| this\_caller\_identity\_account\_id | The ID of the AWS account |
| <aname="output_this_caller_identity_account_id"></a>[this\_caller\_identity\_account\_id](#output\_this\_caller\_identity\_account\_id) | The ID of the AWS account |
| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
| <aname="output_this_iam_account_password_policy_expire_passwords"></a>[this\_iam\_account\_password\_policy\_expire\_passwords](#output\_this\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
| <aname="output_admin_iam_role_arn"></a>[admin\_iam\_role\_arn](#output\_admin\_iam\_role\_arn) | ARN of admin IAM role |
| admin\_iam\_role\_name | Name of admin IAM role |
| <aname="output_admin_iam_role_name"></a>[admin\_iam\_role\_name](#output\_admin\_iam\_role\_name) | Name of admin IAM role |
| admin\_iam\_role\_path | Path of admin IAM role |
| <aname="output_admin_iam_role_path"></a>[admin\_iam\_role\_path](#output\_admin\_iam\_role\_path) | Path of admin IAM role |
| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
| <aname="output_admin_iam_role_requires_mfa"></a>[admin\_iam\_role\_requires\_mfa](#output\_admin\_iam\_role\_requires\_mfa) | Whether admin IAM role requires MFA |
| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
| <aname="output_poweruser_iam_role_arn"></a>[poweruser\_iam\_role\_arn](#output\_poweruser\_iam\_role\_arn) | ARN of poweruser IAM role |
| poweruser\_iam\_role\_name | Name of poweruser IAM role |
| <aname="output_poweruser_iam_role_name"></a>[poweruser\_iam\_role\_name](#output\_poweruser\_iam\_role\_name) | Name of poweruser IAM role |
| poweruser\_iam\_role\_path | Path of poweruser IAM role |
| <aname="output_poweruser_iam_role_path"></a>[poweruser\_iam\_role\_path](#output\_poweruser\_iam\_role\_path) | Path of poweruser IAM role |
| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
| <aname="output_poweruser_iam_role_requires_mfa"></a>[poweruser\_iam\_role\_requires\_mfa](#output\_poweruser\_iam\_role\_requires\_mfa) | Whether poweruser IAM role requires MFA |
| readonly\_iam\_role\_arn | ARN of readonly IAM role |
| <aname="output_readonly_iam_role_arn"></a>[readonly\_iam\_role\_arn](#output\_readonly\_iam\_role\_arn) | ARN of readonly IAM role |
| readonly\_iam\_role\_name | Name of readonly IAM role |
| <aname="output_readonly_iam_role_name"></a>[readonly\_iam\_role\_name](#output\_readonly\_iam\_role\_name) | Name of readonly IAM role |
| readonly\_iam\_role\_path | Path of readonly IAM role |
| <aname="output_readonly_iam_role_path"></a>[readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role |
| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
| <aname="output_readonly_iam_role_requires_mfa"></a>[readonly\_iam\_role\_requires\_mfa](#output\_readonly\_iam\_role\_requires\_mfa) | Whether readonly IAM role requires MFA |
| this\_assumable\_roles | List of ARNs of IAM roles which members of IAM group can assume |
| <aname="output_this_assumable_roles"></a>[this\_assumable\_roles](#output\_this\_assumable\_roles) | List of ARNs of IAM roles which members of IAM group can assume |
| this\_group\_users | List of IAM users in IAM group |
| <aname="output_this_group_users"></a>[this\_group\_users](#output\_this\_group\_users) | List of IAM users in IAM group |
| this\_policy\_arn | Assume role policy ARN for IAM group |
| <aname="output_this_policy_arn"></a>[this\_policy\_arn](#output\_this\_policy\_arn) | Assume role policy ARN for IAM group |
| [aws_caller_identity.iam](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_caller_identity.production](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
## Inputs
## Inputs
No input.
No inputs.
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| iam\_account\_id | IAM AWS account id (this code is managing resources in this account) |
| <aname="output_iam_account_id"></a>[iam\_account\_id](#output\_iam\_account\_id) | IAM AWS account id (this code is managing resources in this account) |
| production\_account\_id | Production AWS account id |
| <aname="output_production_account_id"></a>[production\_account\_id](#output\_production\_account\_id) | Production AWS account id |
| this\_assumable\_roles | List of ARNs of IAM roles which members of IAM group can assume |
| <aname="output_this_assumable_roles"></a>[this\_assumable\_roles](#output\_this\_assumable\_roles) | List of ARNs of IAM roles which members of IAM group can assume |
| this\_group\_users | List of IAM users in IAM group |
| <aname="output_this_group_users"></a>[this\_group\_users](#output\_this\_group\_users) | List of IAM users in IAM group |
| this\_policy\_arn | Assume role policy ARN for IAM group |
| <aname="output_this_policy_arn"></a>[this\_policy\_arn](#output\_this\_policy\_arn) | Assume role policy ARN for IAM group |
| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| <aname="output_pgp_key"></a>[pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
| <aname="output_this_iam_access_key_encrypted_secret"></a>[this\_iam\_access\_key\_encrypted\_secret](#output\_this\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded |
| this\_iam\_access\_key\_id | The access key ID |
| <aname="output_this_iam_access_key_id"></a>[this\_iam\_access\_key\_id](#output\_this\_iam\_access\_key\_id) | The access key ID |
| this\_iam\_access\_key\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
| <aname="output_this_iam_access_key_key_fingerprint"></a>[this\_iam\_access\_key\_key\_fingerprint](#output\_this\_iam\_access\_key\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the secret |
| this\_iam\_access\_key\_secret | The access key secret |
| <aname="output_this_iam_access_key_secret"></a>[this\_iam\_access\_key\_secret](#output\_this\_iam\_access\_key\_secret) | The access key secret |
| this\_iam\_access\_key\_ses\_smtp\_password\_v4 | The secret access key converted into an SES SMTP password |
| <aname="output_this_iam_access_key_ses_smtp_password_v4"></a>[this\_iam\_access\_key\_ses\_smtp\_password\_v4](#output\_this\_iam\_access\_key\_ses\_smtp\_password\_v4) | The secret access key converted into an SES SMTP password |
| this\_iam\_access\_key\_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
