Merge pull request #9 from dasmeta/DMVP-4760

feat(DMVP-4760): Add iam user support

modules/role/README.md

@@ -0,0 +1,40 @@
+# role
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.aws-role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.awsrole](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_description"></a> [description](#input\_description) | Role description | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Role name | `string` | n/a | yes |
+| <a name="input_policy"></a> [policy](#input\_policy) | AWS role assigne policy | <pre>list(object({<br/>    actions   = list(string)<br/>    resources = list(string)<br/>  }))</pre> | n/a | yes |
+| <a name="input_trust_relationship"></a> [trust\_relationship](#input\_trust\_relationship) | AWS role trust relationship | <pre>list(object({<br/>    effect     = optional(string, "Allow") # Effect of the policy (Allow or Deny)<br/>    actions    = list(string)              # Actions like sts:AssumeRole<br/>    principals = any                       # Principals (e.g., AWS, Service, Federated)<br/>    conditions = optional(any, [])         # Optional conditions for assume role<br/>  }))</pre> | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/role/tests/basic/README.md

@@ -0,0 +1,29 @@
+# basic
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_test"></a> [test](#module\_test) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/role/tests/without-trust-relationship/README.md

@@ -0,0 +1,29 @@
+# without-trust-relationship
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_test"></a> [test](#module\_test) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/sso/modules/account-assignments/README.md

@@ -73,7 +73,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | n/a | <pre>list(object({<br>    account             = string<br>    permission_set_name = string<br>    permission_set_arn  = string<br>    principal_name      = string<br>    principal_type      = string<br>  }))</pre> | n/a | yes |
+| <a name="input_account_assignments"></a> [account\_assignments](#input\_account\_assignments) | n/a | <pre>list(object({<br/>    account             = string<br/>    permission_set_name = string<br/>    permission_set_arn  = string<br/>    principal_name      = string<br/>    principal_type      = string<br/>  }))</pre> | n/a | yes |
 
 ## Outputs
 

modules/sso/modules/permission-sets/README.md

@@ -95,7 +95,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | n/a | <pre>list(object({<br>    name               = string<br>    description        = string<br>    relay_state        = string<br>    session_duration   = string<br>    tags               = map(string)<br>    inline_policy      = string<br>    policy_attachments = list(string)<br>    customer_managed_policy_attachments = list(object({<br>      name = string<br>      path = string<br>    }))<br>  }))</pre> | `[]` | no |
+| <a name="input_permission_sets"></a> [permission\_sets](#input\_permission\_sets) | n/a | <pre>list(object({<br/>    name               = string<br/>    description        = string<br/>    relay_state        = string<br/>    session_duration   = string<br/>    tags               = map(string)<br/>    inline_policy      = string<br/>    policy_attachments = list(string)<br/>    customer_managed_policy_attachments = list(object({<br/>      name = string<br/>      path = string<br/>    }))<br/>  }))</pre> | `[]` | no |
 
