feat: new iam-user module and secretsmanager-2025 module
This commit is contained in:
@@ -1,4 +1,47 @@
|
||||
<!-- This readme file is generated with terraform-docs -->
|
||||
## Example
|
||||
|
||||
```hcl
|
||||
module "example" {
|
||||
source = "../"
|
||||
user_name = "example-user"
|
||||
create_group_name = "example-group"
|
||||
create_access_key = false
|
||||
enable_console_access = true
|
||||
custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json
|
||||
secretsmanager_kms_arn = "arn:aws:kms:ap-east-1:000011112222:key/0000"
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "ec2-restart" {
|
||||
statement {
|
||||
sid = "StartStopEc2Instances"
|
||||
|
||||
actions = [
|
||||
"ec2:StartInstances",
|
||||
"ec2:StopInstances",
|
||||
"ec2:Describe*"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
|
||||
"arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
|
||||
]
|
||||
|
||||
effect = "Allow"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
# iam-user module
|
||||
Creates iam user. If new group will be created for this user, use custom\_iam\_policy\_json to
|
||||
attach iam policy to the group. You can also use attach\_iam\_policies to attach AWS-managed policies.
|
||||
|
||||
## Security requirements
|
||||
IAM policies must be attached to iam group, not directly to iam user.
|
||||
This module requires a new group be created, or an existing group for the user to be added to.
|
||||
|
||||
User credentials are saved in secretsmanager, which must be encrypted with CMK
|
||||
|
||||
## Requirements
|
||||
|
||||
No requirements.
|
||||
@@ -6,51 +49,47 @@ No requirements.
|
||||
## Providers
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| ---- | ------- |
|
||||
| aws | n/a |
|
||||
| random | n/a |
|
||||
|
||||
## Modules
|
||||
|
||||
No modules.
|
||||
| Name | Source | Version |
|
||||
| ---- | ------ | ------- |
|
||||
| UserCredentials | ../secretsmanager-2025 | n/a |
|
||||
|
||||
## Resources
|
||||
|
||||
| Name | Type |
|
||||
|------|------|
|
||||
| [aws_iam_access_key.iam-user-access-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
|
||||
| [aws_iam_group_membership.group-membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
|
||||
| [aws_iam_user.iam-user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
|
||||
| [aws_iam_user_login_profile.iam-user-profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
|
||||
| [aws_iam_user_policy.iam-user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
|
||||
| [aws_iam_user_policy.iam-user-selfservice-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
|
||||
| [aws_iam_user_policy_attachment.iam-user-managed-policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
|
||||
| [aws_secretsmanager_secret.secretmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
|
||||
| [aws_secretsmanager_secret_version.iam-user-secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
|
||||
| [random_id.secrets-random-id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
|
||||
| [random_password.iam-user-pass](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
|
||||
| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
|
||||
| ---- | ---- |
|
||||
| [aws_iam_access_key.AccessKey](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
|
||||
| [aws_iam_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
|
||||
| [aws_iam_group_membership.membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
|
||||
| [aws_iam_group_policy_attachment.ManagedPolicies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
|
||||
| [aws_iam_group_policy_attachment.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
|
||||
| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
|
||||
| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
|
||||
| [aws_iam_user_login_profile.profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
|
||||
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
|
||||
| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
|
||||
|
||||
## Inputs
|
||||
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:--------:|
|
||||
| add-to-groups | n/a | `list(string)` | `[]` | no |
|
||||
| create-access-key | n/a | `bool` | n/a | yes |
|
||||
| create-password | n/a | `bool` | n/a | yes |
|
||||
| iam-user-name | n/a | `any` | n/a | yes |
|
||||
| iam-user-policy | n/a | `string` | `""` | no |
|
||||
| iam-user-policy-name | n/a | `string` | `""` | no |
|
||||
| managed-policy-arns | n/a | `any` | n/a | yes |
|
||||
| ---- | ----------- | ---- | ------- | :------: |
|
||||
| attach\_iam\_policies | Aws-Managed iam policies to be attached | `list(string)` | `[]` | no |
|
||||
| create\_access\_key | Create access key for user | `bool` | n/a | yes |
|
||||
| create\_group\_name | Name of new group to be created and add user to | `string` | `null` | no |
|
||||
| custom\_iam\_policy\_json | Json encoded aws\_iam\_policy\_document, only applicable when create\_group\_name is used. | `string` | n/a | yes |
|
||||
| enable\_console\_access | Enable console access | `bool` | n/a | yes |
|
||||
| existing\_group\_name | Name of existing group to add user to | `string` | `null` | no |
|
||||
| secretsmanager\_kms\_arn | KMS key arn of secretsmanager | `string` | n/a | yes |
|
||||
| user\_name | Name of IAM user | `string` | n/a | yes |
|
||||
|
||||
## Outputs
|
||||
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| iam-user-access-key | n/a |
|
||||
| iam-user-arn | n/a |
|
||||
| iam-user-name | n/a |
|
||||
No outputs.
