Terraform with AWS - Setup AWS IAM

Prerequisites

Scopes:

  • Create IAM users

  • Create IAM policies

  • Create an IAM group

Terraform Intro

“HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share.” more detail about terraform here

Let’s create an IAM user

%[https://gist.github.com/ahakimx/5a0bc49e1b34813078d542a7bc29b2e4]

Run the terraform commands

terraform init
terraform fmt
terraform validate

terraform plan

$ terraform apply

Check the IAM user list with the aws-cli command

$ aws iam list-users

OK. The user has been created with Terraform. Next we will create an IAM policy and attach it to the user we just created.

Create IAM policies with terraform

%[https://gist.github.com/ahakimx/b87e90101547801a3cce5d8033bb88a3]

Create an IAM policy, then attach the policy to the user

  • create admin-policy.json file

%[https://gist.github.com/ahakimx/06c77c12bfb3374912e6c531bd18c5e9]

The file above is the policy that will be attached to the user we created.

  • Run terraform again

$ terraform plan

$ terraform apply

Check the policies attached to the user

$ aws iam list-attached-user-policies --user-name ha

The IAM policy has been created and attached. Next we will give the user a console password.

Add user login profile

Use the aws_iam_user_login_profile resource.

...
resource "aws_iam_user_login_profile" "userLogin" {
  user = aws_iam_user.admin_user.name
}

output "password" {
  value = aws_iam_user_login_profile.userLogin.password
}
...
  • Run terraform plan and apply again.

$ terraform plan
$ terraform apply --auto-approve

Now we can sign in to the AWS dashboard. Don’t share the password. Note that this output prints the password in plaintext at apply time, and the Terraform state file stores it in the clear as well, so treat the state as a secret. Marking the output with sensitive = true keeps it out of the plan/apply output; supplying a pgp_key on the login profile makes the provider return only an encrypted_password instead of the plaintext one, which is the PGP approach worth using.
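The same login profile with the password PGP-encrypted, as an added example (not code from the original post or its repository). It assumes the aws_iam_user.admin_user resource from the post, and a file admin.pub holding a binary export of the recipient's PGP public key (gpg --export KEYID > admin.pub); the file name and key are this example's assumptions.

```hcl
# Added example (not from the original post): same login profile, but the
# console password never appears in plaintext in outputs or on the terminal.
# Assumes admin.pub is a binary PGP public key export; filebase64 turns it
# into the base64 string the pgp_key argument expects.
resource "aws_iam_user_login_profile" "userLogin" {
  user                    = aws_iam_user.admin_user.name
  password_length         = 20
  password_reset_required = true # force a change at first sign-in
  pgp_key                 = filebase64("admin.pub")
}

# With pgp_key set, the provider exposes encrypted_password instead of
# password. sensitive = true keeps it out of plan/apply output; the state
# file still holds the (encrypted) value.
output "encrypted_password" {
  value     = aws_iam_user_login_profile.userLogin.encrypted_password
  sensitive = true
}
```

Recover the password on the machine holding the private key with: terraform output -raw encrypted_password | base64 --decode | gpg --decrypt. Protect the state backend either way; with the plain password attribute the state would hold the cleartext.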

To destroy the IAM user we can use terraform destroy

$ terraform destroy --auto-approve

To make sure the user was deleted, check again with the aws-cli command

$ aws iam list-users

Full Code for IAM user:

%[https://gist.github.com/ahakimx/55e6f6ca75acd158184bd84723c0a0c6]


Create IAM with multiple users

How to create multiple users with terraform?

OK, let’s create them:

%[https://gist.github.com/ahakimx/a9649f0e2a1b273ae3fcc318db07109b]

Above we define three users named “ha”, “lucy” and “john”. We will use for_each in Terraform; more detail about for_each here.

Update the main.tf file as below:

resource "aws_iam_user" "admin_user" {
  name     = each.value
  for_each = toset(var.admin_users)
  tags = {
    Description = "Tech Lead"
  }
}

resource "aws_iam_user_login_profile" "userLogin" {
  for_each = aws_iam_user.admin_user
  user     = each.value.name
}

resource "aws_iam_policy" "adminUser" {
  name   = "AdminUsers"
  policy = file("admin-policy.json")
}

resource "aws_iam_user_policy_attachment" "admin-access" {
  for_each   = aws_iam_user.admin_user
  user       = each.value.name
  policy_arn = aws_iam_policy.adminUser.arn
}

output "password" {
  value = {
    for k, v in aws_iam_user_login_profile.userLogin : k => v.password
  }
}

Check with the aws-cli command used earlier:

$ aws iam list-users

OK, try to sign in to the dashboard. Don’t share the passwords. To destroy the resources use this command:

$ terraform destroy

Full Code for IAM users:

  • main.tf

resource "aws_iam_user" "admin_user" {
  name     = each.value
  for_each = toset(var.admin_users)
  tags = {
    Description = "Tech Lead"
  }
}

resource "aws_iam_user_login_profile" "userLogin" {
  for_each = aws_iam_user.admin_user
  user     = each.value.name
}

resource "aws_iam_policy" "adminUser" {
  name   = "AdminUsers"
  policy = file("admin-policy.json")
}

resource "aws_iam_user_policy_attachment" "admin-access" {
  for_each   = aws_iam_user.admin_user
  user       = each.value.name
  policy_arn = aws_iam_policy.adminUser.arn
}

output "password" {
  value = {
    for k, v in aws_iam_user_login_profile.userLogin : k => v.password
  }
}
  • admin-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

This policy allows every action on every resource with no conditions, which is full administrative access equivalent to the AWS managed AdministratorAccess policy. It is fine for this walkthrough, but in a real account scope it down to what the users actually need, or at least require MFA before it takes effect.
  • variable.tf

variable "admin_users" {
  type    = list(string)
  default = ["ha", "lucy", "john"]
}

Setup IAM Group

  • Update the main.tf file: add the aws_iam_group and aws_iam_group_membership resources.

resource "aws_iam_group" "tech-lead" {
  name = "Tech-Lead"
}

# aws_iam_group_membership manages the group's complete member list, and the
# provider warns that several of them targeting the same group behave
# inconsistently. So one resource lists every user, instead of creating one
# membership per user with for_each.
resource "aws_iam_group_membership" "team" {
  name  = "tech-lead-group-membership"
  users = [for u in aws_iam_user.admin_user : u.name]
  group = aws_iam_group.tech-lead.name
}
  • terraform plan

$ terraform plan
  • terraform apply

$ terraform apply --auto-approve

  • Add the group policy attachment. Once the policy is attached to the group, the per-user aws_iam_user_policy_attachment resources from the previous section are redundant and can be removed, so that permissions are managed in one place.

resource "aws_iam_group_policy_attachment" "tech_lead_group_policy" {
  group      = aws_iam_group.tech-lead.name
  policy_arn = aws_iam_policy.adminUser.arn
}
  • terraform plan

$ terraform plan
  • terraform apply

$ terraform apply --auto-approve

  • Check the IAM users and the group with the root account in the AWS dashboard, or with the aws-cli: aws iam get-group --group-name Tech-Lead lists the group members, and aws iam list-attached-group-policies --group-name Tech-Lead shows the attached policy.
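The group-centric layout a practitioner would settle on, as an added example (not code from the original post or its repository). It assumes the aws_iam_user.admin_user and aws_iam_policy.adminUser resources from main.tf above, and uses aws_iam_user_group_membership, which is not exclusive per group, in place of aws_iam_group_membership, so a per-user for_each is safe.

```hcl
# Added example (not from the original post or repository): permissions are
# managed only at group level; users get no direct policy attachments.
resource "aws_iam_group" "tech-lead" {
  name = "Tech-Lead"
}

# One non-exclusive membership per user. Unlike aws_iam_group_membership,
# several of these can point at the same group, and a user may also be put
# in other groups by other resources, so for_each over the users is safe.
resource "aws_iam_user_group_membership" "tech_lead" {
  for_each = aws_iam_user.admin_user
  user     = each.value.name
  groups   = [aws_iam_group.tech-lead.name]
}

# Attach the policy to the group only. With the per-user
# aws_iam_user_policy_attachment removed, each user's permissions are
# explained entirely by group membership, which is easier to audit.
resource "aws_iam_group_policy_attachment" "tech_lead_group_policy" {
  group      = aws_iam_group.tech-lead.name
  policy_arn = aws_iam_policy.adminUser.arn
}
```

If you switch from the existing aws_iam_group_membership "team" resource to this layout, terraform plan will show the old membership being destroyed and the per-user memberships created; the users keep their group access because the group itself is unchanged.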

To destroy the resources, run terraform destroy

$ terraform destroy

Full Code for IAM group:

%[https://gist.github.com/ahakimx/9fb59ac78358b524129152e8d29acd0b]

Repository:

https://github.com/ahakimx/terraform-aws

References:

https://developer.hashicorp.com/terraform/language/meta-arguments/for_each
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user

This post is licensed under CC BY 4.0 by the author.