Module: iam-system-user
Terraform Module to provision a basic IAM system user suitable for CI/CD Systems (e.g. TravisCI, CircleCI) or systems which are external to AWS that cannot leverage AWS IAM Instance Profiles or AWS OIDC.
We do not recommend creating IAM users this way for any other purpose.
By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users. This module intentionally attaches an IAM policy directly to the user and does not use groups.
The IAM user name is constructed using terraform-null-label and some input is required. The simplest input is name. By default the name will be converted to lower case and all non-alphanumeric characters except for hyphen will be removed. See the documentation for terraform-null-label to learn how to override these defaults if desired.
If an AWS Access Key is created, it is stored either in SSM Parameter Store or is provided as a module output, but not both. Using SSM Parameter Store is recommended because module outputs are stored in plaintext in the Terraform state file.
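The following is an added example, not part of the module's README, showing the configuration a CI system user would typically get when the access key is kept in SSM Parameter Store rather than exposed as a plaintext module output. The input names create_iam_access_key, ssm_enabled and ssm_base_path, and the output name user_name, are assumed here; confirm them against the module's variables.tf and outputs.tf for the version you pin.

```hcl
# Added example (not from the module's README): generate an access key for a
# CI deployer user and have the module write it to SSM Parameter Store instead
# of returning it as an output. Input/output names below are assumptions.
module "ci_deployer" {
  source = "cloudposse/iam-system-user/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  namespace = "eg"
  stage     = "ci"
  name      = "deployer"

  create_iam_access_key = true             # assumed input: create an access key pair
  ssm_enabled           = true             # assumed input: store the key in SSM, not in outputs
  ssm_base_path         = "/system_user/"  # assumed input: SSM parameter path prefix

  # Prefer the narrowest managed policy that covers the job; avoid *FullAccess
  # policies for a long-lived credential that lives outside AWS.
  policy_arns_map = {
    s3_readonly = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
  }
}

# Export only non-secret facts. Anything placed in an output is written in
# plaintext to the Terraform state file, which is exactly what ssm_enabled
# is meant to avoid for the secret access key.
output "ci_deployer_user_name" {
  value = module.ci_deployer.user_name  # assumed output name
}
```

After apply, the CI system reads the credential at deploy time with aws ssm get-parameter --with-decryption (the exact parameter names under the base path are defined by the module; check its documentation), so the secret never passes through Terraform outputs. Restrict ssm:GetParameter on that path to the principal that runs the CI job, and treat a read of those parameters by any other principal as a detection signal in CloudTrail.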
Usage
module "circleci" {
  source = "cloudposse/iam-system-user/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace = "eg"
  stage     = "circleci"
  name      = "assets"
}
Examples
module "fluentd_user" {
  source = "cloudposse/iam-system-user/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace = "eg"
  stage     = "dev"
  name      = "fluentd"

  policy_arns_map = {
    logs = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
  }

  inline_policies_map = {
    s3 = data.aws_iam_policy_document.s3_policy.json
  }
}
data "aws_iam_policy_document" "s3_policy" {
  statement {
    actions = [
      "s3:PutObject",
      "s3:GetObjectAcl",
      "s3:GetObject",
      "s3:ListBucket",
      "s3:PutObjectAcl"
    ]

    # Object actions (Get/PutObject, *ObjectAcl) match object ARNs, so they need
    # the "/*" form. s3:ListBucket is evaluated against the bucket ARN itself,
    # which has no trailing slash; "arn:aws:s3:::bucket_name/" would not match
    # the bucket and ListBucket would be denied.
    resources = [
      "arn:aws:s3:::bucket_name/*",
      "arn:aws:s3:::bucket_name"
    ]
  }
}
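The policy above grants read, write and ACL access to the whole bucket. Below is an added example, not from the module's README, of the same shape tightened to the least privilege a single uploader usually needs: bucket-level and object-level permissions are split into separate statements, listing is limited to one prefix, and the ACL actions are dropped. The bucket name example-assets-bucket and the uploads/ prefix are placeholders; the module input inline_policies_map is taken from the README example above.

```hcl
# Added example (not from the module's README): least-privilege S3 policy for a
# system user that only needs to read and write objects under one prefix.
# "example-assets-bucket" and "uploads/" are placeholders.
data "aws_iam_policy_document" "s3_least_privilege" {
  # Bucket-level statement. s3:ListBucket is evaluated against the bucket ARN
  # (no "/*"), and the s3:prefix condition stops the user from enumerating
  # keys outside its own prefix.
  statement {
    sid       = "ListOnlyUploadsPrefix"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-assets-bucket"]

    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["uploads/*"]
    }
  }

  # Object-level statement, scoped to the prefix. s3:PutObjectAcl and
  # s3:GetObjectAcl are intentionally omitted: a compromised CI credential
  # with PutObjectAcl can make objects public, and the actions are not needed
  # at all when the bucket uses "bucket owner enforced" object ownership
  # (ACLs disabled).
  statement {
    sid       = "ReadWriteUploadsObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["arn:aws:s3:::example-assets-bucket/uploads/*"]
  }
}

module "uploader" {
  source = "cloudposse/iam-system-user/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace = "eg"
  stage     = "dev"
  name      = "uploader"

  inline_policies_map = {
    s3 = data.aws_iam_policy_document.s3_least_privilege.json
  }
}
```

Before applying, terraform plan will render the generated JSON, which is a good point to confirm that no statement carries a Resource of "*" and that each bucket-level action sits on the bucket ARN rather than an object ARN. If the user must later be granted more, add a second entry to inline_policies_map rather than widening these statements.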