
provider/aws: Added aws_iam_login_profile custom password setting #10734

Closed
wants to merge 2 commits into from

Conversation

@Ninir Ninir commented Dec 14, 2016

Reasoning for this change

This is the continuation of #9605.

The previous PR introduced PGP-based keys, encrypting and decrypting using keybase.io.
As the login_profile password was generated, it was missing the ability to generate a custom password.
This allows setting it, making this even more flexible.

Real Configuration

 resource "aws_iam_user" "user" {
     name = "demo"
     path = "/"
     force_destroy = true
 }
 
 data "aws_caller_identity" "current" {}
 
 data "aws_iam_policy_document" "user" {
     statement {
         effect = "Allow"
         actions = ["iam:GetAccountPasswordPolicy"]
         resources = ["*"]
     }
     statement {
         effect = "Allow"
         actions = ["iam:ChangePassword"]
         resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}"]
     }
 }
 
 resource "aws_iam_user_policy" "user" {
     name = "AllowChangeOwnPassword"
     user = "${aws_iam_user.user.name}"
     policy = "${data.aws_iam_policy_document.user.json}"
 }
 
 resource "aws_iam_access_key" "user" {
     user = "${aws_iam_user.user.name}"
 }
 
 resource "aws_iam_user_login_profile" "user" {
     user = "${aws_iam_user.user.name}"
     password = "test"
 }

Use cases

Demos, trainings or hands-on sessions.

Acceptance tests

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSUserLoginProfile_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2016/12/14 21:58:25 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSUserLoginProfile_ -timeout 120m
=== RUN   TestAccAWSUserLoginProfile_basic
--- PASS: TestAccAWSUserLoginProfile_basic (22.11s)
=== RUN   TestAccAWSUserLoginProfile_keybase
--- PASS: TestAccAWSUserLoginProfile_keybase (20.71s)
=== RUN   TestAccAWSUserLoginProfile_keybaseDoesntExist
--- PASS: TestAccAWSUserLoginProfile_keybaseDoesntExist (12.11s)
=== RUN   TestAccAWSUserLoginProfile_notAKey
--- PASS: TestAccAWSUserLoginProfile_notAKey (14.28s)
=== RUN   TestAccAWSUserLoginProfile_customPassword
--- PASS: TestAccAWSUserLoginProfile_customPassword (19.61s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/aws	88.850s

@@ -90,7 +90,27 @@ func TestAccAWSUserLoginProfile_notAKey(t *testing.T) {
{
// We own this account but it doesn't have any key associated with it
Config: testAccAWSUserLoginProfileConfig(username, "/", "lolimnotakey"),
ExpectError: regexp.MustCompile(`Error encrypting password`),
ExpectError: regexp.MustCompile(`Error encrypting Password`),
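Review bot: The updated `ExpectError` pattern only follows the capitalization of the provider's error string (`Error encrypting password` became `Error encrypting Password`), so the test will break again as soon as that message casing is corrected; a case-insensitive pattern such as `regexp.MustCompile(`(?i)error encrypting password`)` keeps the assertion on the failure itself rather than on the typo, or alternatively fix the capitalization in the provider's error message and leave the test as it was.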
Contributor Author


There was a typo here for password, which gave the error:

* aws_iam_user_login_profile.user: Error encrypting Password: Error parsing given PGP key: unexpected EOF

@@ -169,7 +189,7 @@ func testDecryptPasswordAndTest(nProfile, nAccessKey, key string) resource.TestC
NewPassword: aws.String(generatePassword(20)),
})
if err != nil {
if awserr, ok := err.(awserr.Error); ok && awserr.Code() == "InvalidClientTokenId" {
if awserr, ok := err.(awserr.Error); ok && (awserr.Code() == "InvalidClientTokenId" || awserr.Code() == "EntityTemporarilyUnmodifiable") {
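Review bot: Treating `EntityTemporarilyUnmodifiable` the same way as `InvalidClientTokenId` makes the ChangePassword check pass silently without ever confirming that the decrypted password is accepted, which hides exactly the failure this check exists to catch. Since the error is transient (the login profile is still being created), wrap the `ChangePassword` call in `resource.Retry` and return `resource.RetryableError(err)` for `EntityTemporarilyUnmodifiable`, so the check waits for the profile and then actually validates the password. Separately, `if awserr, ok := err.(awserr.Error)` shadows the imported `awserr` package with the local variable; a name such as `aerr` avoids the confusion.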
Contributor Author


This is required since I encountered this error:

Check failed: Check 2/2 error: Error changing decrypted password: EntityTemporarilyUnmodifiable: Login Profile for User test-user-5423997845776594466 cannot be modified while login profile is being created.

jen20 commented Dec 14, 2016

Hi @Ninir! The issue with setting a custom password is that it then appears in configuration unencrypted - is this the desired outcome?

Ninir commented Dec 14, 2016

Hi @jen20 !

It is. In my case, it is sometimes useful to provide sequence-based passwords, like "user1", "user2" etc (training purposes for instance).

Also, the variable can be passed using a -var file, or using a Vault Provider in cases where you really need to hide it.

@Ninir Ninir changed the title [WIP] provider/aws: Added aws_iam_login_profile custom password setting provider/aws: Added aws_iam_login_profile custom password setting Dec 14, 2016
Ninir commented Dec 14, 2016

If you try to change the password without impersonating the user, the following error will be thrown:

InvalidUserType: Only IAM Users can change their own password.

I am able to do the update stuff, but it will require impersonating the user and updating the profile.
Do you think we should go this way?

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020