suzuki-shunsuke/tfaction

feat: Add feature to configure “role-session-name” in config

Closed this issue · 5 comments

Feature Overview

I want to be able to set any role-session-name in aws-actions/configure-aws-credentials.

Why is the feature needed?

Currently, tfaction has a fixed value of samplerolesession when executing an AssumeRole operation, which is undesirable.

```yaml
role-session-name: samplerolesession
```

This value is mainly recorded in CloudTrail as the User name.

Ideally, different names should be set for different IAM Roles. This makes it easier to track which session performed which operation.

Example Code

tfaction-root.yaml

```yaml
target_groups:
  - working_directory: fastly
    target: fastly
    aws_region: ap-northeast-1
    terraform_plan_config:
      aws_assume_role_arn: arn:aws:iam::123412341234:role/github-actions-terraform-plan-role
      aws_role_session_name: fastly-plan
    ...
```

expands as follows:

```yaml
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
  if: steps.target-config.outputs.aws_assume_role_arn != ''
  with:
    role-to-assume: ${{ steps.target-config.outputs.aws_assume_role_arn }}
    role-session-name: fastly-plan
    aws-region: ${{ steps.target-config.outputs.aws_region }}
```


I created the following PR. What do you think?
#1931

Thank you for your suggestion and pull request.
Looks good, but I think we can improve the default role session name.

e.g. tfaction-{plan or apply}-{target}

The maximum length of IAM Role session name is 64, so if target is too long, we need to remove {target} from the session name.

tfaction-{plan or apply}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html

I'm sorry but I noticed this after merging your pull request.
I created a pull request for this.

Thank you for your follow-up! It seemed like a good idea!

📝

The maximum length of the session name is 64.
And it must satisfy the regular expression pattern `[\w+=,.@-]*`.
The default value of session name is

  1. tfaction-{plan or apply}-{normalized target}-{GitHub Actions Run ID}
  2. tfaction-{plan or apply}-{normalized target}
  3. tfaction-{plan or apply}-{GitHub Actions Run ID}
  4. tfaction-{plan or apply}

`/` in the default targets is converted to `_`.
And if the target is too long, it is removed from the default session name.
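The fallback rules above, worked through as an added example (this is not tfaction's own code; the function names `isValidSessionName`, `buildDefaultSessionName` and `resolveSessionName` are hypothetical). It encodes the 64-character limit and the character pattern quoted in the thread, the `/` to `_` normalisation, and the four-step fallback order. One generalisation beyond the thread, marked as an assumption in the comments: a candidate is also skipped when it fails the character pattern, so a target containing characters IAM rejects falls back to the run-ID form instead of producing a name that AssumeRole would refuse. An explicitly configured `aws_role_session_name` (the feature requested in this issue) takes precedence but is validated rather than passed through, so a bad value fails before the credentials step runs.

```javascript
// Added example, not tfaction's own code. Function names are hypothetical.

const MAX_SESSION_NAME_LENGTH = 64;            // IAM quota quoted in the thread
const SESSION_NAME_PATTERN = /^[\w+=,.@-]*$/;   // IAM pattern quoted in the thread

// True when `name` is acceptable as an sts:AssumeRole RoleSessionName.
function isValidSessionName(name) {
  return (
    typeof name === "string" &&
    name.length > 0 &&
    name.length <= MAX_SESSION_NAME_LENGTH &&
    SESSION_NAME_PATTERN.test(name)
  );
}

// Thread: "/" in the target is converted to "_".
function normalizeTarget(target) {
  return target.replace(/\//g, "_");
}

// Default name, tried in the order listed in the thread:
//   1. tfaction-{plan|apply}-{normalized target}-{run id}
//   2. tfaction-{plan|apply}-{normalized target}
//   3. tfaction-{plan|apply}-{run id}
//   4. tfaction-{plan|apply}
// The thread drops the target when the name would exceed 64 characters.
// Assumption (not stated in the thread): a candidate that fails the character
// pattern is skipped the same way, so the result is always a valid name.
function buildDefaultSessionName(kind, target, runId) {
  if (kind !== "plan" && kind !== "apply") {
    throw new Error(`kind must be "plan" or "apply", got ${JSON.stringify(kind)}`);
  }
  const base = `tfaction-${kind}`;
  const t = target ? normalizeTarget(String(target)) : "";
  const r = runId ? String(runId) : "";
  const candidates = [
    t && r ? `${base}-${t}-${r}` : null,
    t ? `${base}-${t}` : null,
    r ? `${base}-${r}` : null,
    base,
  ];
  for (const candidate of candidates) {
    if (candidate !== null && isValidSessionName(candidate)) {
      return candidate;
    }
  }
  // `base` is short and matches the pattern, so this is unreachable.
  throw new Error("no valid session name could be built");
}

// Final value: a configured aws_role_session_name wins, but it is validated
// instead of being passed straight to configure-aws-credentials.
function resolveSessionName(configured, kind, target, runId) {
  if (configured !== undefined && configured !== null && configured !== "") {
    if (!isValidSessionName(configured)) {
      throw new Error(
        `aws_role_session_name ${JSON.stringify(configured)} is invalid: must match ` +
          `${SESSION_NAME_PATTERN} and be at most ${MAX_SESSION_NAME_LENGTH} characters`
      );
    }
    return configured;
  }
  return buildDefaultSessionName(kind, target, runId);
}

// Demo with constructed inputs (run ID and targets are made up).
console.log(resolveSessionName("fastly-plan", "plan", "fastly", "123456789"));
console.log(resolveSessionName("", "apply", "aws/prod/network", "123456789"));
console.log(resolveSessionName("", "plan", "x".repeat(60), "123456789"));
```

The names this produces show up as the user name in CloudTrail, as the issue notes, so keeping the target and run ID in the name whenever they fit is what makes a session traceable back to the workflow run that assumed the role.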