create an AWS Console user for stefantalpalaru

Signed-off-by: Jakub Sokołowski <jakub@status.im>

Makefile

@@ -50,12 +50,15 @@ install-provisioner:
 init-terraform:
 	terraform init -upgrade=true
 
-secrets:
+consul-certs:
+	@echo "Saving Consul certificates: ansible/files/consul*"
 	pass services/consul/ca-crt > ansible/files/consul-ca.crt
 	pass services/consul/ca-key > ansible/files/consul-ca.key
 	pass services/consul/client-crt > ansible/files/consul-client.crt
 	pass services/consul/client-key > ansible/files/consul-client.key
-	echo "Saving secrets to: terraform.tfvars"
+
+tf-secrets:
+	@echo "Saving secrets to: terraform.tfvars"
 	@echo -e "\
 # secrets extracted from password-store\n\
 cloudflare_token   = \"$(shell pass cloud/Cloudflare/token)\"\n\
@@ -65,5 +68,7 @@ aws_access_key     = \"$(shell pass cloud/AWS/Nimbus/access-key)\"\n\
 aws_secret_key     = \"$(shell pass cloud/AWS/Nimbus/secret-key)\"\n\
 " > terraform.tfvars
 
+secrets: consul-certs tf-secrets
+
 cleanup:
 	rm -r $(PLUGIN_DIR)/$(ARCHIVE)

files/stefantalpalaru.gpg

@@ -0,0 +1,40 @@
+mQINBFcJJPkBEADRxTiwfCiF6XoNnZonFIiISK9Lizp9zIYDQ/L3jlPnf2Ac+lAxD/HG/+B8faAv
+TPrNQNiGmzIf3ZhfJ88AQZvPxhAoFQbGcuRmMvkqkHO01hdcNwelg48qE4UT4NcsQUWBX3L8XPb0
+ewY4k3gUJsSsbF+nIEpQ0PF0Qo34cpNiRlAnmUUQckWkJ0E7WsVKm2hIugzAjSzZhgqrD/uio3Cj
+I4UJv5Sg49IlP8Vw1GxCmZNvmvrQ3P5vfBG/A/bfwHCnOT68efUlS66j5qApHHXktctYDYMpCtHR
+ilMdLAE19Mwutn28etj7zuVwy8zEqqqv5JxbmSBouR0n/rPlggcl5qH5te49qseVobmahyFpe3F+
+ebhqpodmnj3gemyaE9f4i+X83wbwvdIpoIHXiDl3oBNa52dMlL5MaJo/ELq3WYxc4iG7Vydj9a2n
+CQxEDcEjJMgU9M4U/yH01imHUm0Me58XQPySq2P630egSpxoYmFD87ThSdZHnwp7Y1jCtQAXD5Sn
+HXL61dGSQFPyui424nMLalNvl41yptajIJwZe+yR7WFfz9thZ243goAla9DhRNq/hr0Ct8L942Ig
+LsndWMC2lKMs5JrvI8OxKE2WlXsOxy4Xpx4nRzQK6+hoBCeDty+OJG47P5oo2IgyeZ6JDHP4fKad
+DICSS+orq7+XOwARAQABtC3ImHRlZmFuIFRhbHBhbGFydSA8c3RlZmFudGFscGFsYXJ1QHlhaG9v
+LmNvbT6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQTFjn8/pnAHBBRGuA7L
+95NCBPG2+QUCXonQigUJGkyukQAKCRDL95NCBPG2+aGRD/4nmQcA41QENsPivK91YFtUnn84TmjM
+stx6BkdpaECDsb1d7N3YVN4qEILLbpwT3J9fRhujT3CIhbin4qTNCZhm4ZMKU3PgHzjUbTKmmjKu
+0jN9yLHUsqq8r89jtCrZ7RcjIjZgoGBdH52LC0DNU8T95huJADuuc28xT1x3vaBTb4NMJIvOf9ol
+o/OD3BCLdT15mnSdlPw/MTBwLgxGQMEHbcJDghxz3cvVHN5bTfUwajk6aR/SZ2By+pQiSxuMr0ee
+UEUomWTiRcn7ujkENado8gXehVk3QDkKuDq8+3w+7Zs5SEaLmiHzh7UurmCGaerzrfgWrnGEPxhT
+UMsJmdqIuL7aLLBgpPwlk57wDjpYHYt56Isb1r1zwlqO6Qbp7Jjp11hffIPDywUDYKXFv8xOc58t
+nCMzAgl/XYn9nf9OQGKz7xDSUMTf5rWjQcurhyAdWs6FawF2hVDfE+sFCdD11+lXgsJBAAzSGI7M
+Ft98VvrNXGNTRfk5OvyU9d3C2SFHPrdV/HvhsXl3Jg/9X1G8Pr68Ii4Ag+V4nzRVHYh91hwRlksF
+lnho+LNZMkSJp4JGMDBogvmtssJIu6vC+piXbSv93i6iECfh/qQqz7H8W9+9VLL5idWBdZejUuuf
+5e/tK42fdNMx2VZQtmUaENKCbWi/2EpokX5eqv8etZffE7kCDQRXCST5ARAAw9xYcQlECssLLtsm
+44Ffr8rbnoKSLhXz6xBP2dcfBoiNbBUxdmzuCpIwNg6HPxlkLygH+VskWCuciagZulkdbQZd+VIL
+YYdiQH6TysEqAzErDf04Gloqx1UdA9EOBdhuDdgTJqJpLdcoL+FbN0qZfCCU9gGi+9vgkzqK6Lks
+nyLi15OgE38N4ORLxTrF7MwPz8QdzqVk7s3w9DbiWJCmM6e2s3J6N+CI8zbH8xKWcUWTJSXCRzlZ
+LKcrla29qBKimSrnkwXomPn1/a6OK8w6chYVFbk8lFQ1K+zBI1+lGLVFIcifStFNelBCICAddGVv
+jPvS1993Umw8yPAwH4W2Q7EgpQjQJ2s4AYa5DkQJ9psxzLEYh/Ap+xanpdjqD2Ley8xIlrDhBAcp
+Do6PCi4JFiAbjRE5zK/Ct/BLnWj8GRTgfLt0rqpmawgw9B+X1N6FLYiA7kQVKmu/1c1xLdTjrtpH
+L9pdebs52w/rXc5rswHN2Xdnqn9Kux92WJ0XNdJ9x8y3uXSzmhafQQf873PH4DJFgccNLke11fw0
+Kzc4Yrg5LMH5kSBW9Wa6tap4IMJEmR8k+xrPzuYDwwZwT4ZjYRdgDBXJahxFkLliIjojUv0RxyEc
+vXiF+5TUMwFr9cuLawQ/yakMxVGEAUxkD8QbZW6jiCBHpNECSHu3wgtt3A8AEQEAAYkCPAQYAQoA
+JgIbDBYhBMWOfz+mcAcEFEa4Dsv3k0IE8bb5BQJeic/qBQkaTK3xAAoJEMv3k0IE8bb5gEYP/2OD
+dP7219pmywMfxUijUqNs52LbvxO5rIZGd8eYaWti9SGQ5q9Dz5hb0XSlbcY4gAsIRB0qUbK0pV6K
+1FQBDsWV7ZaMsRtQXfJnACNlFmn8JvPeb6V/8zTnmDLsG3Hf0ZVl1bTXZ9eLmqmJXWEQ2desaciK
+3Tykl2VdOTG5+8XmRaJzEuLe7W6eRNppvD8I+cj+7PLgur1t5kvm3cw03BjOf7r+fA3kNOktjsmY
+XZ+Q8oWt/lqilZXFB6RhGUZw28sIgXPvyuZYPHQo6UsavRaybUlmMspzCWiBJuFHKKe71HtezZjF
+DHsJaaJemkeLV7Hnzk4lSkoK529xpSrU9WKBbVIzJ7q4NC63KG22esuSADtny1kgDeTXhHT7MRPD
+HjOTDubtjqVrVI+XULoy+xUFOO9JiGaMM6GTA5SRhplSNuaRIIeHfOpRBJZZ/OsTDVrwAy9Msd3v
+qXMGlM6LG7/Vl5Y0F0yLLv2G947Nu7jxV1GuZom5rbOhsQ4vRpDpFvwrEcP1ru5dh7AnDYSRyiN+
+KxuDfyFhfLuaVBLp0k4l5ICmh9XoFeqKNoB/I48Rie6eFzUfGtSd6mwufevYPodJOrXdWy3VTnzy
+kCbSKzz43WRDjBghwqLdAkvDU1OerxxAFw/cJ5+9ZeHOlLl/T8uXEeQprI1eaylMMpPeB9sN

