97 lines
2.9 KiB
HCL
97 lines
2.9 KiB
HCL
resource "aws_iam_user" "iam-user" {
|
|
name = var.iam-user-name
|
|
force_destroy = true
|
|
}
|
|
|
|
resource "aws_iam_access_key" "iam-user-access-key" {
|
|
count = var.create-access-key ? 1 : 0
|
|
user = aws_iam_user.iam-user.name
|
|
}
|
|
|
|
resource "aws_iam_user_policy" "iam-user-policy" {
|
|
count = var.iam-user-policy != "" ? 1 : 0
|
|
name = var.iam-user-policy-name
|
|
user = aws_iam_user.iam-user.name
|
|
policy = var.iam-user-policy
|
|
}
|
|
|
|
resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
|
|
name = "SelfServicePermissions"
|
|
user = aws_iam_user.iam-user.name
|
|
policy = data.aws_iam_policy_document.user-policy.json
|
|
}
|
|
|
|
data "aws_iam_policy_document" "user-policy" {
|
|
statement {
|
|
sid = "ManageOwnCredentials"
|
|
|
|
actions = [
|
|
"iam:ChangePassword",
|
|
"iam:CreateAccessKey",
|
|
"iam:DeleteAccessKey",
|
|
"iam:ListAccessKeys",
|
|
"iam:CreateVirtualMFADevice",
|
|
"iam:EnableMFADevice",
|
|
"iam:ListMFA*",
|
|
"iam:ListVirtualMFA*",
|
|
"iam:ResyncMFADevice"
|
|
]
|
|
|
|
effect = "Allow"
|
|
resources = ["arn:aws:iam::*:user/$${aws:username}"]
|
|
}
|
|
|
|
statement {
|
|
sid = "GetPasswordPolicy"
|
|
actions = ["iam:GetAccountPasswordPolicy"]
|
|
effect = "Allow"
|
|
resources = ["*"]
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
|
|
count = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
|
|
user = aws_iam_user.iam-user.name
|
|
policy_arn = var.managed-policy-arns[count.index]
|
|
}
|
|
|
|
resource "random_password" "iam-user-pass" {
|
|
count = var.create-password ? 1 : 0
|
|
length = 20
|
|
special = true
|
|
}
|
|
|
|
resource "aws_iam_user_login_profile" "iam-user-profile" {
|
|
count = var.create-password ? 1 : 0
|
|
user = aws_iam_user.iam-user.name
|
|
pgp_key = null
|
|
}
|
|
|
|
resource "random_id" "secrets-random-id" {
|
|
byte_length = 2
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret" "secretmanager" {
|
|
count = var.create-access-key || var.create-password ? 1 : 0
|
|
name = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
|
|
description = "AWS resource credential"
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "iam-user-secret" {
|
|
count = var.create-access-key || var.create-password ? 1 : 0
|
|
secret_id = aws_secretsmanager_secret.secretmanager[0].id
|
|
secret_string = jsonencode(
|
|
{ "ConsolePassword" : length(random_password.iam-user-pass) > 0 ? random_password.iam-user-pass[0].result : "NotSet",
|
|
"AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
|
|
"KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
|
|
})
|
|
}
|
|
|
|
resource "aws_iam_group_membership" "group-membership" {
|
|
for_each = toset(var.add-to-groups)
|
|
name = "MembershipToExistingGroups"
|
|
group = each.value
|
|
users = [aws_iam_user.iam-user.name]
|
|
}
|
|
|