feat(module): initial import

2025-04-10 12:37:36 +02:00 · 2025-04-10 12:37:36 +02:00 · a046131bd2
commit a046131bd2
8 changed files with 415 additions and 0 deletions
--- a/main.tf
+++ b/main.tf
@ -0,0 +1,61 @@
+data "aws_organizations_organization" "main" {}
+
+locals {
+  aws_account_ids = { for info in data.aws_organizations_organization.main.accounts :
+    info.name => info.id
+  }
+}
+
+resource "aws_iam_user" "main" {
+  force_destroy = true
+  name          = var.name
+}
+
+resource "aws_iam_user_policy" "main" {
+  name = var.name
+  policy = jsonencode({
+    Statement = concat([
+      { # Assume roles in AWS sub-accounts
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Resource = [for name in var.assume_role_account_names :
+          format(
+            "arn:aws:iam::%s:role/%s",
+            local.aws_account_ids[name],
+            var.name,
+          )
+        ]
+      },
+      {
+        Action = [
+          # Manage the user's own IAM access key
+          "iam:CreateAccessKey",
+          "iam:DeleteAccessKey",
+          "iam:UpdateAccessKey",
+          # Read only access to the user's IAM object
+          "iam:Get*",
+          "iam:List*",
+        ]
+        Effect   = "Allow"
+        Resource = aws_iam_user.main.arn
+      },
+      {
+        Action = [
+          # Necessary for removing an IAM user
+          "iam:ListVirtualMFADevices",
+          # Describe and list the organization accounts
+          "organizations:DescribeOrganization",
+          "organizations:List*",
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ])
+    Version = "2012-10-17"
+  })
+  user = aws_iam_user.main.name
+}
+
+resource "aws_iam_access_key" "main" {
+  user = aws_iam_user.main.name
+}