Updated examples for iam-policy and formatting

.pre-commit-config.yaml

 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.7.1
+  rev: v1.9.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v1.2.3
+  rev: v2.1.0
   hooks:
     - id: check-merge-conflict

README.md

@@ -70,8 +70,20 @@ module "iam_policy" {
   path        = "/"
   description = "My example policy"
 
-  policy ="path/to/policy_file"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
     }
+  ]
+}
+EOF
 }
 ```
 
@@ -124,9 +136,6 @@ Use [iam-policy module](https://github.com/terraform-aws-modules/terraform-aws-i
 * [iam-user](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-user) - Add IAM user, login profile and access keys
 * [iam-policy](https://github.com/terraform-aws-modules/terraform-aws-iam/tree/master/examples/iam-policy) - Create IAM policy
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Authors
 
 Module managed by [Anton Babenko](https://github.com/antonbabenko).

examples/iam-account/README.md

@@ -15,12 +15,11 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| this_caller_identity_account_id | The ID of the AWS account |
-| this_iam_account_password_policy_expire_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| this\_caller\_identity\_account\_id | The ID of the AWS account |
+| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/iam-assumable-roles/README.md

@@ -15,22 +15,21 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| admin_iam_role_arn | Admin |
-| admin_iam_role_name | Name of admin IAM role |
-| admin_iam_role_path | Path of admin IAM role |
-| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
-| poweruser_iam_role_arn | Poweruser |
-| poweruser_iam_role_name | Name of poweruser IAM role |
-| poweruser_iam_role_path | Path of poweruser IAM role |
-| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
-| readonly_iam_role_arn | Readonly |
-| readonly_iam_role_name | Name of readonly IAM role |
-| readonly_iam_role_path | Path of readonly IAM role |
-| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
+| admin\_iam\_role\_arn | ARN of admin IAM role |
+| admin\_iam\_role\_name | Name of admin IAM role |
+| admin\_iam\_role\_path | Path of admin IAM role |
+| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
+| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
+| poweruser\_iam\_role\_name | Name of poweruser IAM role |
+| poweruser\_iam\_role\_path | Path of poweruser IAM role |
+| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
+| readonly\_iam\_role\_arn | ARN of readonly IAM role |
+| readonly\_iam\_role\_name | Name of readonly IAM role |
+| readonly\_iam\_role\_path | Path of readonly IAM role |
+| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/iam-policy/README.md

 # IAM user example
 
-Configuration in this directory creates IAM policy.
+Configuration in this directory creates IAM policies.
 
 # Usage
 
@@ -15,14 +15,13 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| id | The policy's ID |
 | arn | The ARN assigned by AWS to this policy |
 | description | The description of the policy |
+| id | The policy ID |
 | name | The name of the policy |
 | path | The path of the policy in IAM |
 | policy | The policy document |

examples/iam-policy/main.tf

@@ -2,6 +2,14 @@ provider "aws" {
   region = "eu-west-1"
 }
 
+data "aws_iam_policy_document" "bucket_policy" {
+  statement {
+    sid       = "AllowFullS3Access"
+    actions   = ["s3:ListBuckets"]
+    resources = ["*"]
+  }
+}
+
 #########################################
 # IAM policy
 #########################################
@@ -12,5 +20,28 @@ module "iam_policy" {
   path        = "/"
   description = "My example policy"
 
-  policy ="./policy.tpl"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
     }
+  ]
+}
+EOF
+}
+
+module "iam_policy_from_data_source" {
+  source = "../../modules/iam-policy"
+
+  name        = "example_from_data_source"
+  path        = "/"
+  description = "My example policy"
+
+  policy = "${data.aws_iam_policy_document.bucket_policy.json}"
+}

examples/iam-policy/outputs.tf

 output "id" {
-  description = "The policy's ID"
+  description = "The policy ID"
   value       = "${module.iam_policy.id}"
 }
 

examples/iam-policy/policy.tpl

-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": [
-        "ec2:Describe*"
-      ],
-      "Effect": "Allow",
-      "Resource": "*"
-    }
-  ]
-}

examples/iam-user/README.md

@@ -16,25 +16,24 @@ $ terraform apply
 Run `terraform destroy` when you don't need these resources.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| keybase_password_decrypt_command |  |
-| keybase_password_pgp_message |  |
-| keybase_secret_key_decrypt_command |  |
-| keybase_secret_key_pgp_message |  |
-| pgp_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
-| this_iam_access_key_encrypted_secret | The encrypted secret, base64 encoded |
-| this_iam_access_key_id | The access key ID |
