terraform.aws-baseline-infra/modules/security_identity_compliance/iam-user/README.md

# iam-user module
Module for creating IAM user. Credentials, if any, will be stored in secretsmanager. 
Optionally, credentials can be encrypted with gpg key when ```pgp-key``` parameter is provided. To obtain gpg public key of a user, run
```bash
gpg --export key-owner-name | base64
```

To decrypt the encrypted data
```bash
terraform output iam-user-pass-pgp  | tr -d \" | base64 -d | gpg -d
terraform output iam-user-secret-key-pgp  | tr -d \" | base64 -d | gpg -d
```

## Example
```terraform
module iam-group {
  source = "../../modules/security_identity_compliance/iam-group"
  default-tags    = local.default-tags

  iam-group-name        = "ViewOnlyUsers001"
  iam-group-policy      = ""
  iam-group-policy-name = ""
  managed-policy-arns   = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

module iam-user1 {
  source = "../../modules/security_identity_compliance/iam-user"

  default-tags    = local.default-tags
  iam-user-name   = "UserNoGroup001"
  create-access-key = true
  create-password = true
  pgp-key = var.pgp-key
  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

module iam-user2 {
  source = "../../modules/security_identity_compliance/iam-user"

  default-tags    = local.default-tags
  iam-user-name   = "UserInGroup001"
  iam-user-policy = data.aws_iam_policy_document.user-policy.json
  iam-user-policy-name = "S3AdminPermissions"
  create-access-key = false
  create-password = false
  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
  add-to-groups = [module.iam-group.iam-group-name]
}

data aws_iam_policy_document user-policy {
  statement {
    sid = "s3admin"

    actions = [
      "s3:*"
    ]

    effect = "Allow"
    resources = ["*"]
  }
}
```