mineiros-io / terraform-aws-iam-user

Licence: Apache-2.0 license
A Terraform module to create and manage Identity and Access Management (IAM) Users on Amazon Web Services (AWS). https://aws.amazon.com/iam


terraform-aws-iam-user

A Terraform base module for deploying and managing IAM Users on Amazon Web Services.

This module supports Terraform v1.x, v0.15, v0.14, v0.13 as well as v0.12.20 and above, and is compatible with the Terraform AWS provider v3 as well as v2.0 and above.

Module Features

In contrast to the plain aws_iam_user resource, this module has extended features that let you attach custom & managed IAM policies and/or an inline policy, and add users to groups. While all security features can be disabled as needed, best practices are pre-configured.

  • Standard Module Features: Add IAM users

  • Extended Module Features: Attach custom & managed IAM policies, attach an inline policy, add users to a set of groups

Getting Started

Most basic usage, showing how to add three users and assign two policies:

module "iam-users" {
  source  = "mineiros-io/iam-user/aws"
  version = "~> 0.5.0"

  names = [
    "user.one",
    "user.two",
    "user.three",
  ]

  policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/job-function/Billing",
  ]
}

Module Argument Reference

See variables.tf and examples for details and use-cases.

Module Configuration

  • module_enabled: (Optional bool)

    Specifies whether resources in the module will be created.

    Default is true.

  • module_depends_on: (Optional set(any))

    A set of dependencies. Any object can be assigned to this list to define a hidden external dependency.

Top-level Arguments

Main Resource Configuration

  • names: (Required set(string))

    A set of names of IAM users that will be created. Forces new resource.

  • groups: (Optional set(string))

    A set of IAM groups to add the user(s) to.

    Default is [].

  • force_destroy: (Optional bool)

    When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed.

    Default is false.

  • path: (Optional string)

    The path in which to create the user(s). See IAM Identifiers for more information.

    Default is "/".

  • permissions_boundary: (Optional string)

    The ARN of the policy that is used to set the permissions boundary for the user. Default is not to set any boundary.

  • tags: (Optional map(string))

    Key-value map of tags for the IAM user.

    Default is {}.

Extended Resource configuration

Custom & Managed Policies
  • policy_arns: (Optional list(string))

    List of custom or managed IAM policy ARNs to attach to the user.

    Default is [].

Inline Policy
  • policy_statements: (Optional list(statement))

    List of IAM policy statements to attach to the user as an inline policy.

    Default is [].

    Example:

    policy_statements = [
      {
        sid = "FullS3Access"
    
        effect = "Allow"
    
        actions     = ["s3:*"]
        not_actions = []
    
        resources     = ["*"]
        not_resources = []
    
        conditions = [
          {
            test     = "Bool"
            variable = "aws:MultiFactorAuthPresent"
            values   = ["true"]
          }
        ]
      }
    ]
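
The inline-policy example above grants s3:* on every resource. For comparison, a least-privilege variant that combines policy_statements with permissions_boundary and path; this is an added example, not taken from the module's own documentation, and the account ID, bucket name, boundary policy name and tag are placeholders:

```hcl
# Added example, not the project's own code. Account ID 111122223333,
# bucket "example-app-logs" and policy "example-user-boundary" are placeholders.
module "iam-users-scoped" {
  source  = "mineiros-io/iam-user/aws"
  version = "~> 0.5.0"

  names = ["user.one"]
  path  = "/humans/"

  # Caps the effective permissions of the user, whatever gets attached later.
  permissions_boundary = "arn:aws:iam::111122223333:policy/example-user-boundary"

  # Keep the default: destroy fails if the user has access keys, a login
  # profile or MFA devices that Terraform does not manage.
  force_destroy = false

  tags = {
    ManagedBy = "terraform"
  }

  policy_statements = [
    {
      sid    = "ReadAppLogsWithMFA"
      effect = "Allow"

      # Only the read actions needed, instead of "s3:*".
      actions     = ["s3:GetObject", "s3:ListBucket"]
      not_actions = []

      # Only one bucket and its objects, instead of "*".
      resources = [
        "arn:aws:s3:::example-app-logs",
        "arn:aws:s3:::example-app-logs/*",
      ]
      not_resources = []

      conditions = [
        {
          test     = "Bool"
          variable = "aws:MultiFactorAuthPresent"
          values   = ["true"]
        }
      ]
    }
  ]
}
```

Because the statement is an Allow, requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key, do not match the condition, and are therefore not granted access by it.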

Module Outputs

The following attributes are exported by the module:

  • users: (list(user))

    The aws_iam_user object(s).

  • user_policy: (object(user_policy))

    The aws_iam_user_policy object(s).

  • user_policy_attachment: (object(user_policy_attachment))

    The aws_iam_user_policy_attachment object(s).

  • names: (set(string))

    The user names.

  • path: (string)

    Path in which to create the user.

  • permissions_boundary: (string)

    The ARN of the policy that is used to set the permissions boundary for the user.

  • force_destroy: (bool)

    When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices.

  • tags: (map(string))

    Key-value map of tags for the IAM user.

  • policy_statements: (list(policy_statement))

    List of IAM policy statements to attach to the User as an inline policy.

  • policy_arns: (set(string))

    Set of IAM custom or managed policies ARNs attached to the User.

  • groups: (list(string))

    List of IAM groups the users were added to.

External Documentation

AWS Documentation IAM

Terraform AWS Provider Documentation

Module Versioning

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

  1. MAJOR version when we make incompatible changes,
  2. MINOR version when we add functionality in a backwards compatible manner, and
  3. PATCH version when we make backwards compatible bug fixes.

Backwards compatibility in 0.0.z and 0.y.z version

  • Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
  • Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

About Mineiros

Mineiros is a DevOps as a Service company based in Berlin, Germany. We offer commercial support for all of our projects and encourage you to reach out if you have any questions or need help. Feel free to send us an email at [email protected] or join our Community Slack channel.

We can also help you with:

  • Terraform modules for all types of infrastructure such as VPCs, Docker clusters, databases, logging and monitoring, CI, etc.
  • Consulting & training on AWS, Terraform and DevOps

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Contributing

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

Makefile Targets

This repository comes with a handy Makefile. Run make help to see details on each available target.

License

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2020-2022 Mineiros GmbH
