chore: implement module iam system user (hadenlabs#3)

luismayta · May 8, 2022 · 430a49e · 430a49e
1 parent 024d458
commit 430a49e
Show file tree

Hide file tree

Showing 6 changed files with 212 additions and 5 deletions.
diff --git a/data.tf b/data.tf
@@ -0,0 +1,9 @@
+data "aws_iam_policy_document" "this" {
+  count = local.outputs.enabled ? 1 : 0
+
+  statement {
+    actions   = local.outputs.s3_actions
+    resources = local.outputs.s3_resources
+    effect    = "Allow"
+  }
+}
diff --git a/docs/include/terraform.md b/docs/include/terraform.md
@@ -4,24 +4,51 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.20, < 2.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.51, < 4.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.51, < 4.0 |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_s3_user"></a> [s3\_user](#module\_s3\_user) | hadenlabs/iam-system-user/aws | 0.1.1 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_iam_user_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `true` | no |
+| <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | Destroy even if it has non-Terraform-managed IAM access keys, login profiles or MFA devices | `bool` | `false` | no |
+| <a name="input_name"></a> [name](#input\_name) | name | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| <a name="input_path"></a> [path](#input\_path) | Path in which to create the user | `string` | `"/"` | no |
+| <a name="input_s3_actions"></a> [s3\_actions](#input\_s3\_actions) | Actions to allow in the policy | `list(string)` | <pre>[<br>  "s3:GetObject"<br>]</pre> | no |
+| <a name="input_s3_resources"></a> [s3\_resources](#input\_s3\_resources) | S3 resources to apply the actions specified in the policy | `list(string)` | n/a | yes |
+| <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Additional tags (e.g. `map('BusinessUnit','XYZ')` | `map(string)` | `{}` | no |
+| <a name="input_use_fullname"></a> [use\_fullname](#input\_use\_fullname) | If set to 'true' then the full ID for the IAM user name (e.g. `[var.namespace]-[var.stage]-[var.name]`) will be used. | `bool` | `false` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_access_key_id"></a> [access\_key\_id](#output\_access\_key\_id) | Access Key ID |
+| <a name="output_enabled"></a> [enabled](#output\_enabled) | Enabled property of module |
+| <a name="output_secret_access_key"></a> [secret\_access\_key](#output\_secret\_access\_key) | Secret Access Key. This will be written to the state file in plain-text |
+| <a name="output_use_fullname"></a> [use\_fullname](#output\_use\_fullname) | return if enabled use fullname |
+| <a name="output_user_arn"></a> [user\_arn](#output\_user\_arn) | The ARN assigned by AWS for the user |
+| <a name="output_user_name"></a> [user\_name](#output\_user\_name) | Normalized IAM user name |
+| <a name="output_user_unique_id"></a> [user\_unique\_id](#output\_user\_unique\_id) | The user unique ID assigned by AWS |
 <!-- END_TF_DOCS -->
diff --git a/main.tf b/main.tf
@@ -1 +1,73 @@
+locals {
+  input = {
+    enabled       = var.enabled
+    force_destroy = var.force_destroy
+    name          = var.name
+    namespace     = var.namespace
+    path          = var.path
+    stage         = var.stage
+    use_fullname  = var.use_fullname
+    tags          = var.tags
+    s3_actions    = var.s3_actions
+    s3_resources  = var.s3_resources
+  }
+}
 