-| this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
-| this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
-| this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
-| this_iam_user_arn | The ARN assigned by AWS for this user |
-| this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
-| this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
-| this_iam_user_name | The user's name |
-| this_iam_user_unique_id | The unique ID assigned by AWS |
+| keybase\_password\_decrypt\_command |  |
+| keybase\_password\_pgp\_message |  |
+| keybase\_secret\_key\_decrypt\_command |  |
+| keybase\_secret\_key\_pgp\_message |  |
+| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
+| this\_iam\_access\_key\_id | The access key ID |
+| this\_iam\_access\_key\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
+| this\_iam\_access\_key\_ses\_smtp\_password | The secret access key converted into an SES SMTP password |
+| this\_iam\_access\_key\_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this\_iam\_user\_arn | The ARN assigned by AWS for this user |
+| this\_iam\_user\_login\_profile\_encrypted\_password | The encrypted password, base64 encoded |
+| this\_iam\_user\_login\_profile\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the password |
+| this\_iam\_user\_name | The user's name |
+| this\_iam\_user\_unique\_id | The unique ID assigned by AWS |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-account/README.md

@@ -22,31 +22,30 @@ Import successful!
 ``` 
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| account_alias | AWS IAM account alias for this account | string | - | yes |
-| allow_users_to_change_password | Whether to allow users to change their own password | string | `true` | no |
-| create_account_password_policy | Whether to create AWS IAM account password policy | string | `true` | no |
-| get_caller_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | string | `true` | no |
-| hard_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | string | `false` | no |
-| max_password_age | The number of days that an user password is valid. | string | `0` | no |
-| minimum_password_length | Minimum length to require for user passwords | string | `8` | no |
-| password_reuse_prevention | The number of previous passwords that users are prevented from reusing | string | `true` | no |
-| require_lowercase_characters | Whether to require lowercase characters for user passwords | string | `true` | no |
-| require_numbers | Whether to require numbers for user passwords | string | `true` | no |
-| require_symbols | Whether to require symbols for user passwords | string | `true` | no |
-| require_uppercase_characters | Whether to require uppercase characters for user passwords | string | `true` | no |
+| account\_alias | AWS IAM account alias for this account | string | n/a | yes |
+| allow\_users\_to\_change\_password | Whether to allow users to change their own password | string | `"true"` | no |
+| create\_account\_password\_policy | Whether to create AWS IAM account password policy | string | `"true"` | no |
+| get\_caller\_identity | Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized | string | `"true"` | no |
+| hard\_expiry | Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) | string | `"false"` | no |
+| max\_password\_age | The number of days that an user password is valid. | string | `"0"` | no |
+| minimum\_password\_length | Minimum length to require for user passwords | string | `"8"` | no |
+| password\_reuse\_prevention | The number of previous passwords that users are prevented from reusing | string | `"true"` | no |
+| require\_lowercase\_characters | Whether to require lowercase characters for user passwords | string | `"true"` | no |
+| require\_numbers | Whether to require numbers for user passwords | string | `"true"` | no |
+| require\_symbols | Whether to require symbols for user passwords | string | `"true"` | no |
+| require\_uppercase\_characters | Whether to require uppercase characters for user passwords | string | `"true"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| this_caller_identity_account_id | The AWS Account ID number of the account that owns or contains the calling entity |
-| this_caller_identity_arn | The AWS ARN associated with the calling entity |
-| this_caller_identity_user_id | The unique identifier of the calling entity |
-| this_iam_account_password_policy_expire_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
+| this\_caller\_identity\_account\_id | The AWS Account ID number of the account that owns or contains the calling entity |
+| this\_caller\_identity\_arn | The AWS ARN associated with the calling entity |
+| this\_caller\_identity\_user\_id | The unique identifier of the calling entity |
+| this\_iam\_account\_password\_policy\_expire\_passwords | Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present. |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-assumable-roles/README.md

