allow_main",
"deny_pull_request"
]
| no | -| [github\_environments](#input\_github\_environments) | (Optional) Allow GitHub action to deploy to all (default) or to one of the environments in the list. | `list(string)` |
[
"*"
]
| no | -| [openid\_connect\_provider\_arn](#input\_openid\_connect\_provider\_arn) | Set the openid connect provider ARN when the provider is not managed by the module. | `string` | n/a | yes | -| [repo](#input\_repo) | (Optional) GitHub repository to grant access to assume a role via OIDC. When the repo is set, a role will be created. | `string` | `null` | no | -| [role\_name](#input\_role\_name) | (Optional) role name of the created role, if not provided the `namespace` will be used. | `string` | `null` | no | -| [role\_path](#input\_role\_path) | (Optional) Path for the created role, requires `repo` is set. | `string` | `"/github-actions/"` | no | -| [role\_permissions\_boundary](#input\_role\_permissions\_boundary) | (Optional) Boundary for the created role, requires `repo` is set. | `string` | `null` | no | -| [role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no | +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- | :------: | +| [account_ids](#input_account_ids) | Root users of these Accounts (id) would be given the permissions to assume the role created by this module. | `list(string)` | `[]` | no | +| [conditions](#input_conditions) | (Optional) Additonal conditions for checking the OIDC claim. |
list(object({
test = string
variable = string
values = list(string)
}))
| `[]` | no | +| [default_conditions](#input_default_conditions) | (Optional) Default condtions to apply, at least one of the following is madatory: 'allow_main', 'allow_environment', 'deny_pull_request' and 'allow_all'. | `list(string)` |
[
"allow_main",
"deny_pull_request"
]
| no | +| [github_environments](#input_github_environments) | (Optional) Allow GitHub action to deploy to all (default) or to one of the environments in the list. | `list(string)` |
[
"*"
]
| no | +| [openid_connect_provider_arn](#input_openid_connect_provider_arn) | Set the openid connect provider ARN when the provider is not managed by the module. | `string` | n/a | yes | +| [repo](#input_repo) | (Optional) GitHub repository to grant access to assume a role via OIDC. When the repo is set, a role will be created. | `string` | `null` | no | +| [role_max_session_duration](#input_role_max_session_duration) | Maximum session duration (in seconds) that you want to set for the specified role. | `number` | `null` | no | +| [role_name](#input_role_name) | (Optional) role name of the created role, if not provided the `namespace` will be used. | `string` | `null` | no | +| [role_path](#input_role_path) | (Optional) Path for the created role, requires `repo` is set. | `string` | `"/github-actions/"` | no | +| [role_permissions_boundary](#input_role_permissions_boundary) | (Optional) Boundary for the created role, requires `repo` is set. | `string` | `null` | no | +| [role_policy_arns](#input_role_policy_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no | ## Outputs -| Name | Description | -|------|-------------| -| [conditions](#output\_conditions) | The assume conditions added to the role. | -| [role](#output\_role) | The crated role that can be assumed for the configured repository. | +| Name | Description | +| ----------------------------------------------------------------- | ------------------------------------------------------------------ | +| [conditions](#output_conditions) | The assume conditions added to the role. | +| [role](#output_role) | The crated role that can be assumed for the configured repository. | + ## Contribution diff --git a/main.tf b/main.tf index 732e023..1e2c13a 100644 --- a/main.tf +++ b/main.tf 
@@ -93,6 +93,7 @@ resource "aws_iam_role" "main" {
 path = var.role_path
 permissions_boundary = var.role_permissions_boundary
 assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role_policy[0].json
+ max_session_duration = var.role_max_session_duration
 }
 resource "aws_iam_role_policy_attachment" "custom" {
diff --git a/variables.tf b/variables.tf
index 10d9ff4..5584bf5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -71,8 +71,14 @@ variable "role_policy_arns" {
 default = []
 }
+variable "role_max_session_duration" {
+ description = "Maximum session duration (in seconds) that you want to set for the specified role."
+ type = number
+ default = null
+}
+
 variable "account_ids" {
 description = "Root users of these Accounts (id) would be given the permissions to assume the role created by this module."
 type = list(string)
 default = []
-}
\ No newline at end of file
+}
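Review bot: The new `max_session_duration = var.role_max_session_duration` line in `aws_iam_role.main` carries no comment saying what a null value does or why the cap matters for this particular role. The role is assumed by GitHub Actions through the OIDC assume-role policy referenced on the line above, so raising the cap extends how long a leaked job credential remains usable after the workflow that obtained it has finished. I would add above the new line: `# Cap on role session length; null keeps the AWS default (reportedly 1 hour — confirm against the provider docs). Longer sessions widen the window in which a leaked Actions credential can be replayed.` The `aws_iam_role.main` block starts before this hunk.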
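Review bot: The new `role_max_session_duration` variable accepts any number, but an IAM role's maximum session duration must lie between 3600 and 43200 seconds, so an out-of-range value such as `86400` is rejected only at apply time by the AWS API rather than at plan time. A `validation` block makes `terraform plan` fail early, which is cheap here since the README already pins `terraform >= 1`. The description should also say what `null` means and state the range, e.g. `description = "Maximum session duration (in seconds) for the created role; null keeps the AWS default. Valid range is 3600-43200."`. The variable with the validation added follows; a conditional is used instead of `||` so that a null value is never compared numerically.
```hcl
variable "role_max_session_duration" {
  # … unchanged: description, type, default …

  # AWS only accepts 1 to 12 hours; fail at plan time instead of at apply.
  validation {
    condition     = var.role_max_session_duration == null ? true : (var.role_max_session_duration >= 3600 && var.role_max_session_duration <= 43200)
    error_message = "role_max_session_duration must be between 3600 and 43200 seconds (1 to 12 hours)."
  }
}
```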