
feat: new iam-user module and secretsmanager-2025 module

This commit is contained in:
xpk
2026-04-25 21:42:02 +08:00
parent 5fd8aa807f
commit 2ef2ad1571
12 changed files with 473 additions and 140 deletions
@@ -1,4 +1,47 @@
<!-- This readme file is generated with terraform-docs -->
## Example
```hcl
module "example" {
source = "../"
user_name = "example-user"
create_group_name = "example-group"
create_access_key = false
enable_console_access = true
custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json
secretsmanager_kms_arn = "arn:aws:kms:ap-east-1:000011112222:key/0000"
}
data "aws_iam_policy_document" "ec2-restart" {
statement {
sid = "StartStopEc2Instances"
actions = [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:Describe*"
]
resources = [
"arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
"arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
]
effect = "Allow"
}
}
```
# iam-user module
Creates iam user. If new group will be created for this user, use custom\_iam\_policy\_json to
attach iam policy to the group. You can also use attach\_iam\_policies to attach AWS-managed policies.
## Security requirements
IAM policies must be attached to iam group, not directly to iam user.
This module requires a new group be created, or an existing group for the user to be added to.
User credentials are saved in secretsmanager, which must be encrypted with CMK
## Requirements
No requirements.
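Review bot: the example block is not self-contained as written: the policy document's `resources` entries reference `data.aws_caller_identity.this.account_id`, but the example never declares that data source (the `aws_caller_identity.this` listed under Resources lives inside the module, so it is not visible to the caller), and a reader copying the example will get an "undeclared data source" error. Add `data "aws_caller_identity" "this" {}` alongside the `ec2-restart` document. Separately, `ec2:Describe*` is placed in the same statement as the two instance ARNs; the EC2 Describe actions do not support resource-level permissions, so as written that statement grants Start/Stop on the two instances but no Describe access at all. Splitting Describe into its own statement with `resources = ["*"]` keeps the example both working and least-privilege. Minor: the "Security requirements" line on secretsmanager encryption lacks a terminating period.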
@@ -6,51 +49,47 @@ No requirements.
## Providers
| Name | Version |
|------|---------|
| ---- | ------- |
| aws | n/a |
| random | n/a |
## Modules
No modules.
| Name | Source | Version |
| ---- | ------ | ------- |
| UserCredentials | ../secretsmanager-2025 | n/a |
## Resources
| Name | Type |
|------|------|
| [aws_iam_access_key.iam-user-access-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_group_membership.group-membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
| [aws_iam_user.iam-user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_login_profile.iam-user-profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
| [aws_iam_user_policy.iam-user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_iam_user_policy.iam-user-selfservice-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
| [aws_iam_user_policy_attachment.iam-user-managed-policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_secretsmanager_secret.secretmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
| [aws_secretsmanager_secret_version.iam-user-secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
| [random_id.secrets-random-id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [random_password.iam-user-pass](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| ---- | ---- |
| [aws_iam_access_key.AccessKey](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
| [aws_iam_group_membership.membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
| [aws_iam_group_policy_attachment.ManagedPolicies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
| [aws_iam_group_policy_attachment.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_login_profile.profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| add-to-groups | n/a | `list(string)` | `[]` | no |
| create-access-key | n/a | `bool` | n/a | yes |
| create-password | n/a | `bool` | n/a | yes |
| iam-user-name | n/a | `any` | n/a | yes |
| iam-user-policy | n/a | `string` | `""` | no |
| iam-user-policy-name | n/a | `string` | `""` | no |
| managed-policy-arns | n/a | `any` | n/a | yes |
| ---- | ----------- | ---- | ------- | :------: |
| attach\_iam\_policies | Aws-Managed iam policies to be attached | `list(string)` | `[]` | no |
| create\_access\_key | Create access key for user | `bool` | n/a | yes |
| create\_group\_name | Name of new group to be created and add user to | `string` | `null` | no |
| custom\_iam\_policy\_json | Json encoded aws\_iam\_policy\_document, only applicable when create\_group\_name is used. | `string` | n/a | yes |
| enable\_console\_access | Enable console access | `bool` | n/a | yes |
| existing\_group\_name | Name of existing group to add user to | `string` | `null` | no |
| secretsmanager\_kms\_arn | KMS key arn of secretsmanager | `string` | n/a | yes |
| user\_name | Name of IAM user | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| iam-user-access-key | n/a |
| iam-user-arn | n/a |
| iam-user-name | n/a |
No outputs.
---
## Authorship
This module was developed by xpk.
This module was developed by Rackspace.
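Review bot: the Inputs table marks `custom_iam_policy_json` as Required with no default, yet its own description says it is "only applicable when create_group_name is used" and `create_group_name` defaults to `null`. A caller taking the `existing_group_name` path is therefore forced to supply a policy JSON that the module ignores. Give the variable `default = null` and guard the `aws_iam_policy.policy` / `aws_iam_group_policy_attachment.policy` resources on `create_group_name != null`, or add a `validation` block that rejects the combination of `existing_group_name` with a non-null `custom_iam_policy_json` so the README and the variable agree. Also, the rewrite drops every output ("No outputs."): the old module exposed the user ARN and name, and the new one additionally creates a secret via `../secretsmanager-2025`, so consumers now have no way to reference the user ARN or the secret's ARN from Terraform; consider re-adding outputs for those two values. Finally, the Providers and Resources tables still contain the old `|------|` separator rows next to the new `| ---- |` ones, which will render as stray table rows; terraform-docs should be re-run so only one separator row remains per table.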