Follow-up after #12, added possibility to upload IAM SSH public keys

8b04e3e3 · Anton Babenko · 48bd8f9b · 8b04e3e3 · 8b04e3e3 · 8b04e3e3
Commit 8b04e3e3 authored Aug 19, 2018 by Anton Babenko
8 changed files
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ These types of resources are supported:
 * [IAM group](https://www.terraform.io/docs/providers/aws/r/iam_group.html)
 * [IAM role](https://www.terraform.io/docs/providers/aws/r/iam_role.html)
 * [IAM access key](https://www.terraform.io/docs/providers/aws/r/iam_access_key.html)
+* [IAM SSH public key](https://www.terraform.io/docs/providers/aws/r/iam_user_ssh_key.html)

 ## Usage


--- a/examples/iam-user/README.md
+++ b/examples/iam-user/README.md
 # IAM user example

-Configuration in this directory creates IAM user with a random password and a pair of IAM access/secret keys.
+Configuration in this directory creates IAM user with a random password, a pair of IAM access/secret keys and uploads IAM SSH public key.
 User password and secret key is encrypted using public key of keybase.io user named `test`.

 # Usage

--- a/examples/iam-user/main.tf
+++ b/examples/iam-user/main.tf
@@ -15,4 +15,9 @@ module "iam_user" {
  pgp_key = "keybase:test"

  password_reset_required = false
+
+  # SSH public key
+  upload_iam_user_ssh_key = true
+
+  ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0sUjdTEcOWYgQ7ESnHsSkvPUO2tEvZxxQHUZYh9j6BPZgfn13iYhfAP2cfZznzrV+2VMamMtfiAiWR39LKo/bMN932HOp2Qx2la14IbiZ91666FD+yZ4+vhR2IVhZMe4D+g8FmhCfw1+zZhgl8vQBgsRZIcYqpYux59FcPv0lP1EhYahoRsUt1SEU2Gj+jvgyZpe15lnWk2VzfIpIsZ++AeUqyHoJHV0RVOK4MLRssqGHye6XkA3A+dMm2Mjgi8hxoL5uuwtkIsAll0kSfL5O2G26nsxm/Fpcl+SKSO4gs01d9V83xiOwviyOxmoXzwKy4qaUGtgq1hWncDNIVG/aQ=="
 }
--- a/modules/iam-assumable-roles/README.md
+++ b/modules/iam-assumable-roles/README.md
@@ -16,15 +16,16 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
 | admin_role_requires_mfa | Whether admin role requires MFA | string | `true` | no |
 | create_admin_role | Whether to create admin role | string | `false` | no |
 | create_poweruser_role | Whether to create poweruser role | string | `false` | no |
-| create_readonly_role | Whether to create poweruser role | string | `false` | no |
+| create_readonly_role | Whether to create readonly role | string | `false` | no |
+| max_session_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `3600` | no |
 | mfa_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `86400` | no |
 | poweruser_role_name | IAM role with poweruser access | string | `poweruser` | no |
 | poweruser_role_path | Path of poweruser IAM role | string | `/` | no |
 | poweruser_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/PowerUserAccess` | no |
 | poweruser_role_requires_mfa | Whether poweruser role requires MFA | string | `true` | no |
 | readonly_role_name | IAM role with readonly access | string | `readonly` | no |
-| readonly_role_path | Path of poweruser IAM role | string | `/` | no |
-| readonly_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/ReadOnlyAccess` | no |
+| readonly_role_path | Path of readonly IAM role | string | `/` | no |
+| readonly_role_policy_arn | Policy ARN to use for readonly role | string | `arn:aws:iam::aws:policy/ReadOnlyAccess` | no |
 | readonly_role_requires_mfa | Whether readonly role requires MFA | string | `true` | no |
 | trusted_role_arns | ARNs of AWS entities who can assume these roles | string | `<list>` | no |


--- a/modules/iam-user/README.md
+++ b/modules/iam-user/README.md
 # iam-user

-Creates IAM user, IAM login profile and IAM access keys. All of these are optional resources.
+Creates IAM user, IAM login profile, IAM access key and uploads IAM SSH user public key. All of these are optional resources.

 ## Notes for keybase users

@@ -33,9 +33,9 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
 | path | Desired path for the IAM user | string | `/` | no |
 | pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
-| ssh_key_encoding | Which encoding format the uploaded SSH key is in. `SSH` for ssh-rsa or `PEM` for pem. | string | `SSH` | no |
-| ssh_public_key | Public key that is to be attached to this IAM account | string | - | no |
-| upload_ssh_key | Whether to upload and manage users public SSH key. | string | `false` | no |
+| ssh_key_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `SSH` | no |
+| ssh_public_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `` | no |
+| upload_iam_user_ssh_key | Whether to upload a public ssh key to the IAM user | string | `false` | no |

 ## Outputs

@@ -51,11 +51,12 @@ This module outputs commands and PGP messages which can be decrypted either usin
 | this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
 | this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
 | this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
-| this_iam_ssh_public_key_id | The AWS ID for the public key |
 | this_iam_user_arn | The ARN assigned by AWS for this user |
 | this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
 | this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
 | this_iam_user_name | The user's name |
+| this_iam_user_ssh_key_fingerprint | The MD5 message digest of the SSH public key |
+| this_iam_user_ssh_key_ssh_public_key_id | The unique identifier for the SSH public key |
 | this_iam_user_unique_id | The unique ID assigned by AWS |

 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/modules/iam-user/main.tf
+++ b/modules/iam-user/main.tf
@@ -23,7 +23,7 @@ resource "aws_iam_access_key" "this" {
 }

 resource "aws_iam_user_ssh_key" "this" {
-  count = "${var.upload_ssh_key}"
+  count = "${var.create_user && var.upload_iam_user_ssh_key ? 1 : 0}"

  username   = "${aws_iam_user.this.name}"
  encoding   = "${var.ssh_key_encoding}"

--- a/modules/iam-user/outputs.tf
+++ b/modules/iam-user/outputs.tf
@@ -87,6 +87,12 @@ ${element(concat(aws_iam_access_key.this.*.encrypted_secret, list("")), 0)}
 EOF
 }

-output "this_iam_ssh_public_key_id" {
-  value = "SSH Key ID: ${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"
+output "this_iam_user_ssh_key_ssh_public_key_id" {
+  description = "The unique identifier for the SSH public key"
+  value       = "${element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, list("")), 0)}"
+}
+
+output "this_iam_user_ssh_key_fingerprint" {
+  description = "The MD5 message digest of the SSH public key"
+  value       = "${element(concat(aws_iam_user_ssh_key.this.*.fingerprint, list("")), 0)}"
 }
--- a/modules/iam-user/variables.tf
+++ b/modules/iam-user/variables.tf
@@ -42,15 +42,17 @@ variable "password_length" {
  default     = 20
 }

-variable "upload_ssh_key" {
+variable "upload_iam_user_ssh_key" {
  description = "Whether to upload a public ssh key to the IAM user"
  default     = false
 }
+
 variable "ssh_key_encoding" {
  description = "Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM"
  default     = "SSH"
 }

 variable "ssh_public_key" {
-  description = "Public SSH key"
+  description = "The SSH public key. The public key must be encoded in ssh-rsa format or PEM format"
+  default     = ""
 }