users.tf

@@ -0,0 +1,55 @@
+resource "aws_iam_user" "nimbus_team" {
+  name  = var.nimbus_team_members[count.index]
+  count = length(var.nimbus_team_members)
+  tags  = { Purpose = "Nimbus team Console access" }
+}
+
+resource "aws_iam_group" "nimbus_team" {
+  name = "nimbus-team-members"
+  path = "/users/"
+}
+
+resource "aws_iam_access_key" "nimbus_team" {
+  user    = aws_iam_user.nimbus_team[count.index].name
+  count   = length(aws_iam_user.nimbus_team)
+
+  /* GPG key for encrypting the secret key */
+  pgp_key = file("files/${aws_iam_user.nimbus_team[count.index].name}.gpg")
+}
+
+resource "aws_iam_user_login_profile" "nimbus_team" {
+  user  = aws_iam_user.nimbus_team[count.index].name
+  count = length(var.nimbus_team_members)
+
+  /* GPG key for encrypting the secret key */
+  pgp_key = file("files/${aws_iam_user.nimbus_team[count.index].name}.gpg")
+
+  /* Make user change password after first login */
+  password_reset_required = true
+
+  /* Avoid re-creating due to password change */
+  lifecycle {
+    ignore_changes = [password_length, password_reset_required, pgp_key]
+  }
+}
+
+resource "aws_iam_group_membership" "nimbus_team" {
+  name  = "nimbus-team-group-membership"
+  group = aws_iam_group.nimbus_team.name
+  users = aws_iam_user.nimbus_team.*.name
+}
+
+resource "aws_iam_group_policy_attachment" "nimbus_team" {
+  group      = aws_iam_group.nimbus_team.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+/* These are encrypted using the GPG key, uncomment to get the password. */
+/*
+output "nimbus_team_passwords" {
+  value = {
+    for profile in aws_iam_user_login_profile.nimbus_team:
+      profile.user => profile.encrypted_password
+  }
+}
+*/

variables.tf

@@ -48,3 +48,11 @@ variable "log_stores_count" {
   description = "Count of ElasticSearch cluster hosts."
   default     = 3
 }
+
+/* NIMBUS TEAM -----------------------------------*/
+
+variable "nimbus_team_members" {
+  description = "List of Nimbus team members with Console access."
+  type        = list(string)
+  default     = [ "stefantalpalaru" ]
+}