xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

FIX: fixed bugs

Browse Source
This commit is contained in:
xpk 2024-03-26 15:22:14 +08:00
parent 12cce7d59a
commit c274ca58c5
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
2 changed files with 17 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
modules/security_identity_compliance/iam-group/variables.tf
View File

@ -1,4 +1,3 @@
variable default-tags {}
variable managed-policy-arns {} variable managed-policy-arns {}
variable iam-group-name {} variable iam-group-name {}
variable iam-group-policy {} variable iam-group-policy {}

31
modules/security_identity_compliance/iam-user/main.tf
View File

@ -27,6 +27,7 @@ data "aws_iam_policy_document" "user-policy" {
actions = [ actions = [
"iam:ChangePassword", "iam:ChangePassword",
"iam:UpdateLoginProfile",
"iam:CreateAccessKey", "iam:CreateAccessKey",
"iam:DeleteAccessKey", "iam:DeleteAccessKey",
"iam:ListAccessKeys", "iam:ListAccessKeys",
@ -34,7 +35,8 @@ data "aws_iam_policy_document" "user-policy" {
"iam:EnableMFADevice", "iam:EnableMFADevice",
"iam:ListMFA*", "iam:ListMFA*",
"iam:ListVirtualMFA*", "iam:ListVirtualMFA*",
"iam:ResyncMFADevice" "iam:ResyncMFADevice",
"iam:GetUser"
] ]
effect = "Allow" effect = "Allow"
@ -42,8 +44,12 @@ data "aws_iam_policy_document" "user-policy" {
} }
statement { statement {
sid = "GetPasswordPolicy" sid = "GetBasicUserInfo"
actions = ["iam:GetAccountPasswordPolicy"] actions = [
"iam:GetAccountPasswordPolicy",
"iam:GetAccessKeyLastUsed",
"iam:GetUserPolicy"
]
effect = "Allow" effect = "Allow"
resources = ["*"] resources = ["*"]
} }
@ -55,16 +61,11 @@ resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
policy_arn = var.managed-policy-arns[count.index] policy_arn = var.managed-policy-arns[count.index]
} }
resource "random_password" "iam-user-pass" {
count = var.create-password ? 1 : 0
length = 20
special = true
}
resource "aws_iam_user_login_profile" "iam-user-profile" { resource "aws_iam_user_login_profile" "iam-user-profile" {
count = var.create-password ? 1 : 0 count = var.create-password ? 1 : 0
user = aws_iam_user.iam-user.name user = aws_iam_user.iam-user.name
pgp_key = null password_length = 20
pgp_key = null
} }
resource "random_id" "secrets-random-id" { resource "random_id" "secrets-random-id" {
@ -81,10 +82,12 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" {
count = var.create-access-key || var.create-password ? 1 : 0 count = var.create-access-key || var.create-password ? 1 : 0
secret_id = aws_secretsmanager_secret.secretmanager[0].id secret_id = aws_secretsmanager_secret.secretmanager[0].id
secret_string = jsonencode( secret_string = jsonencode(
{ "ConsolePassword" : length(random_password.iam-user-pass) > 0 ? random_password.iam-user-pass[0].result : "NotSet", {
"ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet",
"AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet", "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
"KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet" "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
}) }
)
} }
resource "aws_iam_group_membership" "group-membership" { resource "aws_iam_group_membership" "group-membership" {