From c274ca58c51ba65cf2012cbab3fe6f2151b706d1 Mon Sep 17 00:00:00 2001 From: xpk Date: Tue, 26 Mar 2024 15:22:14 +0800 Subject: [PATCH] FIX: fixed bugs --- .../iam-group/variables.tf | 1 - .../iam-user/main.tf | 31 ++++++++++--------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/modules/security_identity_compliance/iam-group/variables.tf b/modules/security_identity_compliance/iam-group/variables.tf index 8e10add..e727b89 100644 --- a/modules/security_identity_compliance/iam-group/variables.tf +++ b/modules/security_identity_compliance/iam-group/variables.tf @@ -1,4 +1,3 @@ -variable default-tags {} variable managed-policy-arns {} variable iam-group-name {} variable iam-group-policy {} diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf index f607ec9..ebeb863 100644 --- a/modules/security_identity_compliance/iam-user/main.tf +++ b/modules/security_identity_compliance/iam-user/main.tf @@ -27,6 +27,7 @@ data "aws_iam_policy_document" "user-policy" { actions = [ "iam:ChangePassword", + "iam:UpdateLoginProfile", "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", @@ -34,7 +35,8 @@ data "aws_iam_policy_document" "user-policy" { "iam:EnableMFADevice", "iam:ListMFA*", "iam:ListVirtualMFA*", - "iam:ResyncMFADevice" + "iam:ResyncMFADevice", + "iam:GetUser" ] effect = "Allow" @@ -42,8 +44,12 @@ data "aws_iam_policy_document" "user-policy" { } statement { - sid = "GetPasswordPolicy" - actions = ["iam:GetAccountPasswordPolicy"] + sid = "GetBasicUserInfo" + actions = [ + "iam:GetAccountPasswordPolicy", + "iam:GetAccessKeyLastUsed", + "iam:GetUserPolicy" + ] effect = "Allow" resources = ["*"] } 
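Review bot: `iam:UpdateLoginProfile`, added to the self-service statement in the first main.tf hunk, sets a new console password without presenting the current one, unlike `iam:ChangePassword` which was already there, so an attacker holding a stolen session can silently lock out the real user; the statement's `resources` line lies outside the hunk, and if it is not limited to the caller's own user ARN the action also resets other users' passwords. If the action is really needed, put it in its own statement scoped to `arn:aws:iam::*:user/$${aws:username}` and gated on `aws:MultiFactorAuthPresent`, rather than in this statement, so that the MFA enrolment actions here (`iam:EnableMFADevice`, `iam:ListMFA*`) stay reachable before a device exists. The enclosing `statement {` block starts before the hunk and ends after it.
```hcl
  # … unchanged: existing self-service statement (actions, effect, resources) …

  # Password resets that do not need the current password are only allowed from
  # an MFA-authenticated session; kept separate so MFA enrolment itself stays reachable.
  statement {
    sid       = "ResetOwnPasswordWithMFA"
    actions   = ["iam:UpdateLoginProfile"]
    effect    = "Allow"
    resources = ["arn:aws:iam::*:user/$${aws:username}"]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
```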
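Review bot: In the `GetBasicUserInfo` statement, `iam:GetUserPolicy` and `iam:GetAccessKeyLastUsed` are granted on `resources = ["*"]`, and both actions accept a user ARN as resource, so every user given this policy can read the inline policies of every other IAM user in the account, which is useful reconnaissance for an attacker and is broader than the "basic user info" the sid suggests. Only `iam:GetAccountPasswordPolicy` actually needs `*` because it is account-level. Move the two user-scoped actions into the per-user statement above and reduce this one to `actions = ["iam:GetAccountPasswordPolicy"]`.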
@@ -55,16 +61,11 @@ resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" { policy_arn = var.managed-policy-arns[count.index] } -resource "random_password" "iam-user-pass" { - count = var.create-password ? 1 : 0 - length = 20 - special = true -} - resource "aws_iam_user_login_profile" "iam-user-profile" { - count = var.create-password ? 1 : 0 - user = aws_iam_user.iam-user.name - pgp_key = null + count = var.create-password ? 1 : 0 + user = aws_iam_user.iam-user.name + password_length = 20 + pgp_key = null } resource "random_id" "secrets-random-id" { @@ -81,10 +82,12 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" { count = var.create-access-key || var.create-password ? 1 : 0 secret_id = aws_secretsmanager_secret.secretmanager[0].id secret_string = jsonencode( - { "ConsolePassword" : length(random_password.iam-user-pass) > 0 ? random_password.iam-user-pass[0].result : "NotSet", + { + "ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet", "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet", "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet" - }) + } + ) } resource "aws_iam_group_membership" "group-membership" {
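Review bot: `pgp_key = null` on `aws_iam_user_login_profile.iam-user-profile` means the provider-generated password is exposed through the resource's `password` attribute and kept in clear text in Terraform state, just as the removed `random_password` result was, and the following hunk copies it into Secrets Manager as well; nothing on the resource records that trade-off. Add a comment on that line such as `# pgp_key = null: the generated password is stored in plain text in the state file; the state backend must be encrypted and access-restricted`. `password_reset_required` is left at the provider default; if the intent is to force a change at first login, setting it explicitly documents that.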
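Review bot: The new `ConsolePassword` expression indexes `aws_iam_user_login_profile.iam-user-profile[0]` inside the `length(...)` condition itself, so when `create-access-key = true` and `create-password = false` the login profile list is empty and the plan fails with an invalid index before the `"NotSet"` branch is ever reached; the removed `random_password` version checked the list length first, and the `AccessKeyId`/`KeySecret` lines in the same hunk still use that correct pattern. Change the line to `"ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet",`. The `resource "aws_iam_group_membership"` block that opens on the last line continues outside the hunk.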