creating IAM User and Group with Password change policy using Terraform


Introduction:

Managing user access and permissions in AWS is a critical aspect of ensuring the security and compliance of your infrastructure. With Terraform, you can automate the process of adding a user to a group in #AWS Identity and Access Management (IAM), as well as assigning specific permissions such as configuring password policies.

In this guide, we will walk you through the process of using #Terraform to add a user to a group, and configure the password policy in AWS IAM. By leveraging Terraform’s #infrastructure-as-code approach, you can define and manage these configurations as code, enabling easy replication, #version control, and collaboration within your infrastructure workflow.

Prerequisites:

  1. #Terraform should be installed.

  2. An AWS account with #IAM permissions.

  3. AWS credentials should be configured.

Step 1: Open an editor such as Visual Studio Code.

Step 2: Create a folder with any name you like. Inside that folder, create a Terraform file called main.tf and insert the following code:

# main.tf
provider "aws" {
  region = var.aws_region
}

# The IAM user and the group it will be added to; names come from variable.tf.
resource "aws_iam_user" "mahira_user" {
  name = var.user_name
}

resource "aws_iam_group" "mahira_group" {
  name = var.group_name
}

resource "aws_iam_group_membership" "group_membership" {
  name  = "user-group_membership"
  users = [
    aws_iam_user.mahira_user.name
  ]
  group = aws_iam_group.mahira_group.name
}

# Self-service policy: account-level read access, plus management of the
# caller's own password, access keys and SSH public keys only. The $$ escape
# makes Terraform emit the literal IAM policy variable ${aws:username}.
resource "aws_iam_policy" "iam_policy" {
  name = "user_policy"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "AllowViewAccountInfo",
        "Effect" : "Allow",
        "Action" : [
          "iam:GetAccountPasswordPolicy",
          "iam:GetAccountSummary"
        ],
        "Resource" : "*"
      },
      {
        "Sid" : "AllowManageOwnPasswords",
        "Effect" : "Allow",
        "Action" : [
          "iam:ChangePassword",
          "iam:GetUser"
        ],
        "Resource" : "arn:aws:iam::*:user/$${aws:username}"
      },
      {
        "Sid" : "AllowManageOwnAccessKeys",
        "Effect" : "Allow",
        "Action" : [
          "iam:CreateAccessKey",
          "iam:DeleteAccessKey",
          "iam:ListAccessKeys",
          "iam:UpdateAccessKey"
        ],
        "Resource" : "arn:aws:iam::*:user/$${aws:username}"
      },
      {
        "Sid" : "AllowManageOwnSSHPublicKeys",
        "Effect" : "Allow",
        "Action" : [
          "iam:DeleteSSHPublicKey",
          "iam:GetSSHPublicKey",
          "iam:ListSSHPublicKeys",
          "iam:UpdateSSHPublicKey",
          "iam:UploadSSHPublicKey"
        ],
        "Resource" : "arn:aws:iam::*:user/$${aws:username}"
      }
    ]
  })
}

# Attach the policy to the group. Note that aws_iam_policy_attachment manages
# every attachment of this policy in the account (it is exclusive); to attach a
# policy to just one group without that side effect, aws_iam_group_policy_attachment
# is the usual choice.
resource "aws_iam_policy_attachment" "policy_attachment" {
  policy_arn = aws_iam_policy.iam_policy.arn
  groups     = [aws_iam_group.mahira_group.name]
  name       = "example-attachment"
}

# Account-wide password policy applied to all IAM users.
resource "aws_iam_account_password_policy" "password_policy" {
  minimum_password_length        = 8
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = false
  require_symbols                = true
  allow_users_to_change_password = true
}
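The security-relevant part of main.tf is the Resource field of the last three statements: `arn:aws:iam::*:user/${aws:username}` means each user can only touch their own credentials, while `AllowViewAccountInfo` is the only statement left at `Resource = "*"`. The following is an added example, not code from the original post: a small Python evaluator that copies the policy document above, substitutes the policy variable and answers "is this action on this ARN allowed for this caller?". It supports Allow and Deny, the `*` and `?` wildcards and `${aws:username}` substitution; conditions, NotAction/NotResource and cross-account rules are deliberately out of scope, so it is a teaching model rather than AWS's own evaluator. The account ID and the `other-user` name are constructed placeholders.

```python
"""Added example (not from the original post): a small evaluator for the
self-service policy in main.tf, showing why ${aws:username} limits each user
to their own credentials. Supports Allow/Deny, '*' and '?' wildcards and
policy-variable substitution; conditions, NotAction/NotResource and
cross-account rules are out of scope."""
import fnmatch
import json

# Copy of the policy document from the aws_iam_policy resource in main.tf.
# Terraform writes $${aws:username} into the JSON as ${aws:username}.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
         "Action": ["iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"],
         "Resource": "*"},
        {"Sid": "AllowManageOwnPasswords", "Effect": "Allow",
         "Action": ["iam:ChangePassword", "iam:GetUser"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "AllowManageOwnAccessKeys", "Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey",
                    "iam:ListAccessKeys", "iam:UpdateAccessKey"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow",
         "Action": ["iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey",
                    "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey",
                    "iam:UploadSSHPublicKey"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
    ],
}

# Constructed sample values: a placeholder account id, plus the user name
# defined in variable.tf.
ACCOUNT_ID = "123456789012"
CALLER = "open-source"


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'). Action names are compared
    case-insensitively by the caller; ARNs are compared as written."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy, action, resource, username):
    """True if `policy` grants `action` on `resource` for a caller whose
    aws:username is `username`. An explicit Deny always wins; with no matching
    Allow the result is the implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt["Resource"])]
        if not any(_matches(a, action.lower()) for a in actions):
            continue
        if not any(_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unscoped_statements(policy):
    """Sids of Allow statements whose Resource is the bare '*'. A reviewer
    should confirm each of these is read-only, as AllowViewAccountInfo is."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])]


def with_statement(policy, statement):
    """Return a deep copy of `policy` with one extra statement appended,
    e.g. to see how an explicit Deny overrides the Allows."""
    new_policy = json.loads(json.dumps(policy))
    new_policy["Statement"].append(statement)
    return new_policy


def user_arn(name):
    """ARN of an IAM user in the placeholder account."""
    return f"arn:aws:iam::{ACCOUNT_ID}:user/{name}"


if __name__ == "__main__":
    for action, target in [("iam:ChangePassword", CALLER),
                           ("iam:ChangePassword", "other-user"),
                           ("iam:CreateAccessKey", "other-user")]:
        print(f"{CALLER} -> {action} on user/{target}:",
              is_allowed(POLICY, action, user_arn(target), CALLER))
    print("statements with Resource '*':", unscoped_statements(POLICY))
```

Running it shows `open-source` may change its own password but not `other-user`'s, may not create access keys for anyone else, and that only `AllowViewAccountInfo` is unscoped. `unscoped_statements` is the kind of check worth running before `terraform apply` whenever this policy is edited: a mutating action that ends up next to `Resource = "*"` would let every member of the group manage every user's credentials.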

Step 3: Create one more file called variable.tf and insert the following code:

# variable.tf
variable "aws_region" {
  default = "us-east-1"
}

variable "user_name" {
  default = "open-source"
}

variable "group_name" {
  default = "mahira"
}

Step 4: Define the outputs in a file called output.tf and insert the following code:

# output.tf
output "region" {
  value = var.aws_region
}

output "user_name" {
  value = aws_iam_user.mahira_user.name
}

output "group_name" {
  value = aws_iam_group.mahira_group.name
}

Step 5: After everything is set up, open a terminal, change to the folder containing the code and run terraform init.

Step 6: Once initialization has completed, run terraform plan. You should see a similar result.

Step 7: After the plan has run successfully, run terraform apply. It will ask "Do you want to perform these actions? #Terraform will perform the actions described above. Only 'yes' will be accepted to approve." Enter 'yes'; only then will it proceed.

Step 8: Open the AWS console, log in and search for IAM. You will see that the user and group have been created, the user has been added to the group, the policy has been attached and the account password policy has been changed.

Step 9: If you no longer need the user and group, run terraform destroy; it will remove the user and group from IAM.

Conclusion:

Using Terraform to add a user to a group, assign S3 full access, and configure the password policy in #AWS IAM offers a #scalable and automated solution for managing user access and enforcing #security policies. By following the steps outlined in this guide, you have learned how to leverage Terraform’s #infrastructure-as-code approach to streamline the process.

#Terraform enables you to define user configurations, #group memberships, permissions, and password policies as code. This allows for easy replication, #version control, and #collaboration within your infrastructure workflow. By #automating these processes, you ensure consistent and auditable user management practices across your AWS accounts.