From 5db30db5c2c48d1b277bca59ecb046d3f19c1cf0 Mon Sep 17 00:00:00 2001
From: Marwin Baumann
Date: Fri, 24 Feb 2023 17:59:48 +0100
Subject: [PATCH] initial commit
---
 README.md | 1 -
 main.tf | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 outputs.tf | 41 +++++++++++++++++++++++++++++++
 variables.tf | 63 +++++++++++++++++++++++++++++++++++++++++++++++
 versions.tf | 9 +++++++
 5 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 main.tf
 create mode 100644 outputs.tf
 create mode 100644 variables.tf
 create mode 100644 versions.tf
diff --git a/README.md b/README.md
index 46ce6ae..3a8861e 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1 @@
 # github-actions-test
-github-actions-test
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..2986e0b
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,69 @@
+locals {
+ create_policy = var.create_policy != null ? var.create_policy : var.policy != null
+ groups = local.create_policy ? setunion(var.groups, [aws_iam_group.default[0].name]) : [aws_iam_group.default[0].name]
+ ssm_name = replace(var.name, "@", "_")
+}
+
+resource "aws_iam_user" "default" {
+ name = "${var.name}${var.postfix ? "Account" : ""}"
+ path = var.path
+ permissions_boundary = var.permissions_boundary
+ tags = var.tags
+}
+
+resource "aws_iam_access_key" "default" {
+ user = aws_iam_user.default.name
+}
+
+// Our IAM users are not real users so not going to have MFA configured. Real users
+// should instead use AWS SSO and assume a role.
+//
+// tfsec:ignore:aws-iam-enforce-group-mfa
+resource "aws_iam_group" "default" {
+ count = local.create_policy || length(var.policy_arns) > 0 ? 1 : 0
+ name = "${var.name}${var.postfix ? "Group" : ""}"
+}
+
+resource "aws_iam_group_policy" "default" {
+ count = local.create_policy ? 1 : 0
+ name = "${var.name}${var.postfix ? "Policy" : ""}"
+ group = aws_iam_group.default[0].name
+ policy = var.policy
+}
+
+resource "aws_iam_group_policy_attachment" "default" {
+ for_each = var.policy_arns
+
+ group = aws_iam_group.default[0].name
+ policy_arn = each.value
+}
+
+resource "aws_iam_user_group_membership" "default" {
+ user = aws_iam_user.default.name
+ groups = local.groups
+}
+
+resource "aws_ssm_parameter" "access_key_id" {
+ name = "/${lower(local.ssm_name)}${var.postfix ? "account" : ""}/credentials/access_key_id"
+ type = "SecureString"
+ value = aws_iam_access_key.default.id
+ key_id = var.kms_key_id
+ tags = var.tags
+}
+
+resource "aws_ssm_parameter" "secret_access_key" {
+ name = "/${lower(local.ssm_name)}${var.postfix ? "account" : ""}/credentials/secret_access_key"
+ type = "SecureString"
+ value = aws_iam_access_key.default.secret
+ key_id = var.kms_key_id
+ tags = var.tags
+}
+
+resource "aws_ssm_parameter" "ses_smtp_password_v4" {
+ count = var.ssm_ses_smtp_password_v4 ? 1 : 0
+ name = "/${lower(local.ssm_name)}${var.postfix ? "account" : ""}/credentials/ses_smtp_password_v4"
+ type = "SecureString"
+ value = aws_iam_access_key.default.ses_smtp_password_v4
+ key_id = var.kms_key_id
+ tags = var.tags
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..0c346e1
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,41 @@
+output "arn" {
+ value = aws_iam_user.default.arn
+ description = "The user ARN"
+}
+
+output "name" {
+ value = aws_iam_user.default.name
+ description = "The user name"
+}
+
+output "access_key_id" {
+ value = aws_iam_access_key.default.id
+ description = "The access key ID"
+}
+
+output "secret_access_key" {
+ value = aws_iam_access_key.default.secret
+ description = "The secret access key"
+ sensitive = true
+}
+
+output "ses_smtp_password_v4" {
+ value = aws_iam_access_key.default.ses_smtp_password_v4
+ description = "The SES SMTP password"
+ sensitive = true
+}
+
+output "ssm_access_key_id" {
+ value = aws_ssm_parameter.access_key_id.name
+ description = "The SSM access key ID parameter name"
+}
+
+output "ssm_secret_access_key" {
+ value = aws_ssm_parameter.secret_access_key.name
+ description = "The SSM secret access key parameter name"
+}
+
+output "ssm_ses_smtp_password_v4" {
+ value = try(aws_ssm_parameter.ses_smtp_password_v4.0.name, "")
+ description = "The SSM SES SMTP password parameter name"
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..605a14c
--- /dev/null
+++ b/variables.tf
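Review bot: `local.groups` indexes `aws_iam_group.default[0]` on both branches of its conditional, but the group is only created when `local.create_policy` is true or `var.policy_arns` is non-empty, so a user created with neither a policy nor policy ARNs fails at plan time with an index error, and the false branch also silently drops `var.groups`. A splat over the counted resource covers every case in one expression: `groups = setunion(var.groups, aws_iam_group.default[*].name)`. If that set can end up empty, `aws_iam_user_group_membership` would be given no groups, so that resource may also need a `count` guard — worth confirming against the provider's behaviour. Separately, `local.ssm_name` only rewrites `@`; IAM user names may also contain `+`, `=` and `,`, which are not accepted in SSM parameter names, so the replacement likely needs to cover those characters too. The access key secret also lands in Terraform state through `aws_iam_access_key` and the `SecureString` parameter values, which the module should document next to the SSM paths so operators protect the state backend accordingly.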
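Review bot: `ssm_ses_smtp_password_v4` uses the legacy attribute-style index `aws_ssm_parameter.ses_smtp_password_v4.0.name`, while the rest of the module uses bracket indexing (`aws_iam_group.default[0].name` in main.tf); the consistent form is `value = try(aws_ssm_parameter.ses_smtp_password_v4[0].name, "")`. The empty-string fallback is an implicit part of the contract and is not mentioned in the description, so consumers cannot tell whether `""` means "not stored" or an error; `description = "The SSM SES SMTP password parameter name, or an empty string when ssm_ses_smtp_password_v4 is false"` makes that explicit.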
@@ -0,0 +1,63 @@
+variable "name" {
+ type = string
+ description = "The name of the user"
+}
+
+variable "create_policy" {
+ type = bool
+ default = null
+ description = "Overrule whether the user role policy has to be created"
+}
+
+variable "groups" {
+ type = set(string)
+ default = []
+ description = "Set of group names to attach to the user"
+}
+
+variable "path" {
+ type = string
+ default = "/"
+ description = "Path in which to create the user"
+}
+
+variable "permissions_boundary" {
+ type = string
+ default = null
+ description = "The ARN of the policy that is used to set the permissions boundary for the user."
+}
+
+variable "policy" {
+ type = string
+ default = null
+ description = "The policy to attach to the user"
+}
+
+variable "policy_arns" {
+ type = set(string)
+ default = []
+ description = "A set of policy ARNs to attach to the user"
+}
+
+variable "kms_key_id" {
+ type = string
+ default = null
+ description = "The KMS key ID used to encrypt all data"
+}
+
+variable "postfix" {
+ type = bool
+ default = true
+ description = "Postfix the user, policy and group names with Account, Policy and Group"
+}
+
+variable "ssm_ses_smtp_password_v4" {
+ type = bool
+ default = false
+ description = "Store the user's SES SMTP password in the SSM Parameter Store"
+}
+
+variable "tags" {
+ type = map(string)
+ description = "A mapping of tags to assign to the user"
+}
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..92aa08e
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 0.13"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+}
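Review bot: The descriptions of `create_policy` and `policy` say the policy belongs to the user ("user role policy", "attach to the user"), but main.tf attaches `var.policy` as an inline `aws_iam_group_policy` on the group that the user is then made a member of, so the documentation does not match the privilege boundary an operator is configuring; `description = "Overrule whether the group policy has to be created"` and `description = "The inline policy document to attach to the user's group"` would match the implementation. `kms_key_id` should state what happens when it is left `null` — the SSM parameters are then encrypted with the account's default SSM key rather than a customer-managed key, which matters for anyone relying on key policies to gate access to the stored credentials. `name` should also mention that `@` is replaced by `_` and the result lowercased when building the SSM parameter path, since callers need that to locate the parameters.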
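Review bot: `required_providers.aws` declares only a `source` and no `version` constraint, while main.tf relies on the `ses_smtp_password_v4` attribute of `aws_iam_access_key`, which older provider releases do not expose. Adding a lower bound such as `version = ">= <min-verified-provider-version>"` (placeholder — fill in the release this module was verified against) turns that failure into a clear constraint error instead of an unknown-attribute error during plan.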