I have Terraform scripts which contain code for creating an AMI from an EC2 instance and using this AMI further for autoscaling. But AMI creation takes a long time, and because of that my Terraform (Jenkins agent) to AWS account session times out after 60 minutes. This leads to the tfstate not being saved to S3, and a few resources were not created. And when we try to plan again it will create new resources again, although many of them were already created, because the tfstate was not saved. I am using Terragrunt + Terraform and defining iam_role in the terragrunt.hcl file; this assumes an IAM role in another AWS account where we are actually creating the AWS resources. This particular session times out within 60 minutes. I have tried to increase the session duration of both IAM roles to 2 hours but it is not working. Could you please suggest solutions if you have faced similar issues?
If you use the “assume role” features built in to the S3 backend and AWS provider then they should be able to automatically renew the credentials when they expire, so that the expiration time won’t matter. I would suggest using this strategy if possible, because then you don’t need to be concerned about the session length limits.
It sounds like you are instead using some other tool to call sts:AssumeRole before running Terraform, and then passing those credentials to Terraform. If that is true then you will need to change the configuration of that other software rather than changing your Terraform configuration.
You also mentioned that you cannot extend the session duration beyond one hour. According to the sts:AssumeRole documentation, each role has its own configurable maximum session lifetime which defaults to one hour but can be reconfigured for up to 12 hours. Therefore I guess you probably have your role currently set to the default maximum duration and so your attempt to request a longer session was ignored. If you increase the “max session duration” setting on your role then that might allow you to successfully request a longer session.
Hi @apparentlymart, I got the solution for this later.
I added the iam_assume_role_duration attribute in the hcl file from which I am assuming the IAM role of the target account, and increased the IAM role session duration from 1 hour. It worked. Thanks for the suggestions.
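
The two approaches discussed in this thread, as an added configuration sketch that is not taken from the original posts. The account ID, role name, bucket, key, region and the 7200-second value are placeholders or assumptions.

```hcl
# --- terragrunt.hcl: the fix reported in the last post ---------------------
# Terragrunt assumes this role itself and hands the temporary credentials to
# Terraform, so the session length is fixed at the moment of the AssumeRole call.
iam_role                 = "arn:aws:iam::111111111111:role/example-deploy-role" # placeholder
iam_assume_role_duration = 7200 # seconds requested for the session (assumed value)

# The request is only honoured if the target role's own maximum session
# duration is at least as long (default 3600 s, configurable up to 43200 s):
#   aws iam update-role --role-name example-deploy-role --max-session-duration 7200

# --- Alternative from the answer: let Terraform assume the role ------------
# Use this instead of iam_role above, not together with it. The S3 backend and
# the AWS provider then obtain the role credentials themselves.

# backend.tf (assume_role object syntax is for Terraform 1.6 and later;
# older releases take a top-level role_arn argument in the backend block)
terraform {
  backend "s3" {
    bucket = "example-tfstate-bucket"        # placeholder
    key    = "autoscaling/terraform.tfstate" # placeholder
    region = "us-east-1"                     # assumed region
    assume_role = {
      role_arn = "arn:aws:iam::111111111111:role/example-deploy-role"
    }
  }
}

# provider.tf
provider "aws" {
  region = "us-east-1" # assumed region
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/example-deploy-role"
  }
}
```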