| <aname="output_this_iam_access_key_status"></a>[this\_iam\_access\_key\_status](#output\_this\_iam\_access\_key\_status) | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
| this\_iam\_user\_arn | The ARN assigned by AWS for this user |
| <aname="output_this_iam_user_arn"></a>[this\_iam\_user\_arn](#output\_this\_iam\_user\_arn) | The ARN assigned by AWS for this user |
| this\_iam\_user\_login\_profile\_encrypted\_password | The encrypted password, base64 encoded |
| <aname="output_this_iam_user_login_profile_encrypted_password"></a>[this\_iam\_user\_login\_profile\_encrypted\_password](#output\_this\_iam\_user\_login\_profile\_encrypted\_password) | The encrypted password, base64 encoded |
| this\_iam\_user\_login\_profile\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the password |
| <aname="output_this_iam_user_login_profile_key_fingerprint"></a>[this\_iam\_user\_login\_profile\_key\_fingerprint](#output\_this\_iam\_user\_login\_profile\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the password |
| this\_iam\_user\_name | The user's name |
| <aname="output_this_iam_user_name"></a>[this\_iam\_user\_name](#output\_this\_iam\_user\_name) | The user's name |
| this\_iam\_user\_unique\_id | The unique ID assigned by AWS |
| <aname="output_this_iam_user_unique_id"></a>[this\_iam\_user\_unique\_id](#output\_this\_iam\_user\_unique\_id) | The unique ID assigned by AWS |
| account\_alias | AWS IAM account alias for this account | `string` | n/a | yes |
| <aname="input_account_alias"></a>[account\_alias](#input\_account\_alias) | AWS IAM account alias for this account | `string` | n/a | yes |
| allow\_users\_to\_change\_password | Whether to allow users to change their own password | `bool` | `true` | no |
| <aname="input_allow_users_to_change_password"></a>[allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password | `bool` | `true` | no |
| create\_account\_password\_policy | Whether to create AWS IAM account password policy | `bool` | `true` | no |
| <aname="input_create_account_password_policy"></a>[create\_account\_password\_policy](#input\_create\_account\_password\_policy) | Whether to create AWS IAM account password policy | `bool` | `true` | no |
| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | `bool` | `true` | no |
| <aname="input_get_caller_identity"></a>[get\_caller\_identity](#input\_get\_caller\_identity) | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | `bool` | `true` | no |
| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | `bool` | `false` | no |
| <aname="input_hard_expiry"></a>[hard\_expiry](#input\_hard\_expiry) | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | `bool` | `false` | no |
| max\_password\_age | The number of days that an user password is valid. | `number` | `0` | no |
| <aname="input_max_password_age"></a>[max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | `0` | no |
| minimum\_password\_length | Minimum length to require for user passwords | `number` | `8` | no |
| <aname="input_minimum_password_length"></a>[minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords | `number` | `8` | no |
| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | `number` | `null` | no |
| <aname="input_password_reuse_prevention"></a>[password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing | `number` | `null` | no |
| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | `bool` | `true` | no |
| <aname="input_require_lowercase_characters"></a>[require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords | `bool` | `true` | no |
| require\_numbers | Whether to require numbers for user passwords | `bool` | `true` | no |
| <aname="input_require_numbers"></a>[require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords | `bool` | `true` | no |
| require\_symbols | Whether to require symbols for user passwords | `bool` | `true` | no |
| <aname="input_require_symbols"></a>[require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords | `bool` | `true` | no |
| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | `bool` | `true` | no |
| <aname="input_require_uppercase_characters"></a>[require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords | `bool` | `true` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| this\_caller\_identity\_account\_id | The AWS Account ID number of the account that owns or contains the calling entity |
| <aname="output_this_caller_identity_account_id"></a>[this\_caller\_identity\_account\_id](#output\_this\_caller\_identity\_account\_id) | The AWS Account ID number of the account that owns or contains the calling entity |
| this\_caller\_identity\_arn | The AWS ARN associated with the calling entity |
| <aname="output_this_caller_identity_arn"></a>[this\_caller\_identity\_arn](#output\_this\_caller\_identity\_arn) | The AWS ARN associated with the calling entity |
| this\_caller\_identity\_user\_id | The unique identifier of the calling entity |
| <aname="output_this_caller_identity_user_id"></a>[this\_caller\_identity\_user\_id](#output\_this\_caller\_identity\_user\_id) | The unique identifier of the calling entity |
| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
| <aname="output_this_iam_account_password_policy_expire_passwords"></a>[this\_iam\_account\_password\_policy\_expire\_passwords](#output\_this\_iam\_account\_password\_policy\_expire\_passwords) | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider | `string` | `""` | no |
| <aname="input_aws_account_id"></a>[aws\_account\_id](#input\_aws\_account\_id) | The AWS account ID where the OIDC provider lives, leave empty to use the account for the AWS provider | `string` | `""` | no |
| create\_role | Whether to create a role | `bool` | `false` | no |
| <aname="input_create_role"></a>[create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| <aname="input_force_detach_policies"></a>[force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| <aname="input_max_session_duration"></a>[max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| number\_of\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `null` | no |
