NEW: Process credentials with gpg

2022-10-17 13:19:53 +08:00 · 2022-10-17 13:19:53 +08:00 · 3ff617b388
commit 3ff617b388
parent eea73dc110
4 changed files with 167 additions and 0 deletions
--- a/modules/security_identity_compliance/iam-user-gpg/README.md
+++ b/modules/security_identity_compliance/iam-user-gpg/README.md
@ -0,0 +1,53 @@
 # iam-user module
 Module for creating IAM user. Credentials, if any, will be encrypted with gpg key. To obtain gpg public key of a user, run
 ```bash
 gpg --export key-owner-name | base64
 ```
 To decrypt the encrypted data
 ```bash
 terraform output iam-user-pass  | tr -d \" | base64 -d | gpg -d
 terraform output iam-user-secret-key  | tr -d \" | base64 -d | gpg -d
 ```
 ## Example
 ```terraform
 module iam-user {
  source = "../../modules/security_identity_compliance/iam-user"
  default-tags    = local.default-tags
  iam-user-name   = var.iam-user-name
  iam-user-policy = data.aws_iam_policy_document.user-policy.json
  iam-user-policy-name = "SelfServicePermissions"
  create-access-key = false
  create-password = false
  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
  create-group = true
  iam-group-name = var.iam-group-name
 }
 data aws_iam_policy_document user-policy {
  statement {
    sid = "ManageOwnCredentials"
    actions = [
      "iam:ChangePassword",
      "iam:CreateAccessKey",
      "iam:DeleteAccessKey",
      "iam:ListAccessKey",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFA*",
      "iam:ListVirtualMFA*",
      "iam:ResyncMFADevice"
    ]
    effect = "Allow"
    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
  }
 }
 output iam-user-arn {
  value = module.iam-user.iam-user-arn
 }
 ```
--- a/modules/security_identity_compliance/iam-user-gpg/main.tf
+++ b/modules/security_identity_compliance/iam-user-gpg/main.tf
@ -0,0 +1,68 @@
 resource "aws_iam_user" "iam-user" {
  name          = var.iam-user-name
  tags          = var.default-tags
  force_destroy = true
 }
 resource "aws_iam_access_key" "iam-user-access-key" {
  count = var.create-access-key ? 1 : 0
  user  = aws_iam_user.iam-user.name
  pgp_key = var.pgp-key
 }
 resource "aws_iam_user_policy" "iam-user-policy" {
  count = var.create-group ? 0 : 1
  name   = var.iam-user-policy-name
  user   = aws_iam_user.iam-user.name
  policy = var.iam-user-policy
 }
 resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
  count = var.create-group ? 0: length(var.managed-policy-arns)
  user       = aws_iam_user.iam-user.name
  policy_arn = var.managed-policy-arns[count.index]
 }
 resource "random_password" "iam-user-pass" {
  count   = var.create-password ? 1 : 0
  length  = 20
  special = true
 }
 resource "aws_iam_user_login_profile" "iam-user-profile" {
  count = var.create-password ? 1 : 0
  user  = aws_iam_user.iam-user.name
  pgp_key = var.pgp-key
 }
 resource aws_iam_group iam-group {
  count = var.create-group ? 1 : 0
  name = var.iam-group-name
 }
 resource aws_iam_group_membership new-group-membership {
  count = length(aws_iam_group.iam-group)
  name = aws_iam_group.iam-group[0].name
  group = aws_iam_group.iam-group[0].name
  users = [aws_iam_user.iam-user.name]
 }
 resource aws_iam_group_membership existing-group-membership {
  count = length(var.add-to-groups)
  name = var.add-to-groups[count.index]
  group = var.add-to-groups[count.index]
  users = [aws_iam_user.iam-user.name]
 }
 resource "aws_iam_group_policy" "iam-group-policy" {
  count = var.create-group ? 1 : 0
  name   = "SelfServiceAccess"
  group   = aws_iam_group.iam-group[0].name
  policy = var.iam-user-policy
 }
 resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
  count = var.create-group ? length(var.managed-policy-arns) : 0
  group       = aws_iam_group.iam-group[0].name
  policy_arn = var.managed-policy-arns[count.index]
 }
--- a/modules/security_identity_compliance/iam-user-gpg/outputs.tf
+++ b/modules/security_identity_compliance/iam-user-gpg/outputs.tf
@ -0,0 +1,19 @@
 output iam-user-name {
  value = aws_iam_user.iam-user.name
 }
 output iam-user-arn {
  value = aws_iam_user.iam-user.arn
 }
 output iam-user-pass {
  value = try(aws_iam_user_login_profile.iam-user-profile[0].encrypted_password, "")
 }
 output iam-user-access-key {
  value = try(aws_iam_access_key.iam-user-access-key[0].id, "")
 }
 output iam-user-secret-key {
  value = try(aws_iam_access_key.iam-user-access-key[0].encrypted_secret, "")
 }
--- a/modules/security_identity_compliance/iam-user-gpg/variables.tf
+++ b/modules/security_identity_compliance/iam-user-gpg/variables.tf
@ -0,0 +1,27 @@
 variable iam-user-name {}
 variable iam-user-policy {}
 variable create-access-key {
  type = bool
 }
 variable create-password {
  type = bool
 }
 variable default-tags {}
 variable managed-policy-arns {}
 variable create-group {
  type = bool
 }
 variable iam-group-name {
  type = string
  default = ""
 }
 variable add-to-groups {
  type = list
  default = []
 }
 variable iam-user-policy-name {}
 variable pgp-key {
  type = string
  default = ""
 }