NEW: Process credentials with gpg
This commit is contained in:
KF
parent
eea73dc110
commit
3ff617b388
GPG Key ID:
CD4FF6793F09AB86
53
modules/security_identity_compliance/iam-user-gpg/README.md
Normal file
53
modules/security_identity_compliance/iam-user-gpg/README.md
Normal file
@ -0,0 +1,53 @@
|
||||
# iam-user module
|
||||
Module for creating IAM user. Credentials, if any, will be encrypted with gpg key. To obtain gpg public key of a user, run
|
||||
```bash
|
||||
gpg --export key-owner-name | base64
|
||||
```
|
||||
|
||||
To decrypt the encrypted data
|
||||
```bash
|
||||
terraform output iam-user-pass | tr -d \" | base64 -d | gpg -d
|
||||
terraform output iam-user-secret-key | tr -d \" | base64 -d | gpg -d
|
||||
```
|
||||
|
||||
## Example
|
||||
```terraform
|
||||
module iam-user {
|
||||
source = "../../modules/security_identity_compliance/iam-user"
|
||||
|
||||
default-tags = local.default-tags
|
||||
iam-user-name = var.iam-user-name
|
||||
iam-user-policy = data.aws_iam_policy_document.user-policy.json
|
||||
iam-user-policy-name = "SelfServicePermissions"
|
||||
create-access-key = false
|
||||
create-password = false
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
create-group = true
|
||||
iam-group-name = var.iam-group-name
|
||||
}
|
||||
|
||||
data aws_iam_policy_document user-policy {
|
||||
statement {
|
||||
sid = "ManageOwnCredentials"
|
||||
|
||||
actions = [
|
||||
"iam:ChangePassword",
|
||||
"iam:CreateAccessKey",
|
||||
"iam:DeleteAccessKey",
|
||||
"iam:ListAccessKey",
|
||||
"iam:CreateVirtualMFADevice",
|
||||
"iam:EnableMFADevice",
|
||||
"iam:ListMFA*",
|
||||
"iam:ListVirtualMFA*",
|
||||
"iam:ResyncMFADevice"
|
||||
]
|
||||
|
||||
effect = "Allow"
|
||||
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
|
||||
}
|
||||
}
|
||||
|
||||
output iam-user-arn {
|
||||
value = module.iam-user.iam-user-arn
|
||||
}
|
||||
```
|
||||
68
modules/security_identity_compliance/iam-user-gpg/main.tf
Normal file
68
modules/security_identity_compliance/iam-user-gpg/main.tf
Normal file
@ -0,0 +1,68 @@
|
||||
resource "aws_iam_user" "iam-user" {
|
||||
name = var.iam-user-name
|
||||
tags = var.default-tags
|
||||
force_destroy = true
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "iam-user-access-key" {
|
||||
count = var.create-access-key ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
pgp_key = var.pgp-key
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy" "iam-user-policy" {
|
||||
count = var.create-group ? 0 : 1
|
||||
name = var.iam-user-policy-name
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy = var.iam-user-policy
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
|
||||
count = var.create-group ? 0: length(var.managed-policy-arns)
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy_arn = var.managed-policy-arns[count.index]
|
||||
}
|
||||
|
||||
resource "random_password" "iam-user-pass" {
|
||||
count = var.create-password ? 1 : 0
|
||||
length = 20
|
||||
special = true
|
||||
}
|
||||
|
||||
resource "aws_iam_user_login_profile" "iam-user-profile" {
|
||||
count = var.create-password ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
pgp_key = var.pgp-key
|
||||
}
|
||||
|
||||
resource aws_iam_group iam-group {
|
||||
count = var.create-group ? 1 : 0
|
||||
name = var.iam-group-name
|
||||
}
|
||||
|
||||
resource aws_iam_group_membership new-group-membership {
|
||||
count = length(aws_iam_group.iam-group)
|
||||
name = aws_iam_group.iam-group[0].name
|
||||
group = aws_iam_group.iam-group[0].name
|
||||
users = [aws_iam_user.iam-user.name]
|
||||
}
|
||||
|
||||
resource aws_iam_group_membership existing-group-membership {
|
||||
count = length(var.add-to-groups)
|
||||
name = var.add-to-groups[count.index]
|
||||
group = var.add-to-groups[count.index]
|
||||
users = [aws_iam_user.iam-user.name]
|
||||
}
|
||||
|
||||
resource "aws_iam_group_policy" "iam-group-policy" {
|
||||
count = var.create-group ? 1 : 0
|
||||
name = "SelfServiceAccess"
|
||||
group = aws_iam_group.iam-group[0].name
|
||||
policy = var.iam-user-policy
|
||||
}
|
||||
|
||||
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
|
||||
count = var.create-group ? length(var.managed-policy-arns) : 0
|
||||
group = aws_iam_group.iam-group[0].name
|
||||
policy_arn = var.managed-policy-arns[count.index]
|
||||
}
|
||||
19
modules/security_identity_compliance/iam-user-gpg/outputs.tf
Normal file
19
modules/security_identity_compliance/iam-user-gpg/outputs.tf
Normal file
@ -0,0 +1,19 @@
|
||||
output iam-user-name {
|
||||
value = aws_iam_user.iam-user.name
|
||||
}
|
||||
|
||||
output iam-user-arn {
|
||||
value = aws_iam_user.iam-user.arn
|
||||
}
|
||||
|
||||
output iam-user-pass {
|
||||
value = try(aws_iam_user_login_profile.iam-user-profile[0].encrypted_password, "")
|
||||
}
|
||||
|
||||
output iam-user-access-key {
|
||||
value = try(aws_iam_access_key.iam-user-access-key[0].id, "")
|
||||
}
|
||||
|
||||
output iam-user-secret-key {
|
||||
value = try(aws_iam_access_key.iam-user-access-key[0].encrypted_secret, "")
|
||||
}
|
||||
@ -0,0 +1,27 @@
|
||||
variable iam-user-name {}
|
||||
variable iam-user-policy {}
|
||||
variable create-access-key {
|
||||
type = bool
|
||||
}
|
||||
variable create-password {
|
||||
type = bool
|
||||
}
|
||||
variable default-tags {}
|
||||
variable managed-policy-arns {}
|
||||
variable create-group {
|
||||
type = bool
|
||||
}
|
||||
variable iam-group-name {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable add-to-groups {
|
||||
type = list
|
||||
default = []
|
||||
}
|
||||
variable iam-user-policy-name {}
|
||||
variable pgp-key {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user