UPD: merged iam-user-pgp into iam-user module

KF 2022-10-20 09:12:29 +08:00
parent f11b4fbc44
commit 797caaaa49
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
11 changed files with 96 additions and 332 deletions


@ -1,51 +0,0 @@
module iam-user {
source = "../../modules/security_identity_compliance/iam-user-gpg"
default-tags = local.default-tags
iam-user-name = var.iam-user-name
iam-user-policy = data.aws_iam_policy_document.user-policy.json
iam-user-policy-name = "SelfServicePermissions"
create-access-key = false
create-password = true
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
create-group = true
iam-group-name = var.iam-group-name
pgp-key = var.pgp-key
}
data aws_iam_policy_document user-policy {
statement {
sid = "ManageOwnCredentials"
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKey",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFA*",
"iam:ListVirtualMFA*",
"iam:ResyncMFADevice"
]
effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
}
}
output iam-user-arn {
value = module.iam-user.iam-user-arn
}
output iam-user-pass {
value = module.iam-user.iam-user-pass
}
output iam-user-access-key {
value = module.iam-user.iam-user-access-key
}
output iam-user-secret-key {
value = module.iam-user.iam-user-secret-key
}


@ -1,44 +0,0 @@
aws-region = "ap-southeast-1"
customer-name = "ken2026"
environment = "dev"
project = "iac"
application = "terraform"
costcenter = "none"
DynamicAddressGroup = ""
owner = "Rackspace"
iam-user-name = "TestUser1017"
iam-group-name = "TestGroup1017"
pgp-key = <<EOT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EOT


@ -1,28 +0,0 @@
variable "aws-region" {}
variable "customer-name" {}
variable "environment" {}
variable "project" {}
variable "application" {}
variable "owner" {}
variable "costcenter" {}
variable "DynamicAddressGroup" {}
locals {
default-tags = {
ServiceProvider = "RackspaceTechnology"
Environment = var.environment
Project = var.project
Application = var.application
TerraformMode = "managed"
BuildDate = formatdate("YYYYMMDD", timestamp())
Owner = var.owner
CostCenter = var.costcenter
DynamicAddressGroup = var.DynamicAddressGroup
}
resource-prefix = "${var.environment}-substr(${var.aws-region},0,2)-${var.customer-name}-${var.project}"
}
variable iam-user-name {}
variable iam-group-name {}
variable pgp-key {}


@ -1,53 +0,0 @@
# iam-user module
Module for creating IAM user. Credentials, if any, will be encrypted with gpg key. To obtain gpg public key of a user, run
```bash
gpg --export key-owner-name | base64
```
To decrypt the encrypted data
```bash
terraform output iam-user-pass | tr -d \" | base64 -d | gpg -d
terraform output iam-user-secret-key | tr -d \" | base64 -d | gpg -d
```
## Example
```terraform
module iam-user {
source = "../../modules/security_identity_compliance/iam-user"
default-tags = local.default-tags
iam-user-name = var.iam-user-name
iam-user-policy = data.aws_iam_policy_document.user-policy.json
iam-user-policy-name = "SelfServicePermissions"
create-access-key = false
create-password = false
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
create-group = true
iam-group-name = var.iam-group-name
}
data aws_iam_policy_document user-policy {
statement {
sid = "ManageOwnCredentials"
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKey",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFA*",
"iam:ListVirtualMFA*",
"iam:ResyncMFADevice"
]
effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
}
}
output iam-user-arn {
value = module.iam-user.iam-user-arn
}
```


@ -1,95 +0,0 @@
resource "aws_iam_user" "iam-user" {
name = var.iam-user-name
tags = var.default-tags
force_destroy = true
}
resource "aws_iam_access_key" "iam-user-access-key" {
count = var.create-access-key ? 1 : 0
user = aws_iam_user.iam-user.name
pgp_key = var.pgp-key
}
#resource "aws_iam_user_policy" "iam-user-policy" {
# count = var.create-group ? 0 : 1
# name = var.iam-user-policy-name
# user = aws_iam_user.iam-user.name
# policy = var.iam-user-policy
#}
resource "aws_iam_user_policy" iam-user-selfservice-policy {
name = "SelfServicePermissions"
user = aws_iam_user.iam-user.name
policy = data.aws_iam_policy_document.user-policy.json
}
data aws_iam_policy_document user-policy {
statement {
sid = "ManageOwnCredentials"
actions = [
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKey",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFA*",
"iam:ListVirtualMFA*",
"iam:ResyncMFADevice"
]
effect = "Allow"
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
}
}
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
count = var.create-group ? 0: length(var.managed-policy-arns)
user = aws_iam_user.iam-user.name
policy_arn = var.managed-policy-arns[count.index]
}
resource "random_password" "iam-user-pass" {
count = var.create-password ? 1 : 0
length = 20
special = true
}
resource "aws_iam_user_login_profile" "iam-user-profile" {
count = var.create-password ? 1 : 0
user = aws_iam_user.iam-user.name
pgp_key = var.pgp-key
}
resource aws_iam_group iam-group {
count = var.create-group ? 1 : 0
name = var.iam-group-name
}
resource aws_iam_group_membership new-group-membership {
for_each = aws_iam_group.iam-group
name = "MembershipToNewGroups"
group = each.value
users = [aws_iam_user.iam-user.name]
}
resource aws_iam_group_membership existing-group-membership {
for_each = var.add-to-groups
name = "MembershipToExistingGroups"
group = each.value
users = [aws_iam_user.iam-user.name]
}
#resource "aws_iam_group_policy" "iam-group-policy" {
# count = var.create-group ? 1 : 0
# name = "SelfServiceAccess"
# group = aws_iam_group.iam-group[0].name
# policy = var.iam-user-policy
#}
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
count = var.create-group ? length(var.managed-policy-arns) : 0
group = aws_iam_group.iam-group[0].name
policy_arn = var.managed-policy-arns[count.index]
}


@ -1,19 +0,0 @@
output iam-user-name {
value = aws_iam_user.iam-user.name
}
output iam-user-arn {
value = aws_iam_user.iam-user.arn
}
output iam-user-pass {
value = try(aws_iam_user_login_profile.iam-user-profile[0].encrypted_password, "")
}
output iam-user-access-key {
value = try(aws_iam_access_key.iam-user-access-key[0].id, "")
}
output iam-user-secret-key {
value = try(aws_iam_access_key.iam-user-access-key[0].encrypted_secret, "")
}


@ -1,27 +0,0 @@
variable iam-user-name {}
variable iam-user-policy {}
variable create-access-key {
type = bool
}
variable create-password {
type = bool
}
variable default-tags {}
variable managed-policy-arns {}
variable create-group {
type = bool
}
variable iam-group-name {
type = string
default = ""
}
variable add-to-groups {
type = list
default = []
}
variable iam-user-policy-name {}
variable pgp-key {
type = string
default = ""
}


@ -1,24 +1,62 @@
# iam-user module
Module for creating IAM user. Credentials, if any, will be stored in secretsmanager
Module for creating IAM user. Credentials, if any, will be stored in secretsmanager.
Optionally, credentials can be encrypted with gpg key when ```pgp-key``` parameter is provided. To obtain gpg public key of a user, run
```bash
gpg --export key-owner-name | base64
```
To decrypt the encrypted data
```bash
terraform output iam-user-pass-pgp | tr -d \" | base64 -d | gpg -d
terraform output iam-user-secret-key-pgp | tr -d \" | base64 -d | gpg -d
```
## Example
```terraform
module iam-user {
module iam-group {
source = "../../modules/security_identity_compliance/iam-group"
default-tags = local.default-tags
iam-group-name = "ViewOnlyUsers001"
iam-group-policy = ""
iam-group-policy-name = ""
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}
module iam-user1 {
source = "../../modules/security_identity_compliance/iam-user"
default-tags = local.default-tags
iam-user-name = var.iam-user-name
iam-user-policy = ""
iam-user-policy-name = "SelfServicePermissions"
iam-user-name = "UserNoGroup001"
create-access-key = true
create-password = true
pgp-key = var.pgp-key
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}
module iam-user2 {
source = "../../modules/security_identity_compliance/iam-user"
default-tags = local.default-tags
iam-user-name = "UserInGroup001"
iam-user-policy = data.aws_iam_policy_document.user-policy.json
iam-user-policy-name = "S3AdminPermissions"
create-access-key = false
create-password = false
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
create-group = true
add-to-groups = []
iam-group-name = var.iam-group-name
add-to-groups = [module.iam-group.iam-group-name]
}
output iam-user-arn {
value = module.iam-user.iam-user-arn
data aws_iam_policy_document user-policy {
statement {
sid = "s3admin"
actions = [
"s3:*"
]
effect = "Allow"
resources = ["*"]
}
}
```


@ -5,10 +5,17 @@ resource "aws_iam_user" "iam-user" {
}
resource "aws_iam_access_key" "iam-user-access-key" {
count = var.create-access-key ? 1 : 0
count = var.create-access-key && var.pgp-key == null ? 1 : 0
user = aws_iam_user.iam-user.name
}
resource "aws_iam_access_key" "iam-user-access-key-pgp" {
count = var.create-access-key && var.pgp-key != null ? 1 : 0
user = aws_iam_user.iam-user.name
pgp_key = var.pgp-key
}
resource "aws_iam_user_policy" "iam-user-policy" {
count = var.iam-user-policy != "" ? 1 : 0
name = var.iam-user-policy-name
@ -56,13 +63,22 @@ resource "random_password" "iam-user-pass" {
}
resource "aws_iam_user_login_profile" "iam-user-profile" {
count = var.create-password ? 1 : 0
count = var.create-password && var.pgp-key == null ? 1 : 0
user = aws_iam_user.iam-user.name
}
resource "aws_iam_user_login_profile" "iam-user-profile-pgp" {
count = var.create-password && var.pgp-key != null ? 1 : 0
user = aws_iam_user.iam-user.name
pgp_key = var.pgp-key
}
resource random_id secrets-random-id {
byte_length = 2
}
resource "aws_secretsmanager_secret" "secretmanager" {
count = var.create-access-key || var.create-password ? 1 : 0
name = "IamUserCredential-${var.iam-user-name}"
name = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
description = "AWS resource credential"
tags = var.default-tags
}
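Review bot: The split on `var.pgp-key == null` / `!= null` in the four `count` lines means a caller that passes `pgp-key = ""` (the pre-merge module's default, and what the deleted example fed in from tfvars) is routed to the `-pgp` resources with an empty key instead of the plain `iam-user-access-key` / `iam-user-profile` ones; a single local such as `use-pgp = var.pgp-key != null && var.pgp-key != ""` referenced from all four counts (and a matching `validation` on the variable in variables.tf) would make the choice explicit. The plain branches also leave `secret` and `password` as attributes in Terraform state, so the state backend holds live IAM credentials regardless of the Secrets Manager copy the README describes; the resources that write those values into `aws_secretsmanager_secret.secretmanager` are outside these hunks. `random_id.secrets-random-id` has no `keepers`, so the secret name is stable across applies, which is presumably the intent. The first hunk opens inside `aws_iam_user.iam-user` and ends inside `aws_iam_user_policy.iam-user-policy`; the second ends inside `aws_secretsmanager_secret.secretmanager`.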


@ -5,3 +5,19 @@ output iam-user-name {
output iam-user-arn {
value = aws_iam_user.iam-user.arn
}
output iam-user-access-key {
value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
}
output iam-user-access-key-pgp {
value = try(aws_iam_access_key.iam-user-access-key-pgp[0].id, "none")
}
output iam-user-secret-key-pgp {
value = try(aws_iam_access_key.iam-user-access-key-pgp[0].encrypted_secret, "none")
}
output iam-user-pass-pgp {
value = try(aws_iam_user_login_profile.iam-user-profile-pgp[0].encrypted_password, "none")
}
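Review bot: The four new outputs carry no `description`, and nothing in outputs.tf says that `iam-user-secret-key-pgp` and `iam-user-pass-pgp` are base64 ciphertext for the caller's PGP key rather than usable values; the README recipe is the only place that explains it. Suggest `description = "Base64-encoded secret access key, PGP-encrypted to var.pgp-key; decrypt per README"` on `iam-user-secret-key-pgp`, the equivalent on `iam-user-pass-pgp`, and on `iam-user-access-key` a note that it is the key ID only and the plain secret is not exposed as an output. The `"none"` fallback differs from the `""` the removed module used, which any wrapper comparing against an empty string will notice.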


@ -1,5 +1,12 @@
variable iam-user-name {}
variable iam-user-policy {}
variable iam-user-policy {
type = string
default = ""
}
variable iam-user-policy-name {
type = string
default = ""
}
variable create-access-key {
type = bool
}
@ -12,4 +19,8 @@ variable add-to-groups {
type = list
default = []
}
variable iam-user-policy-name {}
variable pgp-key {
type = string
default = null
}
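Review bot: The defaults introduced here are load-bearing in main.tf — `iam-user-policy = ""` is what `count = var.iam-user-policy != "" ? 1 : 0` keys on, and `pgp-key = null` selects the non-PGP credential resources — but none of the three variables has a `description` saying so. Suggest `description = "Inline IAM policy JSON for the user; the empty-string default creates no inline policy"` on `iam-user-policy`, and `description = "Base64-encoded PGP public key used to encrypt the secret key and password; null (default) selects the unencrypted resources"` on `pgp-key`. The empty-string case for `pgp-key` is raised in the main.tf review; a `validation` block here is the natural place to reject it.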