provider/aws: aws_iam_user_login_profile resource #9605
Conversation
This commit implements reusable functions for when resources have no need to implement a particular operation: - Noop - does nothing and returns no error. - RemoveFromState - sets the resource ID to empty string (removing it from state) and returns no error.
This commit introduces an `aws_iam_user_login_profile` resource which
creates a password for an IAM user, and encrypts it using a PGP key
specified in the configuration or obtained from Keybase.
For example:
```
resource "aws_iam_user" "u" {
name = "auser"
path = "/"
force_destroy = true
}
resource "aws_iam_user_login_profile" "u" {
user = "${aws_iam_user.u.name}"
pgp_key = "keybase:some_person_that_exists"
}
output "password" {
value = "${aws_iam_user_login_profile.u.encrypted_password}"
}
```
The resulting attribute "encrypted_password" can be decrypted using
PGP or Keybase - for example:
```
terraform output password | base64 --decode | keybase pgp decrypt
```
Optionally the user can retain the password rather than the default of
being forced to change it at first login. Generated passwords are
currently 20 characters long.
This commit modifies password generation such that it is highly likely to match any AWS password policy.
jen20
force-pushed
the
keybase-aws-login-profile
branch
from
aa35bac
to
586ad44
Compare
If an IAM user already has a login profile, we bring it under management - we will NOT modify it - but we cannot set the password.
jen20
force-pushed
the
keybase-aws-login-profile
branch
from
586ad44
to
e5fb6c9
Compare
|
Looks great, but I think the following should be done: Destroy: Exists: Testing: I think the easiest way to test this is just a basic create/destory test that just verifies it succeeds. We could go more hardcore and actually use the resulting password to try to run more API calls. I don't think its necessary but if you want. We can probably skip update for now. |
jen20
force-pushed
the
keybase-aws-login-profile
branch
from
c2532d9
to
2e04623
Compare
Add a test with a bad explicitly specified GPG key and a keybase user (that we own) with no public keys.
|
Hi @mitchellh! I added some acceptance tests that verify the behaviour for good and bad keys. For the non-keybase keys we verify that the password is usable (by changing it to something else random). I don't think we should implement destroy (and thus exists is not necessary) - there is too much risk of removing a user's login credentials, and Acceptance test run: |
|
Awesome, LGTM! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
This commit introduces an
aws_iam_user_login_profileresource which creates a password for an IAM user, and encrypts it using a PGP key specified in the configuration or obtained from Keybase.For example:
The resulting attribute "encrypted_password" can be decrypted using PGP or Keybase - for example:
Optionally the user can retain the password rather than the default of being forced to change it at first login. Generated passwords are currently 20 characters long by default, though this can be overriden.
It is unclear how to test this correctly - we should discuss!