
iam-user module

Module for creating an IAM user. Credentials, if any, are stored in Secrets Manager. Optionally, the credentials can be encrypted with a GPG key when the pgp-key parameter is provided. To obtain a user's GPG public key, run

# Exports the public key in binary form and base64-encodes it so the result can
# be passed as the pgp-key variable. Replace key-owner-name with the key's
# user id or fingerprint as known to gpg.
gpg --export key-owner-name | base64

To decrypt the encrypted outputs:

# `terraform output NAME` prints the value as a quoted string, so tr strips the
# quotes before base64 decoding and gpg decrypts with the matching private key.
# On Terraform >= 0.14, `terraform output -raw NAME` prints the bare value and
# the tr step can be dropped.
# gpg -d writes the plaintext credential to stdout; pipe or redirect it rather
# than leaving it in terminal scrollback.
terraform output iam-user-pass-pgp  | tr -d \" | base64 -d | gpg -d
terraform output iam-user-secret-key-pgp  | tr -d \" | base64 -d | gpg -d

Example

# Group carrying only the AWS-managed ViewOnlyAccess policy; iam-user2 below
# is added to it via add-to-groups.
module iam-group {
  source = "../../modules/security_identity_compliance/iam-group"
  default-tags    = local.default-tags

  iam-group-name        = "ViewOnlyUsers001"
  # No inline group policy in this example, so both are left empty.
  iam-group-policy      = ""
  iam-group-policy-name = ""
  managed-policy-arns   = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

# User outside any group. Both an access key and a console password are
# generated; with pgp-key set they are encrypted before being exposed as
# outputs (see the decrypt commands above).
module iam-user1 {
  source = "../../modules/security_identity_compliance/iam-user"

  default-tags    = local.default-tags
  iam-user-name   = "UserNoGroup001"
  # Long-lived credentials are created here; set these to false for users
  # that only need permissions (see iam-user2).
  create-access-key = true
  create-password = true
  # Base64-encoded GPG public key used to encrypt the generated credentials.
  pgp-key = var.pgp-key
  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
}

# User placed in iam-group with an additional inline policy rendered from the
# aws_iam_policy_document below. No access key or console password is created.
module iam-user2 {
  source = "../../modules/security_identity_compliance/iam-user"

  default-tags    = local.default-tags
  iam-user-name   = "UserInGroup001"
  # Inline policy JSON and the name it is attached under.
  iam-user-policy = data.aws_iam_policy_document.user-policy.json
  iam-user-policy-name = "S3AdminPermissions"
  # No long-lived credentials for this user.
  create-access-key = false
  create-password = false
  managed-policy-arns = ["arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"]
  # Membership in the group defined above.
  add-to-groups = [module.iam-group.iam-group-name]
}

# Example inline policy: every S3 action on every resource. This is
# deliberately broad for illustration; before reusing it, narrow `resources`
# to the bucket/object ARNs the user actually needs and trim `actions`
# accordingly.
data aws_iam_policy_document user-policy {
  statement {
    sid = "s3admin"

    # "s3:*" matches all S3 API actions.
    actions = [
      "s3:*"
    ]

    effect = "Allow"
    # "*" places no restriction on which buckets or objects are affected.
    resources = ["*"]
  }
}