| <aname="input_number_of_role_policy_arns"></a>[number\_of\_role\_policy\_arns](#input\_number\_of\_role\_policy\_arns) | Number of IAM policies to attach to IAM role | `number` | `null` | no |
| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
| <aname="input_oidc_fully_qualified_subjects"></a>[oidc\_fully\_qualified\_subjects](#input\_oidc\_fully\_qualified\_subjects) | The fully qualified OIDC subjects to be added to the role policy | `set(string)` | `[]` | no |
| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
| <aname="input_oidc_subjects_with_wildcards"></a>[oidc\_subjects\_with\_wildcards](#input\_oidc\_subjects\_with\_wildcards) | The OIDC subject using wildcards to be added to the role policy | `set(string)` | `[]` | no |
| provider\_url | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
| <aname="input_provider_url"></a>[provider\_url](#input\_provider\_url) | URL of the OIDC Provider. Use provider\_urls to specify several URLs. | `string` | `""` | no |
| provider\_urls | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
| <aname="input_provider_urls"></a>[provider\_urls](#input\_provider\_urls) | List of URLs of the OIDC Providers | `list(string)` | `[]` | no |
| role\_description | IAM Role description | `string` | `""` | no |
| <aname="input_role_description"></a>[role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |
| role\_name | IAM role name | `string` | `null` | no |
| <aname="input_role_name"></a>[role\_name](#input\_role\_name) | IAM role name | `string` | `null` | no |
| role\_name\_prefix | IAM role name prefix | `string` | `null` | no |
| <aname="input_role_name_prefix"></a>[role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
| role\_path | Path of IAM role | `string` | `"/"` | no |
| <aname="input_role_path"></a>[role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| <aname="input_role_permissions_boundary_arn"></a>[role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| <aname="input_role_policy_arns"></a>[role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| this\_iam\_role\_arn | ARN of IAM role |
| <aname="output_this_iam_role_arn"></a>[this\_iam\_role\_arn](#output\_this\_iam\_role\_arn) | ARN of IAM role |
| this\_iam\_role\_name | Name of IAM role |
| <aname="output_this_iam_role_name"></a>[this\_iam\_role\_name](#output\_this\_iam\_role\_name) | Name of IAM role |
| this\_iam\_role\_path | Path of IAM role |
| <aname="output_this_iam_role_path"></a>[this\_iam\_role\_path](#output\_this\_iam\_role\_path) | Path of IAM role |
| create\_role | Whether to create a role | `bool` | `false` | no |
| <aname="input_create_role"></a>[create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| <aname="input_force_detach_policies"></a>[force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| <aname="input_max_session_duration"></a>[max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| number\_of\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `null` | no |
| <aname="input_number_of_role_policy_arns"></a>[number\_of\_role\_policy\_arns](#input\_number\_of\_role\_policy\_arns) | Number of IAM policies to attach to IAM role | `number` | `null` | no |
| provider\_id | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no |
| <aname="input_provider_id"></a>[provider\_id](#input\_provider\_id) | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no |
| provider\_ids | List of SAML Provider IDs | `list(string)` | `[]` | no |
| <aname="input_provider_ids"></a>[provider\_ids](#input\_provider\_ids) | List of SAML Provider IDs | `list(string)` | `[]` | no |
| role\_description | IAM Role description | `string` | `""` | no |
| <aname="input_role_description"></a>[role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |
| role\_name | IAM role name | `string` | `null` | no |
| <aname="input_role_name"></a>[role\_name](#input\_role\_name) | IAM role name | `string` | `null` | no |
| role\_name\_prefix | IAM role name prefix | `string` | `null` | no |
| <aname="input_role_name_prefix"></a>[role\_name\_prefix](#input\_role\_name\_prefix) | IAM role name prefix | `string` | `null` | no |
| role\_path | Path of IAM role | `string` | `"/"` | no |
| <aname="input_role_path"></a>[role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| <aname="input_role_permissions_boundary_arn"></a>[role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| <aname="input_role_policy_arns"></a>[role\_policy\_arns](#input\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| this\_iam\_role\_arn | ARN of IAM role |
| <aname="output_this_iam_role_arn"></a>[this\_iam\_role\_arn](#output\_this\_iam\_role\_arn) | ARN of IAM role |
| this\_iam\_role\_name | Name of IAM role |
| <aname="output_this_iam_role_name"></a>[this\_iam\_role\_name](#output\_this\_iam\_role\_name) | Name of IAM role |
| this\_iam\_role\_path | Path of IAM role |
| <aname="output_this_iam_role_path"></a>[this\_iam\_role\_path](#output\_this\_iam\_role\_path) | Path of IAM role |
| admin\_role\_policy\_arn | Policy ARN to use for admin role | `string` | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| <aname="input_admin_role_policy_arn"></a>[admin\_role\_policy\_arn](#input\_admin\_role\_policy\_arn) | Policy ARN to use for admin role | `string` | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| attach\_admin\_policy | Whether to attach an admin policy to a role | `bool` | `false` | no |
| <aname="input_attach_admin_policy"></a>[attach\_admin\_policy](#input\_attach\_admin\_policy) | Whether to attach an admin policy to a role | `bool` | `false` | no |
| attach\_poweruser\_policy | Whether to attach a poweruser policy to a role | `bool` | `false` | no |
| <aname="input_attach_poweruser_policy"></a>[attach\_poweruser\_policy](#input\_attach\_poweruser\_policy) | Whether to attach a poweruser policy to a role | `bool` | `false` | no |
| attach\_readonly\_policy | Whether to attach a readonly policy to a role | `bool` | `false` | no |
| <aname="input_attach_readonly_policy"></a>[attach\_readonly\_policy](#input\_attach\_readonly\_policy) | Whether to attach a readonly policy to a role | `bool` | `false` | no |
