resource "aws_iam_user" "nimbus_team" {
  name  = var.nimbus_team_members[count.index]
  count = length(var.nimbus_team_members)
  tags  = { Purpose = "Nimbus team Console access" }
}

resource "aws_iam_group" "nimbus_team" {
  name = "nimbus-team-members"
  path = "/users/"
}

resource "aws_iam_access_key" "nimbus_team" {
  user  = aws_iam_user.nimbus_team[count.index].name
  count = length(aws_iam_user.nimbus_team)

  /* GPG key for encrypting the secret key */
  pgp_key = file("files/${aws_iam_user.nimbus_team[count.index].name}.gpg")
}

resource "aws_iam_user_login_profile" "nimbus_team" {
  user  = aws_iam_user.nimbus_team[count.index].name
  count = length(var.nimbus_team_members)

  /* GPG key for encrypting the secret key */
  pgp_key = file("files/${aws_iam_user.nimbus_team[count.index].name}.gpg")

  /* Make user change password after first login */
  password_reset_required = true

  /* Avoid re-creating due to password change */
  lifecycle {
    ignore_changes = [password_length, password_reset_required, pgp_key]
  }
}

resource "aws_iam_group_membership" "nimbus_team" {
  name  = "nimbus-team-group-membership"
  group = aws_iam_group.nimbus_team.name
  users = aws_iam_user.nimbus_team.*.name
}

resource "aws_iam_group_policy_attachment" "nimbus_team" {
  group      = aws_iam_group.nimbus_team.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

/* These are encrypted using the GPG key, uncomment to get the password. */
/*
output "nimbus_team_passwords" {
  value = {
    for profile in aws_iam_user_login_profile.nimbus_team:
      profile.user => profile.encrypted_password
  }
}
*/