UPD: changed to for_each

2022-10-19 20:01:04 +08:00 · 2022-10-19 20:01:04 +08:00 · c866a877b6
commit c866a877b6
parent 9002bbed80
2 changed files with 45 additions and 18 deletions
--- a/modules/security_identity_compliance/iam-user-gpg/main.tf
+++ b/modules/security_identity_compliance/iam-user-gpg/main.tf
@ -10,11 +10,38 @@ resource "aws_iam_access_key" "iam-user-access-key" {
  pgp_key = var.pgp-key
 }

-resource "aws_iam_user_policy" "iam-user-policy" {
-  count = var.create-group ? 0 : 1
-  name   = var.iam-user-policy-name
+#resource "aws_iam_user_policy" "iam-user-policy" {
+#  count = var.create-group ? 0 : 1
+#  name   = var.iam-user-policy-name
+#  user   = aws_iam_user.iam-user.name
+#  policy = var.iam-user-policy
+#}
+
+resource "aws_iam_user_policy" iam-user-selfservice-policy {
+  name = "SelfServicePermissions"
  user   = aws_iam_user.iam-user.name
-  policy = var.iam-user-policy
+  policy = data.aws_iam_policy_document.user-policy.json
+}
+
+data aws_iam_policy_document user-policy {
+  statement {
+    sid = "ManageOwnCredentials"
+
+    actions = [
+      "iam:ChangePassword",
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:ListAccessKey",
+      "iam:CreateVirtualMFADevice",
+      "iam:EnableMFADevice",
+      "iam:ListMFA*",
+      "iam:ListVirtualMFA*",
+      "iam:ResyncMFADevice"
+    ]
+
+    effect = "Allow"
+    resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
+  }
 }

 resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
@ -41,25 +68,25 @@ resource aws_iam_group iam-group {
 }

 resource aws_iam_group_membership new-group-membership {
-  count = length(aws_iam_group.iam-group)
-  name = aws_iam_group.iam-group[0].name
-  group = aws_iam_group.iam-group[0].name
+  for_each = aws_iam_group.iam-group
+  name = "MembershipToNewGroups"
+  group = each.value
  users = [aws_iam_user.iam-user.name]
 }

 resource aws_iam_group_membership existing-group-membership {
-  count = length(var.add-to-groups)
-  name = var.add-to-groups[count.index]
-  group = var.add-to-groups[count.index]
+  for_each = var.add-to-groups
+  name = "MembershipToExistingGroups"
+  group = each.value
  users = [aws_iam_user.iam-user.name]
 }

-resource "aws_iam_group_policy" "iam-group-policy" {
-  count = var.create-group ? 1 : 0
-  name   = "SelfServiceAccess"
-  group   = aws_iam_group.iam-group[0].name
-  policy = var.iam-user-policy
-}
+#resource "aws_iam_group_policy" "iam-group-policy" {
+#  count = var.create-group ? 1 : 0
+#  name   = "SelfServiceAccess"
+#  group   = aws_iam_group.iam-group[0].name
+#  policy = var.iam-user-policy
+#}

 resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
  count = var.create-group ? length(var.managed-policy-arns) : 0
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
@ -84,9 +84,9 @@ resource aws_iam_group iam-group {
 }

 resource aws_iam_group_membership new-group-membership {
-  count = length(aws_iam_group.iam-group)
+  for_each = aws_iam_group.iam-group
  name = "MembershipToNewGroups"
-  group = aws_iam_group.iam-group[0].name
+  group = each.value
  users = [aws_iam_user.iam-user.name]
 }