Added iam-user module (#4)

README.md

@@ -8,6 +8,7 @@ These types of resources are supported:
 * [IAM user login profile](https://www.terraform.io/docs/providers/aws/r/iam_user_login_profile.html)
 * [IAM group](https://www.terraform.io/docs/providers/aws/r/iam_group.html)
 * [IAM role](https://www.terraform.io/docs/providers/aws/r/iam_role.html)
+* [IAM access key](https://www.terraform.io/docs/providers/aws/r/iam_access_key.html)
 
 ## Usage
 
@@ -46,7 +47,16 @@ module "iam_assumable_roles" {
 
 `iam-user`:
 ```hcl
-# todo
+module "iam_user" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-user"
+
+  name          = "vasya.pupkin"
+  force_destroy = true
+
+  pgp_key = "keybase:test"
+
+  password_reset_required = false
+}
 ```
 
 `iam-group-with-assumable-roles-policy`:
@@ -90,8 +100,9 @@ Terraform can't configure MFA for the user. It is only possible via [AWS Console
 ## Examples
 
 * [complete](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/complete) - Create all required resources to allow one group of users to assume privileged role, while another group of users can only assume readonly role.
-* [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-account) - Set AWS account alias and password policy
-* [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/modules/iam-assumable-roles) - Create IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
+* [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-account) - Set AWS account alias and password policy
+* [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
+* [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys
 
 
 ## Authors

examples/iam-user/README.md

+# IAM user example
+
+Configuration in this directory creates IAM user with a random password and a pair of IAM access/secret keys.
+User password and secret key is encrypted using public key of keybase.io user named `test`.
+
+# Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Run `terraform destroy` when you don't need these resources.

examples/iam-user/main.tf

+provider "aws" {
+  region = "eu-west-1"
+}
+
+#########################################
+# IAM user, login profile and access key
+#########################################
+module "iam_user" {
+  source = "../../modules/iam-user"
+
+  name          = "vasya.pupkin"
+  force_destroy = true
+
+  # User "test" has uploaded his public key here - https://keybase.io/test/pgp_keys.asc
+  pgp_key = "keybase:test"
+
+  password_reset_required = false
+}

examples/iam-user/outputs.tf

+output "this_iam_user_name" {
+  description = "The user's name"
+  value       = "${module.iam_user.this_iam_user_name}"
+}
+
+output "this_iam_user_arn" {
+  description = "The ARN assigned by AWS for this user"
+  value       = "${module.iam_user.this_iam_user_arn}"
+}
+
+output "this_iam_user_unique_id" {
+  description = "The unique ID assigned by AWS"
+  value       = "${module.iam_user.this_iam_user_unique_id}"
+}
+
+output "this_iam_user_login_profile_key_fingerprint" {
+  description = "The fingerprint of the PGP key used to encrypt the password"
+  value       = "${module.iam_user.this_iam_user_login_profile_key_fingerprint}"
+}
+
+output "this_iam_user_login_profile_encrypted_password" {
+  description = "The encrypted password, base64 encoded"
+  value       = "${module.iam_user.this_iam_user_login_profile_encrypted_password}"
+}
+
+output "this_iam_access_key_id" {
+  description = "The access key ID"
+  value       = "${module.iam_user.this_iam_access_key_id}"
+}
+
+output "this_iam_access_key_key_fingerprint" {
+  description = "The fingerprint of the PGP key used to encrypt the secret"
+  value       = "${module.iam_user.this_iam_access_key_key_fingerprint}"
+}
+
+output "this_iam_access_key_encrypted_secret" {
+  description = "The encrypted secret, base64 encoded"
+  value       = "${module.iam_user.this_iam_access_key_encrypted_secret}"
+}
+
+output "this_iam_access_key_ses_smtp_password" {
+  description = "The secret access key converted into an SES SMTP password"
+  value       = "${module.iam_user.this_iam_access_key_ses_smtp_password}"
+}
+
+output "this_iam_access_key_status" {
+  description = "Active or Inactive. Keys are initially active, but can be made inactive by other means."
+  value       = "${module.iam_user.this_iam_access_key_status}"
+}
+
+output "pgp_key" {
+  description = "PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted)"
+  value       = "${module.iam_user.pgp_key}"
+}
+
+output "keybase_password_decrypt_command" {
+  value = "${module.iam_user.keybase_password_decrypt_command}"
+}
+
+output "keybase_password_pgp_message" {
+  value = "${module.iam_user.keybase_password_pgp_message}"
+}
+
+output "keybase_secret_key_decrypt_command" {
+  value = "${module.iam_user.keybase_secret_key_decrypt_command}"
+}
+
+output "keybase_secret_key_pgp_message" {
+  value = "${module.iam_user.keybase_secret_key_pgp_message}"
+}

modules/iam-user/README.md

+# iam-user
+
+Creates IAM user, IAM login profile and IAM access keys. All of these are optional resources.
+
+## Notes for keybase users
+
+**If possible, always use PGP encryption to prevent Terraform from keeping unencrypted password and access secret key in state file.**
+
+### Keybase pre-requisits
+
+When `pgp_key` is specified as `keybase:username`, make sure that that user has already uploaded public key to keybase.io. For example, user with username `test` has done it properly and you can [verify it here](https://keybase.io/test/pgp_keys.asc).
+
+### How to decrypt user's encrypted password and secret key
+
+This module outputs commands and PGP messages which can be decrypted either using [keybase.io web-site](https://keybase.io/decrypt) or using command line to get user's password and user's secret key:
+- `keybase_password_decrypt_command`
+- `keybase_secret_key_decrypt_command`
+- `keybase_password_pgp_message`
+- `keybase_secret_key_pgp_message`

