Open kjenney opened 1 year ago
Hey @jkerry 👋 Thanks for taking the time to raise this! I'm fairly certain that the assume_role.duration
argument adjusts the time that the token retrieved during role assumption is valid for, and that the underlying SDK will attempt to refresh the token at the end of the duration (this is backed up by a Reddit comment made by one of the Terraform Core team engineers when discussing the S3 backend -- I typically wouldn't link to Reddit, but his response was quite thorough!). If your end goal is to have the Terraform run fail after the credential has expired, I believe you would need to configure the role policy to set a maximum session duration, as the token will not be automatically renewed in the case of session expiry.
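The comment above distinguishes two settings: the session length the caller requests (assume_role.duration on the provider) and the ceiling the role itself enforces (max_session_duration on the IAM role). The configuration below is an added example, not code from the issue or from the AWS provider's documentation; the account ID, role name, region, session name and trust principal are assumed values.

```hcl
# Added example (not from the issue): role ARN, region, session name and
# trust principal are assumed values.

# Caller side: how long each AssumeRole session is requested for.
# Must lie between 15m and the role's max_session_duration. When a session
# expires part-way through a long apply, the SDK assumes the role again and
# continues with a fresh session, so the apply itself does not fail.
provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform-deploy" # assumed
    session_name = "terraform"
    duration     = "15m"
  }
}

# Role side (normally managed from a separate, higher-privileged
# configuration): max_session_duration is the ceiling on any single
# AssumeRole call. IAM only accepts 3600 to 43200 seconds here, so the
# lowest enforceable ceiling is one hour. A request whose duration exceeds
# it is rejected by STS, but this does not stop a caller from starting a
# new session once the previous one has expired.
resource "aws_iam_role" "terraform_deploy" {
  name                 = "terraform-deploy"
  max_session_duration = 3600
  assume_role_policy   = data.aws_iam_policy_document.trust.json
}

data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:user/ci"] # assumed principal
    }
  }
}
```

The practical consequence for the 15-minute expectation in this issue: neither knob makes a 20-minute apply fail at the 15-minute mark. The provider-side duration only bounds each individual session before it is re-assumed, and the role-side ceiling cannot be set below one hour. Cutting off a run part-way requires revoking the trust relationship or the caller's credentials, not shortening the session.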
Can this be documented properly somewhere? I looked through the provider documentation as well as the source code in this repo, and this was not apparent to me at all.
Still waiting for a response here. Somebody that understands exactly how this assume_role.duration works should update the documentation so that users can also understand exactly how it works.
Terraform Core Version
1.5.0
AWS Provider Version
5.16.1
Affected Resource(s)
I have Terraform that provisions an RDS database synchronously and takes about 18 minutes. I have set an assume_role duration, and it is not being enforced, as the apply lasts longer than 15 minutes. The provider documentation mentions nothing about getting new credentials during the apply process, so I need clarification on how/why this is occurring.
module.db.module.db_instance.aws_db_instance.this[0]: Creation complete after 19m42s [id=db-CFU52RWE774IJZXP55SZ4P3ZCM]
Expected Behavior
I expect Terraform to begin erroring if the apply takes longer than 15 minutes and then fail with an error.
Actual Behavior
The apply completes after 20 minutes with no errors.
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
```shell
terraform init
terraform apply
```
Debug Output
Panic Output
No response
Important Factoids
I'm trying to understand what the expectations are for Terraform in handling AWS credentials when assuming roles.
References
No response
Would you like to implement a fix?
None