Support MaxSessionDuration for roles

lib/miam/client.rb

@@ -255,12 +255,24 @@ def walk_role(role_name, expected_attrs, actual_attrs)
       log(:warn, "Role `#{role_name}`: 'path' cannot be updated", :color => :yellow)
     end
 
-    updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document])
+    updated = walk_role_settings(role_name, {max_session_duration: expected_attrs[:max_session_duration]}, {max_session_duration: actual_attrs[:max_session_duration]})
+    updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document]) || updated
     updated = walk_role_instance_profiles(role_name, expected_attrs[:instance_profiles], actual_attrs[:instance_profiles]) || updated
     updated = walk_attached_managed_policies(:role, role_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
     walk_policies(:role, role_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
   end
 
+  def walk_role_settings(role_name, expected_settings, actual_settings)
+    updated = false
+
+    if expected_settings != actual_settings
+      @driver.update_role_settings(role_name, expected_settings, actual_settings)
+      updated = true
+    end
+
+    updated
+  end
+
   def walk_assume_role_policy(role_name, expected_assume_role_policy, actual_assume_role_policy)
     updated = false
     expected_assume_role_policy.sort_array!

lib/miam/driver.rb

@@ -178,6 +178,7 @@ def create_role(role_name, attrs)
       params = {
         :role_name => role_name,
         :assume_role_policy_document => encode_document(assume_role_policy_document),
+        :max_session_duration => attrs.fetch(:max_session_duration)
       }
 
       params[:path] = attrs[:path] if attrs[:path]
@@ -189,6 +190,7 @@ def create_role(role_name, attrs)
       :assume_role_policy_document => assume_role_policy_document,
       :policies => {},
       :attached_managed_policies => [],
+      :max_session_duration => attrs.fetch(:max_session_duration),
     }
 
     new_role_attrs[:path] = attrs[:path] if attrs[:path]
@@ -237,6 +239,14 @@ def remove_role_from_instance_profiles(role_name, instance_profile_names)
     end
   end
 
+  def update_role_settings(role_name, new_settings, old_settings)
+    log(:info, "Update Role `#{role_name}` > Settings", :color => :green)
+    log(:info, Miam::Utils.diff(old_settings, new_settings, :color => @options[:color]), :color => false)
+    unless_dry_run do
+      @iam.update_role(new_settings.merge(role_name: role_name))
+    end
+  end
+
   def update_assume_role_policy(role_name, policy_document, old_policy_document)
     log(:info, "Update Role `#{role_name}` > AssumeRolePolicy", :color => :green)
     log(:info, Miam::Utils.diff(old_policy_document, policy_document, :color => @options[:color]), :color => false)

lib/miam/dsl/context/role.rb

@@ -4,7 +4,7 @@ class Miam::DSL::Context::Role
   def initialize(context, name, &block)
     @role_name = name
     @context = context.merge(:role_name => name)
-    @result = {:instance_profiles => [], :policies => {}, :attached_managed_policies => []}
+    @result = {:instance_profiles => [], :max_session_duration => 3600, :policies => {}, :attached_managed_policies => []}
     instance_eval(&block)
   end
 
@@ -22,6 +22,10 @@ def instance_profiles(*profiles)
     @result[:instance_profiles].concat(profiles.map(&:to_s))
   end
 
+  def max_session_duration(duration)
+    @result[:max_session_duration] = duration
+  end
+
   def assume_role_policy_document
     if @result[:assume_role_policy_document]
       raise "Role `#{@role_name}` > AssumeRolePolicyDocument: already defined"

lib/miam/dsl/converter.rb

@@ -95,6 +95,8 @@ def output_role(role_name, attrs)
 role #{role_name.inspect}, #{Miam::Utils.unbrace(role_options.inspect)} do
   #{output_role_instance_profiles(attrs[:instance_profiles])}
 
+  #{output_role_max_session_duration(attrs[:max_session_duration])}
+
   #{output_assume_role_policy_document(attrs[:assume_role_policy_document])}
 
   #{output_policies(attrs[:policies])}
@@ -122,6 +124,12 @@ def output_instance_profiles(instance_profiles)
     }.select {|i| i }.join("\n")
   end
 
+  def output_role_max_session_duration(max_session_duration)
+    <<-EOS.strip
+      max_session_duration #{max_session_duration}
+    EOS
+  end
+
   def output_assume_role_policy_document(assume_role_policy_document)
     assume_role_policy_document = assume_role_policy_document.pretty_inspect
     assume_role_policy_document.gsub!("\n", "\n    ").strip!

lib/miam/exporter.rb

@@ -144,6 +144,8 @@ def export_roles(roles, instance_profile_roles)
       instance_profiles = role.instance_profile_list.map {|i| i.instance_profile_name }
       policies = export_role_policies(role)
       attached_managed_policies = role.attached_managed_policies.map(&:policy_arn)
+      role_data = @iam.get_role(role_name: role_name).role
+      max_session_duration = role_data.max_session_duration
 
       @mutex.synchronize do
         instance_profiles.each do |instance_profile_name|
@@ -159,6 +161,7 @@ def export_roles(roles, instance_profile_roles)
           :instance_profiles => instance_profiles,
           :policies => policies,
           :attached_managed_policies => attached_managed_policies,
+          :max_session_duration => max_session_duration,
         }
 
         progress