From 797caaaa4974e7ca2406a7eab741cb06294a3478 Mon Sep 17 00:00:00 2001
From: KF <ee@rackspace>
Date: Thu, 20 Oct 2022 09:12:29 +0800
Subject: [PATCH] UPD: merged iam-user-pgp into iam-user module

---
 examples/iam.user.gpg/main.tf                 | 51 ----------
 examples/iam.user.gpg/terraform.tfvars        | 44 ---------
 examples/iam.user.gpg/variables.tf            | 28 ------
 .../iam-user-gpg/README.md                    | 53 -----------
 .../iam-user-gpg/main.tf                      | 95 -------------------
 .../iam-user-gpg/outputs.tf                   | 19 ----
 .../iam-user-gpg/variables.tf                 | 27 ------
 .../iam-user/README.md                        | 58 +++++++++--
 .../iam-user/main.tf                          | 22 ++++-
 .../iam-user/outputs.tf                       | 16 ++++
 .../iam-user/variables.tf                     | 15 ++-
 11 files changed, 96 insertions(+), 332 deletions(-)
 delete mode 100644 examples/iam.user.gpg/main.tf
 delete mode 100644 examples/iam.user.gpg/terraform.tfvars
 delete mode 100644 examples/iam.user.gpg/variables.tf
 delete mode 100644 modules/security_identity_compliance/iam-user-gpg/README.md
 delete mode 100644 modules/security_identity_compliance/iam-user-gpg/main.tf
 delete mode 100644 modules/security_identity_compliance/iam-user-gpg/outputs.tf
 delete mode 100644 modules/security_identity_compliance/iam-user-gpg/variables.tf

diff --git a/examples/iam.user.gpg/main.tf b/examples/iam.user.gpg/main.tf
deleted file mode 100644
index fc0a4cc..0000000
--- a/examples/iam.user.gpg/main.tf
+++ /dev/null
@@ -1,51 +0,0 @@
-module iam-user {
-  source = "../../modules/security_identity_compliance/iam-user-gpg"
-
-  default-tags    = local.default-tags
-  iam-user-name   = var.iam-user-name
-  iam-user-policy = data.aws_iam_policy_document.user-policy.json
-  iam-user-policy-name = "SelfServicePermissions"
-  create-access-key = false
-  create-password = true
-  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
-  create-group = true
-  iam-group-name = var.iam-group-name
-  pgp-key = var.pgp-key
-}
-
-data aws_iam_policy_document user-policy {
-  statement {
-    sid = "ManageOwnCredentials"
-
-    actions = [
-      "iam:ChangePassword",
-      "iam:CreateAccessKey",
-      "iam:DeleteAccessKey",
-      "iam:ListAccessKey",
-      "iam:CreateVirtualMFADevice",
-      "iam:EnableMFADevice",
-      "iam:ListMFA*",
-      "iam:ListVirtualMFA*",
-      "iam:ResyncMFADevice"
-    ]
-
-    effect = "Allow"
-    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
-  }
-}
-
-output iam-user-arn {
-  value = module.iam-user.iam-user-arn
-}
-
-output iam-user-pass {
-  value = module.iam-user.iam-user-pass
-}
-
-output iam-user-access-key {
-  value = module.iam-user.iam-user-access-key
-}
-
-output iam-user-secret-key {
-  value = module.iam-user.iam-user-secret-key
-}
\ No newline at end of file
diff --git a/examples/iam.user.gpg/terraform.tfvars b/examples/iam.user.gpg/terraform.tfvars
deleted file mode 100644
index 9e681df..0000000
--- a/examples/iam.user.gpg/terraform.tfvars
+++ /dev/null
