feat: Added direct policy attachment in iam-user module #387

Merged
10 changes: 8 additions & 2 deletions examples/iam-user/README.md
@@ -25,7 +25,9 @@ Run `terraform destroy` when you don't need these resources.

## Providers

No providers.
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |

## Modules

@@ -34,10 +36,13 @@ No providers.
| <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/iam-user | n/a |
| <a name="module_iam_user2"></a> [iam\_user2](#module\_iam\_user2) | ../../modules/iam-user | n/a |
| <a name="module_iam_user3"></a> [iam\_user3](#module\_iam\_user3) | ../../modules/iam-user | n/a |
| <a name="module_iam_user4"></a> [iam\_user4](#module\_iam\_user4) | ../../modules/iam-user | n/a |

## Resources

No resources.
| Name | Type |
|------|------|
| [aws_iam_policy.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |

## Inputs

@@ -47,6 +52,7 @@ No inputs.

| Name | Description |
|------|-------------|
| <a name="output_custom_iam_policy_arns"></a> [custom\_iam\_policy\_arns](#output\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user |
| <a name="output_iam_access_key_encrypted_secret"></a> [iam\_access\_key\_encrypted\_secret](#output\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded |
| <a name="output_iam_access_key_id"></a> [iam\_access\_key\_id](#output\_iam\_access\_key\_id) | The access key ID |
| <a name="output_iam_access_key_key_fingerprint"></a> [iam\_access\_key\_key\_fingerprint](#output\_iam\_access\_key\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the secret |
18 changes: 18 additions & 0 deletions examples/iam-user/main.tf
@@ -46,3 +46,21 @@ module "iam_user3" {
create_iam_access_key = true
iam_access_key_status = "Inactive"
}

###################################################################
# IAM user with AmazonSNSReadOnlyAccess policy assigned
###################################################################

data "aws_iam_policy" "example" {
name = "AmazonS3ReadOnlyAccess"
}

module "iam_user4" {
source = "../../modules/iam-user"

name = "vasya.pupkin6"

create_iam_user_login_profile = false
create_iam_access_key = true
custom_iam_policy_arns = [data.aws_iam_policy.example.arn]
}
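Review bot: the banner comment above the data source says `AmazonSNSReadOnlyAccess`, but `data "aws_iam_policy" "example"` looks up `name = "AmazonS3ReadOnlyAccess"`, so the comment and the code disagree; rename the comment to `# IAM user with AmazonS3ReadOnlyAccess policy assigned` (or change `name` if SNS was the intent). Since `iam_user4` is the only example that attaches a managed policy, it would also help readers to say in the comment that the data source resolves the ARN of an AWS-managed policy, which is what a user of the module will typically pass in `custom_iam_policy_arns`.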
5 changes: 5 additions & 0 deletions examples/iam-user/outputs.tf
@@ -85,3 +85,8 @@ output "keybase_secret_key_pgp_message" {
description = "Encrypted access secret key"
value = module.iam_user.keybase_secret_key_pgp_message
}

output "custom_iam_policy_arns" {
description = "The list of ARNs of policies directly assigned to the IAM user"
value = module.iam_user.policy_arns
}
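Review bot: `value = module.iam_user.policy_arns` reads the wrong module instance; in this PR the only instance that sets `custom_iam_policy_arns` is `module.iam_user4` (examples/iam-user/main.tf), so this output will always evaluate to `[]`. Change it to `value = module.iam_user4.policy_arns` so the example actually shows the attached policy ARN.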
3 changes: 3 additions & 0 deletions modules/iam-user/README.md
@@ -46,6 +46,7 @@ No modules.
| [aws_iam_access_key.this_no_pgp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_login_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
| [aws_iam_user_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_ssh_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_ssh_key) | resource |

## Inputs
@@ -55,6 +56,7 @@ No modules.
| <a name="input_create_iam_access_key"></a> [create\_iam\_access\_key](#input\_create\_iam\_access\_key) | Whether to create IAM access key | `bool` | `true` | no |
| <a name="input_create_iam_user_login_profile"></a> [create\_iam\_user\_login\_profile](#input\_create\_iam\_user\_login\_profile) | Whether to create IAM user login profile | `bool` | `true` | no |
| <a name="input_create_user"></a> [create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no |
| <a name="input_custom_iam_policy_arns"></a> [custom\_iam\_policy\_arns](#input\_custom\_iam\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no |
| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no |
| <a name="input_iam_access_key_status"></a> [iam\_access\_key\_status](#input\_iam\_access\_key\_status) | Access key status to apply. | `string` | `null` | no |
| <a name="input_name"></a> [name](#input\_name) | Desired name for the IAM user | `string` | n/a | yes |
@@ -94,4 +96,5 @@ No modules.
| <a name="output_keybase_ses_smtp_password_v4_decrypt_command"></a> [keybase\_ses\_smtp\_password\_v4\_decrypt\_command](#output\_keybase\_ses\_smtp\_password\_v4\_decrypt\_command) | Decrypt SES SMTP password command |
| <a name="output_keybase_ses_smtp_password_v4_pgp_message"></a> [keybase\_ses\_smtp\_password\_v4\_pgp\_message](#output\_keybase\_ses\_smtp\_password\_v4\_pgp\_message) | Encrypted SES SMTP password |
| <a name="output_pgp_key"></a> [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| <a name="output_policy_arns"></a> [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
7 changes: 7 additions & 0 deletions modules/iam-user/main.tf
@@ -45,3 +45,10 @@ resource "aws_iam_user_ssh_key" "this" {
encoding = var.ssh_key_encoding
public_key = var.ssh_public_key
}

resource "aws_iam_user_policy_attachment" "this" {
for_each = var.create_user ? toset(var.custom_iam_policy_arns) : []

user = aws_iam_user.this[0].name
policy_arn = each.value
}
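Review bot: the two branches of the `for_each` conditional have different types (`set(string)` from `toset(...)` versus an empty tuple from `[]`); write the false branch as `toset([])` so both sides are the same type and Terraform does not depend on implicit conversion. Two caveats belong in the variable description: because the ARNs become `for_each` keys they must be known at plan time, so an `aws_iam_policy` created in the same apply cannot be passed here without a separate earlier apply (a data source lookup, as in the example, is fine); and `aws_iam_user_policy_attachment` is non-exclusive, so policies attached to the user outside Terraform are neither removed nor reported by this module.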
5 changes: 5 additions & 0 deletions modules/iam-user/outputs.tf
@@ -149,3 +149,8 @@ output "iam_user_ssh_key_fingerprint" {
description = "The MD5 message digest of the SSH public key"
value = try(aws_iam_user_ssh_key.this[0].fingerprint, "")
}

output "policy_arns" {
description = "The list of ARNs of policies directly assigned to the IAM user"
value = [for policy_attachment in aws_iam_user_policy_attachment.this : policy_attachment.policy_arn]
}
6 changes: 6 additions & 0 deletions modules/iam-user/variables.tf
@@ -81,6 +81,12 @@ variable "permissions_boundary" {
default = ""
}

variable "custom_iam_policy_arns" {
description = "The list of ARNs of policies directly assigned to the IAM user"
type = list(string)
default = []
}

variable "tags" {
description = "A map of tags to add to all resources."
type = map(string)
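Review bot: a malformed entry in `custom_iam_policy_arns` currently fails only at apply time, inside the `aws_iam_user_policy_attachment` resource; add a `validation` block so it fails at plan time, e.g. `condition = alltrue([for arn in var.custom_iam_policy_arns : can(regex("^arn:aws[a-zA-Z-]*:iam::(aws|[0-9]{12}):policy/", arn))])` with an `error_message` naming the expected IAM policy ARN format. This also documents that both AWS-managed (`::aws:policy/`) and customer-managed (`::<account-id>:policy/`) ARNs are accepted.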
1 change: 1 addition & 0 deletions wrappers/iam-user/main.tf
@@ -17,5 +17,6 @@ module "wrapper" {
ssh_key_encoding = try(each.value.ssh_key_encoding, var.defaults.ssh_key_encoding, "SSH")
ssh_public_key = try(each.value.ssh_public_key, var.defaults.ssh_public_key, "")
permissions_boundary = try(each.value.permissions_boundary, var.defaults.permissions_boundary, "")
custom_iam_policy_arns = try(each.value.custom_iam_policy_arns, var.defaults.custom_iam_policy_arns, [])
tags = try(each.value.tags, var.defaults.tags, {})
}