Merge pull request #51 from cisagov/improvement/iam-user-login-profile

Add IAM user login profile
cisagov · Dec 20, 2024 · 55a490e · 55a490e
2 parents 6701f52 + c965088
commit 55a490e
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -58,6 +58,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_login_profile.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
 | [aws_iam_user_policy_attachment.self_managed_creds_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_policy_attachment.self_managed_creds_without_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -73,7 +74,9 @@ No modules.
 
 ## Outputs ##
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| initial\_passwords | A map whose keys are the usernames of each non-admin user and whose values are the initial password (which must be changed at first login) for that user. |
 <!-- END_TF_DOCS -->
 
 ## Notes ##

diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,4 @@
+output "initial_passwords" {
+  description = "A map whose keys are the usernames of each non-admin user and whose values are the initial password (which must be changed at first login) for that user."
+  value       = { for k, v in aws_iam_user_login_profile.users : k => v.password }
+}
diff --git a/users.tf b/users.tf
@@ -7,6 +7,27 @@ resource "aws_iam_user" "users" {
   name = each.key
 }
 
+# The login profile for each user; note that the user's initial console
+# password is set here, and the user is required to change it at first login.
+resource "aws_iam_user_login_profile" "users" {
+  provider = aws.users
+
+  for_each = toset(keys(var.users))
+
+  password_reset_required = true
+  user                    = aws_iam_user.users[each.key].name
+
+  lifecycle {
+    # Required so that Terraform doesn't reset the password if the user login
+    # profile was created outside of Terraform (password_length) or after the
+    # user has changed their initial password (password_reset_required).
+    ignore_changes = [
+      password_length,
+      password_reset_required
+    ]
+  }
+}
+
 # Attach the self-administration (with MFA required) policy to each user
 # where self_managed is true and require_mfa is true
 resource "aws_iam_user_policy_attachment" "self_managed_creds_with_mfa" {