From 1cca98ea0c9b2d6f0e4033deb42503318351c33b Mon Sep 17 00:00:00 2001
From: David Redmin
Date: Wed, 18 Dec 2024 14:33:46 -0500
Subject: [PATCH 1/4] Add a user login profile

This enables console access for the user and creates an initial password, which must be changed the first time they login. This saves us from having to manually set up their initial password in the AWS console.
---
 users.tf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/users.tf b/users.tf
index 018b6da..6664530 100644
--- a/users.tf
+++ b/users.tf
@@ -7,6 +7,27 @@ resource "aws_iam_user" "users" {
 name = each.key
 }
+# The login profile for each user; note that the user's initial console
+# password is set here, and the user is required to change it at first login.
+resource "aws_iam_user_login_profile" "users" {
+ provider = aws.users
+
+ for_each = toset(keys(var.users))
+
+ password_reset_required = true
+ user = aws_iam_user.users[each.key].name
+
+ lifecycle {
+ # Required so that Terraform doesn't reset the password if the user login
+ # profile was created outside of Terraform (password_length) or after the
+ # user has changed their initial password (password_reset_required).
+ ignore_changes = [
+ password_length,
+ password_reset_required
+ ]
+ }
+}
+
 # Attach the self-administration (with MFA required) policy to each user
+
 # where self_managed is true and require_mfa is true
 resource "aws_iam_user_policy_attachment" "self_managed_creds_with_mfa" {

From 860c379fb497abedf3e5c70036959cd566d74a24 Mon Sep 17 00:00:00 2001
From: David Redmin
Date: Wed, 18 Dec 2024 14:35:03 -0500
Subject: [PATCH 2/4] Add an output to show the initial password for each user

---
 outputs.tf | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 outputs.tf

diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..9f8b9e4
--- /dev/null
+++ b/outputs.tf 
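Review bot: The `aws_iam_user_login_profile.users` resource is created without a `pgp_key`, so the provider generates the initial password and stores it in plaintext in the Terraform state, where anyone with read access to the state backend can recover every user's initial credential. Supplying `pgp_key = "<base64 PGP public key or keybase:username — placeholder>"` makes the provider keep only the `encrypted_password` attribute, which the operator decrypts out of band before handing it to the user. The `for_each = toset(keys(var.users))` also grants console access to every entry in `var.users` unconditionally; if some users only need programmatic access, gating this on a per-user attribute (the way the policy attachments below appear to be gated on `self_managed`/`require_mfa`) would keep console access opt-in, though the shape of `var.users` is not visible in this hunk. I would extend the header comment with `# NOTE: without pgp_key the generated password is written unencrypted to the Terraform state.` so the trade-off is recorded next to the resource.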
@@ -0,0 +1,4 @@
+output "initial_passwords" {
+ description = "The initial password for each user, which must be changed at first login."
+ value = { for k, v in aws_iam_user_login_profile.users : k => v.password }
+}

From 0e69e0d996ac657d04888d8667cd210e54c6f364 Mon Sep 17 00:00:00 2001
From: David Redmin
Date: Wed, 18 Dec 2024 14:35:34 -0500
Subject: [PATCH 3/4] Update the README with the latest output from terraform-docs

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index df99414..a6ebf32 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,7 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_iam_user.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_login_profile.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
 | [aws_iam_user_policy_attachment.self_managed_creds_with_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_policy_attachment.self_managed_creds_without_mfa](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
@@ -73,7 +74,9 @@ No modules.
 ## Outputs ##
-No outputs.
+| Name | Description |
+|------|-------------|
+| initial\_passwords | The initial password for each user, which must be changed at first login. |
 ## Notes ##

From c965088cf38ffe06c1706e0e45d9803528e6e3fc Mon Sep 17 00:00:00 2001
From: David Redmin
Date: Thu, 19 Dec 2024 11:22:32 -0500
Subject: [PATCH 4/4] Improve output description

Co-authored-by: Jeremy Frasier
---
 README.md  | 2 +-
 outputs.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
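Review bot: The `initial_passwords` output is not marked sensitive, so Terraform prints every user's initial password in `plan`/`apply` output, which typically ends up in CI logs and terminal scrollback; the block should carry `sensitive = true`, and the same applies to the revised output block in PATCH 4/4. Marking it sensitive does not change the hand-out workflow, since the values remain retrievable on demand with `terraform output -json initial_passwords`. Note also that `v.password` is populated only while the login profile has no `pgp_key`; if one is added to the resource, this output should expose `v.encrypted_password` instead. The description introduced in PATCH 4/4 says "each non-admin user", but the `for_each` in users.tf iterates all of `var.users` with no visible filtering, so that qualifier may need confirming against how the variable is populated.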
diff --git a/README.md b/README.md
index a6ebf32..ef7034c 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,7 @@ No modules.
 | Name | Description |
 |------|-------------|
-| initial\_passwords | The initial password for each user, which must be changed at first login. |
+| initial\_passwords | A map whose keys are the usernames of each non-admin user and whose values are the initial password (which must be changed at first login) for that user. |
 ## Notes ##
diff --git a/outputs.tf b/outputs.tf
index 9f8b9e4..4ec1d6f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,4 +1,4 @@
 output "initial_passwords" {
- description = "The initial password for each user, which must be changed at first login."
+ description = "A map whose keys are the usernames of each non-admin user and whose values are the initial password (which must be changed at first login) for that user."
 value = { for k, v in aws_iam_user_login_profile.users : k => v.password }
 }