How to Create IAM User & Policy using Terraform on AWS


IAM stands for Identity and Access Management.

IAM lets us manage users, groups, roles and permissions, that is, who may call which AWS APIs on which resources, whether through the AWS Console, the CLI or an SDK.

  1. Let’s set up Terraform with Visual Studio Code (a basic code editor)
  • First install Terraform on your local or remote machine from https://www.terraform.io/downloads.html and follow the installation instructions.
  • Then install Visual Studio Code from https://code.visualstudio.com/download for your OS, open the Extensions view on the left and install the HashiCorp Terraform extension.
  • Then create a file in Visual Studio Code called main.tf (or whatever you like; you can also keep every block in its own file), paste the provider block below and set your default region. Terraform needs AWS credentials to act on your account. The block below passes an access key and secret key directly in the provider, which is fine for a throwaway experiment only: anything in a .tf file tends to end up in version control. For real use leave access_key and secret_key out and let the provider pick up credentials from the AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY environment variables, a named profile selected with AWS_PROFILE, or an IAM role on the machine running Terraform.
provider "aws" {
  region     = "us-west-2"
  # Example only: hard-coded keys leak through git history and Terraform logs.
  # Delete both lines below to use environment, profile or role credentials instead.
  access_key = "my-access-key"
  secret_key = "my-secret-key"
}

2. Let’s create an IAM user using Terraform

  • Add the resource block below to main.tf or to a file of your own (your_own.tf):
resource "aws_iam_user" "lb" {
  name = "Adam"
}
  • If you want more than one IAM user you could copy and paste the same resource block several times, but that defeats the low-repetition goal we are aiming for, doesn't it?
  • The solution is count. If you combine count.index with Terraform's built-in functions you can customize each "iteration" of the "loop". We need two functions: length and element(list, index).
  • length returns the number of items in a list (it also works on strings and maps) and element picks the item at the given index. Create variables.tf with the variable block below, then replace the earlier aws_iam_user block with the one that uses the variable.
  • We also use the aws_iam_access_key resource (https://www.terraform.io/docs/providers/aws/r/iam_access_key.html) to create an access key for each user, which is what gives a user programmatic access. Note that the key's secret is written to the Terraform state file, so protect the state (or set the resource's pgp_key argument so that only an encrypted secret is stored).
#variables.tf
variable "username" {
  type    = list(string)   # Terraform 0.12+ syntax; the older type = "list" is no longer accepted
  default = ["Adam", "David", "Moses"]
}
#main.tf
resource "aws_iam_user" "example" {
  count = length(var.username)
  name  = element(var.username, count.index)
  path  = "/system/"
}
resource "aws_iam_access_key" "newemp" {
  count = length(var.username)
  # Reference the user resource rather than the raw name so Terraform creates
  # the user before its key and destroys them in the right order.
  user  = aws_iam_user.example[count.index].name
}

After creating and saving both files, open a command line in the folder that holds them and run terraform init, then terraform plan, then terraform apply to deploy the resources.

  • Now you will see that Terraform wants to create three IAM users, each with a unique name.
  • Note that because we used count on the resource, it becomes a list of resources rather than a single resource, so individual users are addressed by index (for example aws_iam_user.example[0]).
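The same step written as one complete, self-contained set of files, added here as an example rather than taken from the article. It uses for_each keyed on the user name instead of count, so deleting a name from the list removes only that user instead of renumbering every later user (which churns their access keys), it keeps credentials out of the provider block, and it encrypts each generated secret with a PGP key so the plaintext never reaches Terraform state. The resource names aws_iam_user.this and aws_iam_access_key.this, the variable names usernames and pgp_key, and the sample user names are choices made for this example.

```hcl
# variables.tf
variable "usernames" {
  description = "IAM user names to create; each name is the for_each key"
  type        = set(string)
  default     = ["Adam", "David", "Moses"] # constructed sample names
}

variable "pgp_key" {
  description = "Base64 PGP public key, or keybase:<user>, used to encrypt each access key secret"
  type        = string
  default     = null # when null the plaintext secret is stored in state (see comment below)
}

# main.tf
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# No access_key/secret_key here: the provider reads AWS_PROFILE or
# AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY from the environment, or an
# instance/role credential, so no long-lived secret is committed.
provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "this" {
  for_each = var.usernames
  name     = each.key
  path     = "/system/"
}

# for_each over the user resources gives the same keys (the names) and a
# dependency on each user, so a removed user takes only its own key with it.
resource "aws_iam_access_key" "this" {
  for_each = aws_iam_user.this
  user     = each.value.name
  # With pgp_key set, only encrypted_secret is populated and the plaintext
  # secret never enters the state file; with pgp_key = null, secret is stored in state.
  pgp_key  = var.pgp_key
}

# outputs.tf
output "user_arns" {
  value = { for name, u in aws_iam_user.this : name => u.arn }
}

output "access_key_ids" {
  value = { for name, k in aws_iam_access_key.this : name => k.id }
}

output "encrypted_secrets" {
  description = "Populated only when pgp_key is set; decrypt with the matching private key"
  value       = { for name, k in aws_iam_access_key.this : name => k.encrypted_secret }
  sensitive   = true
}
```

Run it with the same terraform init, plan and apply sequence. Because the outputs are maps keyed by user name, terraform output user_arns shows each ARN next to the name it belongs to, which is more useful than a positional list when users come and go.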

3. Additionally, if you want to expose the Amazon Resource Name (ARN) of one of the IAM users as an output value, add the following:

# outputs.tf
output "user_arn" {
  value = aws_iam_user.example[0].arn
}
  • If you want the ARNs of all the IAM users, create outputs.tf with the same output block but use the splat expression aws_iam_user.example[*].arn as the value instead of indexing a single element; the output then becomes a list.

4. Finally we are done creating IAM users; now let's attach a policy to them (by default a new user has no permissions and no policy attached).

IAM policies are JSON documents that describe permissions within AWS. They are used to grant your IAM users access to particular AWS resources and API actions.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document

  • Terraform provides a handy data source called aws_iam_policy_document that gives you a more concise way to define an IAM policy in HCL and validates its structure at plan time; the block below uses a plain JSON heredoc, which works just as well for a small policy.
  • Additionally, you can add aws_iam_account_password_policy to enforce password strength for console logins across the whole account. It applies whenever a user sets or changes a console password, not only at first login, and has no effect on access keys.
  • You can either add the resource blocks below to main.tf or create policy.tf and paste them there to keep your resources organized.
#Policy.tf
resource "aws_iam_account_password_policy" "strict" {
  # These values are only slightly stricter than the AWS default of 8 characters.
  # For production accounts raise minimum_password_length (CIS recommends 14)
  # and set require_symbols = true.
  minimum_password_length        = 8
  require_lowercase_characters   = true
  require_numbers                = true
  require_uppercase_characters   = true
  require_symbols                = false
  allow_users_to_change_password = true
}
resource "aws_iam_user_policy" "newemp_policy" {
  count  = length(var.username)
  name   = "new"
  # Reference the user resource so the user exists before the inline policy is attached
  user   = aws_iam_user.example[count.index].name
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
  • An IAM policy consists of one or more statements,
  • each of which specifies an effect (either "Allow" or "Deny"),
  • one or more actions (e.g., "ec2:Describe*" allows every EC2 API call whose name starts with "Describe"),
  • and one or more resources (e.g., "*" means "all resources"). Keep actions and resources as narrow as the task allows; "*" on a write action is where over-permissive policies usually begin.
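The policy step rewritten with the aws_iam_policy_document data source mentioned above and a stronger password policy, added here as an example that is not part of the original article. It assumes the var.username list and the count-based aws_iam_user.example resource from step 2; the name ec2_read_only, the inline policy name and the specific password-policy numbers are choices made for this example.

```hcl
# policy.tf (assumes var.username and aws_iam_user.example from step 2)

# Building the policy in HCL lets Terraform validate the structure at plan time
# and render the same "2012-10-17" JSON document the heredoc produced.
data "aws_iam_policy_document" "ec2_read_only" {
  statement {
    sid       = "EC2ReadOnly"
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    # Describe* calls are not resource-scoped, so "*" is the only valid value here;
    # for write actions, list specific ARNs instead.
    resources = ["*"]
  }
}

resource "aws_iam_user_policy" "ec2_read_only" {
  count  = length(var.username)
  # Inline policy names only need to be unique per user, so one name for all is fine.
  name   = "ec2-read-only"
  # Reference the managed resource, not the raw name, so Terraform creates the
  # user before the policy and destroys them in the right order.
  user   = aws_iam_user.example[count.index].name
  policy = data.aws_iam_policy_document.ec2_read_only.json
}

# Console password policy for the whole account. The length and reuse values
# follow the CIS AWS Foundations Benchmark; the 90-day maximum age is a choice
# for this example.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
  hard_expiry                    = false # users can still log in to set a new password after expiry
}
```

Use this policy.tf in place of the one above, not alongside it, since both declare aws_iam_account_password_policy.strict. After terraform apply, terraform state show data.aws_iam_policy_document.ec2_read_only prints the rendered JSON so you can confirm it matches the heredoc version before attaching it. Inline user policies are the simplest fit for this tutorial, but once users share permissions it is easier to audit one aws_iam_policy attached to an IAM group than a copy per user.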

Do customize the resource names & policy according to your own needs.
