Add MaxSesessionDuration to iam_role for federated users #3977
Conversation
ghost
added
size/XXL
stephencoe
changed the title
ghost
added
size/XXL
|
this is my first PR into TF, I am unsure why CI failed 😕 |
|
My recommendation is to split the SDK update into it's own PR first (generally we merge these really fast) |
vendor/vendor.json
Outdated
| @@ -39,884 +39,892 @@ | |||
| "revisionTime": "2017-07-27T15:54:43Z" | |||
| }, | |||
| { | |||
| "checksumSHA1": "y1bmVkrw6lKwgq8z+S3GzO1F5JE=", | |||
| "checksumSHA1": "N+8JQQqczoq0UfwXrcVqqRDcb5E=", | |||
There was a problem hiding this comment.
Did you accidentally govendor the root? I think it'll complain about that. See any of the recent Deps: Bump aws-sdk-go PRs for how it's done (we're hoping to automate this shortly)
There was a problem hiding this comment.
thanks, I will split that out
stephencoe
force-pushed
the
iam_role_mfa_duration
branch
from
4d6ec2e to
df55b62
Compare
ghost
added
size/L
* master: bumping to 1.13.23
aws/resource_aws_iam_role.go
Outdated
| Optional: true, | ||
| Default: 3600, | ||
| ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { | ||
| value := v.(int64) |
There was a problem hiding this comment.
how about replace custom function with existing validation.IntBetween() instead?
There was a problem hiding this comment.
As noted above, this should be updated to ValidateFunc: validation.IntBetween(3600, 43200)
bflad
added
service/iam
There was a problem hiding this comment.
Hi @stephencoe! 👋 Thanks for submitting this! Can you please see the feedback below and let us know if you have any questions or do not have time to implement them?
aws/resource_aws_iam_role.go
Outdated
| if d.HasChange("max_session_duration") { | ||
| roleMaxDurationInput := &iam.UpdateRoleInput{ | ||
| RoleName: aws.String(d.Id()), | ||
| MaxSessionDuration: aws.Int64(d.Get("assume_role_policy").(int64)), |
There was a problem hiding this comment.
This looks like it has two issues:
- Copy-paste typo of which attribute to grab, should be
"max_session_duration" schema.TypeIntreturns a regularint, so I believe this needs to beaws.Int64(int64(d.Get("max_session_duration").(int)))
aws/resource_aws_iam_role.go
Outdated
| } | ||
| _, err := iamconn.UpdateRole(roleMaxDurationInput) | ||
| if err != nil { | ||
| if iamerr, ok := err.(awserr.Error); ok && iamerr.Code() == "NoSuchEntity" { |
There was a problem hiding this comment.
Two notes here:
- This can be simplified and use the SDK provided constant with
if isAWSErr(err, iam.ErrCodeNoSuchEntityException, "") { - The error message needs to be updated
aws/resource_aws_iam_role_test.go
Outdated
| @@ -158,6 +158,40 @@ func TestAccAWSIAMRole_force_detach_policies(t *testing.T) { | |||
| }) | |||
| } | |||
|
|
|||
| func TestAccAWSIAMRole_testMaxSessionDuration(t *testing.T) { | |||
There was a problem hiding this comment.
You can drop the second test before MaxSessionDuration
aws/resource_aws_iam_role_test.go
Outdated
| @@ -261,6 +295,39 @@ func testAccAddAwsIAMRolePolicy(n string) resource.TestCheckFunc { | |||
| } | |||
| } | |||
|
|
|||
| func testMaxSessionDuration(rName string) string { | |||
There was a problem hiding this comment.
The signature here should be:
func testAccCheckIAMRoleConfig_MaxSessionDuration(rName string, maxSessionDuration int) string {Then accept the parameter in the HCL configuration:
max_session_duration = %dSo we can remove the other two test configurations.
| @@ -49,6 +49,8 @@ The following arguments are supported: | |||
| See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_Identifiers.html) for more information. | |||
| * `description` - (Optional) The description of the role. | |||
|
|
|||
| * `max_session_duration` - (Optional) Max duration of a federated role | |||
There was a problem hiding this comment.
This should probably note that the duration is in seconds and defaults to 3600. The SDK documentation sums it up pretty well:
The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
aws/resource_aws_iam_role.go
Outdated
| Optional: true, | ||
| Default: 3600, | ||
| ValidateFunc: func(v interface{}, k string) (ws []string, errors []error) { | ||
| value := v.(int64) |
There was a problem hiding this comment.