 ## Outputs
 

modules/user/README.md

@@ -0,0 +1,60 @@
+# user
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | terraform-aws-modules/iam/aws//modules/iam-user | 5.44.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_user_policy.iam_user_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_user_policy_attachment.user-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_api"></a> [api](#input\_api) | Whether to create IAM access key | `bool` | `true` | no |
+| <a name="input_console"></a> [console](#input\_console) | Whether to create IAM user login profile | `bool` | `true` | no |
+| <a name="input_create_user"></a> [create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no |
+| <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. `pgp_key` is required when `create_iam_user_login_profile` is set to `true` | `string` | `""` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | AWS role assigne policy | <pre>list(object({<br/>    effect    = optional(string, "Allow")<br/>    actions   = list(string)<br/>    resources = list(string)<br/>    conditions = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })), [])<br/>  }))</pre> | `[]` | no |
+| <a name="input_policy_attachment"></a> [policy\_attachment](#input\_policy\_attachment) | The list of ARN-s of the policy you want to apply | `list(string)` | `[]` | no |
+| <a name="input_username"></a> [username](#input\_username) | Desired name for the IAM user | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_iam_access_key_encrypted_secret"></a> [iam\_access\_key\_encrypted\_secret](#output\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded |
+| <a name="output_iam_access_key_id"></a> [iam\_access\_key\_id](#output\_iam\_access\_key\_id) | The access key ID |
+| <a name="output_iam_access_key_key_fingerprint"></a> [iam\_access\_key\_key\_fingerprint](#output\_iam\_access\_key\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the secret |
+| <a name="output_iam_access_key_secret"></a> [iam\_access\_key\_secret](#output\_iam\_access\_key\_secret) | The access key secret |
+| <a name="output_iam_access_key_ses_smtp_password_v4"></a> [iam\_access\_key\_ses\_smtp\_password\_v4](#output\_iam\_access\_key\_ses\_smtp\_password\_v4) | The secret access key converted into an SES SMTP password |
+| <a name="output_iam_access_key_status"></a> [iam\_access\_key\_status](#output\_iam\_access\_key\_status) | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| <a name="output_iam_user_arn"></a> [iam\_user\_arn](#output\_iam\_user\_arn) | The ARN assigned by AWS for this user |
+| <a name="output_iam_user_login_profile_encrypted_password"></a> [iam\_user\_login\_profile\_encrypted\_password](#output\_iam\_user\_login\_profile\_encrypted\_password) | The encrypted password, base64 encoded |
+| <a name="output_iam_user_login_profile_key_fingerprint"></a> [iam\_user\_login\_profile\_key\_fingerprint](#output\_iam\_user\_login\_profile\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the password |
+| <a name="output_iam_user_name"></a> [iam\_user\_name](#output\_iam\_user\_name) | The user's name |
+| <a name="output_iam_user_unique_id"></a> [iam\_user\_unique\_id](#output\_iam\_user\_unique\_id) | The unique ID assigned by AWS |
+| <a name="output_keybase_password_decrypt_command"></a> [keybase\_password\_decrypt\_command](#output\_keybase\_password\_decrypt\_command) | Decrypt user password command |
+| <a name="output_keybase_password_pgp_message"></a> [keybase\_password\_pgp\_message](#output\_keybase\_password\_pgp\_message) | Encrypted password |
+| <a name="output_keybase_secret_key_decrypt_command"></a> [keybase\_secret\_key\_decrypt\_command](#output\_keybase\_secret\_key\_decrypt\_command) | Decrypt access secret key command |
+| <a name="output_keybase_secret_key_pgp_message"></a> [keybase\_secret\_key\_pgp\_message](#output\_keybase\_secret\_key\_pgp\_message) | Encrypted access secret key |
+| <a name="output_pgp_key"></a> [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/user/main.tf

@@ -0,0 +1,52 @@
+
+
+###
+module "iam_user" {
+  source                        = "terraform-aws-modules/iam/aws//modules/iam-user"
+  version                       = "5.44.1"
+  name                          = var.username
+  create_user                   = var.create_user
+  create_iam_user_login_profile = var.console
+  create_iam_access_key         = var.api
+  pgp_key                       = var.pgp_key
+}
+
+resource "aws_iam_user_policy_attachment" "user-attach" {
+  for_each   = toset(var.policy_attachment)
+  user       = var.username
+  policy_arn = each.value
+  depends_on = [
+    module.iam_user
+  ]
+}
+
+data "aws_iam_policy_document" "policy" {
+  count = length(var.policy) > 0 ? 1 : 0
+
+  dynamic "statement" {
+    for_each = var.policy
+    content {
+      effect    = statement.value.effect
+      actions   = statement.value.actions
+      resources = statement.value.resources
+
+      dynamic "condition" {
+        for_each = length(statement.value.conditions) > 0 ? statement.value.conditions : []
+
+        content {
+          test     = condition.value.test     # Condition type (e.g., StringEquals)
+          variable = condition.value.variable # Condition variable (e.g., "SAML:aud")
+          values   = condition.value.values   # Condition values (list of strings)
+        }
+      }
+    }
+  }
+}
+
+resource "aws_iam_user_policy" "iam_user_policy" {
+  count      = length(var.policy) > 0 && var.create_user ? 1 : 0
+  name       = "policy-${var.username}"
+  user       = var.username
+  depends_on = [module.iam_user]
+  policy     = data.aws_iam_policy_document.policy.0.json
+}