|
||||
|
||||
---
|
||||
## Authorship
|
||||
This module was developed by xpk.
|
||||
This module was developed by Rackspace.
|
||||
@@ -0,0 +1,28 @@
|
||||
module "example" {
|
||||
source = "../"
|
||||
user_name = "example-user"
|
||||
create_group_name = "example-group"
|
||||
create_access_key = false
|
||||
enable_console_access = true
|
||||
custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json
|
||||
secretsmanager_kms_arn = "arn:aws:kms:ap-east-1:000011112222:key/0000"
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "ec2-restart" {
|
||||
statement {
|
||||
sid = "StartStopEc2Instances"
|
||||
|
||||
actions = [
|
||||
"ec2:StartInstances",
|
||||
"ec2:StopInstances",
|
||||
"ec2:Describe*"
|
||||
]
|
||||
|
||||
resources = [
|
||||
"arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
|
||||
"arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
|
||||
]
|
||||
|
||||
effect = "Allow"
|
||||
}
|
||||
}
|
||||
@@ -1,27 +1,90 @@
|
||||
resource "aws_iam_user" "iam-user" {
|
||||
name = var.iam-user-name
|
||||
/**
|
||||
* # iam-user module
|
||||
* Creates iam user. If new group will be created for this user, use custom_iam_policy_json to
|
||||
* attach iam policy to the group. You can also use attach_iam_policies to attach AWS-managed policies.
|
||||
*
|
||||
* ## Security requirements
|
||||
* IAM policies must be attached to iam group, not directly to iam user.
|
||||
* This module requires a new group be created, or an existing group for the user to be added to.
|
||||
*
|
||||
* User credentials are saved in secretsmanager, which must be encrypted with CMK
|
||||
*/
|
||||
|
||||
resource "aws_iam_group" "group" {
|
||||
count = var.create_group_name != null ? 1 : 0
|
||||
name = var.create_group_name
|
||||
}
|
||||
|
||||
resource "aws_iam_user" "user" {
|
||||
name = var.user_name
|
||||
force_destroy = true
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "iam-user-access-key" {
|
||||
count = var.create-access-key ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
resource "aws_iam_group_membership" "membership" {
|
||||
group = coalesce(var.create_group_name, var.existing_group_name)
|
||||
users = [aws_iam_user.user.name]
|
||||
name = "${var.user_name} membership"
|
||||
|
||||
lifecycle {
|
||||
precondition {
|
||||
condition = var.create_group_name != null || var.existing_group_name != null
|
||||
error_message = "You must provide either 'create_group_name' or 'existing_group_name'."
|
||||
}
|
||||
|
||||
precondition {
|
||||
condition = !(var.create_group_name != null && var.existing_group_name != null)
|
||||
error_message = "You cannot provide both 'create_group_name' and 'existing_group_name' at the same time."
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy" "iam-user-policy" {
|
||||
count = var.iam-user-policy != "" ? 1 : 0
|
||||
name = var.iam-user-policy-name
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy = var.iam-user-policy
|
||||
resource "aws_iam_user_login_profile" "profile" {
|
||||
count = var.enable_console_access ? 1 : 0
|
||||
user = var.user_name
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
|
||||
name = "SelfServicePermissions"
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy = data.aws_iam_policy_document.user-policy.json
|
||||
resource "aws_iam_policy" "policy" {
|
||||
name_prefix = var.user_name
|
||||
description = "Policy for ${var.user_name}"
|
||||
policy = data.aws_iam_policy_document.policy.json
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "user-policy" {
|
||||
resource "aws_iam_group_policy_attachment" "policy" {
|
||||
depends_on = [aws_iam_group.group] # attach policy only to new group
|
||||
group = var.create_group_name
|
||||
policy_arn = aws_iam_policy.policy.arn
|
||||
}
|
||||
|
||||
resource "aws_iam_group_policy_attachment" "ManagedPolicies" {
|
||||
for_each = toset(var.attach_iam_policies)
|
||||
group = coalesce(var.create_group_name, var.existing_group_name)
|
||||
policy_arn = each.value
|
||||
}
|
||||
|
||||
resource "aws_iam_access_key" "AccessKey" {
|
||||
count = var.create_access_key ? 1 : 0
|
||||
user = aws_iam_user.user.name
|
||||
}
|
||||
|
||||
module "UserCredentials" {
|
||||
source = "../secretsmanager-2025"
|
||||
|
||||
name = "${var.user_name}-IamUser-Credentials"
|
||||
description = "Credentials for iam user ${var.user_name}"
|
||||
generate_secret = false
|
||||
secret = jsonencode(
|
||||
{
|
||||
"ConsolePassword" : var.enable_console_access ? aws_iam_user_login_profile.profile[0].password : "NotSet"
|
||||
"AccessKeyId" : var.create_access_key ? aws_iam_access_key.AccessKey[0].id : "NotSet"