@@ -5,48 +5,47 @@ Creates predefined IAM roles (admin, poweruser and readonly) which can be assume
 Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) - typically, AWS accounts and users.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| admin_role_name | IAM role with admin access | string | `admin` | no |
-| admin_role_path | Path of admin IAM role | string | `/` | no |
-| admin_role_policy_arn | Policy ARN to use for admin role | string | `arn:aws:iam::aws:policy/AdministratorAccess` | no |
-| admin_role_permissions_boundary_arn | Policy ARN to use for admin permission boundary | string | `` | no |
-| admin_role_requires_mfa | Whether admin role requires MFA | string | `true` | no |
-| create_admin_role | Whether to create admin role | string | `false` | no |
-| create_poweruser_role | Whether to create poweruser role | string | `false` | no |
-| create_readonly_role | Whether to create readonly role | string | `false` | no |
-| max_session_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `3600` | no |
-| mfa_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `86400` | no |
-| poweruser_role_name | IAM role with poweruser access | string | `poweruser` | no |
-| poweruser_role_path | Path of poweruser IAM role | string | `/` | no |
-| poweruser_role_policy_arn | Policy ARN to use for poweruser role | string | `arn:aws:iam::aws:policy/PowerUserAccess` | no |
-| poweruser_role_permissions_boundary_arn | Policy ARN to use for poweruser permission boundary | string | `` | no |
-| poweruser_role_requires_mfa | Whether poweruser role requires MFA | string | `true` | no |
-| readonly_role_name | IAM role with readonly access | string | `readonly` | no |
-| readonly_role_path | Path of readonly IAM role | string | `/` | no |
-| readonly_role_policy_arn | Policy ARN to use for readonly role | string | `arn:aws:iam::aws:policy/ReadOnlyAccess` | no |
-| readonly_role_permissions_boundary_arn | Policy ARN to use for readonly permission boundary | string | `` | no |
-| readonly_role_requires_mfa | Whether readonly role requires MFA | string | `true` | no |
-| trusted_role_arns | ARNs of AWS entities who can assume these roles | string | `<list>` | no |
+| admin\_role\_name | IAM role with admin access | string | `"admin"` | no |
+| admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
+| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| admin\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/AdministratorAccess"` | no |
+| admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no |
+| create\_admin\_role | Whether to create admin role | string | `"false"` | no |
+| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
+| create\_readonly\_role | Whether to create readonly role | string | `"false"` | no |
+| max\_session\_duration | Maximum CLI/API session duration in seconds between 3600 and 43200 | string | `"3600"` | no |
+| mfa\_age | Max age of valid MFA (in seconds) for roles which require MFA | string | `"86400"` | no |
+| poweruser\_role\_name | IAM role with poweruser access | string | `"poweruser"` | no |
+| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
+| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| poweruser\_role\_policy\_arn | Policy ARN to use for admin role | string | `"arn:aws:iam::aws:policy/PowerUserAccess"` | no |
+| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no |
+| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
+| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
+| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
+| readonly\_role\_policy\_arn | Policy ARN to use for readonly role | string | `"arn:aws:iam::aws:policy/ReadOnlyAccess"` | no |
+| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no |
+| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| admin_iam_role_arn | Admin |
-| admin_iam_role_name | Name of admin IAM role |
-| admin_iam_role_path | Path of admin IAM role |
-| admin_iam_role_requires_mfa | Whether admin IAM role requires MFA |
-| poweruser_iam_role_arn | Poweruser |
-| poweruser_iam_role_name | Name of poweruser IAM role |
-| poweruser_iam_role_path | Path of poweruser IAM role |
-| poweruser_iam_role_requires_mfa | Whether poweruser IAM role requires MFA |
-| readonly_iam_role_arn | Readonly |
-| readonly_iam_role_name | Name of readonly IAM role |
-| readonly_iam_role_path | Path of readonly IAM role |
-| readonly_iam_role_requires_mfa | Whether readonly IAM role requires MFA |
+| admin\_iam\_role\_arn | ARN of admin IAM role |
+| admin\_iam\_role\_name | Name of admin IAM role |
+| admin\_iam\_role\_path | Path of admin IAM role |
+| admin\_iam\_role\_requires\_mfa | Whether admin IAM role requires MFA |
+| poweruser\_iam\_role\_arn | ARN of poweruser IAM role |
+| poweruser\_iam\_role\_name | Name of poweruser IAM role |
+| poweruser\_iam\_role\_path | Path of poweruser IAM role |
+| poweruser\_iam\_role\_requires\_mfa | Whether poweruser IAM role requires MFA |
+| readonly\_iam\_role\_arn | ARN of readonly IAM role |
+| readonly\_iam\_role\_name | Name of readonly IAM role |
+| readonly\_iam\_role\_path | Path of readonly IAM role |
+| readonly\_iam\_role\_requires\_mfa | Whether readonly IAM role requires MFA |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/iam-policy/README.md

