Added iam-account (#1)

* Added iam-account

Author: antonbabenko

.editorconfig

@@ -0,0 +1,30 @@
+# EditorConfig is awesome: http://EditorConfig.org
+# Uses editorconfig to maintain consistent coding styles
+
+# top-most EditorConfig file
+root = true
+
+# Unix-style newlines with a newline ending every file
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true
+max_line_length = 80
+trim_trailing_whitespace = true
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space
+
+[*.md]
+max_line_length = 0
+trim_trailing_whitespace = false
+
+[Makefile]
+tab_width = 2
+indent_style = tab
+
+[COMMIT_EDITMSG]
+max_line_length = 0

.gitignore

@@ -0,0 +1,4 @@
+.terraform
+terraform.tfstate
+*.tfstate*
+terraform.tfvars

.pre-commit-config.yaml

@@ -0,0 +1,9 @@
+repos:
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+  sha: v1.4.0
+  hooks:
+    - id: terraform_fmt
+- repo: git://github.com/pre-commit/pre-commit-hooks
+  sha: v1.2.0
+  hooks:
+    - id: check-merge-conflict

LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -1,2 +1,8 @@
 # terraform-aws-iam
 Terraform module which creates IAM resources on AWS
+
+- [ ] IAM account
+- [ ] IAM groups
+- [ ] IAM users
+- [ ] IAM assumable roles
+- [ ] IAM group with assumable roles policy

examples/iam-account/README.md

@@ -0,0 +1,19 @@
+HTTP Security Group example
+===========================
+
+Configuration in this directory creates set of Security Group and Security Group Rules resources in various combination.
+
+Data sources are used to discover existing VPC resources (VPC and default security group).
+
+Usage
+=====
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.

examples/iam-account/main.tf

@@ -0,0 +1,15 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+##############
+# IAM account
+##############
+module "iam_account" {
+  source = "../../modules/iam-account"
+
+  account_alias = "test-account-awesome-company"
+
+  minimum_password_length = 6
+  require_numbers         = false
+}

examples/iam-account/outputs.tf

@@ -0,0 +1,9 @@
+output "this_caller_identity_account_id" {
+  description = "The ID of the AWS account"
+  value       = "${module.iam_account.this_caller_identity_account_id}"
+}
+
+output "this_iam_account_password_policy_expire_passwords" {
+  description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present."
+  value       = "${module.iam_account.this_iam_account_password_policy_expire_passwords}"
+}

modules/iam-account/README.md

@@ -0,0 +1,22 @@
+# iam-account
+
+Manage IAM account alias and password policy.
+
+## Notes
+
+* If IAM account alias was previously set (either via AWS console or during the creation of an account from AWS Organizations) you will see this error:
+```
+* aws_iam_account_alias.this: Error creating account alias with name my-account-alias
+```
+
+If you want to manage IAM alias using Terraform (otherwise why are you reading this?) you need to import this resource like this:
+```
+$ terraform import module.iam_account.aws_iam_account_alias.this this
+
+module.iam_account.aws_iam_account_alias.this: Importing from ID "this"...
+module.iam_account.aws_iam_account_alias.this: Import complete!
+  Imported aws_iam_account_alias (ID: this)
+module.iam_account.aws_iam_account_alias.this: Refreshing state... (ID: this)
+
+Import successful!
+``` 

modules/iam-account/main.tf

@@ -0,0 +1,20 @@
+data "aws_caller_identity" "this" {
+  count = "${var.get_caller_identity}"
+}
+
+resource "aws_iam_account_alias" "this" {
+  account_alias = "${var.account_alias}"
+}
+
+resource "aws_iam_account_password_policy" "this" {
+  count = "${var.create_account_password_policy ? 1 : 0}"
+
+  minimum_password_length        = "${var.minimum_password_length}"
+  allow_users_to_change_password = "${var.allow_users_to_change_password}"
+  hard_expiry                    = "${var.hard_expiry}"
+  password_reuse_prevention      = "${var.password_reuse_prevention}"
+  require_lowercase_characters   = "${var.require_lowercase_characters}"
+  require_uppercase_characters   = "${var.require_uppercase_characters}"
+  require_numbers                = "${var.require_numbers}"
+  require_symbols                = "${var.require_symbols}"
+}

modules/iam-account/outputs.tf

@@ -0,0 +1,19 @@
+output "this_caller_identity_account_id" {
+  description = "The AWS Account ID number of the account that owns or contains the calling entity"
+  value       = "${element(concat(data.aws_caller_identity.this.*.account_id, list("")), 0)}"
+}
+
+output "this_caller_identity_arn" {
+  description = "The AWS ARN associated with the calling entity"
+  value       = "${element(concat(data.aws_caller_identity.this.*.arn, list("")), 0)}"
+}
+
+output "this_caller_identity_user_id" {
+  description = "The unique identifier of the calling entity"
+  value       = "${element(concat(data.aws_caller_identity.this.*.user_id, list("")), 0)}"
+}
+
+output "this_iam_account_password_policy_expire_passwords" {
+  description = "Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present."
+  value       = "${element(concat(aws_iam_account_password_policy.this.*.expire_passwords, list("")), 0)}"
+}

modules/iam-account/variables.tf

@@ -0,0 +1,53 @@
+variable "get_caller_identity" {
+  description = "Whether to get AWS account ID, User ID, and ARN in which Terraform is authorized"
+  default     = true
+}
+
+variable "account_alias" {
+  description = "AWS IAM account alias for this account"
+}
+
+variable "create_account_password_policy" {
+  description = "Whether to create AWS IAM account password policy"
+  default     = true
+}
+
+variable "minimum_password_length" {
+  description = "Minimum length to require for user passwords"
+  default     = 8
+}
+
+variable "allow_users_to_change_password" {
+  description = "Whether to allow users to change their own password"
+  default     = true
+}
+
+variable "hard_expiry" {
+  description = "Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset)"
+  default     = false
+}
+
+variable "password_reuse_prevention" {
+  description = "The number of previous passwords that users are prevented from reusing"
+  default     = true
+}
+
+variable "require_lowercase_characters" {
+  description = "Whether to require lowercase characters for user passwords"
+  default     = true
+}
+
+variable "require_uppercase_characters" {
+  description = "Whether to require uppercase characters for user passwords"
+  default     = true
+}
+
+variable "require_numbers" {
+  description = "Whether to require numbers for user passwords"
+  default     = true
+}
+
+variable "require_symbols" {
+  description = "Whether to require symbols for user passwords"
+  default     = true
+}