Terraform module to create an IAM user. Suitable for, e.g., CI/CD systems or other systems external to AWS that cannot use AWS IAM Roles, AWS IAM Instance Profiles or AWS OIDC federation.
Creating IAM users this way is not recommended for any other purpose.
It is recommended that IAM policies be attached to groups and roles rather than directly to users. This module therefore attaches the IAM policy to an IAM group with the same name, and adds the user to that group, instead of attaching the policy to the user.
If an AWS Access Key is created, it is stored in the SSM Parameter Store and is also provided as a module output. Because the secret access key is a module output, it is written to the Terraform state as well; protect the state backend accordingly and prefer handing consumers the SSM parameter name rather than the secret itself.
IMPORTANT: We do not pin modules to versions in our examples. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable.
100% Open Source and licensed under the Apache License Version 2.0.
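The module described above in use, as an added example that is not part of this README or the module's own code. It shows a least-privilege policy fed into the `policy` input, a permissions boundary, a customer-managed KMS key for the SSM parameters, and a pinned module version as the IMPORTANT note asks. The module source address and version, the artifact bucket, the boundary policy and the tags are assumptions chosen for illustration.

```hcl
# Added example, not the module's own code. The bucket name, boundary policy,
# module source address and version are assumptions for illustration only.

# Least-privilege policy for the CI user: it may only write release artifacts
# to one prefix of one bucket. This JSON goes into the module's `policy` input
# and is attached to the user's group, not to the user directly.
data "aws_iam_policy_document" "ci_deploy" {
  statement {
    sid       = "PutReleaseArtifacts"
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::example-artifacts/releases/*"] # assumed bucket
  }
}

# Permissions boundary: even if the group policy is widened later, the user's
# effective permissions can never exceed this document.
data "aws_iam_policy_document" "ci_boundary" {
  statement {
    sid       = "Boundary"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["arn:aws:s3:::example-artifacts/*"] # assumed bucket
  }
}

resource "aws_iam_policy" "ci_boundary" {
  name   = "ci-deploy-boundary"
  policy = data.aws_iam_policy_document.ci_boundary.json
}

# Customer-managed key so access to the stored credentials can be audited and
# restricted through the key policy, rather than relying on the AWS-managed key.
resource "aws_kms_key" "ssm_credentials" {
  description         = "Encrypts the CI deploy user's credentials in SSM Parameter Store"
  enable_key_rotation = true
}

module "ci_deploy_user" {
  # Assumed source address; pin the exact version you use, as the README advises.
  source = "git::https://example.com/org/terraform-aws-user.git?ref=v1.2.3"

  # With the default postfix = true the user, policy and group names get the
  # Account / Policy / Group suffixes described in the inputs table.
  name                 = "ci-deploy"
  policy               = data.aws_iam_policy_document.ci_deploy.json
  permissions_boundary = aws_iam_policy.ci_boundary.arn
  kms_key_id           = aws_kms_key.ssm_credentials.key_id

  tags = {
    owner   = "platform-team" # assumed
    purpose = "ci-deploy"     # assumed
  }
}

# Expose the SSM parameter names, not the secret. The CI runner reads them
# with `aws ssm get-parameter --with-decryption`, so the secret never needs
# to be copied out of Terraform by a human.
output "ci_credential_parameters" {
  value = {
    access_key_id     = module.ci_deploy_user.ssm_access_key_id
    secret_access_key = module.ci_deploy_user.ssm_secret_access_key
  }
}
```

The `secret_access_key` output of the module is deliberately not re-exported here: it is already in state, and re-exporting it from the root module only widens where the secret can be read from.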
Requirements:
Name | Version |
---|---|
terraform | >= 0.13 |
aws | >= 3.13.0 |
Providers:
Name | Version |
---|---|
aws | >= 3.13.0 |
Modules:
No modules.
Resources:
Name | Type |
---|---|
aws_iam_access_key.default | resource |
aws_iam_group.default | resource |
aws_iam_group_policy.default | resource |
aws_iam_group_policy_attachment.default | resource |
aws_iam_user.default | resource |
aws_iam_user_group_membership.default | resource |
aws_ssm_parameter.access_key_id | resource |
aws_ssm_parameter.secret_access_key | resource |
aws_ssm_parameter.ses_smtp_password_v4 | resource |
Inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | The name of the user. | string | n/a | yes |
tags | A mapping of tags to assign to the user. | map(string) | n/a | yes |
create_policy | Override whether the policy is created. | bool | null | no |
force_destroy | Destroy the user even if it has non-Terraform-managed IAM access keys, a login profile or MFA devices. | bool | false | no |
groups | Set of group names to add the user to, in addition to the group the module creates. | set(string) | [] | no |
kms_key_id | The KMS key ID used to encrypt the SSM parameters. | string | null | no |
path | Path in which to create the user. | string | "/" | no |
permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | string | null | no |
policy | The IAM policy document (JSON) to attach. It is attached to the user's group rather than directly to the user. | string | null | no |
policy_arns | A set of policy ARNs to attach to the user. | set(string) | [] | no |
postfix | Postfix the user, policy and group names with Account, Policy and Group. | bool | true | no |
ssm_ses_smtp_password_v4 | Store the user's SES SMTP password in the SSM Parameter Store. | bool | false | no |
Outputs:
Name | Description |
---|---|
access_key_id | The access key ID |
arn | The user ARN |
name | The user name |
secret_access_key | The secret access key |
ses_smtp_password_v4 | The SES SMTP password |
ssm_access_key_id | The SSM access key ID parameter name |
ssm_secret_access_key | The SSM secret access key parameter name |
ssm_ses_smtp_password_v4 | The SSM SES SMTP password parameter name |
To make local development easier, we have added a pre-commit configuration to the repo. To use it, follow these steps:
Install the following tools:
brew install tflint
Install pre-commit:
pip3 install pre-commit --upgrade
To run the pre-commit hooks and check that everything works as expected (the first run may take a few minutes):
pre-commit run -a
To install the pre-commit hooks to run before each commit:
pre-commit install
- Every time a PR is merged, the draft release note is updated to add an entry for this change.
- The release version is incremented if this is the first PR for a new release. Note: this only updates the draft release note.
- When ready to publish the release, we use the drafted release note to do so.

Release drafter categorizes the changes in the release into Features, Bug Fixes, Documentation and Other Changes categories as per the labels added to the PR. Add one or multiple of the following labels to the PR: breaking, bug, documentation, enhancement, feature, fix, misc, security.

- We require pull request titles to follow the Conventional Commits specification.