@@ -1,44 +0,0 @@
-aws-region          = "ap-southeast-1"
-customer-name       = "ken2026"
-environment         = "dev"
-project             = "iac"
-application         = "terraform"
-costcenter          = "none"
-DynamicAddressGroup = ""
-owner               = "Rackspace"
-
-iam-user-name  = "TestUser1017"
-iam-group-name = "TestGroup1017"
-pgp-key = <<EOT
-mQGNBFwvcRcBDADFUwrq87O8Xe0A0m+8sBAfp9N9NfVf1DjF6u2fRNOyCe0wP7ZakmPC/lot3eAn
-9Ztd/S4ReY5o8G6O7euRsa9ha2jmOAKmChOsbAYJogz9+MI4mxKY38XyKN7qItfwDQhanAktgx+P
-BKmeBOzVPEslKb2F/bf32UilxwDdstxHBq7XObO1JFh5b5WPlau4JFG2OSlhI65+WRVBEo/d3ysc
-9m3f4nVEGbiAFzU+Tk48s00CqfMW43+Ktz9Pxi2HAbzw83UvzIsyWYPEMky0tee9iaC4XbjndTTB
-iwZpQw8+zdDpmhObkee+rFnK8/xTB8jGe5BE2Mjoo1PTM0v8jdtigC5vAKniMZq9bBccX+Wfmx9D
-LlL5hTqQ04a22VCVi0jSTLEwL6SKmx5O81OQWPOKcl+mi3DwoiT2Te9EXbTiiwVQHcoKkVs+jjRr
-6I3vtbbvKen/Dd9jE+dBtrOmPfJPAIm0oNg47R1soqIiYDm3PNC9XoWwMqn1zfTvlc6RIYMAEQEA
-AbQXeCBwIGsgPHhwa0BoZWFkZGVzay5tZT6JAc4EEwEIADgWIQRfsOzq3+qQBFR9qhXNT/Z5Pwmr
-hgUCXC9xFwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDNT/Z5Pwmrhl3hDACaAgHhd8dP
-433Q25veYnE0tyEQNpF36v3AhBSCW6r5+KDkWmvyo87JXx6uyD09vHd2maQDgc9D3GBD54X3CBTA
-q89a60dAfdW152sm7X74gKLTgSXXnYBAXC6ZY75uusw+DKpRzPRfzkHwX+7cl4sErDMivCzci0nf
-dn9uGOFD/96AZUwb40Rr3abetisddF6Tog8REhAY6apNFddWlYrdLkoHJqnZjVpMlWK/08bWOyDE
-sIv0wC1yqtY9WKyQv0A8E03ZBjACzTIn988DvfA5e8iNxOvduk+s8xuHFNblyZYzJsqDuD+i/qVD
-MI188A3OhO3Ew3D2pGvf9w97qI0Q5b4fKVgFfQHaJnruqrJiIaYLtyeiZr2NsHu6rRxky/Wr3Oat
-9Z+AUzNc/BcvW19paD+c0AOFwR9fGuDWwcSN0QffHA905ydklPDKuxa9F1MZcuEvW+HHrxHTL08l
-YonBTydQKY5XOZe2pFFf3JgTXsCTlZYbbiZzJ4mXGjRLQ325AY0EXC9xFwEMAOWNTfkoha8t0NEF
-+WmBybtQ0R/AraG3CmjN416Sfnudhg0HX+NXbsCNCtt5ht2lS+y1gDD/pClR02/QFjNfihjxxHIC
-ql9dnqDUlay1wmgv2kKGbHGeRZ3MnwYJjm2evAEid2GA7euBYwUbFS6cJz88jn+cTENsNpn6zNYD
-1112o1vdZTUZzIGvYIw8DL31FgC6twZlSsJ7wIhKQxj40uxQ+sPCxvvhFIz3et2COfKlQwsyugD0
-wefFqU65ByTArs8qBiuMjphqx4JVkfv+NUk7hSAc7/+XC7Fz6kSuMljLeg0SZY02Od/2U6iy2zQm
-6psmKgITwfgy01YcKXNCJDR8CcIb70xr3WmdJmqpmQUl19VLbF0cIeXTuG7YUEmWWqLNXlAxnpBf
-2pknLKfqUIrRAEHC4L7LWFdi+UeDeoOFvbkKcQ0MjYBrA0wfr2kF6y0PagTgHUW0eUnQx4CRIKab
-LwwqQphwoug+jMqLOF9SVK4Rq+TrspmGg8GR0OeBbwARAQABiQG2BBgBCAAgFiEEX7Ds6t/qkARU
-faoVzU/2eT8Jq4YFAlwvcRcCGwwACgkQzU/2eT8Jq4aKugwAiNYSNwonzR15p24zsfLqxBeNLmtt
-XcoorlpmSPAQFr9gMUY94I+ZH4jKydhz8H5oEuxHnM4VQIs1OAH9YQqG/m8aq91i+Gva3quSjdTN
-Xl6lnPnC1eZKJbm04U2Uj73cAtt+rGJoqvZiEOme2LqQtmiQhJh5ASMX+W9d3bCnogML/CHVRV0t
-hVf5tudCK8R+KwcNV1NjvH7sVbtxfpJTeZtP7hIxhEUnTnjetd54UJKBQ3yFuDXD2d0nuuCSz1qO
-8C/HYe672m2slVZfX5eTQItVd3wPCc9Zfum3zTMuFTFb8en9cOUzLynfzOwj2+FGwlwaWUppUBH/
-D8HUCIzKJcXVHHCi3pww8TSVoD+n545kUhyJwh+qxWtttm4Hs0al3t0QGuaD6RHGtpdqZ8jgRY8Q
-FLiCnhBm3F0GWXkbKUfH2zVPSexsPSp/DH1hjy7s+ugIJZ75+JzXfFL45C2aXhArKdCFqQQlVFh7
-B92IFh1fiCOyTmXkDWiNOa5jY9mN
-EOT
diff --git a/examples/iam.user.gpg/variables.tf b/examples/iam.user.gpg/variables.tf
deleted file mode 100644
index f65a05a..0000000
--- a/examples/iam.user.gpg/variables.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-variable "aws-region" {}
-variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "owner" {}
-variable "costcenter" {}
