
resource "aws_iam_user" "nimbus_team" {
  // One IAM user per entry of var.nimbus_team_members, addressed by index.
  count = length(var.nimbus_team_members)

  name = var.nimbus_team_members[count.index]

  // NOTE(review): count addresses the list positionally, so removing or
  // reordering a member shifts every later index and the affected users (plus
  // the access keys and login profiles below that reference them by
  // count.index) are destroyed and re-created. for_each over
  // toset(var.nimbus_team_members) would avoid that churn, but every
  // [count.index] reference in this file would have to change with it.
  tags = {
    Purpose = "Nimbus team Console access"
  }
}
resource "aws_iam_group" "nimbus_team" {
  // Group that collects the nimbus team users; membership and the policy
  // attachment are managed by the separate resources further down.
  path = "/users/"
  name = "nimbus-team-members"
}
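resource "aws_iam_access_key" "nimbus_team" {
  // One long-lived access key per team member. Sized from the same variable
  // as the user and login-profile resources so the three counts cannot drift.
  count = length(var.nimbus_team_members)

  user = aws_iam_user.nimbus_team[count.index].name

  // Public PGP key used to encrypt the generated secret key, so the secret is
  // never stored in plaintext in state or shown in output.
  // file() resolves relative to the working directory, not the module, so the
  // path is anchored with path.module; the bare "files/..." form fails as soon
  // as terraform is run from another directory.
  // NOTE(review): file() requires UTF-8 text, so the .gpg file presumably
  // holds a base64-encoded public key (or "keybase:<user>" would be used
  // instead) — confirm with the team's export procedure.
  // NOTE(review): these keys never expire on their own and the group below
  // carries AdministratorAccess; keep them only for members who need
  // programmatic access and rotate them on a schedule.
  pgp_key = file("${path.module}/files/${aws_iam_user.nimbus_team[count.index].name}.gpg")
}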
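resource "aws_iam_user_login_profile" "nimbus_team" {
  // Console login for each team member.
  count = length(var.nimbus_team_members)

  user = aws_iam_user.nimbus_team[count.index].name

  // Public PGP key used to encrypt the initial console password (exposed as
  // encrypted_password), not the access-key secret as the earlier comment
  // said. Anchored with path.module because file() resolves relative to the
  // working directory, so the bare "files/..." form breaks when terraform is
  // run from elsewhere.
  pgp_key = file("${path.module}/files/${aws_iam_user.nimbus_team[count.index].name}.gpg")

  // Force a password change at first login so the generated password is only
  // ever a bootstrap secret.
  password_reset_required = true

  // After the user changes the password, these attributes no longer match the
  // initial values; ignore them so the profile is not re-created (which would
  // issue a new password) on every plan.
  lifecycle {
    ignore_changes = [password_length, password_reset_required, pgp_key]
  }
}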
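resource "aws_iam_group_membership" "nimbus_team" {
  // Declares the full membership of the group: every managed nimbus user.
  // aws_iam_group_membership is authoritative for the group's member list, so
  // a user added to the group outside Terraform will be removed on the next
  // apply.
  name  = "nimbus-team-group-membership"
  group = aws_iam_group.nimbus_team.name

  // [*] is the full splat form; the ".*." attribute-only splat is the legacy
  // spelling and the file already relies on 0.12+ expressions (for, templates).
  users = aws_iam_user.nimbus_team[*].name
}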
resource "aws_iam_group_policy_attachment" "nimbus_team" {
  // NOTE(review): AdministratorAccess is the AWS-managed full-admin policy, so
  // every member of the group (console login and long-lived access key alike)
  // is an account administrator. A scoped policy for the team's actual duties,
  // and an MFA condition on the console path, would limit the blast radius of
  // a single compromised credential.
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  group      = aws_iam_group.nimbus_team.name
}
/* The initial console passwords are encrypted with each user's GPG key; uncomment this output to retrieve them. */
/*
output "nimbus_team_passwords" {
value = {
for profile in aws_iam_user_login_profile.nimbus_team:
profile.user => profile.encrypted_password
}
}
*/