feat: Added direct policy attachment in iam-user module (#387)

Co-authored-by: Anton Babenko <[email protected]>

Author: SlavaDevOps

examples/iam-user/README.md

@@ -25,7 +25,9 @@ Run `terraform destroy` when you don't need these resources.
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |
 
 ## Modules
 
@@ -34,10 +36,13 @@ No providers.
 | <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/iam-user | n/a |
 | <a name="module_iam_user2"></a> [iam\_user2](#module\_iam\_user2) | ../../modules/iam-user | n/a |
 | <a name="module_iam_user3"></a> [iam\_user3](#module\_iam\_user3) | ../../modules/iam-user | n/a |
+| <a name="module_iam_user4"></a> [iam\_user4](#module\_iam\_user4) | ../../modules/iam-user | n/a |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_iam_policy.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 
 ## Inputs
 
@@ -64,4 +69,5 @@ No inputs.
 | <a name="output_keybase_secret_key_decrypt_command"></a> [keybase\_secret\_key\_decrypt\_command](#output\_keybase\_secret\_key\_decrypt\_command) | Decrypt access secret key command |
 | <a name="output_keybase_secret_key_pgp_message"></a> [keybase\_secret\_key\_pgp\_message](#output\_keybase\_secret\_key\_pgp\_message) | Encrypted access secret key |
 | <a name="output_pgp_key"></a> [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| <a name="output_policy_arns"></a> [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/iam-user/main.tf

@@ -46,3 +46,21 @@ module "iam_user3" {
   create_iam_access_key         = true
   iam_access_key_status         = "Inactive"
 }
+
+###################################################################
+# IAM user with IAM policy attached
+###################################################################
+
+data "aws_iam_policy" "example" {
+  name = "AmazonS3ReadOnlyAccess"
+}
+
+module "iam_user4" {
+  source = "../../modules/iam-user"
+
+  name = "vasya.pupkin6"
+
+  create_iam_user_login_profile = false
+  create_iam_access_key         = true
+  policy_arns                   = [data.aws_iam_policy.example.arn]
+}

examples/iam-user/outputs.tf

@@ -85,3 +85,8 @@ output "keybase_secret_key_pgp_message" {
   description = "Encrypted access secret key"
   value       = module.iam_user.keybase_secret_key_pgp_message
 }
+
+output "policy_arns" {
+  description = "The list of ARNs of policies directly assigned to the IAM user"
+  value       = module.iam_user.policy_arns
+}

modules/iam-user/README.md

@@ -46,6 +46,7 @@ No modules.
 | [aws_iam_access_key.this_no_pgp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_login_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
+| [aws_iam_user_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_ssh_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_ssh_key) | resource |
 
 ## Inputs
@@ -63,6 +64,7 @@ No modules.
 | <a name="input_path"></a> [path](#input\_path) | Desired path for the IAM user | `string` | `"/"` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the user. | `string` | `""` | no |
 | <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. | `string` | `""` | no |
+| <a name="input_policy_arns"></a> [policy\_arns](#input\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user | `list(string)` | `[]` | no |
 | <a name="input_ssh_key_encoding"></a> [ssh\_key\_encoding](#input\_ssh\_key\_encoding) | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no |
 | <a name="input_ssh_public_key"></a> [ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
@@ -94,4 +96,5 @@ No modules.
 | <a name="output_keybase_ses_smtp_password_v4_decrypt_command"></a> [keybase\_ses\_smtp\_password\_v4\_decrypt\_command](#output\_keybase\_ses\_smtp\_password\_v4\_decrypt\_command) | Decrypt SES SMTP password command |
 | <a name="output_keybase_ses_smtp_password_v4_pgp_message"></a> [keybase\_ses\_smtp\_password\_v4\_pgp\_message](#output\_keybase\_ses\_smtp\_password\_v4\_pgp\_message) | Encrypted SES SMTP password |
 | <a name="output_pgp_key"></a> [pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| <a name="output_policy_arns"></a> [policy\_arns](#output\_policy\_arns) | The list of ARNs of policies directly assigned to the IAM user |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-user/main.tf

@@ -45,3 +45,10 @@ resource "aws_iam_user_ssh_key" "this" {
   encoding   = var.ssh_key_encoding
   public_key = var.ssh_public_key
 }
+
+resource "aws_iam_user_policy_attachment" "this" {
+  for_each = var.create_user ? toset(var.policy_arns) : []
+
+  user       = aws_iam_user.this[0].name
+  policy_arn = each.value
+}

modules/iam-user/outputs.tf

@@ -149,3 +149,8 @@ output "iam_user_ssh_key_fingerprint" {
   description = "The MD5 message digest of the SSH public key"
   value       = try(aws_iam_user_ssh_key.this[0].fingerprint, "")
 }
+
+output "policy_arns" {
+  description = "The list of ARNs of policies directly assigned to the IAM user"
+  value       = [for policy_attachment in aws_iam_user_policy_attachment.this : policy_attachment.policy_arn]
+}

modules/iam-user/variables.tf

@@ -81,6 +81,12 @@ variable "permissions_boundary" {
   default     = ""
 }
 
+variable "policy_arns" {
+  description = "The list of ARNs of policies directly assigned to the IAM user"
+  type        = list(string)
+  default     = []
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources."
   type        = map(string)

wrappers/iam-user/main.tf

@@ -17,5 +17,6 @@ module "wrapper" {
   ssh_key_encoding              = try(each.value.ssh_key_encoding, var.defaults.ssh_key_encoding, "SSH")
   ssh_public_key                = try(each.value.ssh_public_key, var.defaults.ssh_public_key, "")
   permissions_boundary          = try(each.value.permissions_boundary, var.defaults.permissions_boundary, "")
+  policy_arns                   = try(each.value.policy_arns, var.defaults.policy_arns, [])
   tags                          = try(each.value.tags, var.defaults.tags, {})
 }