| create\_instance\_profile | Whether to create an instance profile | `bool` | `false` | no |
| <aname="input_create_instance_profile"></a>[create\_instance\_profile](#input\_create\_instance\_profile) | Whether to create an instance profile | `bool` | `false` | no |
| create\_role | Whether to create a role | `bool` | `false` | no |
| <aname="input_create_role"></a>[create\_role](#input\_create\_role) | Whether to create a role | `bool` | `false` | no |
| custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| <aname="input_custom_role_policy_arns"></a>[custom\_role\_policy\_arns](#input\_custom\_role\_policy\_arns) | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| <aname="input_force_detach_policies"></a>[force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| <aname="input_max_session_duration"></a>[max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| <aname="input_mfa_age"></a>[mfa\_age](#input\_mfa\_age) | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| number\_of\_custom\_role\_policy\_arns | Number of IAM policies to attach to IAM role | `number` | `null` | no |
| <aname="input_number_of_custom_role_policy_arns"></a>[number\_of\_custom\_role\_policy\_arns](#input\_number\_of\_custom\_role\_policy\_arns) | Number of IAM policies to attach to IAM role | `number` | `null` | no |
| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
| <aname="input_poweruser_role_policy_arn"></a>[poweruser\_role\_policy\_arn](#input\_poweruser\_role\_policy\_arn) | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| <aname="input_readonly_role_policy_arn"></a>[readonly\_role\_policy\_arn](#input\_readonly\_role\_policy\_arn) | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| role\_description | IAM Role description | `string` | `""` | no |
| <aname="input_role_description"></a>[role\_description](#input\_role\_description) | IAM Role description | `string` | `""` | no |
| role\_name | IAM role name | `string` | `""` | no |
| <aname="input_role_name"></a>[role\_name](#input\_role\_name) | IAM role name | `string` | `""` | no |
| role\_path | Path of IAM role | `string` | `"/"` | no |
| <aname="input_role_path"></a>[role\_path](#input\_role\_path) | Path of IAM role | `string` | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| <aname="input_role_permissions_boundary_arn"></a>[role\_permissions\_boundary\_arn](#input\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
| <aname="input_role_requires_mfa"></a>[role\_requires\_mfa](#input\_role\_requires\_mfa) | Whether role requires MFA | `bool` | `true` | no |
| role\_sts\_externalid | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
| <aname="input_role_sts_externalid"></a>[role\_sts\_externalid](#input\_role\_sts\_externalid) | STS ExternalId condition values to use with a role (when MFA is not required) | `any` | `[]` | no |
| tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| trusted\_role\_actions | Actions of STS | `list(string)` | <pre>[<br> "sts:AssumeRole"<br>]</pre> | no |
| <aname="input_trusted_role_actions"></a>[trusted\_role\_actions](#input\_trusted\_role\_actions) | Actions of STS | `list(string)` | <pre>[<br> "sts:AssumeRole"<br>]</pre> | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| <aname="input_trusted_role_arns"></a>[trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | `list(string)` | `[]` | no |
| <aname="input_trusted_role_services"></a>[trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| role\_requires\_mfa | Whether IAM role requires MFA |
| <aname="output_role_requires_mfa"></a>[role\_requires\_mfa](#output\_role\_requires\_mfa) | Whether IAM role requires MFA |
| role\_sts\_externalid | STS ExternalId condition value to use with a role |
| <aname="output_role_sts_externalid"></a>[role\_sts\_externalid](#output\_role\_sts\_externalid) | STS ExternalId condition value to use with a role |
| this\_iam\_instance\_profile\_arn | ARN of IAM instance profile |
| <aname="output_this_iam_instance_profile_arn"></a>[this\_iam\_instance\_profile\_arn](#output\_this\_iam\_instance\_profile\_arn) | ARN of IAM instance profile |
| this\_iam\_instance\_profile\_name | Name of IAM instance profile |
| <aname="output_this_iam_instance_profile_name"></a>[this\_iam\_instance\_profile\_name](#output\_this\_iam\_instance\_profile\_name) | Name of IAM instance profile |
| this\_iam\_instance\_profile\_path | Path of IAM instance profile |
| <aname="output_this_iam_instance_profile_path"></a>[this\_iam\_instance\_profile\_path](#output\_this\_iam\_instance\_profile\_path) | Path of IAM instance profile |
| this\_iam\_role\_arn | ARN of IAM role |
| <aname="output_this_iam_role_arn"></a>[this\_iam\_role\_arn](#output\_this\_iam\_role\_arn) | ARN of IAM role |
| this\_iam\_role\_name | Name of IAM role |
| <aname="output_this_iam_role_name"></a>[this\_iam\_role\_name](#output\_this\_iam\_role\_name) | Name of IAM role |
| this\_iam\_role\_path | Path of IAM role |
| <aname="output_this_iam_role_path"></a>[this\_iam\_role\_path](#output\_this\_iam\_role\_path) | Path of IAM role |
| admin\_role\_name | IAM role with admin access | `string` | `"admin"` | no |
| <aname="input_admin_role_name"></a>[admin\_role\_name](#input\_admin\_role\_name) | IAM role with admin access | `string` | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | `string` | `"/"` | no |
| <aname="input_admin_role_path"></a>[admin\_role\_path](#input\_admin\_role\_path) | Path of admin IAM role | `string` | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | `string` | `""` | no |
| <aname="input_admin_role_permissions_boundary_arn"></a>[admin\_role\_permissions\_boundary\_arn](#input\_admin\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for admin role | `string` | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/AdministratorAccess"<br>]</pre> | no |
| <aname="input_admin_role_policy_arns"></a>[admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/AdministratorAccess"<br>]</pre> | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | `map(string)` | `{}` | no |
| <aname="input_admin_role_tags"></a>[admin\_role\_tags](#input\_admin\_role\_tags) | A map of tags to add to admin role resource. | `map(string)` | `{}` | no |