-variable "DynamicAddressGroup" {}
-
-locals {
-  default-tags = {
-    ServiceProvider     = "RackspaceTechnology"
-    Environment         = var.environment
-    Project             = var.project
-    Application         = var.application
-    TerraformMode       = "managed"
-    BuildDate           = formatdate("YYYYMMDD", timestamp())
-    Owner               = var.owner
-    CostCenter          = var.costcenter
-    DynamicAddressGroup = var.DynamicAddressGroup
-
-  }
-  resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
-}
-
-variable iam-user-name {}
-variable iam-group-name {}
-variable pgp-key {}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user-gpg/README.md b/modules/security_identity_compliance/iam-user-gpg/README.md
deleted file mode 100644
index 0397790..0000000
--- a/modules/security_identity_compliance/iam-user-gpg/README.md
+++ /dev/null
@@ -1,53 +0,0 @@
-# iam-user module
-Module for creating IAM user. Credentials, if any, will be encrypted with gpg key. To obtain gpg public key of a user, run
-```bash
-gpg --export key-owner-name | base64
-```
-
-To decrypt the encrypted data
-```bash
-terraform output iam-user-pass  | tr -d \" | base64 -d | gpg -d
-terraform output iam-user-secret-key  | tr -d \" | base64 -d | gpg -d
-```
-
-## Example
-```terraform
-module iam-user {
-  source = "../../modules/security_identity_compliance/iam-user"
-
-  default-tags    = local.default-tags
-  iam-user-name   = var.iam-user-name
-  iam-user-policy = data.aws_iam_policy_document.user-policy.json
-  iam-user-policy-name = "SelfServicePermissions"
-  create-access-key = false
-  create-password = false
-  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
-  create-group = true
-  iam-group-name = var.iam-group-name
-}
-
-data aws_iam_policy_document user-policy {
-  statement {
-    sid = "ManageOwnCredentials"
-
-    actions = [
-      "iam:ChangePassword",
-      "iam:CreateAccessKey",
-      "iam:DeleteAccessKey",
-      "iam:ListAccessKey",
-      "iam:CreateVirtualMFADevice",
-      "iam:EnableMFADevice",
-      "iam:ListMFA*",
-      "iam:ListVirtualMFA*",
-      "iam:ResyncMFADevice"
-    ]
-
-    effect = "Allow"
-    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
-  }
-}
-
-output iam-user-arn {
-  value = module.iam-user.iam-user-arn
-}
-```
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user-gpg/main.tf b/modules/security_identity_compliance/iam-user-gpg/main.tf
deleted file mode 100644
index 155c86c..0000000
--- a/modules/security_identity_compliance/iam-user-gpg/main.tf
+++ /dev/null
@@ -1,95 +0,0 @@
-resource "aws_iam_user" "iam-user" {
-  name          = var.iam-user-name
-  tags          = var.default-tags
-  force_destroy = true
-}
-
-resource "aws_iam_access_key" "iam-user-access-key" {
-  count = var.create-access-key ? 1 : 0
-  user  = aws_iam_user.iam-user.name
-  pgp_key = var.pgp-key
-}
-
-#resource "aws_iam_user_policy" "iam-user-policy" {
-#  count = var.create-group ? 0 : 1
-#  name   = var.iam-user-policy-name
-#  user   = aws_iam_user.iam-user.name
-#  policy = var.iam-user-policy
-#}
-
