Terraform module to provision a basic IAM user suitable for CI/CD systems or other systems external to AWS that cannot use AWS IAM instance profiles or AWS OIDC federation.

By default, IAM users, groups, and roles have no access to AWS resources; IAM policies are the means by which privileges are granted to them. It is recommended that IAM policies be attached to groups and roles rather than directly to users. This module intentionally attaches an IAM policy directly to the user and does not use groups.

If an AWS access key is created, it is stored either in AWS Secrets Manager or provided as a module output, but not both. Using Secrets Manager is recommended because module outputs are stored in plaintext in the Terraform state file. The Secrets Manager secret is provisioned by an external module (see the modules table below).
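The plaintext-state caveat above as a check, added here and not part of the module: a Python scanner over a constructed tfstate excerpt (the module name `iam_deny` is borrowed from the example at the end of this README; the user name and key values are placeholders) that reports where access key material sits in state.

```python
import json

# Constructed tfstate excerpt (state format version 4) for illustration only;
# the values are placeholders, not real credentials. It mirrors what the module
# leaves behind with sm_enabled = false: resource attributes plus outputs.
SAMPLE_TFSTATE = json.dumps({
    "version": 4,
    "outputs": {
        "access_key_id": {"value": "AKIAEXAMPLEPLACEHOLD", "type": "string"},
        "secret_access_key": {"value": "EXAMPLE-SECRET-PLACEHOLDER", "type": "string"},
        "secret_arn": {"value": "", "type": "string"},
    },
    "resources": [{
        "module": "module.iam_deny",
        "mode": "managed",
        "type": "aws_iam_access_key",
        "name": "this",
        "instances": [{"attributes": {
            "id": "AKIAEXAMPLEPLACEHOLD",
            "secret": "EXAMPLE-SECRET-PLACEHOLDER",
            "ses_smtp_password_v4": "EXAMPLE-SMTP-PLACEHOLDER",
            "user": "ci-deployer",
        }}],
    }],
})

# aws_iam_access_key attributes that hold usable long-lived credentials.
SECRET_ATTRS = ("secret", "ses_smtp_password_v4")
# Module outputs that carry the same values when sm_enabled = false.
SECRET_OUTPUTS = ("secret_access_key", "ses_smtp_password_v4")


def find_plaintext_secrets(state_json: str) -> list:
    """Return dotted locations in a tfstate document holding a non-empty secret."""
    state = json.loads(state_json)
    hits = []
    for name, out in state.get("outputs", {}).items():
        if name in SECRET_OUTPUTS and out.get("value"):
            hits.append(f"outputs.{name}")
    for res in state.get("resources", []):
        if res.get("type") != "aws_iam_access_key":
            continue
        parts = (res.get("module"), res["type"], res["name"])
        prefix = ".".join(p for p in parts if p)
        for idx, inst in enumerate(res.get("instances", [])):
            attrs = inst.get("attributes") or {}
            hits.extend(f"{prefix}[{idx}].{a}" for a in SECRET_ATTRS if attrs.get(a))
    return hits
```

Terraform records the aws_iam_access_key resource's own attributes in state even when the module outputs are empty, so the state file needs the same protection whatever sm_enabled is set to.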
The MIT License (MIT)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
Source: <https://opensource.org/licenses/MIT>
See LICENSE for full details.
Name | Version |
---|---|
terraform | >= 0.14 |
aws | >= 2.0.0 |
Name | Source | Version |
---|---|---|
secret_iam | Infrastrukturait/secret-manager/aws | 0.2.0 |
Name | Type |
---|---|
aws_iam_access_key.this | resource |
aws_iam_user.this | resource |
aws_iam_user_policy.this | resource |
aws_iam_user_policy_attachment.this | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
create_iam_access_key | Whether or not to create IAM access keys. | bool | true | no |
force_destroy | Destroy the user even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. | bool | false | no |
inline_policies | Inline policies to attach to our created user. | list(string) | [] | no |
inline_policies_map | Inline policies to attach (descriptive key => policy). | map(string) | {} | no |
name | Name of the created user. | string | n/a | yes |
path | Path in which to create the user. | string | "/" | no |
permissions_boundary | Permissions boundary ARN to attach to our created user. | string | null | no |
policy_arns | Policy ARNs to attach to our created user. | list(string) | [] | no |
policy_arns_map | Policy ARNs to attach (descriptive key => arn). | map(string) | {} | no |
sm_base_path | The base path under which secrets are stored in AWS Secrets Manager. | string | "/system_user/" | no |
sm_enabled | Set true to store secrets in AWS Secrets Manager, false to store them in Terraform state as outputs. Since the Terraform state would then contain the secrets in plaintext, use of AWS Secrets Manager is recommended. | bool | true | no |
sm_ses_smtp_password_enabled | Whether or not to create an SES SMTP password. | bool | false | no |
tags | Resource tags. | map(string) | {} | no |
Name | Description |
---|---|
access_key_id | The access key ID |
secret_access_key | When sm_enabled is false, this is the secret access key for the IAM user. It will be written to the state file in plaintext. When sm_enabled is true, this output is empty to keep the value secure. |
secret_arn | Secrets Manager ARN under which the IAM user's access key ID and secret access key are stored |
ses_smtp_password_v4 | When sm_enabled is false, this is the secret access key converted into an SES SMTP password by applying AWS's SigV4 conversion algorithm. It will be written to the Terraform state file in plaintext. When sm_enabled is true, this output is empty to keep the value secure. |
sm_enabled | true when secrets are stored in Secrets Manager, false when secrets are stored in Terraform state as outputs. |
user_arn | The ARN assigned by AWS for this user |
user_name | Normalized IAM user name |
user_unique_id | The unique ID assigned by AWS |
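What the ses_smtp_password_v4 output actually contains, as an added example that is not part of this module: AWS's documented SigV4 conversion of a secret access key into a region-specific SES SMTP password, written here in Python. The secret key in the sample is AWS's documentation placeholder, and the `is_smtp_password_v4` helper is this example's own addition, a structural check useful when reviewing state files or logs for such values.

```python
import base64
import hashlib
import hmac

# Fixed inputs of AWS's SigV4-to-SMTP-password derivation (the same derivation
# that produces Terraform's ses_smtp_password_v4 attribute).
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password_v4(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password for `region` from an IAM secret access key."""
    signature = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    signature = _sign(signature, region)
    signature = _sign(signature, SERVICE)
    signature = _sign(signature, TERMINAL)
    signature = _sign(signature, MESSAGE)
    # Prefix the version byte and base64-encode: 33 bytes -> 44 characters.
    return base64.b64encode(bytes([VERSION]) + signature).decode("ascii")


def is_smtp_password_v4(candidate: str) -> bool:
    """Structural check: base64 of (0x04 || 32-byte HMAC-SHA256) with version byte 4."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 33 and raw[0] == VERSION


if __name__ == "__main__":
    # AWS documentation sample key; not a real credential.
    sample_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    print(ses_smtp_password_v4(sample_secret, "eu-west-1"))
```

The derived password is a usable credential in its own right, which is why the module treats it exactly like the secret access key when deciding where to store it.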
```hcl
# Deny-all policy document: the user exists and can hold an access key but
# cannot perform any action, which makes this a safe smoke test of the module.
data "aws_iam_policy_document" "deny" {
  statement {
    sid       = "DenyAll"
    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]
  }
}

module "iam_deny" {
  # Relative path to the module root (this example lives two levels below it)
  source = "../../"

  name                  = var.name
  force_destroy         = true
  create_iam_access_key = var.create_iam_access_key

  # Attach the deny-all document as an inline policy on the user
  inline_policies = [data.aws_iam_policy_document.deny.json]

  # Secret storage: Secrets Manager (true) or plaintext outputs (false)
  sm_enabled                   = var.sm_enabled
  sm_base_path                 = var.sm_base_path
  sm_ses_smtp_password_enabled = var.sm_ses_smtp_password_enabled
}
```