UPD: merged iam-user-pgp into iam-user module
This commit is contained in:
parent
f11b4fbc44
commit
797caaaa49
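--- a/PATH_NOT_ON_PAGE_1
+++ /dev/null
@@ -1,51 +0,0 @@
-module iam-user {
-source = "../../modules/security_identity_compliance/iam-user-gpg"
-
-default-tags = local.default-tags
-iam-user-name = var.iam-user-name
-iam-user-policy = data.aws_iam_policy_document.user-policy.json
-iam-user-policy-name = "SelfServicePermissions"
-create-access-key = false
-create-password = true
-managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
-create-group = true
-iam-group-name = var.iam-group-name
-pgp-key = var.pgp-key
-}
-
-data aws_iam_policy_document user-policy {
-statement {
-sid = "ManageOwnCredentials"
-
-actions = [
-"iam:ChangePassword",
-"iam:CreateAccessKey",
-"iam:DeleteAccessKey",
-"iam:ListAccessKey",
-"iam:CreateVirtualMFADevice",
-"iam:EnableMFADevice",
-"iam:ListMFA*",
-"iam:ListVirtualMFA*",
-"iam:ResyncMFADevice"
-]
-
-effect = "Allow"
-resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
-}
-}
-
-output iam-user-arn {
-value = module.iam-user.iam-user-arn
-}
-
-output iam-user-pass {
-value = module.iam-user.iam-user-pass
-}
-
-output iam-user-access-key {
-value = module.iam-user.iam-user-access-key
-}
-
-output iam-user-secret-key {
-value = module.iam-user.iam-user-secret-key
-}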
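--- a/PATH_NOT_ON_PAGE_2
+++ /dev/null
@@ -1,44 +0,0 @@
-aws-region = "ap-southeast-1"
-customer-name = "ken2026"
-environment = "dev"
-project = "iac"
-application = "terraform"
-costcenter = "none"
-DynamicAddressGroup = ""
-owner = "Rackspace"
-
-iam-user-name = "TestUser1017"
-iam-group-name = "TestGroup1017"
-pgp-key = <<EOT
-mQGNBFwvcRcBDADFUwrq87O8Xe0A0m+8sBAfp9N9NfVf1DjF6u2fRNOyCe0wP7ZakmPC/lot3eAn
-9Ztd/S4ReY5o8G6O7euRsa9ha2jmOAKmChOsbAYJogz9+MI4mxKY38XyKN7qItfwDQhanAktgx+P
-BKmeBOzVPEslKb2F/bf32UilxwDdstxHBq7XObO1JFh5b5WPlau4JFG2OSlhI65+WRVBEo/d3ysc
-9m3f4nVEGbiAFzU+Tk48s00CqfMW43+Ktz9Pxi2HAbzw83UvzIsyWYPEMky0tee9iaC4XbjndTTB
-iwZpQw8+zdDpmhObkee+rFnK8/xTB8jGe5BE2Mjoo1PTM0v8jdtigC5vAKniMZq9bBccX+Wfmx9D
-LlL5hTqQ04a22VCVi0jSTLEwL6SKmx5O81OQWPOKcl+mi3DwoiT2Te9EXbTiiwVQHcoKkVs+jjRr
-6I3vtbbvKen/Dd9jE+dBtrOmPfJPAIm0oNg47R1soqIiYDm3PNC9XoWwMqn1zfTvlc6RIYMAEQEA
-AbQXeCBwIGsgPHhwa0BoZWFkZGVzay5tZT6JAc4EEwEIADgWIQRfsOzq3+qQBFR9qhXNT/Z5Pwmr
-hgUCXC9xFwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDNT/Z5Pwmrhl3hDACaAgHhd8dP
-433Q25veYnE0tyEQNpF36v3AhBSCW6r5+KDkWmvyo87JXx6uyD09vHd2maQDgc9D3GBD54X3CBTA
-q89a60dAfdW152sm7X74gKLTgSXXnYBAXC6ZY75uusw+DKpRzPRfzkHwX+7cl4sErDMivCzci0nf
-dn9uGOFD/96AZUwb40Rr3abetisddF6Tog8REhAY6apNFddWlYrdLkoHJqnZjVpMlWK/08bWOyDE
-sIv0wC1yqtY9WKyQv0A8E03ZBjACzTIn988DvfA5e8iNxOvduk+s8xuHFNblyZYzJsqDuD+i/qVD
-MI188A3OhO3Ew3D2pGvf9w97qI0Q5b4fKVgFfQHaJnruqrJiIaYLtyeiZr2NsHu6rRxky/Wr3Oat
-9Z+AUzNc/BcvW19paD+c0AOFwR9fGuDWwcSN0QffHA905ydklPDKuxa9F1MZcuEvW+HHrxHTL08l
-YonBTydQKY5XOZe2pFFf3JgTXsCTlZYbbiZzJ4mXGjRLQ325AY0EXC9xFwEMAOWNTfkoha8t0NEF
-+WmBybtQ0R/AraG3CmjN416Sfnudhg0HX+NXbsCNCtt5ht2lS+y1gDD/pClR02/QFjNfihjxxHIC
-ql9dnqDUlay1wmgv2kKGbHGeRZ3MnwYJjm2evAEid2GA7euBYwUbFS6cJz88jn+cTENsNpn6zNYD
-1112o1vdZTUZzIGvYIw8DL31FgC6twZlSsJ7wIhKQxj40uxQ+sPCxvvhFIz3et2COfKlQwsyugD0
-wefFqU65ByTArs8qBiuMjphqx4JVkfv+NUk7hSAc7/+XC7Fz6kSuMljLeg0SZY02Od/2U6iy2zQm
-6psmKgITwfgy01YcKXNCJDR8CcIb70xr3WmdJmqpmQUl19VLbF0cIeXTuG7YUEmWWqLNXlAxnpBf
-2pknLKfqUIrRAEHC4L7LWFdi+UeDeoOFvbkKcQ0MjYBrA0wfr2kF6y0PagTgHUW0eUnQx4CRIKab
-LwwqQphwoug+jMqLOF9SVK4Rq+TrspmGg8GR0OeBbwARAQABiQG2BBgBCAAgFiEEX7Ds6t/qkARU
-faoVzU/2eT8Jq4YFAlwvcRcCGwwACgkQzU/2eT8Jq4aKugwAiNYSNwonzR15p24zsfLqxBeNLmtt
-XcoorlpmSPAQFr9gMUY94I+ZH4jKydhz8H5oEuxHnM4VQIs1OAH9YQqG/m8aq91i+Gva3quSjdTN
-Xl6lnPnC1eZKJbm04U2Uj73cAtt+rGJoqvZiEOme2LqQtmiQhJh5ASMX+W9d3bCnogML/CHVRV0t
-hVf5tudCK8R+KwcNV1NjvH7sVbtxfpJTeZtP7hIxhEUnTnjetd54UJKBQ3yFuDXD2d0nuuCSz1qO
-8C/HYe672m2slVZfX5eTQItVd3wPCc9Zfum3zTMuFTFb8en9cOUzLynfzOwj2+FGwlwaWUppUBH/
-D8HUCIzKJcXVHHCi3pww8TSVoD+n545kUhyJwh+qxWtttm4Hs0al3t0QGuaD6RHGtpdqZ8jgRY8Q
-FLiCnhBm3F0GWXkbKUfH2zVPSexsPSp/DH1hjy7s+ugIJZ75+JzXfFL45C2aXhArKdCFqQQlVFh7
-B92IFh1fiCOyTmXkDWiNOa5jY9mN
-EOT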
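--- a/PATH_NOT_ON_PAGE_3
+++ /dev/null
@@ -1,28 +0,0 @@
-variable "aws-region" {}
-variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "owner" {}
-variable "costcenter" {}
-variable "DynamicAddressGroup" {}
-
-locals {
-default-tags = {
-ServiceProvider = "RackspaceTechnology"
-Environment = var.environment
-Project = var.project
-Application = var.application
-TerraformMode = "managed"
-BuildDate = formatdate("YYYYMMDD", timestamp())
-Owner = var.owner
-CostCenter = var.costcenter
-DynamicAddressGroup = var.DynamicAddressGroup
-
-}
-resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
-}
-
-variable iam-user-name {}
-variable iam-group-name {}
-variable pgp-key {}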
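--- a/PATH_NOT_ON_PAGE_4
+++ /dev/null
@@ -1,53 +0,0 @@
-# iam-user module
-Module for creating IAM user. Credentials, if any, will be encrypted with gpg key. To obtain gpg public key of a user, run
-```bash
-gpg --export key-owner-name | base64
-```
-
-To decrypt the encrypted data
-```bash
-terraform output iam-user-pass | tr -d \" | base64 -d | gpg -d
-terraform output iam-user-secret-key | tr -d \" | base64 -d | gpg -d
-```
-
-## Example
-```terraform
-module iam-user {
-source = "../../modules/security_identity_compliance/iam-user"
-
-default-tags = local.default-tags
-iam-user-name = var.iam-user-name
-iam-user-policy = data.aws_iam_policy_document.user-policy.json
-iam-user-policy-name = "SelfServicePermissions"
-create-access-key = false
-create-password = false
-managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
-create-group = true
-iam-group-name = var.iam-group-name
-}
-
-data aws_iam_policy_document user-policy {
-statement {
-sid = "ManageOwnCredentials"
-
-actions = [
-"iam:ChangePassword",
-"iam:CreateAccessKey",
-"iam:DeleteAccessKey",
-"iam:ListAccessKey",
-"iam:CreateVirtualMFADevice",
-"iam:EnableMFADevice",
-"iam:ListMFA*",
-"iam:ListVirtualMFA*",
-"iam:ResyncMFADevice"
-]
-
-effect = "Allow"
-resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
-}
-}
-
-output iam-user-arn {
-value = module.iam-user.iam-user-arn
-}
-```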
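--- a/PATH_NOT_ON_PAGE_5
+++ /dev/null
@@ -1,95 +0,0 @@
-resource "aws_iam_user" "iam-user" {
-name = var.iam-user-name
-tags = var.default-tags
-force_destroy = true
-}
-
-resource "aws_iam_access_key" "iam-user-access-key" {
-count = var.create-access-key ? 1 : 0
-user = aws_iam_user.iam-user.name
-pgp_key = var.pgp-key
-}
-
-#resource "aws_iam_user_policy" "iam-user-policy" {
-# count = var.create-group ? 0 : 1
-# name = var.iam-user-policy-name
-# user = aws_iam_user.iam-user.name
-# policy = var.iam-user-policy
-#}
-
-resource "aws_iam_user_policy" iam-user-selfservice-policy {
-name = "SelfServicePermissions"
-user = aws_iam_user.iam-user.name
-policy = data.aws_iam_policy_document.user-policy.json
-}
-
-data aws_iam_policy_document user-policy {
-statement {
-sid = "ManageOwnCredentials"
-
-actions = [
-"iam:ChangePassword",
-"iam:CreateAccessKey",
-"iam:DeleteAccessKey",
-"iam:ListAccessKey",
-"iam:CreateVirtualMFADevice",
-"iam:EnableMFADevice",
-"iam:ListMFA*",
-"iam:ListVirtualMFA*",
-"iam:ResyncMFADevice"
-]
-
-effect = "Allow"
-resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
-}
-}
-
-resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
-count = var.create-group ? 0: length(var.managed-policy-arns)
-user = aws_iam_user.iam-user.name
-policy_arn = var.managed-policy-arns[count.index]
-}
-
-resource "random_password" "iam-user-pass" {
-count = var.create-password ? 1 : 0
-length = 20
-special = true
-}
-
-resource "aws_iam_user_login_profile" "iam-user-profile" {
-count = var.create-password ? 1 : 0
-user = aws_iam_user.iam-user.name
-pgp_key = var.pgp-key
-}
-
-resource aws_iam_group iam-group {
-count = var.create-group ? 1 : 0
-name = var.iam-group-name
-}
-
-resource aws_iam_group_membership new-group-membership {
-for_each = aws_iam_group.iam-group
-name = "MembershipToNewGroups"
-group = each.value
-users = [aws_iam_user.iam-user.name]
-}
-
-resource aws_iam_group_membership existing-group-membership {
-for_each = var.add-to-groups
-name = "MembershipToExistingGroups"
-group = each.value
-users = [aws_iam_user.iam-user.name]
-}
-
-#resource "aws_iam_group_policy" "iam-group-policy" {
-# count = var.create-group ? 1 : 0
-# name = "SelfServiceAccess"
-# group = aws_iam_group.iam-group[0].name
-# policy = var.iam-user-policy
-#}
-
-resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
-count = var.create-group ? length(var.managed-policy-arns) : 0
-group = aws_iam_group.iam-group[0].name
-policy_arn = var.managed-policy-arns[count.index]
-}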
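--- a/PATH_NOT_ON_PAGE_6
+++ /dev/null
@@ -1,19 +0,0 @@
-output iam-user-name {
-value = aws_iam_user.iam-user.name
-}
-
-output iam-user-arn {
-value = aws_iam_user.iam-user.arn
-}
-
-output iam-user-pass {
-value = try(aws_iam_user_login_profile.iam-user-profile[0].encrypted_password, "")
-}
-
-output iam-user-access-key {
-value = try(aws_iam_access_key.iam-user-access-key[0].id, "")
-}
-
-output iam-user-secret-key {
-value = try(aws_iam_access_key.iam-user-access-key[0].encrypted_secret, "")
-}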
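--- a/PATH_NOT_ON_PAGE_7
+++ /dev/null
@@ -1,27 +0,0 @@
-variable iam-user-name {}
-variable iam-user-policy {}
-variable create-access-key {
-type = bool
-}
-variable create-password {
-type = bool
-}
-variable default-tags {}
-variable managed-policy-arns {}
-variable create-group {
-type = bool
-}
-variable iam-group-name {
-type = string
-default = ""
-}
-
-variable add-to-groups {
-type = list
-default = []
-}
-variable iam-user-policy-name {}
-variable pgp-key {
-type = string
-default = ""
-}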
@ -1,24 +1,62 @@
|
||||
# iam-user module
|
||||
Module for creating IAM user. Credentials, if any, will be stored in secretsmanager
|
||||
Module for creating IAM user. Credentials, if any, will be stored in secretsmanager.
|
||||
Optionally, credentials can be encrypted with gpg key when ```pgp-key``` parameter is provided. To obtain gpg public key of a user, run
|
||||
```bash
|
||||
gpg --export key-owner-name | base64
|
||||
```
|
||||
|
||||
To decrypt the encrypted data
|
||||
```bash
|
||||
terraform output iam-user-pass-pgp | tr -d \" | base64 -d | gpg -d
|
||||
terraform output iam-user-secret-key-pgp | tr -d \" | base64 -d | gpg -d
|
||||
```
|
||||
|
||||
## Example
|
||||
```terraform
|
||||
module iam-user {
|
||||
module iam-group {
|
||||
source = "../../modules/security_identity_compliance/iam-group"
|
||||
default-tags = local.default-tags
|
||||
|
||||
iam-group-name = "ViewOnlyUsers001"
|
||||
iam-group-policy = ""
|
||||
iam-group-policy-name = ""
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
}
|
||||
|
||||
module iam-user1 {
|
||||
source = "../../modules/security_identity_compliance/iam-user"
|
||||
|
||||
default-tags = local.default-tags
|
||||
iam-user-name = var.iam-user-name
|
||||
iam-user-policy = ""
|
||||
iam-user-policy-name = "SelfServicePermissions"
|
||||
iam-user-name = "UserNoGroup001"
|
||||
create-access-key = true
|
||||
create-password = true
|
||||
pgp-key = var.pgp-key
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
}
|
||||
|
||||
module iam-user2 {
|
||||
source = "../../modules/security_identity_compliance/iam-user"
|
||||
|
||||
default-tags = local.default-tags
|
||||
iam-user-name = "UserInGroup001"
|
||||
iam-user-policy = data.aws_iam_policy_document.user-policy.json
|
||||
iam-user-policy-name = "S3AdminPermissions"
|
||||
create-access-key = false
|
||||
create-password = false
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
create-group = true
|
||||
add-to-groups = []
|
||||
iam-group-name = var.iam-group-name
|
||||
add-to-groups = [module.iam-group.iam-group-name]
|
||||
}
|
||||
|
||||
output iam-user-arn {
|
||||
value = module.iam-user.iam-user-arn
|
||||
data aws_iam_policy_document user-policy {
|
||||
statement {
|
||||
sid = "s3admin"
|
||||
|
||||
actions = [
|
||||
"s3:*"
|
||||
]
|
||||
|
||||
effect = "Allow"
|
||||
resources = ["*"]
|
||||
}
|
||||
}
|
||||
```
|
@ -5,10 +5,17 @@ resource "aws_iam_user" "iam-user" {
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "iam-user-access-key" {
|
||||
count = var.create-access-key ? 1 : 0
|
||||
count = var.create-access-key && var.pgp-key == null ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "iam-user-access-key-pgp" {
|
||||
count = var.create-access-key && var.pgp-key != null ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
pgp_key = var.pgp-key
|
||||
}
|
||||
|
||||
|
||||
resource "aws_iam_user_policy" "iam-user-policy" {
|
||||
count = var.iam-user-policy != "" ? 1 : 0
|
||||
name = var.iam-user-policy-name
|
||||
@ -56,13 +63,22 @@ resource "random_password" "iam-user-pass" {
|
||||
}
|
||||
|
||||
resource "aws_iam_user_login_profile" "iam-user-profile" {
|
||||
count = var.create-password ? 1 : 0
|
||||
count = var.create-password && var.pgp-key == null ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
}
|
||||
|
||||
resource "aws_iam_user_login_profile" "iam-user-profile-pgp" {
|
||||
count = var.create-password && var.pgp-key != null ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
pgp_key = var.pgp-key
|
||||
}
|
||||
|
||||
resource random_id secrets-random-id {
|
||||
byte_length = 2
|
||||
}
|
||||
resource "aws_secretsmanager_secret" "secretmanager" {
|
||||
count = var.create-access-key || var.create-password ? 1 : 0
|
||||
name = "IamUserCredential-${var.iam-user-name}"
|
||||
name = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
|
||||
description = "AWS resource credential"
|
||||
tags = var.default-tags
|
||||
}
|
||||
|
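Review bot: The `var.pgp-key == null` / `!= null` split between `iam-user-access-key` and `iam-user-access-key-pgp` (and the same pair of `aws_iam_user_login_profile` resources in the second hunk) treats an empty string as a PGP key, so a caller that still passes `pgp-key = ""` — the default the removed iam-user-pgp module used — lands on the `-pgp` resource with an empty `pgp_key` instead of the plain one. One local, `use-pgp = var.pgp-key != null && var.pgp-key != ""`, tested as `!local.use-pgp` / `local.use-pgp` in the four `count` expressions keeps the two branches exclusive for both forms. On the non-PGP branch the access key's `secret` (and the login profile's password, if the provider version exposes it) is held unencrypted in the Terraform state, presumably so the Secrets Manager path can read it; a comment on `iam-user-access-key` such as `# no pgp_key: the secret is stored in plaintext in state, so the state backend must be encrypted and access-restricted` makes that visible to module users. `random_id.secrets-random-id` is created even when the secret's `count` is 0 and `byte_length = 2` yields only 65536 suffixes, so a comment above it should say what the suffix is for (presumably avoiding a name clash with a previously deleted secret still in its recovery window). Both hunks start and end inside larger resource blocks whose remaining lines are outside view.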
@ -4,4 +4,20 @@ output iam-user-name {
|
||||
|
||||
output iam-user-arn {
|
||||
value = aws_iam_user.iam-user.arn
|
||||
}
|
||||
|
||||
output iam-user-access-key {
|
||||
value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
|
||||
}
|
||||
|
||||
output iam-user-access-key-pgp {
|
||||
value = try(aws_iam_access_key.iam-user-access-key-pgp[0].id, "none")
|
||||
}
|
||||
|
||||
output iam-user-secret-key-pgp {
|
||||
value = try(aws_iam_access_key.iam-user-access-key-pgp[0].encrypted_secret, "none")
|
||||
}
|
||||
|
||||
output iam-user-pass-pgp {
|
||||
value = try(aws_iam_user_login_profile.iam-user-profile-pgp[0].encrypted_password, "none")
|
||||
}
|
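Review bot: `iam-user-secret-key-pgp` and `iam-user-pass-pgp` return credential material but carry no `sensitive = true`, so the encrypted blobs are printed in every plan/apply summary and captured by CI logs; adding `sensitive = true` to both output blocks keeps them out of that output while `terraform output <name>` still returns the value for the README's decrypt step. The fallback also changed from `""` to `"none"`, and `"none"` is exactly what the README pipeline (`… | tr -d \" | base64 -d | gpg -d`) receives when the `-pgp` resource was not created, which then fails inside `base64 -d` rather than with a clear message; `""` or `null` is the less surprising sentinel. The file's first three lines are outside the hunk.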
@ -1,5 +1,12 @@
|
||||
variable iam-user-name {}
|
||||
variable iam-user-policy {}
|
||||
variable iam-user-policy {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
variable iam-user-policy-name {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
variable create-access-key {
|
||||
type = bool
|
||||
}
|
||||
@ -12,4 +19,8 @@ variable add-to-groups {
|
||||
type = list
|
||||
default = []
|
||||
}
|
||||
variable iam-user-policy-name {}
|
||||
|
||||
variable pgp-key {
|
||||
type = string
|
||||
default = null
|
||||
}
|
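Review bot: `pgp-key` defaults to `null` here while the removed iam-user-pgp module defaulted it to `""`, and none of the new or reworked variables (`iam-user-policy`, `iam-user-policy-name`, `pgp-key`) carry a `description`, so the fact that this default selects the plaintext rather than the PGP resources in main.tf is invisible to callers. A description on `pgp-key` such as `description = "Base64-encoded GPG public key (gpg --export <key-owner> | base64). Leave null to create credentials without PGP encryption."`, and one on `iam-user-policy` stating that the empty-string default disables the inline policy, would document the switch. `type = list` on `add-to-groups` (a context line of the second hunk) declares no element type; `list(string)` would reject a wrong element type at plan time. The lines between the two hunks are outside view.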