
Increases session duration to 8 hours to accommodate transfer of ISOs

Fred Damstra 5 年之前
父节点
当前提交
17b18c592e

+ 15 - 0
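--- a/base/kms/shared_ami_key/main.tf
+++ b/base/kms/shared_ami_key/main.tf
@@ -23,3 +23,18 @@ module "shared_ami_key" {
  aws_account_id = var.aws_account_id
  aws_partition = var.aws_partition
 }
+
+resource "aws_s3_bucket" "xdr-shared-amis" {
+  bucket = "xdr-shared-amis"
+  acl  = "private"
+  tags = merge(var.standard_tags, var.tags)
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = module.shared_ami_key.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}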
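Review bot: The new `xdr-shared-amis` bucket relies on `acl = "private"` alone, which only sets the initial canned ACL and does nothing to stop a later bucket policy or per-object ACL from exposing the shared images, so an `aws_s3_bucket_public_access_block` for this bucket should land in the same change. The bucket also has no `versioning` block, so an overwritten or deleted ISO cannot be recovered, and no bucket policy denying requests with `aws:SecureTransport` false, so encryption in transit is not enforced even though encryption at rest is. The hard-coded name is globally unique in S3, so a second deployment of this module will fail on a name collision; `var.aws_account_id` is already in scope in this file and could be folded into the name. Placing an S3 bucket inside the `shared_ami_key` KMS module file is also where a reader looking for bucket configuration will not look first.
```hcl
# … unchanged: resource "aws_s3_bucket" "xdr-shared-amis" { … } …

# "acl = private" only sets the initial ACL; this blocks any later public
# object ACL or bucket policy on the shared AMI images.
resource "aws_s3_bucket_public_access_block" "xdr-shared-amis" {
  bucket                  = aws_s3_bucket.xdr-shared-amis.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```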

+ 1 - 0
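--- a/submodules/iam/common_services_roles/modules/saml_linked_role/main.tf
+++ b/submodules/iam/common_services_roles/modules/saml_linked_role/main.tf
@@ -6,6 +6,7 @@ resource "aws_iam_role" "this" {
  path               = var.path
  assume_role_policy = var.assume_role_policy
  name               = var.name
+  max_session_duration = var.max_session_duration
 }
 
 resource "okta_group" "this" {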

+ 6 - 0
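--- a/submodules/iam/common_services_roles/modules/saml_linked_role/variables.tf
+++ b/submodules/iam/common_services_roles/modules/saml_linked_role/variables.tf
@@ -18,3 +18,9 @@ variable okta_app_id {
 variable account_friendly_name {
     type = string
 }
+
+variable max_session_duration {
+  type = number
+  description = "Max time to assume role in seconds. Can be from 1 - 12 hours."
+  default = 3600
+}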
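Review bot: The description says the value `Can be from 1 - 12 hours` while the variable is in seconds and the default is `3600`, and nothing rejects a value outside AWS's 3600–43200 second range, so a caller who passes `8` or `28` only finds out at apply time from an IAM error. If the Terraform version in use supports `validation` blocks (0.13 and later; I cannot tell from this hunk), enforce the range in the module as below; otherwise at least make the description unambiguous: `description = "Maximum role session duration in seconds (3600-43200, i.e. 1-12 hours)."`. Keeping the default at AWS's one-hour value is the right conservative choice for a shared module.
```hcl
variable max_session_duration {
  type        = number
  description = "Maximum role session duration in seconds (3600-43200, i.e. 1-12 hours)."
  default     = 3600

  # AWS rejects anything outside 1-12 hours; fail at plan time rather than apply time.
  validation {
    condition     = var.max_session_duration >= 3600 && var.max_session_duration <= 43200
    error_message = "max_session_duration must be between 3600 and 43200 seconds (1 to 12 hours)."
  }
}
```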

+ 1 - 0
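--- a/submodules/iam/common_services_roles/role-mdr_engineer_readonly.tf
+++ b/submodules/iam/common_services_roles/role-mdr_engineer_readonly.tf
@@ -16,6 +16,7 @@ module "role-mdr_engineer_readonly" {
  path                  = "/user/"
  assume_role_policy    = data.aws_iam_policy_document.okta_saml_assume_role_policy.json
  okta_app_id           = data.okta_app.awsapp.id
+  max_session_duration  = 28800
 }
 
 resource "aws_iam_role_policy_attachment" "mdr_engineer_readonly_ViewOnlyAccess" {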
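Review bot: The read-only role gets the same eight-hour session as the roles that do the work, yet the commit's stated reason is moving ISOs, which the `ViewOnlyAccess` attachment on the following line presumably cannot do; unless this role is also used for long interactive sessions, leaving it at the default one hour keeps the window in which a leaked session token stays usable as short as possible. If eight hours is intended here too, record why next to the value, since `28800` on its own says nothing: `max_session_duration  = 28800 # 8h: long interactive sessions, see commit message`. The `module` block starts before this hunk.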

+ 1 - 0
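--- a/submodules/iam/common_services_roles/role-mdr_terraformer.tf
+++ b/submodules/iam/common_services_roles/role-mdr_terraformer.tf
@@ -2,6 +2,7 @@ resource aws_iam_role "mdr_terraformer" {
  name                  = "mdr_terraformer"
  path                  = "/user/"
  assume_role_policy    = data.aws_iam_policy_document.non_saml_assume_role_policy.json
+  max_session_duration  = 28800
 }
 
 resource aws_iam_role_policy_attachment "mdr_terraformer-mdr_terraformer" {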
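Review bot: This role uses `non_saml_assume_role_policy`, so it is reached with `sts:AssumeRole` rather than a SAML assertion, and two AWS rules limit what the new cap buys: a caller still gets a one-hour session unless it passes `DurationSeconds` explicitly, and a session obtained by role chaining (assuming this role from another role's temporary credentials) is capped at one hour regardless of `max_session_duration`. If the ISO transfers run from an instance profile or a CI role, this change may have no effect at all; please confirm how the role is actually assumed. A comment on the line would document the constraint for the next reader: `max_session_duration  = 28800 # 8h cap; callers must pass DurationSeconds, role chaining is still limited to 1h`. The `aws_iam_role` block starts before this hunk.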

+ 1 - 0
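--- a/submodules/iam/okta_saml_roles/modules/saml_linked_role/main.tf
+++ b/submodules/iam/okta_saml_roles/modules/saml_linked_role/main.tf
@@ -6,6 +6,7 @@ resource "aws_iam_role" "this" {
  path               = var.path
  assume_role_policy = var.assume_role_policy
  name               = var.name
+  max_session_duration = var.max_session_duration
 }
 
 resource "okta_group" "this" {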
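Review bot: The added `max_session_duration` line is not aligned with the other `=` signs in the block, so the next `terraform fmt` run will realign all four attributes and produce a noisy unrelated diff; either run fmt as part of this change or align the existing keys now (`path                 = var.path`, and likewise for `assume_role_policy` and `name`). This module is byte-for-byte the copy under `submodules/iam/common_services_roles/modules/saml_linked_role/`, and both needed the identical edit in this commit; pointing both role sets at one shared module would make session-duration changes a single edit. The `aws_iam_role` block starts before this hunk.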

+ 6 - 0
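--- a/submodules/iam/okta_saml_roles/modules/saml_linked_role/variables.tf
+++ b/submodules/iam/okta_saml_roles/modules/saml_linked_role/variables.tf
@@ -18,3 +18,9 @@ variable okta_app_id {
 variable account_friendly_name {
     type = string
 }
+
+variable max_session_duration {
+  type = number
+  description = "Max time to assume role in seconds. Can be from 1 - 12 hours."
+  default = 3600
+}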
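Review bot: The description `Max time to assume role in seconds. Can be from 1 - 12 hours.` mixes units: the value is in seconds, the stated range is in hours, and the default `3600` is only one of the two. Suggest `description = "Maximum role session duration in seconds; AWS accepts 3600 to 43200 (1 to 12 hours)."` so a caller passing `28800` can check the arithmetic against the description. This variable is declared identically in `submodules/iam/common_services_roles/modules/saml_linked_role/variables.tf`; while the two modules stay separate, keeping the descriptions and any future range check in sync is a manual job.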

+ 1 - 0
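--- a/submodules/iam/okta_saml_roles/role-mdr_engineer_readonly.tf
+++ b/submodules/iam/okta_saml_roles/role-mdr_engineer_readonly.tf
@@ -16,6 +16,7 @@ module "role-mdr_engineer_readonly" {
  path                  = "/user/"
  assume_role_policy    = local.assume_role_policy
  okta_app_id           = data.okta_app.awsapp.id
+  max_session_duration  = 28800
 }
 
 resource "aws_iam_role_policy_attachment" "mdr_engineer_readonly_ReadOnlyAccess" {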
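Review bot: `28800` is repeated verbatim in four role files in this commit with no name or comment, so whoever next changes the session policy has to find every copy by hand. A single `locals { long_session_seconds = 8 * 60 * 60 }` (or a module-level variable) referenced from each role, `max_session_duration  = local.long_session_seconds`, would make both the intent and the unit visible and keep the roles in step; I cannot see from this hunk whether a locals file already exists in this directory. As with the `common_services_roles` copy of this role, it is worth confirming that a role whose only visible attachment is `ReadOnlyAccess` actually needs an eight-hour session for ISO transfers. The `module` block starts before this hunk.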

+ 1 - 0
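--- a/submodules/iam/okta_saml_roles/role-mdr_terraformer.tf
+++ b/submodules/iam/okta_saml_roles/role-mdr_terraformer.tf
@@ -6,6 +6,7 @@ module "role-mdr_terraformer" {
  path                  = "/user/"
  assume_role_policy    = local.assume_role_policy
  okta_app_id           = data.okta_app.awsapp.id
+  max_session_duration  = 28800
 }
 
 resource aws_iam_role_policy_attachment "mdr_terraformer-mdr_terraformer" {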
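Review bot: Extending every session of `mdr_terraformer` to eight hours to cover ISO uploads widens the exposure window of what is likely the most privileged role in this set; its custom `mdr_terraformer-mdr_terraformer` policy is attached on the following line but its contents are outside this hunk, so I cannot judge the blast radius. If the transfers only need to write to the new `xdr-shared-amis` bucket, a narrower option is a dedicated upload role with a long session and S3-only permissions, leaving the terraformer role at the default one hour. If that is not practical, a comment such as `max_session_duration  = 28800 # 8h so long ISO uploads do not outlive the session` at least records the trade-off next to the value. The `module` block starts before this hunk.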