From f11b4fbc4479d1de1d5784026222a5a793db0dfd Mon Sep 17 00:00:00 2001
From: KF
Date: Wed, 19 Oct 2022 22:09:15 +0800
Subject: [PATCH] UPD: decoupled iam group from iam user module. create new iam-group module
---
 .../iam-group/README.md | 24 ++++++++
 .../iam-group/main.tf | 17 ++++++
 .../iam-group/outputs.tf | 7 +++
 .../iam-group/variables.tf | 5 ++
 .../iam-user/main.tf | 59 +++++--------------
 .../iam-user/variables.tf | 8 ---
 6 files changed, 69 insertions(+), 51 deletions(-)
 create mode 100644 modules/security_identity_compliance/iam-group/README.md
 create mode 100644 modules/security_identity_compliance/iam-group/main.tf
 create mode 100644 modules/security_identity_compliance/iam-group/outputs.tf
 create mode 100644 modules/security_identity_compliance/iam-group/variables.tf
diff --git a/modules/security_identity_compliance/iam-group/README.md b/modules/security_identity_compliance/iam-group/README.md
new file mode 100644
index 0000000..df14578
--- /dev/null
+++ b/modules/security_identity_compliance/iam-group/README.md
@@ -0,0 +1,24 @@
+# iam-user module
+Module for creating IAM user. Credentials, if any, will be stored in secretsmanager
+
+## Example
+```terraform
+module iam-user {
+ source = "../../modules/security_identity_compliance/iam-user"
+
+ default-tags = local.default-tags
+ iam-user-name = var.iam-user-name
+ iam-user-policy = ""
+ iam-user-policy-name = "SelfServicePermissions"
+ create-access-key = false
+ create-password = false
+ managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
+ create-group = true
+ add-to-groups = []
+ iam-group-name = var.iam-group-name
+}
+
+output iam-user-arn {
+ value = module.iam-user.iam-user-arn
+}
+```
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-group/main.tf b/modules/security_identity_compliance/iam-group/main.tf
new file mode 100644
index 0000000..39f8698
--- /dev/null
+++ b/modules/security_identity_compliance/iam-group/main.tf
@@ -0,0 +1,17 @@
+resource "aws_iam_group" "iam-group" {
+ name = var.iam-group-name
+}
+
+resource "aws_iam_group_policy" "iam-group-policy-new-group" {
+ count = var.iam-group-policy != "" ? 1 : 0
+ name = var.iam-group-policy-name
+ group = aws_iam_group.iam-group.name
+ policy = var.iam-group-policy
+}
+
+resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
+ count = length(var.managed-policy-arns) > 0 ? 1 : 0
+ group = aws_iam_group.iam-group.name
+ policy_arn = var.managed-policy-arns[count.index]
+}
+
diff --git a/modules/security_identity_compliance/iam-group/outputs.tf b/modules/security_identity_compliance/iam-group/outputs.tf
new file mode 100644
index 0000000..e3b8efa
--- /dev/null
+++ b/modules/security_identity_compliance/iam-group/outputs.tf
@@ -0,0 +1,7 @@
+output iam-group-name {
+ value = aws_iam_group.iam-group.name
+}
+
+output iam-group-arn {
+ value = aws_iam_group.iam-group.arn
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-group/variables.tf b/modules/security_identity_compliance/iam-group/variables.tf
new file mode 100644
index 0000000..8e10add
--- /dev/null
+++ b/modules/security_identity_compliance/iam-group/variables.tf
@@ -0,0 +1,5 @@
+variable default-tags {}
+variable managed-policy-arns {}
+variable iam-group-name {}
+variable iam-group-policy {}
+variable iam-group-policy-name {}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf
index f7341a2..b2e1846 100644
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
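Review bot: `aws_iam_group_policy_attachment.iam-group-managed-policies` only ever attaches the first ARN, because its `count` is `length(var.managed-policy-arns) > 0 ? 1 : 0` while `policy_arn` indexes `var.managed-policy-arns[count.index]`; with two or more ARNs the rest are silently dropped, and missing permissions of that kind tend to get "fixed" later with a broader policy. Use `count = length(var.managed-policy-arns)` (or `for_each = toset(var.managed-policy-arns)` with `policy_arn = each.value`) so every listed policy is attached. `var.default-tags` is declared for this module but not referenced here, and `aws_iam_group` takes no tags argument, so either drop the input or add a comment saying it is accepted only for interface symmetry with the iam-user module. The README added alongside this file is still the iam-user README (title, `source`, `create-group`, `iam-group-name`) and does not describe the `iam-group-name`, `iam-group-policy`, `iam-group-policy-name` and `managed-policy-arns` inputs this module actually takes.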
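Review bot: None of the five new inputs in variables.tf carries a `type` or a `default`, so `iam-group-policy` and `iam-group-policy-name` must be passed explicitly even when no inline policy is wanted, and a non-string or null value reaches the `!= ""` guard and `aws_iam_group_policy.policy` unchecked. Give each input a type (`string` for the name/policy inputs, `list(string)` for `managed-policy-arns`) and a default (`""` and `[]`) so the conditionals in main.tf operate on typed values and callers can omit what they do not use. `default-tags` is declared but never referenced anywhere in the new module.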
@@ -9,21 +9,20 @@ resource "aws_iam_access_key" "iam-user-access-key" {
 user = aws_iam_user.iam-user.name
 }
-# need to work on attaching additional user policy
-#resource "aws_iam_user_policy" "iam-user-policy" {
-# count = var.create-group ? 0 : 1
-# name = var.iam-user-policy-name
-# user = aws_iam_user.iam-user.name
-# policy = var.iam-user-policy
-#}
+resource "aws_iam_user_policy" "iam-user-policy" {
+ count = var.iam-user-policy != "" ? 1 : 0
+ name = var.iam-user-policy-name
+ user = aws_iam_user.iam-user.name
+ policy = var.iam-user-policy
+}
-resource "aws_iam_user_policy" iam-user-selfservice-policy {
- name = "SelfServicePermissions"
+resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
+ name = "SelfServicePermissions"
 user = aws_iam_user.iam-user.name
 policy = data.aws_iam_policy_document.user-policy.json
 }
-data aws_iam_policy_document user-policy {
+data "aws_iam_policy_document" "user-policy" {
 statement {
 sid = "ManageOwnCredentials"
@@ -39,13 +38,13 @@ data aws_iam_policy_document user-policy {
 "iam:ResyncMFADevice"
 ]
- effect = "Allow"
+ effect = "Allow"
 resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
 }
 }
 resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
- count = var.create-group ? 0: length(var.managed-policy-arns)
+ count = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
 user = aws_iam_user.iam-user.name
 policy_arn = var.managed-policy-arns[count.index]
 }
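Review bot: The new `count` on `aws_iam_user_policy_attachment.iam-user-managed-policies` silently discards every entry of `var.managed-policy-arns` as soon as `var.add-to-groups` is non-empty: a caller who supplies both gets neither an error nor the attachments, and nothing in this module forwards those ARNs to the groups either. If the intent is that policies belong on the group whenever groups are used, say so above the resource (`# managed-policy-arns are ignored when add-to-groups is set; attach them to the group via the iam-group module`) or reject the combination with a `lifecycle { precondition }` so the drop is not invisible. Separately, the context line `resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]` in the ManageOwnCredentials statement uses the literal text `account-id`; unless that placeholder is substituted somewhere outside this file, the statement does not match the real user ARN and the account id should come from `data.aws_caller_identity`. The `data "aws_iam_policy_document" "user-policy"` block starts before this hunk.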
@@ -78,36 +77,10 @@ resource "aws_secretsmanager_secret_version" "iam-user-secret" {
 })
 }
-resource aws_iam_group iam-group {
- count = var.create-group ? 1 : 0
- name = var.iam-group-name
-}
-
-resource aws_iam_group_membership new-group-membership {
- for_each = aws_iam_group.iam-group
- name = "MembershipToNewGroups"
- group = each.value
- users = [aws_iam_user.iam-user.name]
-}
-
-resource aws_iam_group_membership existing-group-membership {
- for_each = var.add-to-groups
- name = "MembershipToExistingGroups"
- group = each.value
- users = [aws_iam_user.iam-user.name]
-}
-
-# need to work on attaching additional group policy
-#resource "aws_iam_group_policy" "iam-group-policy" {
-# count = var.create-group ? 1 : 0
-# name = "SelfServiceAccess"
-# group = aws_iam_group.iam-group[0].name
-# policy = var.iam-user-policy
-#}
-
-resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
- count = var.create-group ? length(var.managed-policy-arns) : 0
- group = aws_iam_group.iam-group[0].name
- policy_arn = var.managed-policy-arns[count.index]
+resource "aws_iam_group_membership" "group-membership" {
+ for_each = toset(var.add-to-groups)
+ name = "MembershipToExistingGroups"
+ group = each.value
+ users = [aws_iam_user.iam-user.name]
 }
diff --git a/modules/security_identity_compliance/iam-user/variables.tf b/modules/security_identity_compliance/iam-user/variables.tf
index f046c0d..e7a1640 100644
--- a/modules/security_identity_compliance/iam-user/variables.tf
+++ b/modules/security_identity_compliance/iam-user/variables.tf
@@ -8,14 +8,6 @@ variable create-password {
 }
 variable default-tags {}
 variable managed-policy-arns {}
-variable create-group {
- type = bool
-}
-variable iam-group-name {
- type = string
- default = ""
-}
-
 variable add-to-groups {
 type = list
 default = []
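Review bot: `aws_iam_group_membership.group-membership` is the wrong resource for adding one user to groups that already exist: the AWS provider treats that resource as the authoritative member list of the group it names, so applying it with `users = [aws_iam_user.iam-user.name]` removes every other member of each group in `var.add-to-groups`, and two instances of this module pointed at the same group will flip its membership back and forth on every apply. The name `MembershipToExistingGroups` shows the groups are expected to pre-exist, which is exactly the case where this is destructive. `aws_iam_user_group_membership` is the per-user, non-exclusive form and takes the whole group list at once, so the `for_each` is no longer needed. The enclosing `aws_secretsmanager_secret_version` block starts before this hunk, but the membership resource is complete within it.
```terraform
# Non-exclusive membership: only this user's own group list is managed;
# other members of the groups in var.add-to-groups are left untouched.
resource "aws_iam_user_group_membership" "group-membership" {
  count  = length(var.add-to-groups) > 0 ? 1 : 0
  user   = aws_iam_user.iam-user.name
  groups = var.add-to-groups
}
```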