UPD: added iam group support

xpk 2022-09-16 10:37:28 +08:00
parent 06233f9ae0
commit 9cc5df4dda
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
4 changed files with 62 additions and 4 deletions


@ -12,6 +12,8 @@ module iam-user {
create-access-key = false create-access-key = false
create-password = false create-password = false
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"] managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
create-group = true
iam-group-name = var.iam-group-name
} }
data aws_iam_policy_document user-policy { data aws_iam_policy_document user-policy {
@ -34,4 +36,8 @@ data aws_iam_policy_document user-policy {
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"] resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
} }
} }
output iam-user-arn {
value = module.iam-user.iam-user-arn
}
``` ```


@ -10,15 +10,16 @@ resource "aws_iam_access_key" "iam-user-access-key" {
} }
resource "aws_iam_user_policy" "iam-user-policy" { resource "aws_iam_user_policy" "iam-user-policy" {
count = var.create-group ? 0 : 1
name = "SelfServiceAccess" name = "SelfServiceAccess"
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
policy = var.iam-user-policy policy = var.iam-user-policy
} }
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" { resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
for_each = toset(var.managed-policy-arns) count = var.create-group ? 0: length(var.managed-policy-arns)
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
policy_arn = each.value policy_arn = var.managed-policy-arns[count.index]
} }
resource "random_password" "iam-user-pass" { resource "random_password" "iam-user-pass" {
@ -48,3 +49,35 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" {
"KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet" "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
}) })
} }
resource aws_iam_group iam-group {
count = var.create-group ? 1 : 0
name = var.iam-group-name
}
resource aws_iam_group_membership new-group-membership {
count = length(aws_iam_group.iam-group)
name = aws_iam_group.iam-group[0].name
group = aws_iam_group.iam-group[0].name
users = [aws_iam_user.iam-user.name]
}
resource aws_iam_group_membership existing-group-membership {
count = length(var.add-to-groups)
name = var.add-to-groups[count.index]
group = var.add-to-groups[count.index]
users = [aws_iam_user.iam-user.name]
}
resource "aws_iam_group_policy" "iam-group-policy" {
count = var.create-group ? 1 : 0
name = "SelfServiceAccess"
group = aws_iam_group.iam-group[0].name
policy = var.iam-user-policy
}
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
count = var.create-group ? length(var.managed-policy-arns) : 0
group = aws_iam_group.iam-group[0].name
policy_arn = var.managed-policy-arns[count.index]
}


@ -0,0 +1,7 @@
output iam-user-name {
value = aws_iam_user.iam-user.name
}
output iam-user-arn {
value = aws_iam_user.iam-user.arn
}


@ -8,3 +8,15 @@ variable create-password {
} }
variable default-tags {} variable default-tags {}
variable managed-policy-arns {} variable managed-policy-arns {}
variable create-group {
type = bool
}
variable iam-group-name {
type = string
default = ""
}
variable add-to-groups {
type = list
default = []
}
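Review bot: `create-group` has no default, so after this change every existing caller of the module fails with a missing required variable until it sets the flag; `default = false` keeps the pre-commit behaviour (inline user policy and attachments on the user) for callers that do not opt in. `add-to-groups` uses the legacy untyped `list` constraint, which accepts elements of any type and is deprecated in favour of `type = list(string)`, which lets Terraform reject a mis-shaped value at plan time rather than at the IAM API. The empty default for `iam-group-name` combined with `create-group = true` reaches `aws_iam_group` with an empty name and only fails at apply, so a comment such as `# Required (non-empty) when create-group is true; the group is created per module instance` on the variable would make the contract explicit.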