modules/iam-user/main.tf

+resource "aws_iam_user" "this" {
+  count = "${var.create_user}"
+
+  name          = "${var.name}"
+  path          = "${var.path}"
+  force_destroy = "${var.force_destroy}"
+}
+
+resource "aws_iam_user_login_profile" "this" {
+  count = "${var.create_user && var.create_iam_user_login_profile ? 1 : 0}"
+
+  user                    = "${aws_iam_user.this.name}"
+  pgp_key                 = "${var.pgp_key}"
+  password_length         = "${var.password_length}"
+  password_reset_required = "${var.password_reset_required}"
+}
+
+resource "aws_iam_access_key" "this" {
+  count = "${var.create_user && var.create_iam_access_key ? 1 : 0}"
+
+  user    = "${aws_iam_user.this.name}"
+  pgp_key = "${var.pgp_key}"
+}

modules/iam-user/outputs.tf

+output "this_iam_user_name" {
+  description = "The user's name"
+  value       = "${element(concat(aws_iam_user.this.*.name, list("")), 0)}"
+}
+
+output "this_iam_user_arn" {
+  description = "The ARN assigned by AWS for this user"
+  value       = "${element(concat(aws_iam_user.this.*.arn, list("")), 0)}"
+}
+
+output "this_iam_user_unique_id" {
+  description = "The unique ID assigned by AWS"
+  value       = "${element(concat(aws_iam_user.this.*.unique_id, list("")), 0)}"
+}
+
+output "this_iam_user_login_profile_key_fingerprint" {
+  description = "The fingerprint of the PGP key used to encrypt the password"
+  value       = "${element(concat(aws_iam_user_login_profile.this.*.key_fingerprint, list("")), 0)}"
+}
+
+output "this_iam_user_login_profile_encrypted_password" {
+  description = "The encrypted password, base64 encoded"
+  value       = "${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, list("")), 0)}"
+}
+
+output "this_iam_access_key_id" {
+  description = "The access key ID"
+  value       = "${element(concat(aws_iam_access_key.this.*.id, list("")), 0)}"
+}
+
+output "this_iam_access_key_key_fingerprint" {
+  description = "The fingerprint of the PGP key used to encrypt the secret"
+  value       = "${element(concat(aws_iam_access_key.this.*.key_fingerprint, list("")), 0)}"
+}
+
+output "this_iam_access_key_encrypted_secret" {
+  description = "The encrypted secret, base64 encoded"
+  value       = "${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}"
+}
+
+output "this_iam_access_key_ses_smtp_password" {
+  description = "The secret access key converted into an SES SMTP password"
+  value       = "${element(concat(aws_iam_access_key.this.*.ses_smtp_password, list("")), 0)}"
+}
+
+output "this_iam_access_key_status" {
+  description = "Active or Inactive. Keys are initially active, but can be made inactive by other means."
+  value       = "${element(concat(aws_iam_access_key.this.*.status, list("")), 0)}"
+}
+
+output "pgp_key" {
+  description = "PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted)"
+  value       = "${var.pgp_key}"
+}
+
+output "keybase_password_decrypt_command" {
+  value = <<EOF
+echo "${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, list("")), 0)}" | base64 --decode | keybase pgp decrypt
+EOF
+}
+
+output "keybase_password_pgp_message" {
+  value = <<EOF
+-----BEGIN PGP MESSAGE-----
+Version: Keybase OpenPGP v2.0.76
+Comment: https://keybase.io/crypto
+
+${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, list("")), 0)}
+-----END PGP MESSAGE-----
+EOF
+}
+
+output "keybase_secret_key_decrypt_command" {
+  value = <<EOF
+echo "${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}" | base64 --decode | keybase pgp decrypt
+EOF
+}
+
+output "keybase_secret_key_pgp_message" {
+  value = <<EOF
+-----BEGIN PGP MESSAGE-----
+Version: Keybase OpenPGP v2.0.76
+Comment: https://keybase.io/crypto
+
+${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}
+-----END PGP MESSAGE-----
+EOF
+}

modules/iam-user/variables.tf

+variable "create_user" {
+  description = "Whether to create the IAM user"
+  default     = true
+}
+
+variable "create_iam_user_login_profile" {
+  description = "Whether to create IAM user login profile"
+  default     = true
+}
+
+variable "create_iam_access_key" {
+  description = "Whether to create IAM access key"
+  default     = true
+}
+
+variable "name" {
+  description = "Desired name for the IAM user"
+}
+
+variable "path" {
+  description = "Desired path for the IAM user"
+  default     = "/"
+}
+
+variable "force_destroy" {
+  description = "When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed."
+  default     = false
+}
+
+variable "pgp_key" {
+  description = "Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key."
+  default     = ""
+}
+
+variable "password_reset_required" {
+  description = "Whether the user should be forced to reset the generated password on first login."
+  default     = true
+}
+
+variable "password_length" {
+  description = "The length of the generated password"
+  default     = 20
+}