-resource "aws_iam_user_policy" iam-user-selfservice-policy {
-  name = "SelfServicePermissions"
-  user   = aws_iam_user.iam-user.name
-  policy = data.aws_iam_policy_document.user-policy.json
-}
-
-data aws_iam_policy_document user-policy {
-  statement {
-    sid = "ManageOwnCredentials"
-
-    actions = [
-      "iam:ChangePassword",
-      "iam:CreateAccessKey",
-      "iam:DeleteAccessKey",
-      "iam:ListAccessKey",
-      "iam:CreateVirtualMFADevice",
-      "iam:EnableMFADevice",
-      "iam:ListMFA*",
-      "iam:ListVirtualMFA*",
-      "iam:ResyncMFADevice"
-    ]
-
-    effect = "Allow"
-    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
-  }
-}
-
-resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
-  count = var.create-group ? 0: length(var.managed-policy-arns)
-  user       = aws_iam_user.iam-user.name
-  policy_arn = var.managed-policy-arns[count.index]
-}
-
-resource "random_password" "iam-user-pass" {
-  count   = var.create-password ? 1 : 0
-  length  = 20
-  special = true
-}
-
-resource "aws_iam_user_login_profile" "iam-user-profile" {
-  count = var.create-password ? 1 : 0
-  user  = aws_iam_user.iam-user.name
-  pgp_key = var.pgp-key
-}
-
-resource aws_iam_group iam-group {
-  count = var.create-group ? 1 : 0
-  name = var.iam-group-name
-}
-
-resource aws_iam_group_membership new-group-membership {
-  for_each = aws_iam_group.iam-group
-  name = "MembershipToNewGroups"
-  group = each.value
-  users = [aws_iam_user.iam-user.name]
-}
-
-resource aws_iam_group_membership existing-group-membership {
-  for_each = var.add-to-groups
-  name = "MembershipToExistingGroups"
-  group = each.value
-  users = [aws_iam_user.iam-user.name]
-}
-
-#resource "aws_iam_group_policy" "iam-group-policy" {
-#  count = var.create-group ? 1 : 0
-#  name   = "SelfServiceAccess"
-#  group   = aws_iam_group.iam-group[0].name
-#  policy = var.iam-user-policy
-#}
-
-resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
-  count = var.create-group ? length(var.managed-policy-arns) : 0
-  group       = aws_iam_group.iam-group[0].name
-  policy_arn = var.managed-policy-arns[count.index]
-}
diff --git a/modules/security_identity_compliance/iam-user-gpg/outputs.tf b/modules/security_identity_compliance/iam-user-gpg/outputs.tf
deleted file mode 100644
index 63d50b1..0000000
--- a/modules/security_identity_compliance/iam-user-gpg/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output iam-user-name {
-  value = aws_iam_user.iam-user.name
-}
-
-output iam-user-arn {
-  value = aws_iam_user.iam-user.arn
-}
-
-output iam-user-pass {
-  value = try(aws_iam_user_login_profile.iam-user-profile[0].encrypted_password, "")
-}
-
-output iam-user-access-key {
-  value = try(aws_iam_access_key.iam-user-access-key[0].id, "")
-}
-
-output iam-user-secret-key {
-  value = try(aws_iam_access_key.iam-user-access-key[0].encrypted_secret, "")
-}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user-gpg/variables.tf b/modules/security_identity_compliance/iam-user-gpg/variables.tf
deleted file mode 100644
index 5b78307..0000000
