UPD: added iam group support
This commit is contained in:
parent
06233f9ae0
commit
9cc5df4dda
@ -12,6 +12,8 @@ module iam-user {
|
||||
create-access-key = false
|
||||
create-password = false
|
||||
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
|
||||
create-group = true
|
||||
iam-group-name = var.iam-group-name
|
||||
}
|
||||
|
||||
data aws_iam_policy_document user-policy {
|
||||
@ -34,4 +36,8 @@ data aws_iam_policy_document user-policy {
|
||||
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
|
||||
}
|
||||
}
|
||||
|
||||
output iam-user-arn {
|
||||
value = module.iam-user.iam-user-arn
|
||||
}
|
||||
```
|
@ -10,15 +10,16 @@ resource "aws_iam_access_key" "iam-user-access-key" {
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy" "iam-user-policy" {
|
||||
count = var.create-group ? 0 : 1
|
||||
name = "SelfServiceAccess"
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy = var.iam-user-policy
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
|
||||
for_each = toset(var.managed-policy-arns)
|
||||
count = var.create-group ? 0: length(var.managed-policy-arns)
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy_arn = each.value
|
||||
policy_arn = var.managed-policy-arns[count.index]
|
||||
}
|
||||
|
||||
resource "random_password" "iam-user-pass" {
|
||||
@ -47,4 +48,36 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" {
|
||||
"AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
|
||||
"KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
resource aws_iam_group iam-group {
|
||||
count = var.create-group ? 1 : 0
|
||||
name = var.iam-group-name
|
||||
}
|
||||
|
||||
resource aws_iam_group_membership new-group-membership {
|
||||
count = length(aws_iam_group.iam-group)
|
||||
name = aws_iam_group.iam-group[0].name
|
||||
group = aws_iam_group.iam-group[0].name
|
||||
users = [aws_iam_user.iam-user.name]
|
||||
}
|
||||
|
||||
resource aws_iam_group_membership existing-group-membership {
|
||||
count = length(var.add-to-groups)
|
||||
name = var.add-to-groups[count.index]
|
||||
group = var.add-to-groups[count.index]
|
||||
users = [aws_iam_user.iam-user.name]
|
||||
}
|
||||
|
||||
resource "aws_iam_group_policy" "iam-group-policy" {
|
||||
count = var.create-group ? 1 : 0
|
||||
name = "SelfServiceAccess"
|
||||
group = aws_iam_group.iam-group[0].name
|
||||
policy = var.iam-user-policy
|
||||
}
|
||||
|
||||
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
|
||||
count = var.create-group ? length(var.managed-policy-arns) : 0
|
||||
group = aws_iam_group.iam-group[0].name
|
||||
policy_arn = var.managed-policy-arns[count.index]
|
||||
}
|
||||
|
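Review bot: The `existing-group-membership` resource near the end of the second main.tf hunk uses `aws_iam_group_membership`, which manages a group's complete user set exclusively, so pointing it at a pre-existing group with `users = [aws_iam_user.iam-user.name]` replaces that group's whole membership with this one user on every apply, and two instantiations of this module that add different users to the same group will keep overwriting each other. The non-exclusive resource is the right fit here: change the block to `resource "aws_iam_user_group_membership" "existing-group-membership" {` with `user = aws_iam_user.iam-user.name` and `groups = var.add-to-groups` (no `count`, `name` or `group` needed), which only manages this user's memberships. In the first hunk, `iam-user-managed-policies` is rendered with both `for_each = toset(...)` and `count = ...`; if both survived on the new side Terraform rejects the resource, so please confirm the `for_each`/`each.value` lines were removed. Also worth documenting in a comment on `iam-group-policy`: when `create-group` is true the `SelfServiceAccess` document from `var.iam-user-policy`, which (per the README example) names a single user ARN, is attached to the group, so every group member receives rights scoped to that one user rather than to themselves.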
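--- a/modules/security_identity_compliance/iam-user/outputs.tf
+++ b/modules/security_identity_compliance/iam-user/outputs.tf
@@ -0,0 +1,7 @@
+output iam-user-name {
+value = aws_iam_user.iam-user.name
+}
+
+output iam-user-arn {
+value = aws_iam_user.iam-user.arn
+}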
@ -7,4 +7,16 @@ variable create-password {
|
||||
type = bool
|
||||
}
|
||||
variable default-tags {}
|
||||
variable managed-policy-arns {}
|
||||
variable managed-policy-arns {}
|
||||
variable create-group {
|
||||
type = bool
|
||||
}
|
||||
variable iam-group-name {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable add-to-groups {
|
||||
type = list
|
||||
default = []
|
||||
}
|
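Review bot: `variable create-group { type = bool }` is added without a default, so every existing caller of the module that does not set it will now fail validation; `default = false` keeps the pre-group behaviour for them. `variable add-to-groups` uses the legacy unparameterised `type = list`, which should be `type = list(string)` so a non-string element is rejected at plan time instead of when it reaches `aws_iam_group_membership`. `iam-group-name` defaults to `""`, so `create-group = true` without a name produces an `aws_iam_group` with an empty name; a `validation` block on `iam-group-name`, or at least a `description` stating it is required when `create-group` is true, would make the contract explicit. The doubled `variable managed-policy-arns {}` in the rendering is presumably an old/new pair of the same line; please confirm only one remains in the file.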