Commit cf8440e9 authored by Miguel Ferreira, committed by Anton Babenko

New sub-module for IAM assumable role with OIDC (#37)

parent 38fc606f
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.21.0
rev: v1.24.0
hooks:
- id: terraform_fmt
- id: terraform_docs
......
......@@ -61,6 +61,28 @@ module "iam_assumable_role" {
}
```
`iam-assumable-role-with-oidc`:
```hcl
module "iam_assumable_role" {
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
version = "~> 2.0"
create_role = true
role_name = "role-with-oidc"
tags = {
Role = "role-with-oidc"
}
provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
role_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
]
}
```
`iam-assumable-roles`:
```hcl
module "iam_assumable_roles" {
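Review bot: the new `iam-assumable-role-with-oidc` snippet points at the wrong submodule: `source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"` should be `terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc`, otherwise a reader copying it gets the plain assumable-role module, which has no `provider_url` argument and fails on it. The snippet also sets neither `oidc_fully_qualified_subjects` nor `oidc_subjects_with_wildcards`; the module only adds a `sub` condition when one of those lists is non-empty, so the documented trust policy lets every identity issued by that OIDC provider assume the role. Add a subject in the form `oidc_fully_qualified_subjects = ["system:serviceaccount:<namespace>:<service-account>"]` so the README shows the least-privilege form.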
......@@ -231,6 +253,7 @@ Use [iam-policy module](https://github.com/terraform-aws-modules/terraform-aws-i
* [iam-account](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-account) - Set AWS account alias and password policy
* [iam-assumable-role](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role) - Create individual IAM role which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
* [iam-assumable-role-with-oidc](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-role-with-oidc) - Create individual IAM role which can be assumed from specified subjects federated with a OIDC Identity Provider
* [iam-assumable-roles](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles) - Create several IAM roles which can be assumed from specified ARNs (AWS accounts, IAM users, etc)
* [iam-assumable-roles-with-saml](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-assumable-roles-with-saml) - Create several IAM roles which can be assumed by users with a SAML Identity Provider
* [iam-group-with-assumable-roles-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-group-with-assumable-roles-policy) - IAM group with users who are allowed to assume IAM roles in the same or in separate AWS account
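Review bot: wording in the new bullet, `federated with a OIDC Identity Provider` should read `an OIDC Identity Provider`; keeping it parallel with the SAML bullet (`which can be assumed by ...`) also makes the list read consistently.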
......
......@@ -15,11 +15,19 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
No provider.
## Inputs
No input.
## Outputs
| Name | Description |
|------|-------------|
| this\_caller\_identity\_account\_id | The ID of the AWS account |
| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
# Individual IAM assumable role example
Configuration in this directory creates a single IAM role which can be assumed by trusted resources using OpenID Connect Federated Users.
# Usage
To run this example you need to execute:
```bash
$ terraform init
$ terraform plan
$ terraform apply
```
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
No provider.
## Inputs
No input.
## Outputs
| Name | Description |
|------|-------------|
| this\_iam\_role\_arn | ARN of IAM role |
| this\_iam\_role\_name | Name of IAM role |
| this\_iam\_role\_path | Path of IAM role |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
provider "aws" {
region = "eu-west-1"
}
###############################
# IAM assumable role for admin
###############################
module "iam_assumable_role_admin" {
source = "../../modules/iam-assumable-role-with-iodc"
create_role = true
role_name = "role-with-oidc"
tags = {
Role = "role-with-oidc"
}
provider_url = "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"
role_policy_arns = [
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
]
}
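Review bot: `source = "../../modules/iam-assumable-role-with-iodc"` misspells the directory this commit adds (`iam-assumable-role-with-oidc`), so `terraform init` in this example fails before anything is planned; the pre-commit hooks configured here (`terraform_fmt`, `terraform_docs`) do not exercise the path, so nothing would have caught it. The module label `iam_assumable_role_admin` and the `# IAM assumable role for admin` banner also mislabel a role that only carries `AmazonEKS_CNI_Policy`; a name such as `iam_assumable_role_cni` avoids implying administrator access. As in the README snippet, no OIDC subject is set, so the example creates a role that any token from that provider can assume; passing `oidc_fully_qualified_subjects` here as well makes the example safe to copy.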
output "this_iam_role_arn" {
description = "ARN of IAM role"
value = module.iam_assumable_role_admin.this_iam_role_arn
}
output "this_iam_role_name" {
description = "Name of IAM role"
value = module.iam_assumable_role_admin.this_iam_role_name
}
output "this_iam_role_path" {
description = "Path of IAM role"
value = module.iam_assumable_role_admin.this_iam_role_path
}
......@@ -17,6 +17,14 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
No provider.
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -15,6 +15,16 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -15,6 +15,14 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
No provider.
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -17,6 +17,14 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
No provider.
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -15,6 +15,17 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
| aws.production | n/a |
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -15,6 +15,16 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -15,6 +15,16 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | n/a |
## Inputs
No input.
## Outputs
| Name | Description |
......
......@@ -16,14 +16,22 @@ $ terraform apply
Run `terraform destroy` when you don't need these resources.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
No provider.
## Inputs
No input.
## Outputs
| Name | Description |
|------|-------------|
| keybase\_password\_decrypt\_command | |
| keybase\_password\_pgp\_message | |
| keybase\_secret\_key\_decrypt\_command | |
| keybase\_secret\_key\_pgp\_message | |
| keybase\_password\_decrypt\_command | n/a |
| keybase\_password\_pgp\_message | n/a |
| keybase\_secret\_key\_decrypt\_command | n/a |
| keybase\_secret\_key\_pgp\_message | n/a |
| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
| this\_iam\_access\_key\_id | The access key ID |
......
......@@ -22,22 +22,28 @@ Import successful!
```
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| account\_alias | AWS IAM account alias for this account | string | n/a | yes |
| allow\_users\_to\_change\_password | Whether to allow users to change their own password | bool | `"true"` | no |
| create\_account\_password\_policy | Whether to create AWS IAM account password policy | bool | `"true"` | no |
| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | bool | `"true"` | no |
| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | bool | `"false"` | no |
| max\_password\_age | The number of days that an user password is valid. | number | `"0"` | no |
| minimum\_password\_length | Minimum length to require for user passwords | number | `"8"` | no |
| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | number | `"null"` | no |
| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | bool | `"true"` | no |
| require\_numbers | Whether to require numbers for user passwords | bool | `"true"` | no |
| require\_symbols | Whether to require symbols for user passwords | bool | `"true"` | no |
| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | bool | `"true"` | no |
|------|-------------|------|---------|:-----:|
| account\_alias | AWS IAM account alias for this account | `string` | n/a | yes |
| allow\_users\_to\_change\_password | Whether to allow users to change their own password | `bool` | `true` | no |
| create\_account\_password\_policy | Whether to create AWS IAM account password policy | `bool` | `true` | no |
| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | `bool` | `true` | no |
| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | `bool` | `false` | no |
| max\_password\_age | The number of days that an user password is valid. | `number` | `0` | no |
| minimum\_password\_length | Minimum length to require for user passwords | `number` | `8` | no |
| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | `number` | n/a | yes |
| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | `bool` | `true` | no |
| require\_numbers | Whether to require numbers for user passwords | `bool` | `true` | no |
| require\_symbols | Whether to require symbols for user passwords | `bool` | `true` | no |
| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | `bool` | `true` | no |
## Outputs
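Review bot: the regenerated Inputs table now lists `password_reuse_prevention` as `n/a | yes` (required), whereas the replaced row showed it optional with default `"null"`; nothing in this commit touches the variable, so the newer terraform-docs is rendering a `null` default as required and the table misstates the module's contract. Either give the variable a concrete default or correct the generated row, and check the other modules' tables for the same artifact before merging.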
......@@ -46,6 +52,6 @@ Import successful!
| this\_caller\_identity\_account\_id | The AWS Account ID number of the account that owns or contains the calling entity |
| this\_caller\_identity\_arn | The AWS ARN associated with the calling entity |
| this\_caller\_identity\_user\_id | The unique identifier of the calling entity |
| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max\_password\_age contains a value greater than 0. Returns false if it is 0 or not present. |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
# iam-assumable-role-with-oidc
Creates single IAM role which can be assumed by trusted resources using OpenID Connect Federated Users.
[Creating IAM OIDC Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)
This module supports IAM Roles for kubernetes service accounts as described in the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:-----:|
| aws\_account\_id | The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider | `string` | `""` | no |
| create\_role | Whether to create a role | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| oidc\_fully\_qualified\_subjects | The fully qualified OIDC subjects to be added to the role policy | `list(string)` | `[]` | no |
| oidc\_subjects\_with\_wildcards | The OIDC subject using wildcards to be added to the role policy | `list(string)` | `[]` | no |
| provider\_url | URL of the OIDC Provider | `string` | n/a | yes |
| role\_name | IAM role name | `string` | `""` | no |
| role\_path | Path of IAM role | `string` | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
## Outputs
| Name | Description |
|------|-------------|
| this\_iam\_role\_arn | ARN of IAM role |
| this\_iam\_role\_name | Name of IAM role |
| this\_iam\_role\_path | Path of IAM role |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
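Review bot: the module text should state what the trust policy looks like when both `oidc_fully_qualified_subjects` and `oidc_subjects_with_wildcards` are left at `[]` (no `sub` condition at all, so any identity from the provider may assume the role) and that `provider_url` is expected without the `https://` scheme, as the example value `oidc.eks.eu-west-1.amazonaws.com/id/...` shows; these are the two details a user needs to avoid an over-broad or broken role. The EKS link is the right pointer for the service-account subject format, so one sentence here referencing it would suffice.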
locals {
aws_account_id = var.aws_account_id != "" ? var.aws_account_id : data.aws_caller_identity.current.account_id
}
data "aws_caller_identity" "current" {}
data "aws_iam_policy_document" "assume_role_with_oidc" {
count = var.create_role ? 1 : 0
statement {
effect = "Allow"
actions = ["sts:AssumeRoleWithWebIdentity"]
principals {
type = "Federated"
identifiers = [
"arn:aws:iam::${local.aws_account_id}:oidc-provider/${var.provider_url}"
]
}
dynamic "condition" {
for_each = var.oidc_fully_qualified_subjects
content {
test = "StringEquals"
variable = "${var.provider_url}:sub"
values = [condition.value]
}
}
dynamic "condition" {
for_each = var.oidc_subjects_with_wildcards
content {
test = "StringLike"
variable = "${var.provider_url}:sub"
values = [condition.value]
}
}
}
}
resource "aws_iam_role" "this" {
count = var.create_role ? 1 : 0
name = var.role_name
path = var.role_path
max_session_duration = var.max_session_duration
permissions_boundary = var.role_permissions_boundary_arn
assume_role_policy = join("", data.aws_iam_policy_document.assume_role_with_oidc.*.json)
tags = var.tags
}
resource "aws_iam_role_policy_attachment" "custom" {
count = var.create_role && length(var.role_policy_arns) > 0 ? length(var.role_policy_arns) : 0
role = join("", aws_iam_role.this.*.name)
policy_arn = var.role_policy_arns[count.index]
}
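Review bot: the assume-role statement carries a `sub` condition only when `oidc_fully_qualified_subjects` or `oidc_subjects_with_wildcards` is non-empty; with both at their `[]` defaults the two `dynamic "condition"` blocks emit nothing and the policy allows `sts:AssumeRoleWithWebIdentity` for any token issued by `${var.provider_url}`, i.e. every service account in the cluster can take the role. At minimum document this and make the README and example pass a subject; a tighter option is to require at least one subject before creating the role. Separately, `"arn:aws:iam::${local.aws_account_id}:oidc-provider/${var.provider_url}"` and `"${var.provider_url}:sub"` are only valid when `provider_url` has no scheme; normalising it in `locals` with `replace(var.provider_url, "https://", "")` would accept the issuer URL exactly as EKS reports it.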
output "this_iam_role_arn" {
description = "ARN of IAM role"
value = element(concat(aws_iam_role.this.*.arn, [""]), 0)
}
output "this_iam_role_name" {
description = "Name of IAM role"
value = element(concat(aws_iam_role.this.*.name, [""]), 0)
}
output "this_iam_role_path" {
description = "Path of IAM role"
value = element(concat(aws_iam_role.this.*.path, [""]), 0)
}
variable "create_role" {
description = "Whether to create a role"
type = bool
default = false
}
variable "provider_url" {
description = "URL of the OIDC Provider"
type = string
}
variable "aws_account_id" {
description = "The AWS account ID where the OIDC provider lives, leave empty to use the account fo the AWS provider"
type = string
default = ""
}
variable "tags" {
description = "A map of tags to add to IAM role resources"
type = map(string)
default = {}
}
variable "role_name" {
description = "IAM role name"
type = string
default = ""
}
variable "role_path" {
description = "Path of IAM role"
type = string
default = "/"
}
variable "role_permissions_boundary_arn" {
description = "Permissions boundary ARN to use for IAM role"
type = string
default = ""
}
variable "max_session_duration" {
description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
type = number
default = 3600
}
variable "role_policy_arns" {
description = "List of ARNs of IAM policies to attach to IAM role"
type = list(string)
default = []
}
variable "oidc_fully_qualified_subjects" {
description = "The fully qualified OIDC subjects to be added to the role policy"
type = list(string)
default = []
}
variable "oidc_subjects_with_wildcards" {
description = "The OIDC subject using wildcards to be added to the role policy"
type = list(string)
default = []
}
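Review bot: two wording fixes in the descriptions, which terraform-docs copies into the module README: `aws_account_id` reads `the account fo the AWS provider` (should be `of`), and `oidc_subjects_with_wildcards` reads `The OIDC subject using wildcards` although it is a `list(string)`; `The OIDC subjects (wildcards allowed) to be added to the role policy` matches the type and the sibling variable's description.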
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
......@@ -5,27 +5,34 @@ Creates single IAM role which can be assumed by trusted resources.
Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| attach\_admin\_policy | Whether to attach an admin policy to a role | bool | `"false"` | no |
| attach\_poweruser\_policy | Whether to attach a poweruser policy to a role | bool | `"false"` | no |
| attach\_readonly\_policy | Whether to attach a readonly policy to a role | bool | `"false"` | no |
| create\_role | Whether to create a role | bool | `"false"` | no |
| custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | list(string) | `[]` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number | `"3600"` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | number | `"86400"` | no |
| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| role\_name | IAM role name | string | `""` | no |
| role\_path | Path of IAM role | string | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | string | `""` | no |
| role\_requires\_mfa | Whether role requires MFA | bool | `"true"` | no |
| tags | A map of tags to add to IAM role resources | map(string) | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list(string) | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | list(string) | `[]` | no |
|------|-------------|------|---------|:-----:|
| admin\_role\_policy\_arn | Policy ARN to use for admin role | `string` | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
| attach\_admin\_policy | Whether to attach an admin policy to a role | `bool` | `false` | no |
| attach\_poweruser\_policy | Whether to attach a poweruser policy to a role | `bool` | `false` | no |
| attach\_readonly\_policy | Whether to attach a readonly policy to a role | `bool` | `false` | no |
| create\_role | Whether to create a role | `bool` | `false` | no |
| custom\_role\_policy\_arns | List of ARNs of IAM policies to attach to IAM role | `list(string)` | `[]` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| poweruser\_role\_policy\_arn | Policy ARN to use for poweruser role | `string` | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | `string` | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
| role\_description | IAM Role description | `string` | `""` | no |
| role\_name | IAM role name | `string` | `""` | no |
| role\_path | Path of IAM role | `string` | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | `string` | `""` | no |
| role\_requires\_mfa | Whether role requires MFA | `bool` | `true` | no |
| tags | A map of tags to add to IAM role resources | `map(string)` | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | `list(string)` | `[]` | no |
## Outputs
......
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
# iam-assumable-roles-with-saml
Creates single IAM role which can be assumed by trusted resources using SAML Federated Users.
Creates predefined IAM roles (admin, poweruser and readonly) which can be assumed by trusted resources using SAML Federated Users.
[Creating IAM SAML Identity Providers](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
[Enabling SAML 2.0 Federated Users to Access the AWS Management Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list(string) | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | map(string) | `{}` | no |
| aws\_saml\_endpoint | AWS SAML Endpoint | string | `"https://signin.aws.amazon.com/saml"` | no |
| create\_admin\_role | Whether to create admin role | bool | `"false"` | no |
| create\_poweruser\_role | Whether to create poweruser role | bool | `"false"` | no |
| create\_readonly\_role | Whether to create readonly role | bool | `"false"` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number | `"3600"` | no |
| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list(string) | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map(string) | `{}` | no |
| provider\_id | ID of the SAML Provider | string | n/a | yes |
| provider\_name | Name of the SAML Provider | string | n/a | yes |
| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list(string) | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | map(string) | `{}` | no |
|------|-------------|------|---------|:-----:|
| admin\_role\_name | IAM role with admin access | `string` | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | `string` | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | `string` | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/AdministratorAccess"<br>]<br></pre> | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | `map(string)` | `{}` | no |
| aws\_saml\_endpoint | AWS SAML Endpoint | `string` | `"https://signin.aws.amazon.com/saml"` | no |
| create\_admin\_role | Whether to create admin role | `bool` | `false` | no |
| create\_poweruser\_role | Whether to create poweruser role | `bool` | `false` | no |
| create\_readonly\_role | Whether to create readonly role | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| poweruser\_role\_name | IAM role with poweruser access | `string` | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | `string` | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/PowerUserAccess"<br>]<br></pre> | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
| provider\_id | ID of the SAML Provider | `string` | n/a | yes |
| provider\_name | Name of the SAML Provider | `string` | n/a | yes |
| readonly\_role\_name | IAM role with readonly access | `string` | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | `string` | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]<br></pre> | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
## Outputs
......
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
......@@ -5,35 +5,41 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list(string) | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
| admin\_role\_requires\_mfa | Whether admin role requires MFA | bool | `"true"` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | map(string) | `{}` | no |
| create\_admin\_role | Whether to create admin role | bool | `"false"` | no |
| create\_poweruser\_role | Whether to create poweruser role | bool | `"false"` | no |
| create\_readonly\_role | Whether to create readonly role | bool | `"false"` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | number | `"3600"` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | number | `"86400"` | no |
| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list(string) | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | bool | `"true"` | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map(string) | `{}` | no |
| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list(string) | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | bool | `"true"` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | map(string) | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list(string) | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | list(string) | `[]` | no |
|------|-------------|------|---------|:-----:|
| admin\_role\_name | IAM role with admin access | `string` | `"admin"` | no |
| admin\_role\_path | Path of admin IAM role | `string` | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | `string` | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/AdministratorAccess"<br>]<br></pre> | no |
| admin\_role\_requires\_mfa | Whether admin role requires MFA | `bool` | `true` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | `map(string)` | `{}` | no |
| create\_admin\_role | Whether to create admin role | `bool` | `false` | no |
| create\_poweruser\_role | Whether to create poweruser role | `bool` | `false` | no |
| create\_readonly\_role | Whether to create readonly role | `bool` | `false` | no |
| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | `number` | `3600` | no |
| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | `number` | `86400` | no |
| poweruser\_role\_name | IAM role with poweruser access | `string` | `"poweruser"` | no |
| poweruser\_role\_path | Path of poweruser IAM role | `string` | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | `string` | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/PowerUserAccess"<br>]<br></pre> | no |
| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | `bool` | `true` | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | `map(string)` | `{}` | no |
| readonly\_role\_name | IAM role with readonly access | `string` | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | `string` | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | `string` | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | `list(string)` | <pre>[<br> "arn:aws:iam::aws:policy/ReadOnlyAccess"<br>]<br></pre> | no |
| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | `bool` | `true` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | `map(string)` | `{}` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | `list(string)` | `[]` | no |
| trusted\_role\_services | AWS Services that can assume these roles | `list(string)` | `[]` | no |
## Outputs
......
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
......@@ -3,13 +3,19 @@
Creates IAM group with users who are allowed to assume IAM roles. This is typically done in resource AWS account where IAM users can jump into from IAM AWS account.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| assumable\_roles | List of IAM roles ARNs which can be assumed by the group | list(string) | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | list(string) | `[]` | no |
| name | Name of IAM policy and IAM group | string | n/a | yes |
|------|-------------|------|---------|:-----:|
| assumable\_roles | List of IAM roles ARNs which can be assumed by the group | `list(string)` | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| name | Name of IAM policy and IAM group | `string` | n/a | yes |
## Outputs
......
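Review bot: the `assumable_roles` description reads "List of IAM roles ARNs"; it should be "List of IAM role ARNs". The intro sentence at the top of the hunk ("in resource AWS account where IAM users can jump into from IAM AWS account") is hard to parse; suggest "in the resource account that users from the identity (IAM) account jump into". The remaining changes only backtick the types and widen the table separator, which is fine.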
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
......@@ -3,18 +3,24 @@
Creates IAM group with specified IAM policies, and add users into a group.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| attach\_iam\_self\_management\_policy | Whether to attach IAM policy which allows IAM users to manage their credentials and MFA | bool | `"true"` | no |
| aws\_account\_id | AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. | string | `""` | no |
| create\_group | Whether to create IAM group | bool | `"true"` | no |
| custom\_group\_policies | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | list(map(string)) | `[]` | no |
| custom\_group\_policy\_arns | List of IAM policies ARNs to attach to IAM group | list(string) | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | list(string) | `[]` | no |
| iam\_self\_management\_policy\_name\_prefix | Name prefix for IAM policy to create with IAM self-management permissions | string | `"IAMSelfManagement-"` | no |
| name | Name of IAM group | string | `""` | no |
|------|-------------|------|---------|:-----:|
| attach\_iam\_self\_management\_policy | Whether to attach IAM policy which allows IAM users to manage their credentials and MFA | `bool` | `true` | no |
| aws\_account\_id | AWS account id to use inside IAM policies. If empty, current AWS account ID will be used. | `string` | `""` | no |
| create\_group | Whether to create IAM group | `bool` | `true` | no |
| custom\_group\_policies | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | `list(map(string))` | `[]` | no |
| custom\_group\_policy\_arns | List of IAM policies ARNs to attach to IAM group | `list(string)` | `[]` | no |
| group\_users | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| iam\_self\_management\_policy\_name\_prefix | Name prefix for IAM policy to create with IAM self-management permissions | `string` | `"IAMSelfManagement-"` | no |
| name | Name of IAM group | `string` | `""` | no |
## Outputs
......
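Review bot: `group_users` is described as "List of IAM users to have in an IAM group which can assume the role", copied from the assumable-roles variant; this module attaches policies to a group and involves no role, so "List of IAM users to add to the group" fits. Also `name` defaults to `""` and is marked not required while `create_group` defaults to `true`; an empty group name cannot be created, so either make `name` required or state that it must be set whenever `create_group` is true.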
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
......@@ -3,14 +3,20 @@
Creates IAM policy.
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| description | The description of the policy | string | `"IAM Policy"` | no |
| name | The name of the policy | string | `""` | no |
| path | The path of the policy in IAM | string | `"/"` | no |
| policy | The path of the policy in IAM (tpl file) | string | `""` | no |
|------|-------------|------|---------|:-----:|
| description | The description of the policy | `string` | `"IAM Policy"` | no |
| name | The name of the policy | `string` | `""` | no |
| path | The path of the policy in IAM | `string` | `"/"` | no |
| policy | The path of the policy in IAM (tpl file) | `string` | `""` | no |
## Outputs
......
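Review bot: the `policy` description ("The path of the policy in IAM (tpl file)") is a copy of the `path` row and is wrong; this variable carries the policy document itself, so something like "The policy document as a JSON string (for example rendered from a template file)". As in the group module, `name` defaults to `""` with Required = no although an IAM policy needs a name; document that it must be set or mark it required.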
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}
......@@ -19,33 +19,39 @@ This module outputs commands and PGP messages which can be decrypted either usin
- `keybase_secret_key_pgp_message`
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Providers
| Name | Version |
|------|---------|
| aws | ~> 2.23 |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| create\_iam\_access\_key | Whether to create IAM access key | bool | `"true"` | no |
| create\_iam\_user\_login\_profile | Whether to create IAM user login profile | bool | `"true"` | no |
| create\_user | Whether to create the IAM user | bool | `"true"` | no |
| force\_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | bool | `"false"` | no |
| name | Desired name for the IAM user | string | n/a | yes |
| password\_length | The length of the generated password | number | `"20"` | no |
| password\_reset\_required | Whether the user should be forced to reset the generated password on first login. | bool | `"true"` | no |
| path | Desired path for the IAM user | string | `"/"` | no |
| permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | string | `""` | no |
| pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `""` | no |
| ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `"SSH"` | no |
| ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `""` | no |
| tags | A map of tags to add to all resources. | map(string) | `{}` | no |
| upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | bool | `"false"` | no |
|------|-------------|------|---------|:-----:|
| create\_iam\_access\_key | Whether to create IAM access key | `bool` | `true` | no |
| create\_iam\_user\_login\_profile | Whether to create IAM user login profile | `bool` | `true` | no |
| create\_user | Whether to create the IAM user | `bool` | `true` | no |
| force\_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no |
| name | Desired name for the IAM user | `string` | n/a | yes |
| password\_length | The length of the generated password | `number` | `20` | no |
| password\_reset\_required | Whether the user should be forced to reset the generated password on first login. | `bool` | `true` | no |
| path | Desired path for the IAM user | `string` | `"/"` | no |
| permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | `string` | `""` | no |
| pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | `string` | `""` | no |
| ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no |
| ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no |
| tags | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | `bool` | `false` | no |
## Outputs
| Name | Description |
|------|-------------|
| keybase\_password\_decrypt\_command | |
| keybase\_password\_pgp\_message | |
| keybase\_secret\_key\_decrypt\_command | |
| keybase\_secret\_key\_pgp\_message | |
| keybase\_password\_decrypt\_command | n/a |
| keybase\_password\_pgp\_message | n/a |
| keybase\_secret\_key\_decrypt\_command | n/a |
| keybase\_secret\_key\_pgp\_message | n/a |
| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
| this\_iam\_access\_key\_id | The access key ID |
......
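Review bot: with the defaults shown (`create_iam_access_key = true`, `create_iam_user_login_profile = true`, `pgp_key = ""`) the generated secret access key lands in Terraform state in plaintext; the `pgp_key` output row already says so ("if empty - secrets are not encrypted"), but the `pgp_key` input description should carry the same warning, because readers of the Inputs table are the ones accepting the default. The four `keybase_*` outputs still have `n/a` descriptions; a short line each (what the PGP message contains, how to run the decrypt command) would complete the table. The `ssh_key_encoding` description is lifted from the API reference ("to use in the response") and should be rephrased for a variable that selects the upload format.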
terraform {
required_version = "~> 0.12.6"
required_providers {
aws = "~> 2.23"
}
}