modules/user/outputs.tf

@@ -0,0 +1,81 @@
+output "iam_user_name" {
+  description = "The user's name"
+  value       = module.iam_user.iam_user_name
+}
+
+output "iam_user_arn" {
+  description = "The ARN assigned by AWS for this user"
+  value       = module.iam_user.iam_user_arn
+}
+
+output "iam_user_unique_id" {
+  description = "The unique ID assigned by AWS"
+  value       = module.iam_user.iam_user_unique_id
+}
+
+output "iam_user_login_profile_key_fingerprint" {
+  description = "The fingerprint of the PGP key used to encrypt the password"
+  value       = module.iam_user.iam_user_login_profile_key_fingerprint
+}
+
+output "iam_user_login_profile_encrypted_password" {
+  description = "The encrypted password, base64 encoded"
+  value       = module.iam_user.iam_user_login_profile_encrypted_password
+}
+
+output "iam_access_key_id" {
+  description = "The access key ID"
+  value       = module.iam_user.iam_access_key_id
+}
+
+output "iam_access_key_key_fingerprint" {
+  description = "The fingerprint of the PGP key used to encrypt the secret"
+  value       = module.iam_user.iam_access_key_key_fingerprint
+}
+
+output "iam_access_key_encrypted_secret" {
+  description = "The encrypted secret, base64 encoded"
+  value       = module.iam_user.iam_access_key_encrypted_secret
+}
+
+output "iam_access_key_secret" {
+  description = "The access key secret"
+  value       = module.iam_user.iam_access_key_secret
+  sensitive   = true
+}
+
+output "iam_access_key_ses_smtp_password_v4" {
+  description = "The secret access key converted into an SES SMTP password"
+  value       = module.iam_user.iam_access_key_ses_smtp_password_v4
+  sensitive   = true
+}
+
+output "iam_access_key_status" {
+  description = "Active or Inactive. Keys are initially active, but can be made inactive by other means."
+  value       = module.iam_user.iam_access_key_status
+}
+
+output "pgp_key" {
+  description = "PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted)"
+  value       = module.iam_user.pgp_key
+}
+
+output "keybase_password_decrypt_command" {
+  description = "Decrypt user password command"
+  value       = module.iam_user.keybase_password_decrypt_command
+}
+
+output "keybase_password_pgp_message" {
+  description = "Encrypted password"
+  value       = module.iam_user.keybase_password_pgp_message
+}
+
+output "keybase_secret_key_decrypt_command" {
+  description = "Decrypt access secret key command"
+  value       = module.iam_user.keybase_secret_key_decrypt_command
+}
+
+output "keybase_secret_key_pgp_message" {
+  description = "Encrypted access secret key"
+  value       = module.iam_user.keybase_secret_key_pgp_message
+}

modules/user/tests/basic/0-setup.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+  region = "eu-central-1"
+}

modules/user/tests/basic/1-example.tf

@@ -0,0 +1,16 @@
+module "iam-user" {
+  source   = "../.."
+  username = "sample-user"
+
+  policy = [
+    {
+      actions   = ["ec2:*"]
+      resources = ["*"]
+      conditions = [{
+        test     = "StringEquals"
+        variable = "ec2:InstanceType"
+        values   = ["t3.medium", "c5.2xlarge"]
+      }]
+    }
+  ]
+}

modules/user/tests/basic/README.md

@@ -0,0 +1,32 @@
+# basic
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam-user"></a> [iam-user](#module\_iam-user) | ../.. | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->