| create\_admin\_role | Whether to create admin role | `bool` | `false` | no |
| <aname="input_create_admin_role"></a>[create\_admin\_role](#input\_create\_admin\_role) | Whether to create admin role | `bool` | `false` | no |
| create\_poweruser\_role | Whether to create poweruser role | `bool` | `false` | no |
| <aname="input_create_poweruser_role"></a>[create\_poweruser\_role](#input\_create\_poweruser\_role) | Whether to create poweruser role | `bool` | `false` | no |
| create\_readonly\_role | Whether to create readonly role | `bool` | `false` | no |
| <aname="input_create_readonly_role"></a>[create\_readonly\_role](#input\_create\_readonly\_role) | Whether to create readonly role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| <aname="input_force_detach_policies"></a>[force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| <aname="input_max_session_duration"></a>[max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| poweruser\_role\_name | IAM role with poweruser access | `string` | `"poweruser"` | no |
| <aname="input_poweruser_role_name"></a>[poweruser\_role\_name](#input\_poweruser\_role\_name) | IAM role with poweruser access | `string` | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | `string` | `"/"` | no |
| <aname="input_poweruser_role_path"></a>[poweruser\_role\_path](#input\_poweruser\_role\_path) | Path of poweruser IAM role | `string` | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
| <aname="input_poweruser_role_permissions_boundary_arn"></a>[poweruser\_role\_permissions\_boundary\_arn](#input\_poweruser\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/PowerUserAccess"<br>]</pre> | no |
| <aname="input_poweruser_role_policy_arns"></a>[poweruser\_role\_policy\_arns](#input\_poweruser\_role\_policy\_arns) | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/PowerUserAccess"<br>]</pre> | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
| <aname="input_poweruser_role_tags"></a>[poweruser\_role\_tags](#input\_poweruser\_role\_tags) | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
| provider\_id | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no |
| <aname="input_provider_id"></a>[provider\_id](#input\_provider\_id) | ID of the SAML Provider. Use provider\_ids to specify several IDs. | `string` | `""` | no |
| provider\_ids | List of SAML Provider IDs | `list(string)` | `[]` | no |
| <aname="input_provider_ids"></a>[provider\_ids](#input\_provider\_ids) | List of SAML Provider IDs | `list(string)` | `[]` | no |
| readonly\_role\_name | IAM role with readonly access | `string` | `"readonly"` | no |
| <aname="input_readonly_role_name"></a>[readonly\_role\_name](#input\_readonly\_role\_name) | IAM role with readonly access | `string` | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | `string` | `"/"` | no |
| <aname="input_readonly_role_path"></a>[readonly\_role\_path](#input\_readonly\_role\_path) | Path of readonly IAM role | `string` | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| <aname="input_readonly_role_permissions_boundary_arn"></a>[readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
| <aname="input_readonly_role_policy_arns"></a>[readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
| <aname="input_readonly_role_tags"></a>[readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| admin\_iam\_role\_arn | ARN of admin IAM role |
| <aname="output_admin_iam_role_arn"></a>[admin\_iam\_role\_arn](#output\_admin\_iam\_role\_arn) | ARN of admin IAM role |
| admin\_iam\_role\_name | Name of admin IAM role |
| <aname="output_admin_iam_role_name"></a>[admin\_iam\_role\_name](#output\_admin\_iam\_role\_name) | Name of admin IAM role |
| admin\_iam\_role\_path | Path of admin IAM role |
| <aname="output_admin_iam_role_path"></a>[admin\_iam\_role\_path](#output\_admin\_iam\_role\_path) | Path of admin IAM role |
| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
| <aname="output_poweruser_iam_role_arn"></a>[poweruser\_iam\_role\_arn](#output\_poweruser\_iam\_role\_arn) | ARN of poweruser IAM role |
| poweruser\_iam\_role\_name | Name of poweruser IAM role |
| <aname="output_poweruser_iam_role_name"></a>[poweruser\_iam\_role\_name](#output\_poweruser\_iam\_role\_name) | Name of poweruser IAM role |
| poweruser\_iam\_role\_path | Path of poweruser IAM role |
| <aname="output_poweruser_iam_role_path"></a>[poweruser\_iam\_role\_path](#output\_poweruser\_iam\_role\_path) | Path of poweruser IAM role |
| readonly\_iam\_role\_arn | ARN of readonly IAM role |
| <aname="output_readonly_iam_role_arn"></a>[readonly\_iam\_role\_arn](#output\_readonly\_iam\_role\_arn) | ARN of readonly IAM role |
| readonly\_iam\_role\_name | Name of readonly IAM role |
| <aname="output_readonly_iam_role_name"></a>[readonly\_iam\_role\_name](#output\_readonly\_iam\_role\_name) | Name of readonly IAM role |
| readonly\_iam\_role\_path | Path of readonly IAM role |
| <aname="output_readonly_iam_role_path"></a>[readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role |
| admin\_role\_name | IAM role with admin access | `string` | `"admin"` | no |
| <aname="input_admin_role_name"></a>[admin\_role\_name](#input\_admin\_role\_name) | IAM role with admin access | `string` | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | `string` | `"/"` | no |
| <aname="input_admin_role_path"></a>[admin\_role\_path](#input\_admin\_role\_path) | Path of admin IAM role | `string` | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | `string` | `""` | no |
| <aname="input_admin_role_permissions_boundary_arn"></a>[admin\_role\_permissions\_boundary\_arn](#input\_admin\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for admin role | `string` | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/AdministratorAccess"<br>]</pre> | no |
| <aname="input_admin_role_policy_arns"></a>[admin\_role\_policy\_arns](#input\_admin\_role\_policy\_arns) | List of policy ARNs to use for admin role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/AdministratorAccess"<br>]</pre> | no |
| admin\_role\_requires\_mfa | Whether admin role requires MFA | `bool` | `true` | no |
