terraform-iam-user
A demonstration of automating the onboarding of AWS IAM users using terraform. 😉
- It creates two users named
Adam
andDavid
. - Use aws_iam_access_key for
Programmatic Access
. - Test the users and policies attached to the account by heading over to IAM policy similator.
- For loop with terraform.
Installation and Usage
⚠️ Need to installterraform: >=1.0.0
andkeybase
.
Create the S3 bucket to store the state file,
aws s3api create-bucket --bucket terraform-hadoop-openvpn --region us-east-1 --acl private --profile <aws_profile_name>
Apply the Changes using terraform,
git clone git@github.com:murshidazher/terraform-iam-user.git
cd terraform
terraform init
pgp_key
? 🤔
What does it mean by More information on gpg key
By encrypting out terraform secrets, we are not only protecting them when they are output by terraform on screen, but also when they are written to our terraform state files. This is crucial because should our state file go missing, an attacker would not be able to use any of the credentials to compromise our infrastructure.
gpg -k
gpg --batch --gen-key key-gen-template
# Success! Now, we are in a position to use our newly created key to sign, encrypt, and decrypt messages. Note: remember the passphrase
Export the gpg
key to terraform/keys
directory,
💡 If you need to change the path where you keep the keys, just add it to variables.tf
pgp_key_path
as default path or add it to alliam-users.tfvar
files as a variables.
cd terraform && mkdir keys && cd keys
gpg --output public-key-binary.gpg --export hello@murshidazher.com
Note
One of the problems that we face now is that GPG gets “confused” when we pipe things into it, so before doing so, we need to tell it that we are going to pipe an encrypted message into it:
export GPG_TTY=$(tty)
By correctly setting the environment variable GPG_TTY as per above, GPG clearly understands that we are going to pipe a secret into it.
Provisioning
⚠️ It is important to note down the key generated in the output. Which will be required to decrypt the temporary password for iam user created. Only generated during user creation.
See if the terraform script is valid,
terraform validate
Apply the terraform scripts,
# create Adam's profile
# terraform <command> -var-file="<tfvar_file_location>"
terraform plan -var-file="iam-users/adam.prod.tfvars"
terraform apply -var-file="iam-users/adam.prod.tfvars"
# create David's profile
terraform plan -var-file="iam-users/david.prod.tfvars"
terraform apply -var-file="iam-users/david.prod.tfvars"
Get the outputs and decode it using the passphrase used to generate the pgp
key,
terraform output -raw iam_user_password | base64 --decode | gpg --decrypt
# gives you the raw console password
terraform output -raw iam_user_secret | base64 --decode | gpg --decrypt
# gives you the raw programmatic access secret
terraform output -raw iam_user_access_key_id
# gives you the programmatic access key_id
## Test
Add the credentials to `~/.aws/config` and `~/.aws/credentials`,
```bash
# ~/.aws/credentials
[adam]
aws_access_key_id = <<iam_user_access_key_id>>
aws_secret_access_key = <<iam_user_access_key_secret gpg decrypted>
# ~/.aws/config
[profile adam]
region=<<default_region>>
output=json
Test the console permissions,
💡 Note: Reference to aws-cli-cheatsheet
# should be possible
aws s3api list-buckets --profile adam
# shouldn't be possible
aws ec2 describe-instances --profile adam
# An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
Teardown
terraform destroy
LICENSE
MIT © 2021 Murshid Azher.