1.7 KiB
1.7 KiB
iam-user module
Module for creating IAM user. Credentials, if any, will be stored in secretsmanager.
Optionally, credentials can be encrypted with gpg key when pgp-key parameter is provided. To obtain gpg public key of a user, run
gpg --export key-owner-name | base64
To decrypt the encrypted data
terraform output iam-user-pass-pgp | tr -d \" | base64 -d | gpg -d
terraform output iam-user-secret-key-pgp | tr -d \" | base64 -d | gpg -d
Example
module iam-group {
source = "../../modules/security_identity_compliance/iam-group"
default-tags = local.default-tags
iam-group-name = "ViewOnlyUsers001"
iam-group-policy = ""
iam-group-policy-name = ""
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}
module iam-user1 {
source = "../../modules/security_identity_compliance/iam-user"
default-tags = local.default-tags
iam-user-name = "UserNoGroup001"
create-access-key = true
create-password = true
pgp-key = var.pgp-key
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}
module iam-user2 {
source = "../../modules/security_identity_compliance/iam-user"
default-tags = local.default-tags
iam-user-name = "UserInGroup001"
iam-user-policy = data.aws_iam_policy_document.user-policy.json
iam-user-policy-name = "S3AdminPermissions"
create-access-key = false
create-password = false
managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
add-to-groups = [module.iam-group.iam-group-name]
}
data aws_iam_policy_document user-policy {
statement {
sid = "s3admin"
actions = [
"s3:*"
]
effect = "Allow"
resources = ["*"]
}
}