Added IAM role session duration (#38)

* Added IAM role session duration * Make terratest run after bats test finished * Fix IAM role for elasticsearch * Fix IAM role for elasticsearch Co-authored-by: Maxim Mironenko <simixido@gmail.com>
cloudposse · Feb 25, 2020 · 1854006 · 1854006
1 parent 33b651e
commit 1854006
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -167,6 +167,7 @@ Available targets:
 | iam_actions | List of actions to allow for the IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | list(string) | `<list>` | no |
 | iam_authorizing_role_arns | List of IAM role ARNs to permit to assume the Elasticsearch user role | list(string) | `<list>` | no |
 | iam_role_arns | List of IAM role ARNs to permit access to the Elasticsearch domain | list(string) | `<list>` | no |
+| iam_role_max_session_duration | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | number | `3600` | no |
 | instance_count | Number of data nodes in the cluster | number | `4` | no |
 | instance_type | Elasticsearch instance type for data nodes in the cluster | string | `t2.small.elasticsearch` | no |
 | kibana_subdomain_name | The name of the subdomain for Kibana in the DNS zone (_e.g._ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`) | string | `kibana` | no |

diff --git a/codefresh/test.yml b/codefresh/test.yml
@@ -66,9 +66,9 @@ steps:
         commands:
           - make -C test/ examples/complete
 
-      test_examples_complete_terratest:
-        title: Test "examples/complete" with terratest
-        image: ${{TEST_IMAGE}}
-        stage: Test
-        commands:
-          - make -C test/src
+  test_examples_complete_terratest:
+    title: Test "examples/complete" with terratest
+    image: ${{TEST_IMAGE}}
+    stage: Test
+    commands:
+      - make -C test/src
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -24,6 +24,7 @@
 | iam_actions | List of actions to allow for the IAM roles, _e.g._ `es:ESHttpGet`, `es:ESHttpPut`, `es:ESHttpPost` | list(string) | `<list>` | no |
 | iam_authorizing_role_arns | List of IAM role ARNs to permit to assume the Elasticsearch user role | list(string) | `<list>` | no |
 | iam_role_arns | List of IAM role ARNs to permit access to the Elasticsearch domain | list(string) | `<list>` | no |
+| iam_role_max_session_duration | The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours | number | `3600` | no |
 | instance_count | Number of data nodes in the cluster | number | `4` | no |
 | instance_type | Elasticsearch instance type for data nodes in the cluster | string | `t2.small.elasticsearch` | no |
 | kibana_subdomain_name | The name of the subdomain for Kibana in the DNS zone (_e.g._ `kibana`, `ui`, `ui-es`, `search-ui`, `kibana.elasticsearch`) | string | `kibana` | no |

diff --git a/main.tf b/main.tf
@@ -63,9 +63,14 @@ resource "aws_security_group_rule" "egress" {
   security_group_id = join("", aws_security_group.default.*.id)
 }
 
+data "aws_iam_role" "default" {
+  count = var.enabled ? 1 : 0
+  name  = "AWSServiceRoleForAmazonElasticsearchService"
+}
+
 # https://github.com/terraform-providers/terraform-provider-aws/issues/5218
 resource "aws_iam_service_linked_role" "default" {
-  count            = var.enabled && var.create_iam_service_linked_role ? 1 : 0
+  count            = var.enabled && length(data.aws_iam_role.default.*.id) == 0 ? 1 : 0
   aws_service_name = "es.amazonaws.com"
   description      = "AWSServiceRoleForAmazonElasticsearchService Service-Linked Role"
 }
@@ -77,6 +82,8 @@ resource "aws_iam_role" "elasticsearch_user" {
   assume_role_policy = join("", data.aws_iam_policy_document.assume_role.*.json)
   description        = "IAM Role to assume to access the Elasticsearch ${module.label.id} cluster"
   tags               = module.user_label.tags
+
+  max_session_duration = var.iam_role_max_session_duration
 }
 
 data "aws_iam_policy_document" "assume_role" {

diff --git a/variables.tf b/variables.tf
@@ -235,3 +235,9 @@ variable "node_to_node_encryption_enabled" {
   default     = false
   description = "Whether to enable node-to-node encryption"
 }
+
+variable "iam_role_max_session_duration" {
+  type        = number
+  default     = 3600
+  description = "The maximum session duration (in seconds) for the user role. Can have a value from 1 hour to 12 hours"
+}