From cd7c1f9872e80b127eb882ae7ed10115464214d6 Mon Sep 17 00:00:00 2001 From: Sarhad Date: Wed, 2 Oct 2024 19:22:55 +0400 Subject: [PATCH] fix(DMVP-4760): Add iam user support --- modules/user/main.tf | 15 ++++++++++++++- modules/user/outputs.tf | 15 +++++++++++++++ modules/user/tests/basic/1-example.tf | 5 +++++ modules/user/variables.tf | 8 ++++++-- 4 files changed, 40 insertions(+), 3 deletions(-) diff --git a/modules/user/main.tf b/modules/user/main.tf index e29ae3d..d685f8d 100644 --- a/modules/user/main.tf +++ b/modules/user/main.tf @@ -21,11 +21,24 @@ resource "aws_iam_user_policy_attachment" "user-attach" { } data "aws_iam_policy_document" "policy" { + count = length(var.policy) > 0 ? 1 :0 + dynamic "statement" { for_each = var.policy content { + effect = statement.value.effect actions = statement.value.actions resources = statement.value.resources + + dynamic "condition" { + for_each = length(statement.value.conditions) > 0 ? statement.value.conditions : [] + + content { + test = condition.value.test # Condition type (e.g., StringEquals) + variable = condition.value.variable # Condition variable (e.g., "SAML:aud") + values = condition.value.values # Condition values (list of strings) + } + } } } } @@ -35,5 +48,5 @@ resource "aws_iam_user_policy" "iam_user_policy" { name = "policy-${var.username}" user = var.username depends_on = [module.iam_user] - policy = data.aws_iam_policy_document.policy.json + policy = data.aws_iam_policy_document.policy.0.json } diff --git a/modules/user/outputs.tf b/modules/user/outputs.tf index 2d73f0d..b7e69fa 100644 --- a/modules/user/outputs.tf +++ b/modules/user/outputs.tf 
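Review bot: The `for_each` on the new `condition` block wraps `statement.value.conditions` in a redundant `length(...) > 0 ? … : []`; the variable now types `conditions` as `optional(list(object({...})), [])`, so it is always a list and `for_each = statement.value.conditions` behaves identically with less to read. The new `count = length(var.policy) > 0 ? 1 :0` line is also not `terraform fmt` output (`? 1 : 0`). Passing `effect` through is the right change, but keep in mind that with the count gate the data source has zero instances whenever `var.policy` is empty, which every reference to `data.aws_iam_policy_document.policy` must now tolerate.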
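Review bot: `data.aws_iam_policy_document.policy.0.json` now indexes a count-gated data source, so when `var.policy` is empty (its new default) and this resource is still created, plan fails with an invalid-index error; unless the resource is already gated by a `count` outside this hunk, give it the matching guard `count = length(var.policy) > 0 ? 1 : 0` and reference `policy = data.aws_iam_policy_document.policy[0].json`. The `.0` attribute form is legacy index syntax that Terraform warns about; `[0]` is the current form. The `aws_iam_user_policy` resource block starts outside the hunk, so I cannot see whether such a gate exists.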
@@ -60,7 +60,22 @@ output "pgp_key" { value = module.iam_user.pgp_key } +output "keybase_password_decrypt_command" { + description = "Decrypt user password command" + value = module.iam_user.keybase_password_decrypt_command +} + output "keybase_password_pgp_message" { description = "Encrypted password" value = module.iam_user.keybase_password_pgp_message } + +output "keybase_secret_key_decrypt_command" { + description = "Decrypt access secret key command" + value = module.iam_user.keybase_secret_key_decrypt_command +} + +output "keybase_secret_key_pgp_message" { + description = "Encrypted access secret key" + value = module.iam_user.keybase_secret_key_pgp_message +} \ No newline at end of file diff --git a/modules/user/tests/basic/1-example.tf b/modules/user/tests/basic/1-example.tf index aa5608d..16835b3 100644 --- a/modules/user/tests/basic/1-example.tf +++ b/modules/user/tests/basic/1-example.tf @@ -7,6 +7,11 @@ module "iam-user" { { actions = ["ec2:*"] resources = ["*"] + conditions = [{ + test = "StringEquals" + variable = "ec2:InstanceType" + values = ["t3.medium", "c5.2xlarge"] + }] } ] } diff --git a/modules/user/variables.tf b/modules/user/variables.tf index fb27b70..16ffb2e 100644 --- a/modules/user/variables.tf +++ b/modules/user/variables.tf @@ -40,10 +40,14 @@ variable "policy" { effect = optional(string, "Allow") actions = list(string) resources = list(string) - principals = optional(any, []) - conditions = optional(any, []) + conditions = optional(list(object({ + test = string + variable = string + values = list(string) + })), []) })) description = "AWS role assigne policy" + default = [] } variable "create_policy" {
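Review bot: The three new outputs are documented only as "Decrypt … command" / "Encrypted …", which does not tell a caller that the value is PGP ciphertext (usable only with the matching Keybase private key) nor that it is presumably empty unless a `pgp_key` is supplied — assuming `module.iam_user` follows the usual terraform-aws-iam convention, which this hunk cannot confirm. Since the decrypt command embeds the ciphertext and is printed on every apply and persisted in state, spell that out, e.g. `description = "Shell command to decrypt the initial console password (PGP message encrypted to the user's Keybase key; empty unless pgp_key is set)"`, and likewise for the secret-key outputs. The file also now ends without a trailing newline.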
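Review bot: The example pairs `actions = ["ec2:*"]` with a `StringEquals` on `ec2:InstanceType`, but that condition key is only present in the request context for a subset of EC2 actions (RunInstances and a few other instance-level calls); for the rest of `ec2:*` the key is absent, `StringEquals` evaluates to false and the statement grants nothing, so the example reads as "all of EC2 limited to two instance types" while actually allowing far less than that. If the intent is to constrain launches, scope the actions, `actions = ["ec2:RunInstances"]`; if the intent is a broad grant with a type restriction where applicable, use `test = "StringEqualsIfExists"`. Either way `resources = ["*"]` is worth narrowing in an example people will copy.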
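Review bot: `effect` is typed as a free `string` defaulting to `"Allow"`, so a mistyped value such as `"allow"` or `"Denied"` is only rejected by AWS at apply time, and nothing stops a caller from passing an empty `actions` or `resources` list; since the file already relies on `optional()` in object types (Terraform 1.3+), a `validation` block can reject these at plan time. The `variable "policy"` block starts outside this hunk, and its context-line `description` (`"AWS role assigne policy"`) is both misspelled and stale for a user inline policy. Suggested shape of the block:
```hcl
variable "policy" {
  # … unchanged: type = list(object({ ... })) …
  description = "Inline IAM policy statements attached to the user"
  default     = []

  validation {
    condition     = alltrue([for s in var.policy : contains(["Allow", "Deny"], s.effect)])
    error_message = "Each policy statement's effect must be \"Allow\" or \"Deny\"."
  }

  validation {
    condition     = alltrue([for s in var.policy : length(s.actions) > 0 && length(s.resources) > 0])
    error_message = "Each policy statement needs at least one action and one resource."
  }
}
```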