diff --git a/aws-iam-role-crossacct/README.md b/aws-iam-role-crossacct/README.md
index 75530678..952a7449 100644
--- a/aws-iam-role-crossacct/README.md
+++ b/aws-iam-role-crossacct/README.md
@@ -32,6 +32,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | iam\_path | The IAM path to put this role in. | `string` | `"/"` | no |
+| max\_session\_duration | The maximum session duration (in seconds) for the role. | `number` | `3600` | no |
 | oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
list(object(| `[]` | no |
 | role\_name | The name of the role. | `string` | n/a | yes |
 | saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
diff --git a/aws-iam-role-crossacct/main.tf b/aws-iam-role-crossacct/main.tf
index 591d12b1..b8c460e2 100644
--- a/aws-iam-role-crossacct/main.tf
+++ b/aws-iam-role-crossacct/main.tf
@@ -61,10 +61,11 @@ data "aws_iam_policy_document" "assume-role" {
 }
 
 resource "aws_iam_role" "role" {
-  name = var.role_name
-  path = var.iam_path
-  assume_role_policy = data.aws_iam_policy_document.assume-role.json
-  tags = var.tags
+  name = var.role_name
+  path = var.iam_path
+  assume_role_policy = data.aws_iam_policy_document.assume-role.json
+  tags = var.tags
+  max_session_duration = var.max_session_duration
 
   # We have to force detach policies in order to recreate roles.
   # The other option would be to use name_prefix and create_before_destroy, but that
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 0e4412d5..3bfc311e 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -44,3 +44,10 @@ variable tags {
   default = {}
   description = "A map of tags to assign this IAM Role."
 }
+
+
+variable max_session_duration {
+  type = number
+  default = 60 * 60 // 1 hour
+  description = "The maximum session duration (in seconds) for the role."
+}
diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md
index 457b4ece..a21263a5 100644
--- a/aws-iam-role-poweruser/README.md
+++ b/aws-iam-role-poweruser/README.md
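Review bot: The new `max_session_duration = var.max_session_duration` line is appended after `tags` in this `aws_iam_role.role` block, while the parallel hunk in aws-iam-role-poweruser/main.tf inserts it before `tags`; the two role modules otherwise keep these resource bodies identical, so putting the attribute in the same position in both (for example directly after `assume_role_policy`) keeps the modules diffable against each other. The `aws_iam_role.role` block continues past the end of this hunk.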
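Review bot: The new `max_session_duration` variable accepts any number, but IAM only accepts a session duration between 3600 and 43200 seconds, so an out-of-range value is rejected only at apply time by the API; a `validation` block would surface it at plan time, and the same applies to the identical variable added in aws-iam-role-poweruser/variables.tf. This value bounds how long credentials obtained by assuming the role stay valid, so the one-hour default (the IAM default, and matching the `3600` shown in both READMEs) is the conservative choice and preserves the module's previous behavior. `validation` blocks need Terraform 0.13 or later; the READMEs say "No requirements.", so the module does not appear to pin a version, and adding a `required_version` would go with this. While here, `#` is the idiomatic single-line comment marker in HCL and formatting tools may rewrite `// 1 hour` to `# 1 hour`.
```hcl
variable max_session_duration {
  # … unchanged: type = number, description …
  default = 60 * 60 # 1 hour

  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "The max_session_duration value must be between 3600 (1 hour) and 43200 (12 hours) seconds, the range accepted by IAM."
  }
}
```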
@@ -33,6 +33,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | authorize\_iam | Indicates if we should augment the PowerUserAccess policy with certain IAM actions. | `bool` | `true` | no |
 | iam\_path | n/a | `string` | `"/"` | no |
+| max\_session\_duration | The maximum session duration (in seconds) for the role. | `number` | `3600` | no |
 | oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
list(object(| `[]` | no |
 | role\_name | n/a | `string` | `"poweruser"` | no |
 | saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf
index 5f0dd668..4d250f7d 100755
--- a/aws-iam-role-poweruser/main.tf
+++ b/aws-iam-role-poweruser/main.tf
@@ -61,10 +61,11 @@ data "aws_iam_policy_document" "assume-role" {
 }
 
 resource "aws_iam_role" "poweruser" {
-  name = var.role_name
-  path = var.iam_path
-  assume_role_policy = data.aws_iam_policy_document.assume-role.json
-  tags = var.tags
+  name = var.role_name
+  path = var.iam_path
+  assume_role_policy = data.aws_iam_policy_document.assume-role.json
+  max_session_duration = var.max_session_duration
+  tags = var.tags
 }
 
 resource "aws_iam_role_policy_attachment" "poweruser" {
diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf
index 6125c7bf..f86f2892 100755
--- a/aws-iam-role-poweruser/variables.tf
+++ b/aws-iam-role-poweruser/variables.tf
@@ -45,6 +45,12 @@ variable authorize_iam {
   description = "Indicates if we should augment the PowerUserAccess policy with certain IAM actions."
 }
 
+variable max_session_duration {
+  type = number
+  default = 60 * 60 // 1 hour
+  description = "The maximum session duration (in seconds) for the role."
+}
+
 variable tags {
   type = map(string)
   default = {}
diff --git a/aws-s3-private-bucket/README.md b/aws-s3-private-bucket/README.md
index 8a7406aa..24117fea 100644
--- a/aws-s3-private-bucket/README.md
+++ b/aws-s3-private-bucket/README.md
@@ -49,7 +49,7 @@ No requirements.
 | bucket\_policy | n/a | `string` | `""` | no |
 | enable\_versioning | Keep old versions of overwritten S3 objects. | `bool` | `true` | no |
 | env | n/a | `string` | n/a | yes |
-| grants | List of objects with the canonical user id and permissions, used when defining the grant acl. |
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
list(object(| `[]` | no |
+| grants | A list of canonical user ID to permissions pairs. Used when we want to grant permissions to AWS accounts via the S3 ACL system. | `list(object({ canonical_user_id : string, permissions : list(string) }))` | `[]` | no |
 | lifecycle\_rules | List of maps containing configuration of object lifecycle management. | `any` |
{
canonical_user_id : string,
permissions : list(string), # a list of permissions granted to the AWS account with the canonical user
}
))
[| no |
 | owner | n/a | `string` | n/a | yes |
 | project | n/a | `string` | n/a | yes |
{
"enabled": true,
"expiration": {
"expired_object_delete_marker": true
},
"noncurrent_version_expiration": {
"days": 365
},
"noncurrent_version_transition": {
"days": 30,
"storage_class": "STANDARD_IA"
}
}
]