Add SESSION TIMEOUT support

Author: Robert Tomczak

redshift/data_source_redshift_user.go

@@ -52,12 +52,17 @@ This data source can be used to fetch information about a specific database user
 				Computed:    true,
 				Description: `Indicates whether the user is a superuser with all database privileges.`,
 			},
+			userSessionTimeoutAttr: {
+				Type:        schema.TypeInt,
+				Computed:    true,
+				Description: "The maximum time in seconds that a session remains inactive or idle. The range is 60 seconds (one minute) to 1,728,000 seconds (20 days). If no session timeout is set for the user, the cluster setting applies.",
+			},
 		},
 	}
 }
 
 func dataSourceRedshiftUserRead(db *DBConnection, d *schema.ResourceData) error {
-	var useSysID, userValidUntil, userConnLimit, userSyslogAccess string
+	var useSysID, userValidUntil, userConnLimit, userSyslogAccess, userSessionTimeout string
 	var userSuperuser, userCreateDB bool
 
 	columns := []string{
@@ -66,6 +71,7 @@ func dataSourceRedshiftUserRead(db *DBConnection, d *schema.ResourceData) error
 		"usesuper",
 		"syslogaccess",
 		`COALESCE(useconnlimit::TEXT, 'UNLIMITED')`,
+		"sessiontimeout",
 	}
 
 	values := []interface{}{
@@ -74,6 +80,7 @@ func dataSourceRedshiftUserRead(db *DBConnection, d *schema.ResourceData) error
 		&userSuperuser,
 		&userSyslogAccess,
 		&userConnLimit,
+		&userSessionTimeout,
 	}
 
 	userName := d.Get(userNameAttr).(string)
@@ -96,12 +103,18 @@ func dataSourceRedshiftUserRead(db *DBConnection, d *schema.ResourceData) error
 		}
 	}
 
+	userSessionTimeoutNumber, err := strconv.Atoi(userSessionTimeout)
+	if err != nil {
+		return err
+	}
+
 	d.SetId(useSysID)
 	d.Set(userCreateDBAttr, userCreateDB)
 	d.Set(userSuperuserAttr, userSuperuser)
 	d.Set(userSyslogAccessAttr, userSyslogAccess)
 	d.Set(userConnLimitAttr, userConnLimitNumber)
 	d.Set(userValidUntilAttr, userValidUntil)
+	d.Set(userSessionTimeoutAttr, userSessionTimeoutNumber)
 
 	return nil
 }

redshift/data_source_redshift_user_test.go

@@ -26,6 +26,7 @@ func TestAccDataSourceRedshiftUser_Basic(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.redshift_user.simple", userConnLimitAttr),
 					resource.TestCheckResourceAttrSet("data.redshift_user.simple", userSyslogAccessAttr),
 					resource.TestCheckResourceAttrSet("data.redshift_user.simple", userSuperuserAttr),
+					resource.TestCheckResourceAttrSet("data.redshift_user.simple", userSessionTimeoutAttr),
 				),
 			},
 		},

redshift/resource_redshift_user.go

@@ -16,13 +16,14 @@ import (
 )
 
 const (
-	userNameAttr         = "name"
-	userPasswordAttr     = "password"
-	userValidUntilAttr   = "valid_until"
-	userCreateDBAttr     = "create_database"
-	userConnLimitAttr    = "connection_limit"
-	userSyslogAccessAttr = "syslog_access"
-	userSuperuserAttr    = "superuser"
+	userNameAttr           = "name"
+	userPasswordAttr       = "password"
+	userValidUntilAttr     = "valid_until"
+	userCreateDBAttr       = "create_database"
+	userConnLimitAttr      = "connection_limit"
+	userSyslogAccessAttr   = "syslog_access"
+	userSuperuserAttr      = "superuser"
+	userSessionTimeoutAttr = "session_timeout"
 
 	// defaults
 	defaultUserSyslogAccess          = "RESTRICTED"
@@ -123,6 +124,13 @@ Amazon Redshift user accounts can only be created and dropped by a database supe
 				Default:       false,
 				Description:   `Determine whether the user is a superuser with all database privileges.`,
 			},
+			userSessionTimeoutAttr: {
+				Type:         schema.TypeInt,
+				Optional:     true,
+				Default:      0,
+				Description:  "The maximum time in seconds that a session remains inactive or idle. The range is 60 seconds (one minute) to 1,728,000 seconds (20 days). If no session timeout is set for the user, the cluster setting applies.",
+				ValidateFunc: validation.All(validation.IntAtLeast(60), validation.IntAtMost(1728000)),
+			},
 		},
 	}
 }
@@ -162,6 +170,7 @@ func resourceRedshiftUserCreate(db *DBConnection, d *schema.ResourceData) error
 		sqlKey string
 	}{
 		{userConnLimitAttr, "CONNECTION LIMIT"},
+		{userSessionTimeoutAttr, "SESSION TIMEOUT"},
 	}
 
 	boolOpts := []struct {
@@ -215,7 +224,9 @@ func resourceRedshiftUserCreate(db *DBConnection, d *schema.ResourceData) error
 
 	for _, opt := range intOpts {
 		val := d.Get(opt.hclKey).(int)
-		createOpts = append(createOpts, fmt.Sprintf("%s %d", opt.sqlKey, val))
+		if opt.hclKey != userSessionTimeoutAttr && val != 0 {
+			createOpts = append(createOpts, fmt.Sprintf("%s %d", opt.sqlKey, val))
+		}
 	}
 
