terraform.aws-baseline-infra/modules/security_identity_compliance/iam-user/main.tf

resource "aws_iam_user" "iam-user" {
  name          = var.iam-user-name
  tags          = var.default-tags
  force_destroy = true
}

resource "aws_iam_access_key" "iam-user-access-key" {
  count = var.create-access-key && var.pgp-key == null ? 1 : 0
  user  = aws_iam_user.iam-user.name
}

resource "aws_iam_access_key" "iam-user-access-key-pgp" {
  count = var.create-access-key && var.pgp-key != null ? 1 : 0
  user  = aws_iam_user.iam-user.name
  pgp_key = var.pgp-key
}


resource "aws_iam_user_policy" "iam-user-policy" {
  count  = var.iam-user-policy != "" ? 1 : 0
  name   = var.iam-user-policy-name
  user   = aws_iam_user.iam-user.name
  policy = var.iam-user-policy
}

resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
  name   = "SelfServicePermissions"
  user   = aws_iam_user.iam-user.name
  policy = data.aws_iam_policy_document.user-policy.json
}

data "aws_iam_policy_document" "user-policy" {
  statement {
    sid = "ManageOwnCredentials"

    actions = [
      "iam:ChangePassword",
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:ListAccessKey",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFA*",
      "iam:ListVirtualMFA*",
      "iam:ResyncMFADevice"
    ]

    effect    = "Allow"
    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
  }
}

resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
  count      = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
  user       = aws_iam_user.iam-user.name
  policy_arn = var.managed-policy-arns[count.index]
}

resource "random_password" "iam-user-pass" {
  count   = var.create-password ? 1 : 0
  length  = 20
  special = true
}

resource "aws_iam_user_login_profile" "iam-user-profile" {
  count = var.create-password && var.pgp-key == null ? 1 : 0
  user  = aws_iam_user.iam-user.name
}

resource "aws_iam_user_login_profile" "iam-user-profile-pgp" {
  count = var.create-password && var.pgp-key != null ? 1 : 0
  user  = aws_iam_user.iam-user.name
  pgp_key = var.pgp-key
}

resource random_id secrets-random-id {
  byte_length = 2
}
resource "aws_secretsmanager_secret" "secretmanager" {
  count       = var.create-access-key || var.create-password ? 1 : 0
  name        = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
  description = "AWS resource credential"
  tags        = var.default-tags
}

resource "aws_secretsmanager_secret_version" "iam-user-secret" {
  count     = var.create-access-key || var.create-password ? 1 : 0
  secret_id = aws_secretsmanager_secret.secretmanager[0].id
  secret_string = jsonencode(
    { "ConsolePassword" : length(random_password.iam-user-pass) > 0 ? random_password.iam-user-pass[0].result : "NotSet",
      "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
      "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
  })
}

resource "aws_iam_group_membership" "group-membership" {
  for_each = toset(var.add-to-groups)
  name     = "MembershipToExistingGroups"
  group    = each.value
  users    = [aws_iam_user.iam-user.name]
}