returns boolean if a user has access to console login (#2012)
returns boolean if a user has access to console login

Summary
I've introduced a new feature that includes in the response a console_access parameter, which is a boolean indicating whether an IAM user has the ability to log in through the AWS console. This addition is particularly useful for scenarios where administrative constraints require users to access AWS services exclusively via API keys or through controlled environments, such as landing zones, without using the AWS console login interface.
Issue Type

Feature Pull Request
Component Name: botocore
includes the botocore interaction, specifically regarding the console_access information retrieval

Additional Information
With this update, the module now provides visibility into whether an IAM user is permitted console access. This could be pivotal for enforcing stricter security protocols, ensuring users do not bypass VPN requirements, API keys, or other access control measures by logging in through the AWS console.
Before the change, a normal response:
{
    "arn": "arn:aws:iam::11111111:user/terraform",
    "create_date": "2018-04-18T14:12:44+00:00",
    "path": "/",
    "tags": {},
    "user_id": "12345abcd",
    "user_name": "terraform"
}

After the change:
{
    "arn": "arn:aws:iam::11111111:user/terraform",
    "console_access": false,
    "create_date": "2018-04-18T14:12:44+00:00",
    "path": "/",
    "tags": {},
    "user_id": "12345abcd",
    "user_name": "terraform"
}

Reviewed-by: Bikouo Aubin
Reviewed-by: Mark Chappell
valkiriaaquatica authored Mar 22, 2024
1 parent 196a875 commit 8b138e3
Showing 2 changed files with 21 additions and 1 deletion.
3 changes: 3 additions & 0 deletions changelogs/fragments/20240321-iam-user-info.yml
@@ -0,0 +1,3 @@
---
minor_changes:
- iam_user_info - Add ``login_profile`` to return info that is get from a user, to know if they can login from AWS console (https://github.com/ansible-collections/amazon.aws/pull/2012).
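Review bot: the fragment wording "return info that is get from a user, to know if they can login from AWS console" is ungrammatical; suggest "iam_user_info - Add ``login_profile`` to the returned user information so callers can tell whether the user can log in through the AWS console". It should also agree with the commit message, which describes a boolean ``console_access`` key while this fragment (and the module change) add a ``login_profile`` dict; pick one name and use it in both places.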
19 changes: 18 additions & 1 deletion plugins/modules/iam_user_info.py
@@ -103,14 +103,27 @@
type: dict
returned: if user exists
sample: '{"Env": "Prod"}'
login_profile:
description: Detailed login profile information if the user has access to log in from AWS default console. Returns an empty object {} if no access.
returned: always
type: dict
sample: {"create_date": "2024-03-20T12:50:56+00:00", "password_reset_required": false, "user_name": "i_am_a_user"}
"""

from ansible_collections.amazon.aws.plugins.module_utils.iam import AnsibleIAMError
from ansible_collections.amazon.aws.plugins.module_utils.iam import IAMErrorHandler
from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_group
from ansible_collections.amazon.aws.plugins.module_utils.iam import get_iam_user
from ansible_collections.amazon.aws.plugins.module_utils.iam import list_iam_users
from ansible_collections.amazon.aws.plugins.module_utils.iam import normalize_iam_user
from ansible_collections.amazon.aws.plugins.module_utils.modules import AnsibleAWSModule
from ansible_collections.amazon.aws.plugins.module_utils.retries import AWSRetry


@IAMErrorHandler.list_error_handler("get login profile", {})
@AWSRetry.jittered_backoff()
def check_console_access(connection, user_name):
return connection.get_login_profile(UserName=user_name)["LoginProfile"]


def _list_users(connection, name, group, path):
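Review bot: the ``sample:`` value for ``login_profile`` is a bare YAML mapping while the adjacent ``tags`` sample is a quoted string; quote it the same way ('{"create_date": "2024-03-20T12:50:56+00:00", "password_reset_required": false, "user_name": "i_am_a_user"}') so the RETURN block is consistent. Two smaller points: "AWS default console" in the description should read "AWS Management Console", and ``check_console_access`` returns the whole ``LoginProfile`` dict (or ``{}`` through the ``list_error_handler`` default) rather than a boolean, so a name such as ``get_login_profile`` would describe it better; a one-line comment that the ``{}`` default is the "no console access" signal the RETURN docs promise would also help the next reader.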
@@ -136,6 +149,8 @@ def _list_users(connection, name, group, path):
def list_users(connection, name, group, path):
users = _list_users(connection, name, group, path)
users = [u for u in users if u is not None]
for user in users:
user["LoginProfile"] = check_console_access(connection, user["UserName"])
return [normalize_iam_user(user) for user in users]


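Review bot: the loop in ``list_users`` issues one ``get_login_profile`` call per returned user, so listing by ``group`` or ``path`` over a large account turns one list call into N+1 API calls and raises the chance of throttling; ``AWSRetry.jittered_backoff`` on ``check_console_access`` softens that but does not remove it. Consider an opt-in module option for the login-profile lookup, or at least document the extra calls. Also, ``user["LoginProfile"]`` is attached before ``normalize_iam_user`` runs, which appears to be what produces the documented ``login_profile`` key; a short comment on that line would make the mapping to the RETURN docs explicit.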
@@ -147,7 +162,9 @@ def main():
)

module = AnsibleAWSModule(
argument_spec=argument_spec, mutually_exclusive=[["group", "path_prefix"]], supports_check_mode=True
argument_spec=argument_spec,
mutually_exclusive=[["group", "path_prefix"]],
supports_check_mode=True,
)

name = module.params.get("name")
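Review bot: the re-wrapping of the ``AnsibleAWSModule(...)`` call is a purely cosmetic change unrelated to the login-profile feature; keeping formatting-only changes in their own commit makes the history easier to bisect and review.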