| <aname="input_admin_role_requires_mfa"></a>[admin\_role\_requires\_mfa](#input\_admin\_role\_requires\_mfa) | Whether admin role requires MFA | `bool` | `true` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | `map(string)` | `{}` | no |
| <aname="input_admin_role_tags"></a>[admin\_role\_tags](#input\_admin\_role\_tags) | A map of tags to add to admin role resource. | `map(string)` | `{}` | no |
| create\_admin\_role | Whether to create admin role | `bool` | `false` | no |
| <aname="input_create_admin_role"></a>[create\_admin\_role](#input\_create\_admin\_role) | Whether to create admin role | `bool` | `false` | no |
| create\_poweruser\_role | Whether to create poweruser role | `bool` | `false` | no |
| <aname="input_create_poweruser_role"></a>[create\_poweruser\_role](#input\_create\_poweruser\_role) | Whether to create poweruser role | `bool` | `false` | no |
| create\_readonly\_role | Whether to create readonly role | `bool` | `false` | no |
| <aname="input_create_readonly_role"></a>[create\_readonly\_role](#input\_create\_readonly\_role) | Whether to create readonly role | `bool` | `false` | no |
| force\_detach\_policies | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| <aname="input_force_detach_policies"></a>[force\_detach\_policies](#input\_force\_detach\_policies) | Whether policies should be detached from this role when destroying | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| <aname="input_max_session_duration"></a>[max\_session\_duration](#input\_max\_session\_duration) | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| <aname="input_mfa_age"></a>[mfa\_age](#input\_mfa\_age) | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| poweruser\_role\_name | IAM role with poweruser access | `string` | `"poweruser"` | no |
| <aname="input_poweruser_role_name"></a>[poweruser\_role\_name](#input\_poweruser\_role\_name) | IAM role with poweruser access | `string` | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | `string` | `"/"` | no |
| <aname="input_poweruser_role_path"></a>[poweruser\_role\_path](#input\_poweruser\_role\_path) | Path of poweruser IAM role | `string` | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
| <aname="input_poweruser_role_permissions_boundary_arn"></a>[poweruser\_role\_permissions\_boundary\_arn](#input\_poweruser\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/PowerUserAccess"<br>]</pre> | no |
| <aname="input_poweruser_role_policy_arns"></a>[poweruser\_role\_policy\_arns](#input\_poweruser\_role\_policy\_arns) | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/PowerUserAccess"<br>]</pre> | no |
| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | `bool` | `true` | no |
| <aname="input_poweruser_role_requires_mfa"></a>[poweruser\_role\_requires\_mfa](#input\_poweruser\_role\_requires\_mfa) | Whether poweruser role requires MFA | `bool` | `true` | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
| <aname="input_poweruser_role_tags"></a>[poweruser\_role\_tags](#input\_poweruser\_role\_tags) | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
| readonly\_role\_name | IAM role with readonly access | `string` | `"readonly"` | no |
| <aname="input_readonly_role_name"></a>[readonly\_role\_name](#input\_readonly\_role\_name) | IAM role with readonly access | `string` | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | `string` | `"/"` | no |
| <aname="input_readonly_role_path"></a>[readonly\_role\_path](#input\_readonly\_role\_path) | Path of readonly IAM role | `string` | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| <aname="input_readonly_role_permissions_boundary_arn"></a>[readonly\_role\_permissions\_boundary\_arn](#input\_readonly\_role\_permissions\_boundary\_arn) | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
| <aname="input_readonly_role_policy_arns"></a>[readonly\_role\_policy\_arns](#input\_readonly\_role\_policy\_arns) | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]</pre> | no |
| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | `bool` | `true` | no |
| <aname="input_readonly_role_requires_mfa"></a>[readonly\_role\_requires\_mfa](#input\_readonly\_role\_requires\_mfa) | Whether readonly role requires MFA | `bool` | `true` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
| <aname="input_readonly_role_tags"></a>[readonly\_role\_tags](#input\_readonly\_role\_tags) | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| <aname="input_trusted_role_arns"></a>[trusted\_role\_arns](#input\_trusted\_role\_arns) | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | `list(string)` | `[]` | no |
| <aname="input_trusted_role_services"></a>[trusted\_role\_services](#input\_trusted\_role\_services) | AWS Services that can assume these roles | `list(string)` | `[]` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| admin\_iam\_role\_arn | ARN of admin IAM role |
| <aname="output_admin_iam_role_arn"></a>[admin\_iam\_role\_arn](#output\_admin\_iam\_role\_arn) | ARN of admin IAM role |
| admin\_iam\_role\_name | Name of admin IAM role |
| <aname="output_admin_iam_role_name"></a>[admin\_iam\_role\_name](#output\_admin\_iam\_role\_name) | Name of admin IAM role |
| admin\_iam\_role\_path | Path of admin IAM role |
| <aname="output_admin_iam_role_path"></a>[admin\_iam\_role\_path](#output\_admin\_iam\_role\_path) | Path of admin IAM role |
| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
| <aname="output_admin_iam_role_requires_mfa"></a>[admin\_iam\_role\_requires\_mfa](#output\_admin\_iam\_role\_requires\_mfa) | Whether admin IAM role requires MFA |
| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
| <aname="output_poweruser_iam_role_arn"></a>[poweruser\_iam\_role\_arn](#output\_poweruser\_iam\_role\_arn) | ARN of poweruser IAM role |
| poweruser\_iam\_role\_name | Name of poweruser IAM role |
| <aname="output_poweruser_iam_role_name"></a>[poweruser\_iam\_role\_name](#output\_poweruser\_iam\_role\_name) | Name of poweruser IAM role |
| poweruser\_iam\_role\_path | Path of poweruser IAM role |
| <aname="output_poweruser_iam_role_path"></a>[poweruser\_iam\_role\_path](#output\_poweruser\_iam\_role\_path) | Path of poweruser IAM role |
| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
| <aname="output_poweruser_iam_role_requires_mfa"></a>[poweruser\_iam\_role\_requires\_mfa](#output\_poweruser\_iam\_role\_requires\_mfa) | Whether poweruser IAM role requires MFA |
| readonly\_iam\_role\_arn | ARN of readonly IAM role |
| <aname="output_readonly_iam_role_arn"></a>[readonly\_iam\_role\_arn](#output\_readonly\_iam\_role\_arn) | ARN of readonly IAM role |
| readonly\_iam\_role\_name | Name of readonly IAM role |
| <aname="output_readonly_iam_role_name"></a>[readonly\_iam\_role\_name](#output\_readonly\_iam\_role\_name) | Name of readonly IAM role |
| readonly\_iam\_role\_path | Path of readonly IAM role |
| <aname="output_readonly_iam_role_path"></a>[readonly\_iam\_role\_path](#output\_readonly\_iam\_role\_path) | Path of readonly IAM role |
| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
| <aname="output_readonly_iam_role_requires_mfa"></a>[readonly\_iam\_role\_requires\_mfa](#output\_readonly\_iam\_role\_requires\_mfa) | Whether readonly IAM role requires MFA |
| assumable\_roles | List of IAM roles ARNs which can be assumed by the group | `list(string)` | `[]` | no |
| <aname="input_assumable_roles"></a>[assumable\_roles](#input\_assumable\_roles) | List of IAM roles ARNs which can be assumed by the group | `list(string)` | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| <aname="input_group_users"></a>[group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| name | Name of IAM policy and IAM group | `string` | n/a | yes |
| <aname="input_name"></a>[name](#input\_name) | Name of IAM policy and IAM group | `string` | n/a | yes |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| group\_arn | IAM group arn |
| <aname="output_group_arn"></a>[group\_arn](#output\_group\_arn) | IAM group arn |
| group\_name | IAM group name |
| <aname="output_group_name"></a>[group\_name](#output\_group\_name) | IAM group name |
| this\_assumable\_roles | List of ARNs of IAM roles which members of IAM group can assume |
| <aname="output_this_assumable_roles"></a>[this\_assumable\_roles](#output\_this\_assumable\_roles) | List of ARNs of IAM roles which members of IAM group can assume |
| this\_group\_users | List of IAM users in IAM group |
| <aname="output_this_group_users"></a>[this\_group\_users](#output\_this\_group\_users) | List of IAM users in IAM group |
| this\_policy\_arn | Assume role policy ARN of IAM group |
| <aname="output_this_policy_arn"></a>[this\_policy\_arn](#output\_this\_policy\_arn) | Assume role policy ARN of IAM group |
| attach\_iam\_self\_management\_policy | Whether to attach IAM policy which allows IAM users to manage their credentials and MFA | `bool` | `true` | no |
| <aname="input_attach_iam_self_management_policy"></a>[attach\_iam\_self\_management\_policy](#input\_attach\_iam\_self\_management\_policy) | Whether to attach IAM policy which allows IAM users to manage their credentials and MFA | `bool` | `true` | no |
| aws\_account\_id | AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. | `string` | `""` | no |
| <aname="input_aws_account_id"></a>[aws\_account\_id](#input\_aws\_account\_id) | AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. | `string` | `""` | no |
| create\_group | Whether to create IAM group | `bool` | `true` | no |
| <aname="input_create_group"></a>[create\_group](#input\_create\_group) | Whether to create IAM group | `bool` | `true` | no |
| custom\_group\_policies | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | `list(map(string))` | `[]` | no |
| <aname="input_custom_group_policies"></a>[custom\_group\_policies](#input\_custom\_group\_policies) | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | `list(map(string))` | `[]` | no |
| custom\_group\_policy\_arns | List of IAM policies ARNs to attach to IAM group | `list(string)` | `[]` | no |
| <aname="input_custom_group_policy_arns"></a>[custom\_group\_policy\_arns](#input\_custom\_group\_policy\_arns) | List of IAM policies ARNs to attach to IAM group | `list(string)` | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| <aname="input_group_users"></a>[group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| iam\_self\_management\_policy\_name\_prefix | Name prefix for IAM policy to create with IAM self-management permissions | `string` | `"IAMSelfManagement-"` | no |
| <aname="input_iam_self_management_policy_name_prefix"></a>[iam\_self\_management\_policy\_name\_prefix](#input\_iam\_self\_management\_policy\_name\_prefix) | Name prefix for IAM policy to create with IAM self-management permissions | `string` | `"IAMSelfManagement-"` | no |
| name | Name of IAM group | `string` | `""` | no |
| <aname="input_name"></a>[name](#input\_name) | Name of IAM group | `string` | `""` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| aws\_account\_id | IAM AWS account id |
| <aname="output_aws_account_id"></a>[aws\_account\_id](#output\_aws\_account\_id) | IAM AWS account id |
| this\_group\_name | IAM group name |
| <aname="output_this_group_name"></a>[this\_group\_name](#output\_this\_group\_name) | IAM group name |
| this\_group\_users | List of IAM users in IAM group |
| <aname="output_this_group_users"></a>[this\_group\_users](#output\_this\_group\_users) | List of IAM users in IAM group |
| create\_iam\_access\_key | Whether to create IAM access key | `bool` | `true` | no |
| <aname="input_create_iam_access_key"></a>[create\_iam\_access\_key](#input\_create\_iam\_access\_key) | Whether to create IAM access key | `bool` | `true` | no |
| create\_iam\_user\_login\_profile | Whether to create IAM user login profile | `bool` | `true` | no |
| <aname="input_create_iam_user_login_profile"></a>[create\_iam\_user\_login\_profile](#input\_create\_iam\_user\_login\_profile) | Whether to create IAM user login profile | `bool` | `true` | no |
| create\_user | Whether to create the IAM user | `bool` | `true` | no |
| <aname="input_create_user"></a>[create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no |
| force\_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no |
