From 7f927fcbdc1496351f121aaf2917c626c5cd2419 Mon Sep 17 00:00:00 2001
From: xpk
Date: Tue, 26 Mar 2024 14:37:49 +0800
Subject: [PATCH] UPD: Updated ManageOwnCredentials policy
---
 .../iam-user/main.tf | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf
index fc39260..3d14687 100644
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
@@ -10,8 +10,8 @@ resource "aws_iam_access_key" "iam-user-access-key" {
 }
 resource "aws_iam_access_key" "iam-user-access-key-pgp" {
- count = var.create-access-key && var.pgp-key != null ? 1 : 0
- user = aws_iam_user.iam-user.name
+ count = var.create-access-key && var.pgp-key != null ? 1 : 0
+ user = aws_iam_user.iam-user.name
 pgp_key = var.pgp-key
 }
@@ -37,7 +37,7 @@ data "aws_iam_policy_document" "user-policy" {
 "iam:ChangePassword",
 "iam:CreateAccessKey",
 "iam:DeleteAccessKey",
- "iam:ListAccessKey",
+ "iam:ListAccessKeys",
 "iam:CreateVirtualMFADevice",
 "iam:EnableMFADevice",
 "iam:ListMFA*",
@@ -46,7 +46,14 @@ data "aws_iam_policy_document" "user-policy" {
 ]
 effect = "Allow"
- resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
+ resources = ["arn:aws:iam::*:user/$${aws:username}"]
+ }
+
+ statement {
+ sid = "GetPasswordPolicy"
+ actions = ["iam:GetAccountPasswordPolicy"]
+ effect = "Allow"
+ resources = ["*"]
 }
 }
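Review bot: The new `resources` line in the ManageOwnCredentials statement scopes every action in that statement to the user ARN only, but the statement's action list (visible as context in the preceding hunk) includes `iam:CreateVirtualMFADevice`, which IAM authorizes against the virtual MFA device ARN (`arn:aws:iam::<account-id>:mfa/<device-name>`) rather than the user, so that call remains implicitly denied after this change. Following the AWS self-service MFA pattern, add the device ARN alongside the user ARN: `resources = ["arn:aws:iam::*:user/$${aws:username}", "arn:aws:iam::*:mfa/$${aws:username}"]` — this presumes the virtual device is named after the user, so adjust if the module names devices differently. The `*` in the account position is acceptable for an inline identity policy, though substituting the actual account id (if the module already has it in scope) would tighten the statement; the `"*"` on the new `GetPasswordPolicy` statement is correct because `iam:GetAccountPasswordPolicy` has no resource-level scoping. The enclosing `user-policy` data block starts outside this hunk.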
@@ -68,12 +75,12 @@ resource "aws_iam_user_login_profile" "iam-user-profile" {
 }
 resource "aws_iam_user_login_profile" "iam-user-profile-pgp" {
- count = var.create-password && var.pgp-key != null ? 1 : 0
- user = aws_iam_user.iam-user.name
+ count = var.create-password && var.pgp-key != null ? 1 : 0
+ user = aws_iam_user.iam-user.name
 pgp_key = var.pgp-key
 }
-resource random_id secrets-random-id {
+resource "random_id" "secrets-random-id" {
 byte_length = 2
 }
 resource "aws_secretsmanager_secret" "secretmanager" {