From f87e2cb06341a940fa894c3faae62a02762d3d78 Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 29 Jun 2020 15:46:23 -0400
Subject: [PATCH 1/4] [feature] Allow overwriting the default session duration
---
 aws-iam-role-crossacct/README.md | 1 +
 aws-iam-role-crossacct/main.tf | 9 +++++----
 aws-iam-role-crossacct/variables.tf | 7 +++++++
 aws-iam-role-poweruser/README.md | 1 +
 aws-iam-role-poweruser/main.tf | 7 ++++---
 aws-iam-role-poweruser/variables.tf | 6 ++++++
 6 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/aws-iam-role-crossacct/README.md b/aws-iam-role-crossacct/README.md
index 9eeb829d..98dcf93d 100644
--- a/aws-iam-role-crossacct/README.md
+++ b/aws-iam-role-crossacct/README.md
@@ -32,6 +32,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | iam\_path | The IAM path to put this role in. | `string` | `"/"` | no |
+| max\_session\_duration | The maximum session duration (in seconds) that you want to set for the specified role. | `number` | `3600` | no |
 | oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
list(object(
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
| `[]` | no |
 | role\_name | The name of the role. | `string` | n/a | yes |
 | role\_tags | A map of tags to assign this IAM Role. | `map(string)` | `{}` | no |
diff --git a/aws-iam-role-crossacct/main.tf b/aws-iam-role-crossacct/main.tf
index 4d787cfe..f279cb2c 100644
--- a/aws-iam-role-crossacct/main.tf
+++ b/aws-iam-role-crossacct/main.tf
@@ -61,10 +61,11 @@ data "aws_iam_policy_document" "assume-role" {
 }
 resource "aws_iam_role" "role" {
- name = var.role_name
- path = var.iam_path
- assume_role_policy = data.aws_iam_policy_document.assume-role.json
- tags = var.role_tags
+ name = var.role_name
+ path = var.iam_path
+ assume_role_policy = data.aws_iam_policy_document.assume-role.json
+ tags = var.role_tags
+ max_session_duration = var.max_session_duration
 # We have to force detach policies in order to recreate roles.
 # The other option would be to use name_prefix and create_before_destroy, but that
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 8af11f98..6b944683 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -44,3 +44,10 @@ variable role_tags {
 default = {}
 description = "A map of tags to assign this IAM Role."
 }
+
+
+variable max_session_duration {
+ type = number
+ default = 60 * 60 // 1 hour
+ description = "The maximum session duration (in seconds) that you want to set for the specified role."
+}
diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md
index ee31e6a1..1e0a7ee3 100644
--- a/aws-iam-role-poweruser/README.md
+++ b/aws-iam-role-poweruser/README.md
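Review bot: The new `max_session_duration` variable in aws-iam-role-crossacct/variables.tf accepts any number, but the `aws_iam_role` argument it feeds is only valid for 3600 to 43200 seconds, so an out-of-range value is rejected only at apply time; the poweruser variables.tf hunk later in this patch has the same gap. The value also decides how long credentials minted for an assumed session stay usable, which matters for a cross-account role and for the poweruser role wired up in the two main.tf hunks, so the description should state the bound and that raising it lengthens the window in which leaked temporary credentials remain valid. As far as I know STS still caps role-chained sessions at one hour regardless of this setting, which is worth a sentence in the description so callers do not expect the longer duration there. If the module's minimum Terraform version permits variable `validation` blocks (0.13+), a range check would surface the error at plan time instead.
```hcl
variable max_session_duration {
  // … unchanged: type and default …
  description = "The maximum session duration (in seconds) for the role, 3600 to 43200. Longer sessions keep leaked temporary credentials usable for longer; role-chained sessions are still limited to one hour by STS."

  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "Value of max_session_duration must be between 3600 and 43200 seconds (1 to 12 hours)."
  }
}
```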
@@ -33,6 +33,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | authorize\_iam | Indicates if we should augment the PowerUserAccess policy with certain IAM actions. | `bool` | `true` | no |
 | iam\_path | n/a | `string` | `"/"` | no |
+| max\_session\_duration | The maximum session duration (in seconds) that you want to set for the specified role. | `number` | `3600` | no |
 | oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
list(object(
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
| `[]` | no |
 | role\_name | n/a | `string` | `"poweruser"` | no |
 | saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
diff --git a/aws-iam-role-poweruser/main.tf b/aws-iam-role-poweruser/main.tf
index b0f99cc5..993583f0 100755
--- a/aws-iam-role-poweruser/main.tf
+++ b/aws-iam-role-poweruser/main.tf
@@ -61,9 +61,10 @@ data "aws_iam_policy_document" "assume-role" {
 }
 resource "aws_iam_role" "poweruser" {
- name = var.role_name
- path = var.iam_path
- assume_role_policy = data.aws_iam_policy_document.assume-role.json
+ name = var.role_name
+ path = var.iam_path
+ assume_role_policy = data.aws_iam_policy_document.assume-role.json
+ max_session_duration = var.max_session_duration
 }
 resource "aws_iam_role_policy_attachment" "poweruser" {
diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf
index 1c97daac..cef0c205 100755
--- a/aws-iam-role-poweruser/variables.tf
+++ b/aws-iam-role-poweruser/variables.tf
@@ -44,3 +44,9 @@ variable authorize_iam {
 default = true
 description = "Indicates if we should augment the PowerUserAccess policy with certain IAM actions."
 }
+
+variable max_session_duration {
+ type = number
+ default = 60 * 60 // 1 hour
+ description = "The maximum session duration (in seconds) that you want to set for the specified role."
+}
From 75ea238b3090089b8fb2225372c16c16aa80496e Mon Sep 17 00:00:00 2001
From: Eduardo Lopez
Date: Mon, 29 Jun 2020 18:08:44 -0400
Subject: [PATCH 2/4] Update aws-iam-role-crossacct/variables.tf
Co-authored-by: Ryan King
---
 aws-iam-role-crossacct/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-iam-role-crossacct/variables.tf b/aws-iam-role-crossacct/variables.tf
index 5efd343f..3bfc311e 100755
--- a/aws-iam-role-crossacct/variables.tf
+++ b/aws-iam-role-crossacct/variables.tf
@@ -49,5 +49,5 @@ variable tags {
 variable max_session_duration {
 type = number
 default = 60 * 60 // 1 hour
- description = "The maximum session duration (in seconds) that you want to set for the specified role."
+ description = "The maximum session duration (in seconds) for the role."
 }
From 63633c8356674965786524e11bce5e9157ed4910 Mon Sep 17 00:00:00 2001
From: Eduardo Lopez
Date: Mon, 29 Jun 2020 18:11:33 -0400
Subject: [PATCH 3/4] Update aws-iam-role-poweruser/variables.tf
Co-authored-by: Ryan King
---
 aws-iam-role-poweruser/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws-iam-role-poweruser/variables.tf b/aws-iam-role-poweruser/variables.tf
index 3fd614e5..f86f2892 100755
--- a/aws-iam-role-poweruser/variables.tf
+++ b/aws-iam-role-poweruser/variables.tf
@@ -48,7 +48,7 @@ variable authorize_iam {
 variable max_session_duration {
 type = number
 default = 60 * 60 // 1 hour
- description = "The maximum session duration (in seconds) that you want to set for the specified role."
+ description = "The maximum session duration (in seconds) for the role."
 }
 variable tags {
From 4011359e3751a9d9fd9985331316fdbf73a5c5da Mon Sep 17 00:00:00 2001
From: edulop
Date: Mon, 29 Jun 2020 18:11:55 -0400
Subject: [PATCH 4/4] docs
---
 aws-iam-role-crossacct/README.md | 2 +-
 aws-iam-role-poweruser/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/aws-iam-role-crossacct/README.md b/aws-iam-role-crossacct/README.md
index c2f1f555..952a7449 100644
--- a/aws-iam-role-crossacct/README.md
+++ b/aws-iam-role-crossacct/README.md
@@ -32,7 +32,7 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | iam\_path | The IAM path to put this role in. | `string` | `"/"` | no |
-| max\_session\_duration | The maximum session duration (in seconds) that you want to set for the specified role. | `number` | `3600` | no |
+| max\_session\_duration | The maximum session duration (in seconds) for the role. | `number` | `3600` | no |
 | oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
list(object(
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
| `[]` | no |
 | role\_name | The name of the role. | `string` | n/a | yes |
 | saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |
diff --git a/aws-iam-role-poweruser/README.md b/aws-iam-role-poweruser/README.md
index 1c248d92..a21263a5 100644
--- a/aws-iam-role-poweruser/README.md
+++ b/aws-iam-role-poweruser/README.md
@@ -33,7 +33,7 @@ No requirements.
 |------|-------------|------|---------|:--------:|
 | authorize\_iam | Indicates if we should augment the PowerUserAccess policy with certain IAM actions. | `bool` | `true` | no |
 | iam\_path | n/a | `string` | `"/"` | no |
-| max\_session\_duration | The maximum session duration (in seconds) that you want to set for the specified role. | `number` | `3600` | no |
+| max\_session\_duration | The maximum session duration (in seconds) for the role. | `number` | `3600` | no |
 | oidc | A list of AWS OIDC IDPs to establish a trust relationship for this role. |
list(object(
{
idp_arn : string, # the AWS IAM IDP arn
client_ids : list(string), # a list of oidc client ids
provider : string # your provider url, such as foo.okta.com
}
))
| `[]` | no |
 | role\_name | n/a | `string` | `"poweruser"` | no |
 | saml\_idp\_arn | The AWS SAML IDP arn to establish a trust relationship. Ignored if empty or not provided. | `string` | `""` | no |