Skip to content

LaunchRack/terraform-aws-iam-user

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

LaunchRack logo

We are huge followers of the Cloud-Native DevOps movement and are firm believers in the power of treating Infrastructure as Code using immutable architecture & GitOps style deployments. We adhere to a strict automation mindset (automation first, as opposed to manual first with automation later) and strive to provide the best technical acumen that will enable organizations improve Cloud Security Posture, Release More Often, Scale with Demand, Brace Agility, Operate within Budget and focus on value derived by the time saved on the execution of a task rather than having to spend cycles on design & tool selection.

Our consistent and automated processes can help you improve:

✔ Better utilization of cloud resources by 40%
✔ Self-service infrastructure provisioning by 35%
Security and governance by 30%
✔ Return on value/investment by 20%
✔ Team management & governance by 15%
✔ Earlier detection of bugs by 32%
✔ Response to issues/events by 23%

Chat more? Email | Contact us

linkedin logo twitter logo facebook logo


Terraform AWS IAM user

GitHub license GitHub release (latest by date)

Creates IAM user, IAM login profile, IAM access key and Uploads IAM SSH user public key. All of these are optional resources.

Note:

  • If possible, always use PGP encryption (via keybase) to prevent Terraform from keeping unencrypted password and access secret key in state file
  • When pgp_key is specified as keybase:username, make sure that the user has already uploaded public key to keybase.io. For example, user's public key with username test can be verified here
  • This module outputs commands and PGP messages which can be decrypted either using keybase.io website or using command line to get user's password and user's secret key

Attribution: This module is a slightly improvised version of the community repository

Features

  • Creates IAM user
  • Creates IAM login profile
  • Creates IAM access key
  • Uploads IAM SSH user public key

Usage

module "aws_iam_user" {
  source         = "git::https://github.com/LaunchRack/terraform-aws-iam-user.git"

  name           = "test"
  force_destroy  = true
  pgp_key        = "keybase:test" # keybase user name

  tags = {
    BusinessUnit = "tools"
    Application  = "cicd"
  }
}

Setup Instructions

terraform init

terraform plan # use -var-file=terraform.tfvars if you plan to use a different file for the value overrides. See examples folder

terraform apply -auto-approve # use -var-file=terraform.tfvars if you plan to use a different file for the value overrides. See examples folder

Note: The terraform.tfvars file will need to be created in the root directory with value overrides

Requirements

Name Version
terraform ~> 1.0
aws ~> 4.0
local ~> 2.0
null ~> 3.0

Providers

Name Version
aws ~> 4.0

Resources

Name Type
aws_iam_access_key.this resource
aws_iam_access_key.this_no_pgp resource
aws_iam_user.this resource
aws_iam_user_login_profile.this resource
aws_iam_user_ssh_key.this resource

Inputs

Name Description Type Default Required
create_iam_access_key Whether to create IAM access key. bool true no
create_iam_user_login_profile Whether to create IAM user login profile. bool true no
create_user Whether to create the IAM user. bool true no
force_destroy When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. bool false no
name Desired name for the IAM user. string n/a yes
password_length The length of the generated password. number 20 no
password_reset_required Whether the user should be forced to reset the generated password on first login. bool true no
path Desired path for the IAM user. string "/" no
permissions_boundary The ARN of the policy that is used to set the permissions boundary for the user. string "" no
pgp_key Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. string "" yes
ssh_key_encoding Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM. string "SSH" no
ssh_public_key The SSH public key. The public key must be encoded in ssh-rsa format or PEM format. string "" no
tags A map of tags for the resources. map(string) {} no
upload_iam_user_ssh_key Whether to upload a public ssh key to the IAM user. bool false no

Outputs

Name Description
keybase_password_decrypt_command The keybase password decrypt command.
keybase_password_pgp_message The keybase password pgp message.
keybase_secret_key_decrypt_command The keybase secret key decrypt command.
keybase_secret_key_pgp_message The keybase secret key pgp message.
pgp_key PGP key used to encrypt sensitive data for this user. (if empty - secrets are not encrypted)
this_iam_access_key_encrypted_secret The encrypted secret, base64 encoded.
this_iam_access_key_id The access key ID.
this_iam_access_key_key_fingerprint The fingerprint of the PGP key used to encrypt the secret.
this_iam_access_key_secret The access key secret.
this_iam_access_key_ses_smtp_password The secret access key converted into an SES SMTP password.
this_iam_access_key_status Active or Inactive. Keys are initially active, but can be made inactive by other means.
this_iam_user_arn The ARN assigned by AWS for this user.
this_iam_user_login_profile_encrypted_password The encrypted password, base64 encoded.
this_iam_user_login_profile_key_fingerprint The fingerprint of the PGP key used to encrypt the password.
this_iam_user_name The user's name.
this_iam_user_ssh_key_fingerprint The MD5 message digest of the SSH public key.
this_iam_user_ssh_key_ssh_public_key_id The unique identifier for the SSH public key.
this_iam_user_unique_id The unique ID assigned by AWS.

Authors

This module is maintained by our awsome platform engineering team. Here are our contributors

License

See LICENSE for full details

Trademarks

All other trademarks referenced herein are the property of their respective owners