--- a/modules/security_identity_compliance/iam-user-gpg/variables.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-variable iam-user-name {}
-variable iam-user-policy {}
-variable create-access-key {
-  type = bool
-}
-variable create-password {
-  type = bool
-}
-variable default-tags {}
-variable managed-policy-arns {}
-variable create-group {
-  type = bool
-}
-variable iam-group-name {
-  type = string
-  default = ""
-}
-
-variable add-to-groups {
-  type = list
-  default = []
-}
-variable iam-user-policy-name {}
-variable pgp-key {
-  type = string
-  default = ""
-}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/README.md b/modules/security_identity_compliance/iam-user/README.md
index df14578..2d9e404 100644
--- a/modules/security_identity_compliance/iam-user/README.md
+++ b/modules/security_identity_compliance/iam-user/README.md
@@ -1,24 +1,62 @@
 # iam-user module
-Module for creating IAM user. Credentials, if any, will be stored in secretsmanager
+Module for creating IAM user. Credentials, if any, will be stored in secretsmanager. 
+Optionally, credentials can be encrypted with gpg key when ```pgp-key``` parameter is provided. To obtain gpg public key of a user, run
+```bash
+gpg --export key-owner-name | base64
+```
+
+To decrypt the encrypted data
+```bash
+terraform output iam-user-pass-pgp  | tr -d \" | base64 -d | gpg -d
+terraform output iam-user-secret-key-pgp  | tr -d \" | base64 -d | gpg -d
+```
 
 ## Example
 ```terraform
-module iam-user {
+module iam-group {
+  source = "../../modules/security_identity_compliance/iam-group"
+  default-tags    = local.default-tags
+
+  iam-group-name        = "ViewOnlyUsers001"
+  iam-group-policy      = ""
+  iam-group-policy-name = ""
+  managed-policy-arns   = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+}
+
+module iam-user1 {
   source = "../../modules/security_identity_compliance/iam-user"
 
   default-tags    = local.default-tags
-  iam-user-name   = var.iam-user-name
-  iam-user-policy = ""
-  iam-user-policy-name = "SelfServicePermissions"
+  iam-user-name   = "UserNoGroup001"
+  create-access-key = true
+  create-password = true
+  pgp-key = var.pgp-key
+  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+}
+
+module iam-user2 {
+  source = "../../modules/security_identity_compliance/iam-user"
+
+  default-tags    = local.default-tags
+  iam-user-name   = "UserInGroup001"
+  iam-user-policy = data.aws_iam_policy_document.user-policy.json
+  iam-user-policy-name = "S3AdminPermissions"
   create-access-key = false
   create-password = false
   managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
-  create-group = true
-  add-to-groups = []
-  iam-group-name = var.iam-group-name
+  add-to-groups = [module.iam-group.iam-group-name]
 }
 
-output iam-user-arn {
-  value = module.iam-user.iam-user-arn
+data aws_iam_policy_document user-policy {
+  statement {
+    sid = "s3admin"
+
+    actions = [
+      "s3:*"
+    ]
+
+    effect = "Allow"
+    resources = ["*"]
+  }
 }
 ```
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf
index b2e1846..fc39260 100644
