[provider] Add aws session role name

Closes #332

Author: phillbaker

docs/index.md

@@ -63,6 +63,7 @@ The following arguments are supported:
 * `username` (Optional) - Username to use to connect to elasticsearch using basic auth. Defaults to `ELASTICSEARCH_USERNAME` from the environment
 * `password` (Optional) - Password to use to connect to elasticsearch using basic auth. Defaults to `ELASTICSEARCH_PASSWORD` from the environment
 * `aws_assume_role_arn` (Optional) - ARN of role to assume when using AWS Elasticsearch Service domains.
+* `aws_assume_role_session_name` - AWS IAM session name to use when assuming a role.
 * `aws_access_key` (Optional) - The access key for use with AWS Elasticsearch Service domains. It can also be sourced from the `AWS_ACCESS_KEY_ID` environment variable.
 * `aws_secret_key` (Optional) - The secret key for use with AWS Elasticsearch Service domains. It can also be sourced from the `AWS_SECRET_ACCESS_KEY` environment variable.
 * `aws_token` (Optional) - The session token for use with AWS Elasticsearch Service domains. It can also be sourced from the `AWS_SESSION_TOKEN` environment variable.

es/provider.go

@@ -42,30 +42,31 @@ const (
 var awsUrlRegexp = regexp.MustCompile(`([a-z0-9-]+).es.amazonaws.com$`)
 
 type ProviderConf struct {
-	rawUrl             string
-	insecure           bool
-	sniffing           bool
-	healthchecking     bool
-	cacertFile         string
-	username           string
-	password           string
-	token              string
-	tokenName          string
-	parsedUrl          *url.URL
-	signAWSRequests    bool
-	esVersion          string
-	pingTimeoutSeconds int
-	awsRegion          string
-	awsAssumeRoleArn   string
-	awsAccessKeyId     string
-	awsSecretAccessKey string
-	awsSessionToken    string
-	awsSig4Service     string
-	awsProfile         string
-	certPemPath        string
-	keyPemPath         string
-	kibanaUrl          string
-	hostOverride       string
+	rawUrl                   string
+	insecure                 bool
+	sniffing                 bool
+	healthchecking           bool
+	cacertFile               string
+	username                 string
+	password                 string
+	token                    string
+	tokenName                string
+	parsedUrl                *url.URL
+	signAWSRequests          bool
+	esVersion                string
+	pingTimeoutSeconds       int
+	awsRegion                string
+	awsAssumeRoleArn         string
+	awsAssumeRoleSessionName string
+	awsAccessKeyId           string
+	awsSecretAccessKey       string
+	awsSessionToken          string
+	awsSig4Service           string
+	awsProfile               string
+	certPemPath              string
+	keyPemPath               string
+	kibanaUrl                string
+	hostOverride             string
 	// determined after connecting to the server
 	flavor ServerFlavor
 }
@@ -127,6 +128,12 @@ func Provider() *schema.Provider {
 				Default:     "",
 				Description: "Amazon Resource Name of an IAM Role to assume prior to making AWS API calls.",
 			},
+			"aws_assume_role_session_name": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Default:     "",
+				Description: "AWS IAM session name to use when assuming a role.",
+			},
 			"aws_access_key": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -291,14 +298,15 @@ func providerConfigure(c context.Context, d *schema.ResourceData) (interface{},
 		pingTimeoutSeconds: d.Get("version_ping_timeout").(int),
 		awsRegion:          d.Get("aws_region").(string),
 
-		awsAssumeRoleArn:   d.Get("aws_assume_role_arn").(string),
-		awsAccessKeyId:     d.Get("aws_access_key").(string),
-		awsSecretAccessKey: d.Get("aws_secret_key").(string),
-		awsSessionToken:    d.Get("aws_token").(string),
-		awsProfile:         d.Get("aws_profile").(string),
-		certPemPath:        d.Get("client_cert_path").(string),
-		keyPemPath:         d.Get("client_key_path").(string),
-		hostOverride:       d.Get("host_override").(string),
+		awsAssumeRoleArn:         d.Get("aws_assume_role_arn").(string),
+		awsAssumeRoleSessionName: d.Get("aws_assume_role_session_name").(string),
+		awsAccessKeyId:           d.Get("aws_access_key").(string),
+		awsSecretAccessKey:       d.Get("aws_secret_key").(string),
+		awsSessionToken:          d.Get("aws_token").(string),
+		awsProfile:               d.Get("aws_profile").(string),
+		certPemPath:              d.Get("client_cert_path").(string),
+		keyPemPath:               d.Get("client_key_path").(string),
+		hostOverride:             d.Get("host_override").(string),
 	}, nil
 }
 
@@ -545,15 +553,16 @@ func getKibanaClient(conf *ProviderConf) (interface{}, error) {
 	}
 }
 
-func assumeRoleCredentials(region, roleARN, profile string) *awscredentials.Credentials {
+func assumeRoleCredentials(region, roleARN, roleSessionName, profile string) *awscredentials.Credentials {
 	sessOpts := awsSessionOptions(region)
 	sessOpts.Profile = profile
 
 	sess := awssession.Must(awssession.NewSessionWithOptions(sessOpts))
 	stsClient := awssts.New(sess)
 	assumeRoleProvider := &awsstscreds.AssumeRoleProvider{
-		Client:  stsClient,
-		RoleARN: roleARN,
+		Client:          stsClient,
+		RoleARN:         roleARN,
+		RoleSessionName: roleSessionName,
 	}
 
 	return awscredentials.NewChainCredentials([]awscredentials.Provider{assumeRoleProvider})
@@ -591,7 +600,7 @@ func awsSession(region string, conf *ProviderConf) *awssession.Session {
 	if conf.awsAccessKeyId != "" {
 		sessOpts.Config.Credentials = awscredentials.NewStaticCredentials(conf.awsAccessKeyId, conf.awsSecretAccessKey, conf.awsSessionToken)
 	} else if conf.awsAssumeRoleArn != "" {
-		sessOpts.Config.Credentials = assumeRoleCredentials(region, conf.awsAssumeRoleArn, conf.awsProfile)
+		sessOpts.Config.Credentials = assumeRoleCredentials(region, conf.awsAssumeRoleArn, conf.awsAssumeRoleSessionName, conf.awsProfile)
 	} else if conf.awsProfile != "" {
 		sessOpts.Profile = conf.awsProfile
 	}