 	for _, opt := range boolOpts {
@@ -253,7 +264,7 @@ func resourceRedshiftUserRead(db *DBConnection, d *schema.ResourceData) error {
 }
 
 func resourceRedshiftUserReadImpl(db *DBConnection, d *schema.ResourceData) error {
-	var userName, userValidUntil, userConnLimit, userSyslogAccess string
+	var userName, userValidUntil, userConnLimit, userSyslogAccess, userSessionTimeout string
 	var userSuperuser, userCreateDB bool
 
 	columns := []string{
@@ -262,6 +273,7 @@ func resourceRedshiftUserReadImpl(db *DBConnection, d *schema.ResourceData) erro
 		"usesuper",
 		"syslogaccess",
 		`COALESCE(useconnlimit::TEXT, 'UNLIMITED')`,
+		"sessiontimeout",
 	}
 
 	values := []interface{}{
@@ -270,6 +282,7 @@ func resourceRedshiftUserReadImpl(db *DBConnection, d *schema.ResourceData) erro
 		&userSuperuser,
 		&userSyslogAccess,
 		&userConnLimit,
+		&userSessionTimeout,
 	}
 
 	useSysID := d.Id()
@@ -301,12 +314,18 @@ func resourceRedshiftUserReadImpl(db *DBConnection, d *schema.ResourceData) erro
 		}
 	}
 
+	userSessionTimeoutNumber, err := strconv.Atoi(userSessionTimeout)
+	if err != nil {
+		return err
+	}
+
 	d.Set(userNameAttr, userName)
 	d.Set(userCreateDBAttr, userCreateDB)
 	d.Set(userSuperuserAttr, userSuperuser)
 	d.Set(userSyslogAccessAttr, userSyslogAccess)
 	d.Set(userConnLimitAttr, userConnLimitNumber)
 	d.Set(userValidUntilAttr, userValidUntil)
+	d.Set(userSessionTimeoutAttr, userSessionTimeoutNumber)
 
 	return nil
 }
@@ -451,6 +470,10 @@ func resourceRedshiftUserUpdate(db *DBConnection, d *schema.ResourceData) error
 		return err
 	}
 
+	if err := setUserSessionTimeout(tx, d); err != nil {
+		return err
+	}
+
 	if err := tx.Commit(); err != nil {
 		return fmt.Errorf("could not commit transaction: %w", err)
 	}
@@ -514,6 +537,26 @@ func setUserConnLimit(tx *sql.Tx, d *schema.ResourceData) error {
 	return nil
 }
 
+func setUserSessionTimeout(tx *sql.Tx, d *schema.ResourceData) error {
+	if !d.HasChange(userSessionTimeoutAttr) {
+		return nil
+	}
+
+	sessionTimeout := d.Get(userSessionTimeoutAttr).(int)
+	userName := d.Get(userNameAttr).(string)
+	sql := ""
+	if sessionTimeout == 0 {
+		sql = fmt.Sprintf("ALTER USER %s RESET SESSION TIMEOUT", pq.QuoteIdentifier(userName))
+	} else {
+		sql = fmt.Sprintf("ALTER USER %s SESSION TIMEOUT %d", pq.QuoteIdentifier(userName), sessionTimeout)
+	}
+	if _, err := tx.Exec(sql); err != nil {
+		return fmt.Errorf("Error updating user SESSION TIMEOUT: %w", err)
+	}
+
+	return nil
+}
+
 func setUserCreateDB(tx *sql.Tx, d *schema.ResourceData) error {
 	if !d.HasChange(userCreateDBAttr) {
 		return nil

redshift/resource_redshift_user_test.go

@@ -39,6 +39,7 @@ func TestAccRedshiftUser_Basic(t *testing.T) {
 					resource.TestCheckResourceAttr("redshift_user.user_with_defaults", "password", ""),
 					resource.TestCheckResourceAttr("redshift_user.user_with_defaults", "valid_until", "infinity"),
 					resource.TestCheckResourceAttr("redshift_user.user_with_defaults", "syslog_access", "RESTRICTED"),
+					resource.TestCheckResourceAttr("redshift_user.user_with_defaults", "session_timeout", "0"),
 
 					testAccCheckRedshiftUserExists("user_create_database"),
 					resource.TestCheckResourceAttr("redshift_user.user_with_create_database", "name", "user_create_database"),
@@ -51,6 +52,10 @@ func TestAccRedshiftUser_Basic(t *testing.T) {
 					testAccCheckRedshiftUserExists("user_superuser"),
 					resource.TestCheckResourceAttr("redshift_user.user_superuser", "name", "user_superuser"),
 					resource.TestCheckResourceAttr("redshift_user.user_superuser", "superuser", "true"),
+
+					testAccCheckRedshiftUserExists("user_timeout"),
+					resource.TestCheckResourceAttr("redshift_user.user_timeout", "name", "user_timeout"),
+					resource.TestCheckResourceAttr("redshift_user.user_timeout", "session_timeout", "60"),
 				),
 			},
 		},
@@ -375,6 +380,12 @@ resource "redshift_user" "user_superuser" {
   superuser = true
   password = "FooBarBaz123"
 }
+
+resource "redshift_user" "user_timeout" {
+  name = "user_timeout"
+  password = "FooBarBaz123"
+  session_timeout = 60
+}
 `
 
 func TestPermanentUsername(t *testing.T) {