UPD: Updated ManageOwnCredentials policy

modules/security_identity_compliance/iam-user/main.tf

@@ -10,8 +10,8 @@ resource "aws_iam_access_key" "iam-user-access-key" {
 }
 
 resource "aws_iam_access_key" "iam-user-access-key-pgp" {
-  count = var.create-access-key && var.pgp-key != null ? 1 : 0
-  user  = aws_iam_user.iam-user.name
+  count   = var.create-access-key && var.pgp-key != null ? 1 : 0
+  user    = aws_iam_user.iam-user.name
   pgp_key = var.pgp-key
 }
 
@@ -37,7 +37,7 @@ data "aws_iam_policy_document" "user-policy" {
       "iam:ChangePassword",
       "iam:CreateAccessKey",
       "iam:DeleteAccessKey",
-      "iam:ListAccessKey",
+      "iam:ListAccessKeys",
       "iam:CreateVirtualMFADevice",
       "iam:EnableMFADevice",
       "iam:ListMFA*",
@@ -46,7 +46,14 @@ data "aws_iam_policy_document" "user-policy" {
     ]
 
     effect    = "Allow"
-    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
+    resources = ["arn:aws:iam::*:user/$${aws:username}"]
+  }
+
+  statement {
+    sid       = "GetPasswordPolicy"
+    actions   = ["iam:GetAccountPasswordPolicy"]
+    effect    = "Allow"
+    resources = ["*"]
   }
 }
 
@@ -68,12 +75,12 @@ resource "aws_iam_user_login_profile" "iam-user-profile" {
 }
 
 resource "aws_iam_user_login_profile" "iam-user-profile-pgp" {
-  count = var.create-password && var.pgp-key != null ? 1 : 0
-  user  = aws_iam_user.iam-user.name
+  count   = var.create-password && var.pgp-key != null ? 1 : 0
+  user    = aws_iam_user.iam-user.name
   pgp_key = var.pgp-key
 }
 
-resource random_id secrets-random-id {
+resource "random_id" "secrets-random-id" {
   byte_length = 2
 }
 resource "aws_secretsmanager_secret" "secretmanager" {