initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,56 @@
+<!-- This readme file is generated with terraform-docs -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+| random | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_access_key.iam-user-access-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_group_membership.group-membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
+| [aws_iam_user.iam-user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_login_profile.iam-user-profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
+| [aws_iam_user_policy.iam-user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_user_policy.iam-user-selfservice-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_user_policy_attachment.iam-user-managed-policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_secretsmanager_secret.secretmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_version.iam-user-secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [random_id.secrets-random-id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [random_password.iam-user-pass](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
+| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| add-to-groups | n/a | `list(string)` | `[]` | no |
+| create-access-key | n/a | `bool` | n/a | yes |
+| create-password | n/a | `bool` | n/a | yes |
+| iam-user-name | n/a | `any` | n/a | yes |
+| iam-user-policy | n/a | `string` | `""` | no |
+| iam-user-policy-name | n/a | `string` | `""` | no |
+| managed-policy-arns | n/a | `any` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| iam-user-access-key | n/a |
+| iam-user-arn | n/a |
+| iam-user-name | n/a |
+ 
+---
+## Authorship
+This module was developed by xpk.
@@ -0,0 +1,99 @@
+resource "aws_iam_user" "iam-user" {
+  name          = var.iam-user-name
+  force_destroy = true
+}
+
+resource "aws_iam_access_key" "iam-user-access-key" {
+  count = var.create-access-key ? 1 : 0
+  user  = aws_iam_user.iam-user.name
+}
+
+resource "aws_iam_user_policy" "iam-user-policy" {
+  count  = var.iam-user-policy != "" ? 1 : 0
+  name   = var.iam-user-policy-name
+  user   = aws_iam_user.iam-user.name
+  policy = var.iam-user-policy
+}
+
+resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
+  name   = "SelfServicePermissions"
+  user   = aws_iam_user.iam-user.name
+  policy = data.aws_iam_policy_document.user-policy.json
+}
+
+data "aws_iam_policy_document" "user-policy" {
+  statement {
+    sid = "ManageOwnCredentials"
+
+    actions = [
+      "iam:ChangePassword",
+      "iam:UpdateLoginProfile",
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:ListAccessKeys",
+      "iam:CreateVirtualMFADevice",
+      "iam:EnableMFADevice",
+      "iam:ListMFA*",
+      "iam:ListVirtualMFA*",
+      "iam:ResyncMFADevice",
+      "iam:GetUser"
+    ]
+
+    effect    = "Allow"
+    resources = ["arn:aws:iam::*:user/$${aws:username}"]
+  }
+
+  statement {
+    sid = "GetBasicUserInfo"
+    actions = [
+      "iam:GetAccountPasswordPolicy",
+      "iam:GetAccessKeyLastUsed",
+      "iam:GetUserPolicy"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
+  count      = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
+  user       = aws_iam_user.iam-user.name
+  policy_arn = var.managed-policy-arns[count.index]
+}
+
+resource "aws_iam_user_login_profile" "iam-user-profile" {
+  count           = var.create-password ? 1 : 0
+  user            = aws_iam_user.iam-user.name
+  password_length = 20
+  pgp_key         = null
+}
+
+resource "random_id" "secrets-random-id" {
+  byte_length = 2
+}
+
+resource "aws_secretsmanager_secret" "secretmanager" {
+  count       = var.create-access-key || var.create-password ? 1 : 0
+  name        = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
+  description = "AWS resource credential"
+}
+
+resource "aws_secretsmanager_secret_version" "iam-user-secret" {
+  count     = var.create-access-key || var.create-password ? 1 : 0
+  secret_id = aws_secretsmanager_secret.secretmanager[0].id
+  secret_string = jsonencode(
+    {
+      "ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet",
+      "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
+      "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
+    }
+  )
+}
+
+resource "aws_iam_group_membership" "group-membership" {
+  for_each = toset(var.add-to-groups)
+  name     = "MembershipToExistingGroups"
+  group    = each.value
+  users    = [aws_iam_user.iam-user.name]
+}
+
@@ -0,0 +1,15 @@
+output "iam-user-name" {
+  value = aws_iam_user.iam-user.name
+}
+
+output "iam-user-arn" {
+  value = aws_iam_user.iam-user.arn
+}
+
+output "iam-user-access-key" {
+  value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
+}
+
+output "iam-user-secret-arn" {
+  value = try(aws_secretsmanager_secret_version.iam-user-secret[0].arn, "none")
+}
@@ -0,0 +1,20 @@
+variable "iam-user-name" {}
+variable "iam-user-policy" {
+  type    = string
+  default = ""
+}
+variable "iam-user-policy-name" {
+  type    = string
+  default = ""
+}
+variable "create-access-key" {
+  type = bool
+}
+variable "create-password" {
+  type = bool
+}
+variable "managed-policy-arns" {}
+variable "add-to-groups" {
+  type    = list(string)
+  default = []
+}
@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 1.3.9"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}