| <aname="input_force_destroy"></a>[force\_destroy](#input\_force\_destroy) | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no |
| name | Desired name for the IAM user | `string` | n/a | yes |
| <aname="input_name"></a>[name](#input\_name) | Desired name for the IAM user | `string` | n/a | yes |
| password\_length | The length of the generated password | `number` | `20` | no |
| <aname="input_password_length"></a>[password\_length](#input\_password\_length) | The length of the generated password | `number` | `20` | no |
| password\_reset\_required | Whether the user should be forced to reset the generated password on first login. | `bool` | `true` | no |
| <aname="input_password_reset_required"></a>[password\_reset\_required](#input\_password\_reset\_required) | Whether the user should be forced to reset the generated password on first login. | `bool` | `true` | no |
| path | Desired path for the IAM user | `string` | `"/"` | no |
| <aname="input_path"></a>[path](#input\_path) | Desired path for the IAM user | `string` | `"/"` | no |
| permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | `string` | `""` | no |
| <aname="input_permissions_boundary"></a>[permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the user. | `string` | `""` | no |
| pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. `pgp_key` is required when `create_iam_user_login_profile` is set to `true` | `string` | `""` | no |
| <aname="input_pgp_key"></a>[pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key. `pgp_key` is required when `create_iam_user_login_profile` is set to `true` | `string` | `""` | no |
| ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no |
| <aname="input_ssh_key_encoding"></a>[ssh\_key\_encoding](#input\_ssh\_key\_encoding) | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no |
| ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no |
| <aname="input_ssh_public_key"></a>[ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no |
| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| <aname="input_tags"></a>[tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | `bool` | `false` | no |
| <aname="input_upload_iam_user_ssh_key"></a>[upload\_iam\_user\_ssh\_key](#input\_upload\_iam\_user\_ssh\_key) | Whether to upload a public ssh key to the IAM user | `bool` | `false` | no |
## Outputs
## Outputs
| Name | Description |
| Name | Description |
|------|-------------|
|------|-------------|
| keybase\_password\_decrypt\_command | Decrypt user password command |
| <aname="output_keybase_password_decrypt_command"></a>[keybase\_password\_decrypt\_command](#output\_keybase\_password\_decrypt\_command) | Decrypt user password command |
| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| <aname="output_pgp_key"></a>[pgp\_key](#output\_pgp\_key) | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
| <aname="output_this_iam_access_key_encrypted_secret"></a>[this\_iam\_access\_key\_encrypted\_secret](#output\_this\_iam\_access\_key\_encrypted\_secret) | The encrypted secret, base64 encoded |
| this\_iam\_access\_key\_id | The access key ID |
| <aname="output_this_iam_access_key_id"></a>[this\_iam\_access\_key\_id](#output\_this\_iam\_access\_key\_id) | The access key ID |
| this\_iam\_access\_key\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
| <aname="output_this_iam_access_key_key_fingerprint"></a>[this\_iam\_access\_key\_key\_fingerprint](#output\_this\_iam\_access\_key\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the secret |
| this\_iam\_access\_key\_secret | The access key secret |
| <aname="output_this_iam_access_key_secret"></a>[this\_iam\_access\_key\_secret](#output\_this\_iam\_access\_key\_secret) | The access key secret |
| this\_iam\_access\_key\_ses\_smtp\_password\_v4 | The secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm |
| <aname="output_this_iam_access_key_ses_smtp_password_v4"></a>[this\_iam\_access\_key\_ses\_smtp\_password\_v4](#output\_this\_iam\_access\_key\_ses\_smtp\_password\_v4) | The secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm |
| this\_iam\_access\_key\_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
| <aname="output_this_iam_access_key_status"></a>[this\_iam\_access\_key\_status](#output\_this\_iam\_access\_key\_status) | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
| this\_iam\_user\_arn | The ARN assigned by AWS for this user |
| <aname="output_this_iam_user_arn"></a>[this\_iam\_user\_arn](#output\_this\_iam\_user\_arn) | The ARN assigned by AWS for this user |
| this\_iam\_user\_login\_profile\_encrypted\_password | The encrypted password, base64 encoded |
| <aname="output_this_iam_user_login_profile_encrypted_password"></a>[this\_iam\_user\_login\_profile\_encrypted\_password](#output\_this\_iam\_user\_login\_profile\_encrypted\_password) | The encrypted password, base64 encoded |
| this\_iam\_user\_login\_profile\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the password |
| <aname="output_this_iam_user_login_profile_key_fingerprint"></a>[this\_iam\_user\_login\_profile\_key\_fingerprint](#output\_this\_iam\_user\_login\_profile\_key\_fingerprint) | The fingerprint of the PGP key used to encrypt the password |
| this\_iam\_user\_name | The user's name |
| <aname="output_this_iam_user_name"></a>[this\_iam\_user\_name](#output\_this\_iam\_user\_name) | The user's name |
| this\_iam\_user\_ssh\_key\_fingerprint | The MD5 message digest of the SSH public key |
| <aname="output_this_iam_user_ssh_key_fingerprint"></a>[this\_iam\_user\_ssh\_key\_fingerprint](#output\_this\_iam\_user\_ssh\_key\_fingerprint) | The MD5 message digest of the SSH public key |
| this\_iam\_user\_ssh\_key\_ssh\_public\_key\_id | The unique identifier for the SSH public key |
| <aname="output_this_iam_user_ssh_key_ssh_public_key_id"></a>[this\_iam\_user\_ssh\_key\_ssh\_public\_key\_id](#output\_this\_iam\_user\_ssh\_key\_ssh\_public\_key\_id) | The unique identifier for the SSH public key |
| this\_iam\_user\_unique\_id | The unique ID assigned by AWS |
| <aname="output_this_iam_user_unique_id"></a>[this\_iam\_user\_unique\_id](#output\_this\_iam\_user\_unique\_id) | The unique ID assigned by AWS |