|
||||
"SecretKey" : var.create_access_key ? aws_iam_access_key.AccessKey[0].secret : "NotSet"
|
||||
}
|
||||
)
|
||||
kms_key_id = var.secretsmanager_kms_arn
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "policy" {
|
||||
source_policy_documents = [var.custom_iam_policy_json]
|
||||
|
||||
statement {
|
||||
sid = "ManageOwnCredentials"
|
||||
|
||||
@@ -42,58 +105,4 @@ data "aws_iam_policy_document" "user-policy" {
|
||||
effect = "Allow"
|
||||
resources = ["arn:aws:iam::*:user/$${aws:username}"]
|
||||
}
|
||||
|
||||
statement {
|
||||
sid = "GetBasicUserInfo"
|
||||
actions = [
|
||||
"iam:GetAccountPasswordPolicy",
|
||||
"iam:GetAccessKeyLastUsed",
|
||||
"iam:GetUserPolicy"
|
||||
]
|
||||
effect = "Allow"
|
||||
resources = ["*"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
|
||||
count = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
|
||||
user = aws_iam_user.iam-user.name
|
||||
policy_arn = var.managed-policy-arns[count.index]
|
||||
}
|
||||
|
||||
resource "aws_iam_user_login_profile" "iam-user-profile" {
|
||||
count = var.create-password ? 1 : 0
|
||||
user = aws_iam_user.iam-user.name
|
||||
password_length = 20
|
||||
pgp_key = null
|
||||
}
|
||||
|
||||
resource "random_id" "secrets-random-id" {
|
||||
byte_length = 2
|
||||
}
|
||||
|
||||
resource "aws_secretsmanager_secret" "secretmanager" {
|
||||
count = var.create-access-key || var.create-password ? 1 : 0
|
||||
name = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
|
||||
description = "AWS resource credential"
|
||||
}
|
||||
|
||||
resource "aws_secretsmanager_secret_version" "iam-user-secret" {
|
||||
count = var.create-access-key || var.create-password ? 1 : 0
|
||||
secret_id = aws_secretsmanager_secret.secretmanager[0].id
|
||||
secret_string = jsonencode(
|
||||
{
|
||||
"ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet",
|
||||
"AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
|
||||
"KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
|
||||
}
|
||||
)
|
||||
}
|
||||
|
||||
resource "aws_iam_group_membership" "group-membership" {
|
||||
for_each = toset(var.add-to-groups)
|
||||
name = "MembershipToExistingGroups"
|
||||
group = each.value
|
||||
users = [aws_iam_user.iam-user.name]
|
||||
}
|
||||
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
output "iam-user-name" {
|
||||
value = aws_iam_user.iam-user.name
|
||||
}
|
||||
|
||||
output "iam-user-arn" {
|
||||
value = aws_iam_user.iam-user.arn
|
||||
}
|
||||
|
||||
output "iam-user-access-key" {
|
||||
value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
|
||||
}
|
||||
|
||||
output "iam-user-secret-arn" {
|
||||
value = try(aws_secretsmanager_secret_version.iam-user-secret[0].arn, "none")
|
||||
}
|
||||
@@ -1,20 +1,44 @@
|
||||
variable "iam-user-name" {}
|
||||
variable "iam-user-policy" {
|
||||
type = string
|
||||
default = ""
|
||||
variable "create_group_name" {
|
||||
type = string
|
||||
description = "Name of new group to be created and add user to"
|
||||
default = null
|
||||
}
|
||||
variable "iam-user-policy-name" {
|
||||
type = string
|
||||
default = ""
|
||||
|
||||
variable "user_name" {
|
||||
type = string
|
||||
description = "Name of IAM user"
|
||||
}
|
||||
variable "create-access-key" {
|
||||
type = bool
|
||||
|
||||
variable "existing_group_name" {
|
||||
type = string
|
||||
description = "Name of existing group to add user to"
|
||||
default = null
|
||||
}
|
||||
variable "create-password" {
|
||||
type = bool
|
||||
|
||||
variable "enable_console_access" {
|
||||
type = bool
|
||||
description = "Enable console access"
|
||||
}
|
||||
variable "managed-policy-arns" {}
|
||||
variable "add-to-groups" {
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "custom_iam_policy_json" {
|
||||
type = string
|
||||
description = "Json encoded aws_iam_policy_document, only applicable when create_group_name is used."
|
||||
}
|
||||
|
||||
variable "attach_iam_policies" {
|
||||
type = list(string)
|
||||
description = "Aws-Managed iam policies to be attached"
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "create_access_key" {
|
||||
type = bool
|
||||
description = "Create access key for user"
|
||||
}
|
||||
|
||||
variable "secretsmanager_kms_arn" {
|
||||
type = string
|
||||
description = "KMS key arn of secretsmanager"
|
||||
}
|
||||
|
||||
data "aws_caller_identity" "this" {}
|
||||
|
||||
@@ -1,9 +0,0 @@
|
||||
terraform {
|
||||
required_version = ">= 1.3.9"
|
||||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = ">= 5.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user