These types of resources are supported:
- IAM account alias
- IAM password policy
- IAM user
- IAM user login profile
- IAM group
- IAM role
- IAM access key
- IAM SSH public key
iam-account
:
module "iam_account" {
source = "terraform-aws-modules/iam/aws//modules/iam-account"
account_alias = "awesome-company"
minimum_password_length = 37
require_numbers = false
}
iam-assumable-roles
:
module "iam_assumable_roles" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-roles"
trusted_role_arns = [
"arn:aws:iam::307990089504:root",
"arn:aws:iam::835367859851:user/anton",
]
create_admin_role = true
create_poweruser_role = true
poweruser_role_name = "developer"
create_readonly_role = true
readonly_role_requires_mfa = false
}
iam-user
:
module "iam_user" {
source = "terraform-aws-modules/iam/aws//modules/iam-user"
name = "vasya.pupkin"
force_destroy = true
pgp_key = "keybase:test"
password_reset_required = false
}
iam-group-with-assumable-roles-policy
:
# todo
AWS published IAM Best Practices and this Terraform module was created to help with some of points listed there:
Use iam-user module module to manage IAM users.
Use iam-assumable-roles module to create IAM roles with managed policies to support common tasks (admin, poweruser or readonly).
Use iam-group-with-assumable-roles-policy module to manage IAM groups of users who can assume roles.
Use iam-account module to set password policy for your IAM users.
Terraform can't configure MFA for the user. It is only possible via AWS Console and AWS CLI.
iam-assumable-roles and iam-group-with-assumable-roles-policy modules provide complete set of functionality required for this.
iam-assumable-roles module can be configured to require valid MFA token when different roles are assumed (for example, admin role requires MFA, but readonly - does not).
- complete - Create all required resources to allow one group of users to assume privileged role, while another group of users can only assume readonly role.
- iam-account - Set AWS account alias and password policy
- iam-assumable-roles - Create IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
- iam-user - Add IAM user, login profile and access keys
Module managed by Anton Babenko.
Apache 2 Licensed. See LICENSE for full details.