+locals {
+
+  generated = {
+    enabled       = local.input.enabled
+    force_destroy = local.input.force_destroy
+    name          = local.input.name
+    namespace     = local.input.namespace
+    path          = local.input.path
+    stage         = local.input.stage
+    use_fullname  = local.input.use_fullname
+    tags          = local.input.tags
+    s3_actions    = local.input.s3_actions
+    s3_resources  = local.input.s3_resources
+  }
+
+}
+
+locals {
+
+  outputs = {
+    enabled       = local.generated.enabled
+    force_destroy = local.generated.force_destroy
+    namespace     = local.generated.namespace
+    path          = local.generated.path
+    stage         = local.generated.stage
+    use_fullname  = local.generated.use_fullname
+    name          = local.generated.name
+    tags = merge(local.generated.tags, {
+      Name = local.generated.name
+    })
+    s3_actions   = local.generated.s3_actions
+    s3_resources = local.generated.s3_resources
+  }
+}
+
+module "s3_user" {
+  source        = "hadenlabs/iam-system-user/aws"
+  version       = "0.1.1"
+  enabled       = local.outputs.enabled
+  force_destroy = local.outputs.force_destroy
+  path          = local.outputs.path
+  namespace     = local.outputs.namespace
+  stage         = local.outputs.stage
+  name          = local.outputs.name
+  use_fullname  = local.outputs.use_fullname
+  tags          = local.outputs.tags
+}
+
+resource "aws_iam_user_policy" "this" {
+  depends_on = [
+    module.s3_user,
+  ]
+  #bridgecrew:skip=BC_AWS_IAM_16:Skipping `Ensure IAM policies are attached only to groups or roles` check because this module intentionally attaches IAM policy directly to a user.
+  count  = local.outputs.enabled ? 1 : 0
+  name   = module.s3_user.user_name
+  user   = module.s3_user.user_name
+  policy = join("", data.aws_iam_policy_document.this.*.json)
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,36 @@
+output "enabled" {
+  description = "Enabled property of module"
+  value       = local.outputs.enabled
+}
+
+output "user_name" {
+  value       = module.s3_user.user_name
+  description = "Normalized IAM user name"
+}
+
+output "user_arn" {
+  value       = module.s3_user.user_arn
+  description = "The ARN assigned by AWS for the user"
+}
+
+output "user_unique_id" {
+  value       = module.s3_user.user_unique_id
+  description = "The user unique ID assigned by AWS"
+}
+
+output "access_key_id" {
+  sensitive   = true
+  value       = module.s3_user.access_key_id
+  description = "Access Key ID"
+}
+
+output "secret_access_key" {
+  sensitive   = true
+  value       = module.s3_user.secret_access_key
+  description = "Secret Access Key. This will be written to the state file in plain-text"
+}
+
+output "use_fullname" {
+  value       = local.outputs.use_fullname
+  description = "return if enabled use fullname"
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,59 @@
+variable "namespace" {
+  type        = string
+  default     = null
+  description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
+}
+
+variable "stage" {
+  type        = string
+  default     = null
+  description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
+}
+
+variable "name" {
+  type        = string
+  description = "name"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Additional tags (e.g. `map('BusinessUnit','XYZ')`"
+  default     = {}
+}
+
+variable "enabled" {
+  type        = bool
+  default     = true
+  description = "Set to false to prevent the module from creating any resources"
+}
+
+variable "use_fullname" {
+  type        = bool
+  default     = false
+  description = <<-EOT
+  If set to 'true' then the full ID for the IAM user name (e.g. `[var.namespace]-[var.stage]-[var.name]`) will be used.
+  EOT
+}
+
+variable "s3_actions" {
+  type        = list(string)
+  default     = ["s3:GetObject"]
+  description = "Actions to allow in the policy"
+}
+
+variable "s3_resources" {
+  type        = list(string)
+  description = "S3 resources to apply the actions specified in the policy"
+}
+
+variable "force_destroy" {
+  type        = bool
+  default     = false
+  description = "Destroy even if it has non-Terraform-managed IAM access keys, login profiles or MFA devices"
+}
+
+variable "path" {
+  type        = string
+  default     = "/"
+  description = "Path in which to create the user"
+}
diff --git a/versions.tf b/versions.tf
@@ -2,5 +2,9 @@ terraform {
   required_version = ">= 0.12.20, < 2.0"
 
   required_providers {
+    aws = {
+      version = ">= 2.51, < 4.0"
+      source  = "hashicorp/aws"
+    }
   }
 }