initial commit

README.md

@@ -1,2 +1 @@
 # github-actions-test
-github-actions-test

main.tf

@@ -0,0 +1,69 @@
+locals {
+  create_policy = var.create_policy != null ? var.create_policy : var.policy != null
+  groups        = local.create_policy ? setunion(var.groups, [aws_iam_group.default[0].name]) : [aws_iam_group.default[0].name]
+  ssm_name      = replace(var.name, "@", "_")
+}
+
+resource "aws_iam_user" "default" {
+  name                 = "${var.name}${var.postfix ? "Account" : ""}"
+  path                 = var.path
+  permissions_boundary = var.permissions_boundary
+  tags                 = var.tags
+}
+
+resource "aws_iam_access_key" "default" {
+  user = aws_iam_user.default.name
+}
+
+// Our IAM users are not real users so not going to have MFA configured. Real users
+// should instead use AWS SSO and assume a role.
+//
+// tfsec:ignore:aws-iam-enforce-group-mfa
+resource "aws_iam_group" "default" {
+  count = local.create_policy || length(var.policy_arns) > 0 ? 1 : 0
+  name  = "${var.name}${var.postfix ? "Group" : ""}"
+}
+
+resource "aws_iam_group_policy" "default" {
+  count  = local.create_policy ? 1 : 0
+  name   = "${var.name}${var.postfix ? "Policy" : ""}"
+  group  = aws_iam_group.default[0].name
+  policy = var.policy
+}
+
+resource "aws_iam_group_policy_attachment" "default" {
+  for_each = var.policy_arns
+
+  group      = aws_iam_group.default[0].name
+  policy_arn = each.value
+}
+
+resource "aws_iam_user_group_membership" "default" {
+  user   = aws_iam_user.default.name
+  groups = local.groups
+}
+
+resource "aws_ssm_parameter" "access_key_id" {
+  name   = "/${lower(local.ssm_name)}${var.postfix ? "account" : ""}/credentials/access_key_id"
+  type   = "SecureString"
+  value  = aws_iam_access_key.default.id
+  key_id = var.kms_key_id
+  tags   = var.tags
+}
+
+resource "aws_ssm_parameter" "secret_access_key" {
+  name   = "/${lower(local.ssm_name)}${var.postfix ? "account" : ""}/credentials/secret_access_key"
+  type   = "SecureString"
+  value  = aws_iam_access_key.default.secret
+  key_id = var.kms_key_id
+  tags   = var.tags
+}
+
+resource "aws_ssm_parameter" "ses_smtp_password_v4" {
+  count  = var.ssm_ses_smtp_password_v4 ? 1 : 0
+  name   = "/${lower(local.ssm_name)}${var.postfix ? "account" : ""}/credentials/ses_smtp_password_v4"
+  type   = "SecureString"
+  value  = aws_iam_access_key.default.ses_smtp_password_v4
+  key_id = var.kms_key_id
+  tags   = var.tags
+}

outputs.tf

@@ -0,0 +1,41 @@
+output "arn" {
+  value       = aws_iam_user.default.arn
+  description = "The user ARN"
+}
+
+output "name" {
+  value       = aws_iam_user.default.name
+  description = "The user name"
+}
+
+output "access_key_id" {
+  value       = aws_iam_access_key.default.id
+  description = "The access key ID"
+}
+
+output "secret_access_key" {
+  value       = aws_iam_access_key.default.secret
+  description = "The secret access key"
+  sensitive   = true
+}
+
+output "ses_smtp_password_v4" {
+  value       = aws_iam_access_key.default.ses_smtp_password_v4
+  description = "The SES SMTP password"
+  sensitive   = true
+}
+
+output "ssm_access_key_id" {
+  value       = aws_ssm_parameter.access_key_id.name
+  description = "The SSM access key ID parameter name"
+}
+
+output "ssm_secret_access_key" {
+  value       = aws_ssm_parameter.secret_access_key.name
+  description = "The SSM secret access key parameter name"
+}
+
+output "ssm_ses_smtp_password_v4" {
+  value       = try(aws_ssm_parameter.ses_smtp_password_v4.0.name, "")
+  description = "The SSM SES SMTP password parameter name"
+}

variables.tf

@@ -0,0 +1,63 @@
+variable "name" {
+  type        = string
+  description = "The name of the user"
+}
+
+variable "create_policy" {
+  type        = bool
+  default     = null
+  description = "Overrule whether the user role policy has to be created"
+}
+
+variable "groups" {
+  type        = set(string)
+  default     = []
+  description = "Set of group names to attach to the user"
+}
+
+variable "path" {
+  type        = string
+  default     = "/"
+  description = "Path in which to create the user"
+}
+
+variable "permissions_boundary" {
+  type        = string
+  default     = null
+  description = "The ARN of the policy that is used to set the permissions boundary for the user."
+}
+
+variable "policy" {
+  type        = string
+  default     = null
+  description = "The policy to attach to the user"
+}
+
+variable "policy_arns" {
+  type        = set(string)
+  default     = []
+  description = "A set of policy ARNs to attach to the user"
+}
+
+variable "kms_key_id" {
+  type        = string
+  default     = null
+  description = "The KMS key ID used to encrypt all data"
+}
+
+variable "postfix" {
+  type        = bool
+  default     = true
+  description = "Postfix the user, policy and group names with Account, Policy and Group"
+}
+
+variable "ssm_ses_smtp_password_v4" {
+  type        = bool
+  default     = false
+  description = "Store the user's SES SMTP password in the SSM Parameter Store"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A mapping of tags to assign to the user"
+}

versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}