
terraform-aws-iam-system-user

Terraform module that creates an AWS IAM system user for a project.

Requirements

The following plugins need to be installed beforehand to use everything this configuration provides:

Usage

How to use this project

  module "main" {
    source  = "hadenlabs/terraform-aws-iam-system-user/aws"
    version = "0.1.0"
    namespace  = "gitlab"
    stage      = "dev"
    name       = "bot"
  }

Full working examples can be found in the examples folder.

Examples

Common

  module "main" {
    source  = "hadenlabs/terraform-aws-iam-system-user/aws"
    version = "0.1.0"
    name    = "bot" # name is the only required input (see Inputs below)
  }

Basic

data

data "aws_iam_policy_document" "base_s3" {
  # Bucket-level actions (s3:ListBucket) are authorized against the bucket ARN;
  # object-level actions (s3:GetObject, s3:GetObjectAcl) are authorized against
  # the object ARN (bucket/*), so both resource forms are needed for reads to work.
  statement {
    actions = [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket", # the IAM action that grants listing objects in a bucket
    ]
    effect = "Allow"

    resources = [
      "arn:aws:s3:::hadenlabs-core-backup",
      "arn:aws:s3:::hadenlabs-core-backup/*",
    ]

  }
}

data "aws_iam_policy_document" "s3_policy" {
  # Merge the statements from base_s3 into this document
  source_json = data.aws_iam_policy_document.base_s3.json

  statement {
    actions = [
      "s3:ListAllMyBuckets"
    ]

    effect = "Allow"
    resources = [
      "arn:aws:s3:::*"
    ]

  }
}

module "s3_user" {
  source  = "hadenlabs/terraform-aws-iam-system-user/aws"
  version = "0.1.0"
  namespace  = "gitlab"
  stage      = "dev"
  name       = "bot"

  policy_arns_map = {
    logs = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
  }

  inline_policies_map = {
    s3 = data.aws_iam_policy_document.s3_policy.json
  }
}

use fullname

Uses the same base_s3 and s3_policy policy documents as the Basic example above, then:

module "s3_user" {
  source  = "hadenlabs/terraform-aws-iam-system-user/aws"
  version = "0.1.0"
  namespace  = "gitlab"
  stage      = "dev"
  name       = "bot"
  use_fullname = true

  policy_arns_map = {
    logs = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
  }

  inline_policies_map = {
    s3 = data.aws_iam_policy_document.s3_policy.json
  }
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12.20, < 2.0 |
| aws | >= 2.51, < 4.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 2.51, < 4.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| tags | hadenlabs/tags/null | >=0.2 |

Resources

| Name | Type |
|------|------|
| aws_iam_access_key.this | resource |
| aws_iam_user.this | resource |
| aws_iam_user_policy.inline_policies | resource |
| aws_iam_user_policy_attachment.policies | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_iam_access_key | Whether or not to create IAM access keys | bool | true | no |
| enabled | Set to false to prevent the module from creating any resources | bool | true | no |
| force_destroy | Destroy the user even if it has non-Terraform-managed IAM access keys, login profile or MFA devices | bool | false | no |
| inline_policies | Inline policies to attach to our created user | list(string) | [] | no |
| inline_policies_map | Inline policies to attach (descriptive key => policy) | map(string) | {} | no |
| name | Name of the IAM user | string | n/a | yes |
| namespace | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | string | null | no |
| path | Path in which to create the user | string | "/system/" | no |
| permissions_boundary | Permissions Boundary ARN to attach to our created user | string | null | no |
| policy_arns | Policy ARNs to attach to our created user | list(string) | [] | no |
| policy_arns_map | Policy ARNs to attach (descriptive key => arn) | map(string) | {} | no |
| prefix | Prefix for the user name | string | "system" | no |
| stage | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | string | null | no |
| tags | Additional tags (e.g. map('BusinessUnit','XYZ')) | map(string) | {} | no |
| use_fullname | If set to 'true' then the full ID for the IAM user name (e.g. [var.namespace]-[var.stage]-[var.name]) will be used. | bool | false | no |

Outputs

| Name | Description |
|------|-------------|
| access_key_id | The access key ID |
| enabled | Enabled property of module |
| secret_access_key | The secret access key. This will be written to the state file in plain text |
| use_fullname | Returns whether use_fullname is enabled |
| user_arn | The ARN assigned by AWS for this user |
| user_name | Normalized IAM user name |
| user_unique_id | The unique ID assigned by AWS |
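The following is an added, complete configuration (not one of the module's own examples) that ties together the Basic example and the Inputs and Outputs above: a permissions boundary capping the user, a policy document that separates bucket-level from object-level S3 actions, a version constraint matching the module's SemVer policy, and wrapper outputs that mark the secret key sensitive. The names "example-org", "ci", "deployer", the boundary policy and the bucket "example-org-backup" are placeholders chosen for this example.

```hcl
terraform {
  required_version = ">= 0.12.20, < 2.0"
  required_providers {
    aws = ">= 2.51, < 4.0"
  }
}

# Permissions boundary (assumed, not created by the module): caps what the user
# can ever do, even if a broader policy is attached to it later.
data "aws_iam_policy_document" "boundary" {
  statement {
    effect    = "Allow"
    actions   = ["s3:*", "logs:*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "boundary" {
  name   = "example-org-ci-deployer-boundary"
  path   = "/system/"
  policy = data.aws_iam_policy_document.boundary.json
}

# Least-privilege read access to one bucket. Bucket-level and object-level
# actions are authorized against different resource ARNs, so they are split
# into two statements.
data "aws_iam_policy_document" "backup_read" {
  statement {
    sid       = "ListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-org-backup"]
  }

  statement {
    sid       = "ReadObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:GetObjectAcl"]
    resources = ["arn:aws:s3:::example-org-backup/*"]
  }
}

module "deployer" {
  source  = "hadenlabs/terraform-aws-iam-system-user/aws"
  version = "~> 0.1.0" # 0.y.z: only patch bumps are backwards compatible

  namespace    = "example-org"
  stage        = "ci"
  name         = "deployer"
  use_fullname = true # user name becomes example-org-ci-deployer

  permissions_boundary = aws_iam_policy.boundary.arn

  # Keys are created by default; set create_iam_access_key = false when the
  # workload can assume a role instead of holding long-lived credentials.
  create_iam_access_key = true

  inline_policies_map = {
    backup_read = data.aws_iam_policy_document.backup_read.json
  }

  tags = {
    Owner = "platform-team"
  }
}

output "deployer_user_arn" {
  value = module.deployer.user_arn
}

output "deployer_access_key_id" {
  value = module.deployer.access_key_id
}

# sensitive = true keeps the secret out of plan/apply console output, but the
# module still writes it to the state file in plain text, so the state backend
# itself must be encrypted and access-controlled.
output "deployer_secret_access_key" {
  value     = module.deployer.secret_access_key
  sensitive = true
}
```

Run it with the usual `terraform init && terraform plan`; the boundary limits the user to S3 and CloudWatch Logs regardless of later policy attachments, and the split statements are what make `s3:GetObject` actually authorize object reads (a policy listing only the bucket ARN would allow listing but deny every download).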

Help

Got a question?

File a GitHub issue.

Contributing

See Contributing.

Module Versioning

This Module follows the principles of Semantic Versioning (SemVer).

Using the given version number of MAJOR.MINOR.PATCH, we apply the following constructs:

  1. Use the MAJOR version for incompatible changes.
  2. Use the MINOR version when adding functionality in a backwards compatible manner.
  3. Use the PATCH version when introducing backwards compatible bug fixes.

Backwards compatibility in 0.0.z and 0.y.z versions

  • In the context of initial development, backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
  • In the context of pre-release, backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

Copyright

Copyright © 2018-2022 Hadenlabs

Trademarks

All other trademarks referenced herein are the property of their respective owners.

License

The code and styles are licensed under the LGPL-3.0 license. See the project license.

Don't forget to 🌟 Star 🌟 the repo if you like terraform-aws-iam-system-user

Your feedback is appreciated