diff --git a/modules/security_identity_compliance/iam-user/README.md b/modules/security_identity_compliance/iam-user/README.md
index 821fcf2..3725a21 100644
--- a/modules/security_identity_compliance/iam-user/README.md
+++ b/modules/security_identity_compliance/iam-user/README.md
@@ -12,6 +12,8 @@ module iam-user {
 create-access-key = false
 create-password = false
 managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+ create-group = true
+ iam-group-name = var.iam-group-name
 }
 
 data aws_iam_policy_document user-policy {
@@ -34,4 +36,8 @@ data aws_iam_policy_document user-policy {
 resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
 }
 }
+
+output iam-user-arn {
+ value = module.iam-user.iam-user-arn
+}
 ```
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf
index bcecea5..10e4b7f 100644
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
@@ -10,15 +10,16 @@ resource "aws_iam_access_key" "iam-user-access-key" {
 }
 
 resource "aws_iam_user_policy" "iam-user-policy" {
+ count = var.create-group ? 0 : 1
 name = "SelfServiceAccess"
 user = aws_iam_user.iam-user.name
 policy = var.iam-user-policy
 }
 
 resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
- for_each = toset(var.managed-policy-arns)
+ count = var.create-group ? 0: length(var.managed-policy-arns)
 user = aws_iam_user.iam-user.name
- policy_arn = each.value
+ policy_arn = var.managed-policy-arns[count.index]
 }
 
 resource "random_password" "iam-user-pass" {
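Review bot: Moving `aws_iam_user_policy_attachment.iam-user-managed-policies` from `for_each = toset(...)` to `count` ties each attachment to a list position, so removing or reordering one ARN in `managed-policy-arns` destroys and re-creates every later attachment, and the state addresses change from `["<arn>"]` to `[0]`, so a plain apply against existing users detaches and re-attaches every managed policy unless `moved` blocks or `terraform state mv` are used first. The conditional can be expressed while keeping stable keys: `for_each = var.create-group ? toset([]) : toset(var.managed-policy-arns)` with `policy_arn = each.value` unchanged. Minor: `? 0: length(...)` should be `? 0 : length(...)` to match the ternary two lines above. Note that when `create-group` is true the user loses the inline `SelfServiceAccess` policy entirely; presumably it is re-attached via the group elsewhere in this commit, but that should be stated in the README so operators do not read it as a permission drop.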
@@ -47,4 +48,36 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" {
 "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
 "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
 })
-}
\ No newline at end of file
+}
+
+resource aws_iam_group iam-group {
+ count = var.create-group ? 1 : 0
+ name = var.iam-group-name
+}
+
+resource aws_iam_group_membership new-group-membership {
+ count = length(aws_iam_group.iam-group)
+ name = aws_iam_group.iam-group[0].name
+ group = aws_iam_group.iam-group[0].name
+ users = [aws_iam_user.iam-user.name]
+}
+
+resource aws_iam_group_membership existing-group-membership {
+ count = length(var.add-to-groups)
+ name = var.add-to-groups[count.index]
+ group = var.add-to-groups[count.index]
+ users = [aws_iam_user.iam-user.name]
+}
+
+resource "aws_iam_group_policy" "iam-group-policy" {
+ count = var.create-group ? 1 : 0
+ name = "SelfServiceAccess"
+ group = aws_iam_group.iam-group[0].name
+ policy = var.iam-user-policy
+}
+
+resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
+ count = var.create-group ? length(var.managed-policy-arns) : 0
+ group = aws_iam_group.iam-group[0].name
+ policy_arn = var.managed-policy-arns[count.index]
+}
diff --git a/modules/security_identity_compliance/iam-user/outputs.tf b/modules/security_identity_compliance/iam-user/outputs.tf
new file mode 100644
index 0000000..d79a0f8
--- /dev/null
+++ b/modules/security_identity_compliance/iam-user/outputs.tf
@@ -0,0 +1,7 @@
+output iam-user-name {
+ value = aws_iam_user.iam-user.name
+}
+
+output iam-user-arn {
+ value = aws_iam_user.iam-user.arn
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/variables.tf b/modules/security_identity_compliance/iam-user/variables.tf
index 31a044e..f3987e7 100644
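Review bot: `aws_iam_group_membership.existing-group-membership` is the wrong resource for joining a group this module does not own: `aws_iam_group_membership` manages the *complete* member list of a group, so with `users = [aws_iam_user.iam-user.name]` the first apply removes every other member from each group named in `add-to-groups`, and two module instances pointing at the same group will evict each other on every run (the AWS provider documents this as inconsistent behaviour). The non-exclusive, per-user resource is `aws_iam_user_group_membership`; the rewrite below replaces the `count`-indexed block with a single resource that only asserts this user's memberships. Separately, `aws_iam_group_policy.iam-group-policy` attaches `var.iam-user-policy` — which in the README example is scoped to `arn:aws:iam::account-id:user/${var.iam-user-name}` — to a group, so any other principal later added to `iam-group-name` (e.g. via another instance's `add-to-groups`) inherits self-service rights over *this* user's credentials; if the group is meant to be per-user, a comment saying so, or a `validation` block rejecting names that could collide, would make that assumption explicit. The enclosing `aws_secretsmanager_secret_version` resource starts outside the hunk.

```hcl
# … unchanged: aws_iam_group.iam-group, aws_iam_group_membership.new-group-membership …

# Non-exclusive membership: only this user's group list is managed,
# so other members of pre-existing groups are left untouched.
resource "aws_iam_user_group_membership" "existing-group-membership" {
  count  = length(var.add-to-groups) > 0 ? 1 : 0
  user   = aws_iam_user.iam-user.name
  groups = var.add-to-groups
}

# … unchanged: aws_iam_group_policy.iam-group-policy, aws_iam_group_policy_attachment.iam-group-managed-policies …
```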
--- a/modules/security_identity_compliance/iam-user/variables.tf
+++ b/modules/security_identity_compliance/iam-user/variables.tf
@@ -7,4 +7,16 @@ variable create-password {
 type = bool
 }
 variable default-tags {}
-variable managed-policy-arns {}
\ No newline at end of file
+variable managed-policy-arns {}
+variable create-group {
+ type = bool
+}
+variable iam-group-name {
+ type = string
+ default = ""
+}
+
+variable add-to-groups {
+ type = list
+ default = []
+}
\ No newline at end of file
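Review bot: `variable create-group` has no `default`, so every existing caller of this module that does not set it now fails with a missing-required-variable error; since the new behaviour is opt-in, `default = false` keeps old callers working and preserves their current user-level attachments. `type = list` without an element type is the legacy 0.11 form and should be `type = list(string)` so a mis-typed element is rejected at plan time rather than when it is interpolated into a group name. `iam-group-name` defaulting to `""` while `create-group = true` produces an invalid IAM group name at apply time; a `validation { condition = !var.create-group || length(var.iam-group-name) > 0 ... }` block (Terraform ≥ 0.13, if this module already requires it) or at least a `description` on each new variable stating that `iam-group-name` is required when `create-group` is true would catch that earlier.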