114 lines
3.4 KiB
HCL
114 lines
3.4 KiB
HCL
resource "aws_iam_user" "iam-user" {
|
|
name = var.iam-user-name
|
|
tags = var.default-tags
|
|
force_destroy = true
|
|
}
|
|
|
|
resource "aws_iam_access_key" "iam-user-access-key" {
|
|
count = var.create-access-key ? 1 : 0
|
|
user = aws_iam_user.iam-user.name
|
|
}
|
|
|
|
# need to work on attaching additional user policy
|
|
#resource "aws_iam_user_policy" "iam-user-policy" {
|
|
# count = var.create-group ? 0 : 1
|
|
# name = var.iam-user-policy-name
|
|
# user = aws_iam_user.iam-user.name
|
|
# policy = var.iam-user-policy
|
|
#}
|
|
|
|
resource "aws_iam_user_policy" iam-user-selfservice-policy {
|
|
name = "SelfServicePermissions"
|
|
user = aws_iam_user.iam-user.name
|
|
policy = data.aws_iam_policy_document.user-policy.json
|
|
}
|
|
|
|
data aws_iam_policy_document user-policy {
|
|
statement {
|
|
sid = "ManageOwnCredentials"
|
|
|
|
actions = [
|
|
"iam:ChangePassword",
|
|
"iam:CreateAccessKey",
|
|
"iam:DeleteAccessKey",
|
|
"iam:ListAccessKey",
|
|
"iam:CreateVirtualMFADevice",
|
|
"iam:EnableMFADevice",
|
|
"iam:ListMFA*",
|
|
"iam:ListVirtualMFA*",
|
|
"iam:ResyncMFADevice"
|
|
]
|
|
|
|
effect = "Allow"
|
|
resources = ["arn:aws:iam::account-id:user/${var.iam-user-name}"]
|
|
}
|
|
}
|
|
|
|
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
|
|
count = var.create-group ? 0: length(var.managed-policy-arns)
|
|
user = aws_iam_user.iam-user.name
|
|
policy_arn = var.managed-policy-arns[count.index]
|
|
}
|
|
|
|
resource "random_password" "iam-user-pass" {
|
|
count = var.create-password ? 1 : 0
|
|
length = 20
|
|
special = true
|
|
}
|
|
|
|
resource "aws_iam_user_login_profile" "iam-user-profile" {
|
|
count = var.create-password ? 1 : 0
|
|
user = aws_iam_user.iam-user.name
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret" "secretmanager" {
|
|
count = var.create-access-key || var.create-password ? 1 : 0
|
|
name = "IamUserCredential-${var.iam-user-name}"
|
|
description = "AWS resource credential"
|
|
tags = var.default-tags
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "iam-user-secret" {
|
|
count = var.create-access-key || var.create-password ? 1 : 0
|
|
secret_id = aws_secretsmanager_secret.secretmanager[0].id
|
|
secret_string = jsonencode(
|
|
{ "ConsolePassword" : length(random_password.iam-user-pass) > 0 ? random_password.iam-user-pass[0].result : "NotSet",
|
|
"AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
|
|
"KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
|
|
})
|
|
}
|
|
|
|
resource aws_iam_group iam-group {
|
|
count = var.create-group ? 1 : 0
|
|
name = var.iam-group-name
|
|
}
|
|
|
|
resource aws_iam_group_membership new-group-membership {
|
|
for_each = aws_iam_group.iam-group
|
|
name = "MembershipToNewGroups"
|
|
group = each.value
|
|
users = [aws_iam_user.iam-user.name]
|
|
}
|
|
|
|
resource aws_iam_group_membership existing-group-membership {
|
|
for_each = var.add-to-groups
|
|
name = "MembershipToExistingGroups"
|
|
group = each.value
|
|
users = [aws_iam_user.iam-user.name]
|
|
}
|
|
|
|
# need to work on attaching additional group policy
|
|
#resource "aws_iam_group_policy" "iam-group-policy" {
|
|
# count = var.create-group ? 1 : 0
|
|
# name = "SelfServiceAccess"
|
|
# group = aws_iam_group.iam-group[0].name
|
|
# policy = var.iam-user-policy
|
|
#}
|
|
|
|
resource "aws_iam_group_policy_attachment" "iam-group-managed-policies" {
|
|
count = var.create-group ? length(var.managed-policy-arns) : 0
|
|
group = aws_iam_group.iam-group[0].name
|
|
policy_arn = var.managed-policy-arns[count.index]
|
|
}
|
|
|