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
@@ -5,10 +5,17 @@ resource "aws_iam_user" "iam-user" {
 }
 
 resource "aws_iam_access_key" "iam-user-access-key" {
-  count = var.create-access-key ? 1 : 0
+  count = var.create-access-key && var.pgp-key == null ? 1 : 0
   user  = aws_iam_user.iam-user.name
 }
 
+resource "aws_iam_access_key" "iam-user-access-key-pgp" {
+  count = var.create-access-key && var.pgp-key != null ? 1 : 0
+  user  = aws_iam_user.iam-user.name
+  pgp_key = var.pgp-key
+}
+
+
 resource "aws_iam_user_policy" "iam-user-policy" {
   count  = var.iam-user-policy != "" ? 1 : 0
   name   = var.iam-user-policy-name
@@ -56,13 +63,22 @@ resource "random_password" "iam-user-pass" {
 }
 
 resource "aws_iam_user_login_profile" "iam-user-profile" {
-  count = var.create-password ? 1 : 0
+  count = var.create-password && var.pgp-key == null ? 1 : 0
   user  = aws_iam_user.iam-user.name
 }
 
+resource "aws_iam_user_login_profile" "iam-user-profile-pgp" {
+  count = var.create-password && var.pgp-key != null ? 1 : 0
+  user  = aws_iam_user.iam-user.name
+  pgp_key = var.pgp-key
+}
+
+resource random_id secrets-random-id {
+  byte_length = 2
+}
 resource "aws_secretsmanager_secret" "secretmanager" {
   count       = var.create-access-key || var.create-password ? 1 : 0
-  name        = "IamUserCredential-${var.iam-user-name}"
+  name        = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
   description = "AWS resource credential"
   tags        = var.default-tags
 }
diff --git a/modules/security_identity_compliance/iam-user/outputs.tf b/modules/security_identity_compliance/iam-user/outputs.tf
index d79a0f8..61fd0c7 100644
--- a/modules/security_identity_compliance/iam-user/outputs.tf
+++ b/modules/security_identity_compliance/iam-user/outputs.tf
@@ -4,4 +4,20 @@ output iam-user-name {
 
 output iam-user-arn {
   value = aws_iam_user.iam-user.arn
+}
+
+output iam-user-access-key {
+  value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
+}
+
+output iam-user-access-key-pgp {
+  value = try(aws_iam_access_key.iam-user-access-key-pgp[0].id, "none")
+}
+
+output iam-user-secret-key-pgp {
+  value = try(aws_iam_access_key.iam-user-access-key-pgp[0].encrypted_secret, "none")
+}
+
+output iam-user-pass-pgp {
+  value = try(aws_iam_user_login_profile.iam-user-profile-pgp[0].encrypted_password, "none")
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/variables.tf b/modules/security_identity_compliance/iam-user/variables.tf
index e7a1640..1d2d15e 100644
--- a/modules/security_identity_compliance/iam-user/variables.tf
+++ b/modules/security_identity_compliance/iam-user/variables.tf
@@ -1,5 +1,12 @@
 variable iam-user-name {}
-variable iam-user-policy {}
+variable iam-user-policy {
+  type = string
+  default = ""
+}
+variable iam-user-policy-name {
+  type = string
+  default = ""
+}
 variable create-access-key {
   type = bool
 }
@@ -12,4 +19,8 @@ variable add-to-groups {
   type = list
   default = []
 }
-variable iam-user-policy-name {}
\ No newline at end of file
+
+variable pgp-key {
+  type = string
+  default = null
+}
\ No newline at end of file