fix(DMVP-4760): Add iam user support

dasmeta · Oct 2, 2024 · cd7c1f9 · cd7c1f9
1 parent 91050ff
commit cd7c1f9
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 3 deletions.
diff --git a/modules/user/main.tf b/modules/user/main.tf
@@ -21,11 +21,24 @@ resource "aws_iam_user_policy_attachment" "user-attach" {
 }
 
 data "aws_iam_policy_document" "policy" {
+  count = length(var.policy) > 0 ? 1 :0
+
   dynamic "statement" {
     for_each = var.policy
     content {
+      effect = statement.value.effect
       actions   = statement.value.actions
       resources = statement.value.resources
+
+      dynamic "condition" {
+        for_each = length(statement.value.conditions) > 0 ? statement.value.conditions : []
+
+        content {
+          test     = condition.value.test  # Condition type (e.g., StringEquals)
+          variable = condition.value.variable   # Condition variable (e.g., "SAML:aud")
+          values   = condition.value.values # Condition values (list of strings)
+        }
+      }
     }
   }
 }
@@ -35,5 +48,5 @@ resource "aws_iam_user_policy" "iam_user_policy" {
   name       = "policy-${var.username}"
   user       = var.username
   depends_on = [module.iam_user]
-  policy     = data.aws_iam_policy_document.policy.json
+  policy     = data.aws_iam_policy_document.policy.0.json
 }
diff --git a/modules/user/outputs.tf b/modules/user/outputs.tf
@@ -60,7 +60,22 @@ output "pgp_key" {
   value       = module.iam_user.pgp_key
 }
 
+output "keybase_password_decrypt_command" {
+  description = "Decrypt user password command"
+  value       = module.iam_user.keybase_password_decrypt_command
+}
+
 output "keybase_password_pgp_message" {
   description = "Encrypted password"
   value       = module.iam_user.keybase_password_pgp_message
 }
+
+output "keybase_secret_key_decrypt_command" {
+  description = "Decrypt access secret key command"
+  value       = module.iam_user.keybase_secret_key_decrypt_command
+}
+
+output "keybase_secret_key_pgp_message" {
+  description = "Encrypted access secret key"
+  value       = module.iam_user.keybase_secret_key_pgp_message
+}
diff --git a/modules/user/tests/basic/1-example.tf b/modules/user/tests/basic/1-example.tf
@@ -7,6 +7,11 @@ module "iam-user" {
     {
       actions   = ["ec2:*"]
       resources = ["*"]
+      conditions = [{
+        test = "StringEquals"
+        variable = "ec2:InstanceType"
+        values = ["t3.medium", "c5.2xlarge"]
+      }]
     }
   ]
 }
diff --git a/modules/user/variables.tf b/modules/user/variables.tf
@@ -40,10 +40,14 @@ variable "policy" {
     effect     = optional(string, "Allow")
     actions    = list(string)
     resources  = list(string)
-    principals = optional(any, [])
-    conditions = optional(any, [])
+    conditions = optional(list(object({
+      test  = string
+      variable   = string
+      values = list(string)
+    })), [])
   }))
   description = "AWS role assigne policy"
+  default = []
 }
 
 variable "create_policy" {