As noted above, this should be updated to ValidateFunc: validation.IntBetween(3600, 43200)
aws/resource_aws_iam_role_test.go
Outdated
| resource "aws_iam_role" "role" { | ||
| name = "test-role-%s" | ||
| path = "/" | ||
| max_session_duration = 46800 |
There was a problem hiding this comment.
When the tests are updated, this should test the hard edges of the validation at 43201 and 3599.
aws/resource_aws_iam_role_test.go
Outdated
| ), | ||
| }, | ||
| { | ||
| Config: testMaxSessionDuration_too_long(rName), |
There was a problem hiding this comment.
We expect these configurations to fail, which can be accomplished with:
{
Config: testAccCheckIAMRoleConfig_MaxSessionDuration(rName, 43201),
ExpectError: regexp.MustCompile(`error message here`),
},
|
This will also fix duplicate enhancement request #3969 |
ghost
added
size/M
|
@bflad thanks for the feedback, sorry its not been updated sooner :) |
| @@ -137,6 +145,10 @@ func resourceAwsIamRoleCreate(d *schema.ResourceData, meta interface{}) error { | |||
| request.Description = aws.String(v.(string)) | |||
| } | |||
|
|
|||
| if v, ok := d.GetOk("max_session_duration"); ok { | |||
| request.MaxSessionDuration = aws.Int64(v.(int64)) | |||
There was a problem hiding this comment.
=== RUN TestAccAWSIAMRole_MaxSessionDuration
panic: interface conversion: interface {} is int, not int64
goroutine 227 [running]:
github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsIamRoleCreate(0xc4202c3810, 0x3542900, 0xc4208a0500, 0xc4202c3810, 0x0)
/Users/bflad/go/src/github.com/terraform-providers/terraform-provider-aws/aws/resource_aws_iam_role.go:149 +0x6da
I will fix this on merge.
| { | ||
| Config: testAccCheckIAMRoleConfig_MaxSessionDuration(rName, 3700), | ||
| Check: resource.ComposeTestCheckFunc( | ||
| testAccCheckAWSRoleExists("aws_iam_role.test", &conf), |
There was a problem hiding this comment.
--- FAIL: TestAccAWSIAMRole_MaxSessionDuration (6.39s)
testing.go:518: Step 0 error: Check failed: Check 1/2 error: Not found: aws_iam_role.test
The resource is named role in the test configuration. I will fix this on merge.
There was a problem hiding this comment.
Fixed up the panic and acceptance testing in my branch which I'll use to merge keeping your commits. Thanks for the contribution! 🚀
make testacc TEST=./aws TESTARGS='-run=TestAccAWSIAMRole'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSIAMRole -timeout 120m
=== RUN TestAccAWSIAMRolePolicy_importBasic
--- PASS: TestAccAWSIAMRolePolicy_importBasic (10.90s)
=== RUN TestAccAWSIAMRole_importBasic
--- PASS: TestAccAWSIAMRole_importBasic (8.02s)
=== RUN TestAccAWSIAMRolePolicy_basic
--- PASS: TestAccAWSIAMRolePolicy_basic (15.84s)
=== RUN TestAccAWSIAMRolePolicy_namePrefix
--- PASS: TestAccAWSIAMRolePolicy_namePrefix (8.09s)
=== RUN TestAccAWSIAMRolePolicy_generatedName
--- PASS: TestAccAWSIAMRolePolicy_generatedName (8.36s)
=== RUN TestAccAWSIAMRolePolicy_invalidJSON
--- PASS: TestAccAWSIAMRolePolicy_invalidJSON (1.24s)
=== RUN TestAccAWSIAMRole_basic
--- PASS: TestAccAWSIAMRole_basic (8.96s)
=== RUN TestAccAWSIAMRole_basicWithDescription
--- PASS: TestAccAWSIAMRole_basicWithDescription (19.16s)
=== RUN TestAccAWSIAMRole_namePrefix
--- PASS: TestAccAWSIAMRole_namePrefix (7.15s)
=== RUN TestAccAWSIAMRole_testNameChange
--- PASS: TestAccAWSIAMRole_testNameChange (14.99s)
=== RUN TestAccAWSIAMRole_badJSON
--- PASS: TestAccAWSIAMRole_badJSON (1.55s)
=== RUN TestAccAWSIAMRole_force_detach_policies
--- PASS: TestAccAWSIAMRole_force_detach_policies (7.85s)
=== RUN TestAccAWSIAMRole_MaxSessionDuration
--- PASS: TestAccAWSIAMRole_MaxSessionDuration (13.85s)
PASS
ok github.com/terraform-providers/terraform-provider-aws/aws 126.014s
|
This has been released in version 1.14.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
Description
Adding
max_session_durationtoiam_rolefixes #3976Changes
max_session_duration