@@ -3,23 +3,22 @@
 Creates IAM policy.
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| name | The name of the policy | string | `` | no |
-| path | The path of the policy in IAM | string | `/` | no |
-| description | The description of the policy | string | `IAM Policy` | no |
-| policy | The path of the policy in IAM (tpl file) | string | `` | yes |
+| description | The description of the policy | string | `"IAM Policy"` | no |
+| name | The name of the policy | string | `""` | no |
+| path | The path of the policy in IAM | string | `"/"` | no |
+| policy | The path of the policy in IAM (tpl file) | string | `""` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| id | The policy's ID |
 | arn | The ARN assigned by AWS to this policy |
 | description | The description of the policy |
+| id | The policy's ID |
 | name | The name of the policy |
 | path | The path of the policy in IAM |
 | policy | The policy document |

modules/iam-policy/main.tf

-
-data "template_file" "policy" {
-    template = "${file("${var.policy}")}"
-}
-
 resource "aws_iam_policy" "policy" {
   name        = "${var.name}"
   path        = "${var.path}"
   description = "${var.description}"
 
-  policy = "${data.template_file.policy.rendered}"
+  policy = "${var.policy}"
 }

modules/iam-user/README.md

@@ -19,45 +19,44 @@ This module outputs commands and PGP messages which can be decrypted either usin
 - `keybase_secret_key_pgp_message`
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| create_iam_access_key | Whether to create IAM access key | string | `true` | no |
-| create_iam_user_login_profile | Whether to create IAM user login profile | string | `true` | no |
-| create_user | Whether to create the IAM user | string | `true` | no |
-| force_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | string | `false` | no |
-| name | Desired name for the IAM user | string | - | yes |
-| password_length | The length of the generated password | string | `20` | no |
-| password_reset_required | Whether the user should be forced to reset the generated password on first login. | string | `true` | no |
-| path | Desired path for the IAM user | string | `/` | no |
-| permissions_boundary | The policy that is used to set the permissions boundary for the user | string | `` | no |
-| pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `` | no |
-| ssh_key_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `SSH` | no |
-| ssh_public_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `` | no |
-| upload_iam_user_ssh_key | Whether to upload a public ssh key to the IAM user | string | `false` | no |
+| create\_iam\_access\_key | Whether to create IAM access key | string | `"true"` | no |
+| create\_iam\_user\_login\_profile | Whether to create IAM user login profile | string | `"true"` | no |
+| create\_user | Whether to create the IAM user | string | `"true"` | no |
+| force\_destroy | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | string | `"false"` | no |
+| name | Desired name for the IAM user | string | n/a | yes |
+| password\_length | The length of the generated password | string | `"20"` | no |
+| password\_reset\_required | Whether the user should be forced to reset the generated password on first login. | string | `"true"` | no |
+| path | Desired path for the IAM user | string | `"/"` | no |
+| permissions\_boundary | The ARN of the policy that is used to set the permissions boundary for the user. | string | `""` | no |
+| pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `""` | no |
+| ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `"SSH"` | no |
+| ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `""` | no |
+| upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | string | `"false"` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| keybase_password_decrypt_command |  |
-| keybase_password_pgp_message |  |
-| keybase_secret_key_decrypt_command |  |
-| keybase_secret_key_pgp_message |  |
-| pgp_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
-| this_iam_access_key_encrypted_secret | The encrypted secret, base64 encoded |
-| this_iam_access_key_id | The access key ID |
-| this_iam_access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
-| this_iam_access_key_ses_smtp_password | The secret access key converted into an SES SMTP password |
-| this_iam_access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
-| this_iam_user_arn | The ARN assigned by AWS for this user |
-| this_iam_user_login_profile_encrypted_password | The encrypted password, base64 encoded |
-| this_iam_user_login_profile_key_fingerprint | The fingerprint of the PGP key used to encrypt the password |
-| this_iam_user_name | The user's name |
-| this_iam_user_ssh_key_fingerprint | The MD5 message digest of the SSH public key |
-| this_iam_user_ssh_key_ssh_public_key_id | The unique identifier for the SSH public key |
-| this_iam_user_unique_id | The unique ID assigned by AWS |
+| keybase\_password\_decrypt\_command |  |
+| keybase\_password\_pgp\_message |  |
+| keybase\_secret\_key\_decrypt\_command |  |
+| keybase\_secret\_key\_pgp\_message |  |
+| pgp\_key | PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted) |
+| this\_iam\_access\_key\_encrypted\_secret | The encrypted secret, base64 encoded |
+| this\_iam\_access\_key\_id | The access key ID |
+| this\_iam\_access\_key\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
+| this\_iam\_access\_key\_ses\_smtp\_password | The secret access key converted into an SES SMTP password |
+| this\_iam\_access\_key\_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
+| this\_iam\_user\_arn | The ARN assigned by AWS for this user |
+| this\_iam\_user\_login\_profile\_encrypted\_password | The encrypted password, base64 encoded |
+| this\_iam\_user\_login\_profile\_key\_fingerprint | The fingerprint of the PGP key used to encrypt the password |
+| this\_iam\_user\_name | The user's name |
+| this\_iam\_user\_ssh\_key\_fingerprint | The MD5 message digest of the SSH public key |
+| this\_iam\_user\_ssh\_key\_ssh\_public\_key\_id | The unique identifier for the SSH public key |
+| this\_iam\_user\_unique\_id | The unique ID assigned by AWS |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->