initial commit

2026-02-13 15:44:24 +08:00
parent 66be8224f4
commit 09ce4c881a
570 changed files with 61807 additions and 0 deletions
@@ -0,0 +1,99 @@
+resource "aws_iam_user" "iam-user" {
+  name          = var.iam-user-name
+  force_destroy = true
+}
+
+resource "aws_iam_access_key" "iam-user-access-key" {
+  count = var.create-access-key ? 1 : 0
+  user  = aws_iam_user.iam-user.name
+}
+
+resource "aws_iam_user_policy" "iam-user-policy" {
+  count  = var.iam-user-policy != "" ? 1 : 0
+  name   = var.iam-user-policy-name
+  user   = aws_iam_user.iam-user.name
+  policy = var.iam-user-policy
+}
+
+resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
+  name   = "SelfServicePermissions"
+  user   = aws_iam_user.iam-user.name
+  policy = data.aws_iam_policy_document.user-policy.json
+}
+
+data "aws_iam_policy_document" "user-policy" {
+  statement {
+    sid = "ManageOwnCredentials"
+
+    actions = [
+      "iam:ChangePassword",
+      "iam:UpdateLoginProfile",
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:ListAccessKeys",
+      "iam:CreateVirtualMFADevice",
+      "iam:EnableMFADevice",
+      "iam:ListMFA*",
+      "iam:ListVirtualMFA*",
+      "iam:ResyncMFADevice",
+      "iam:GetUser"
+    ]
+
+    effect    = "Allow"
+    resources = ["arn:aws:iam::*:user/$${aws:username}"]
+  }
+
+  statement {
+    sid = "GetBasicUserInfo"
+    actions = [
+      "iam:GetAccountPasswordPolicy",
+      "iam:GetAccessKeyLastUsed",
+      "iam:GetUserPolicy"
+    ]
+    effect    = "Allow"
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
+  count      = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
+  user       = aws_iam_user.iam-user.name
+  policy_arn = var.managed-policy-arns[count.index]
+}
+
+resource "aws_iam_user_login_profile" "iam-user-profile" {
+  count           = var.create-password ? 1 : 0
+  user            = aws_iam_user.iam-user.name
+  password_length = 20
+  pgp_key         = null
+}
+
+resource "random_id" "secrets-random-id" {
+  byte_length = 2
+}
+
+resource "aws_secretsmanager_secret" "secretmanager" {
+  count       = var.create-access-key || var.create-password ? 1 : 0
+  name        = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
+  description = "AWS resource credential"
+}
+
+resource "aws_secretsmanager_secret_version" "iam-user-secret" {
+  count     = var.create-access-key || var.create-password ? 1 : 0
+  secret_id = aws_secretsmanager_secret.secretmanager[0].id
+  secret_string = jsonencode(
+    {
+      "ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet",
+      "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
+      "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
+    }
+  )
+}
+
+resource "aws_iam_group_membership" "group-membership" {
+  for_each = toset(var.add-to-groups)
+  name     = "MembershipToExistingGroups"
+  group    = each.value
+  users    = [aws_iam_user.iam-user.name]
+}
+