aws_iam_user_login_profile without PGP #18749

Open
akingscote opened this issue Apr 12, 2021 · 9 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.

Comments

@akingscote

I'd like to create an aws_iam_user_login_profile resource without the need for PGP.

I understand the security risks, but for my use case I want to provision user login profiles in a sandbox environment using automated methods, for which I don't want the overhead of using PGP.
I feel that the PGP approach should be recommended, but not mandated for use.

I can have a stab at implementing it myself, but I don't want to waste time if the functionality is intentionally left out and not approved.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The ability to either provide a string password to the aws_iam_user_login_profile or at least not have any dependencies on PGP or a public store like keybase.

New or Affected Resource(s)

  • iam_user_login_profile

Potential Terraform Configuration

Potentially the configuration could be a case of omitting the pgp_key field.

resource "aws_iam_user_login_profile" "il" {
  user                    = xxxx
  password_length         = var.password_length
  password_reset_required = var.password_reset_required
}

or even specify the password in configuration. Perhaps this would be better, as we can allow the password to come from external sources (like a secret in a key vault).

resource "aws_iam_user_login_profile" "il" {
  user                    = xxxx
  password_reset_required = var.password_reset_required
  password            = xxxxxx
}

References

https://github.com/hashicorp/terraform-provider-aws/blob/main/aws/resource_aws_iam_user_login_profile.go

@akingscote akingscote added the enhancement Requests to existing resources that expand the functionality or scope. label Apr 12, 2021
@ghost ghost added the service/iam Issues and PRs that pertain to the iam service. label Apr 12, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 12, 2021
@YakDriver YakDriver removed the needs-triage Waiting for first response or review from a maintainer. label Apr 14, 2021
@YakDriver
Member

@akingscote In my opinion, this seems like a valid use case. In automated situations and test environments, especially with the password_reset_required argument, there ought to be this ability. In order to have something like this, we would need a very clear notice in the documentation about the risks. I see nothing in the AWS API that would cause a problem.

@DrFaust92
Collaborator

Possibly related #12384

@Jahsis

Jahsis commented Sep 8, 2021

Yes, we need this!

@jsmilani

We got tripped up on this too, but due to gpg 2.3.0 using ed25519/cv25519 as the new default (https://lists.gnupg.org/pipermail/gnupg-announce/2021q2/000458.html), which is incompatible with terraform-provider-aws and throws errors like "creation: Error encrypting Password: error parsing given PGP key: openpgp: unsupported feature: unsupported oid: 2b060104019755010501". A ticket (#15384) that was reported to fix this incompatibility was closed as won't fix due to the fact it uses encryption, and the Terraform docs explicitly state that PGP was a failed experiment and should no longer be used (https://www.terraform.io/docs/extend/best-practices/sensitive-state.html#don-39-t-encrypt-state). There needs to be a plain-text alternative, much like aws_iam_access_key.

@akingscote
Author

@jsmilani I submitted a PR ages ago to get around this, but it's buried in the backlog.

#18929

@bestrocker221

It has not been resolved yet. Is there any other way to create a user without the keybase PGP key?

@jsmilani

jsmilani commented Apr 1, 2022

@bestrocker221 Technically you can still create a user (aws_iam_user) without a profile, but it won't have a password until someone manually enables login in the Console UI. When you create the user you probably want force_destroy = true set; otherwise Terraform will refuse to delete the user later on if any changes are made by the user to their own account or a login password is enabled.

@akingscote
Author

@bestrocker221 I ended up creating a little application in Go which just creates a login profile. I then call that with local-exec. But for my use case, I don't need to worry about state files.

resource "aws_iam_user" "user1" {
  name  = "user1"
  path  = "/"

  provisioner "local-exec" {
    command = format("main create loginProfile --name %s --password %s", self.name, "ThisIsMyPassW0rd!")
  }
}

Happy to share the app if it helps.

@act-mreeves

Is it a terrible idea to do something like this?

The idea is that the aws cli is run to create an initial password only when a new user is created, and then you can hand that off to the user via some out-of-band method. The only issue that I see is logs. State has no details of the password.

resource "aws_iam_user" "jdoe" {
  name          = "jdoe"
  path          = "/"
  force_destroy = "true"
}

resource "null_resource" "jdoe" {
  # "id" = run script only when user is created; "every_time" = run every time
  triggers = {
    id = aws_iam_user.jdoe.id # implies only once
    # every_time = uuid() # useful for iterating during testing
  }

  provisioner "local-exec" {
    command = <<EOF
      TMP_PASS=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo ''); \
      echo "password: $TMP_PASS"; \
      aws iam create-login-profile --password-reset-required --profile ${var.aws_profile} \
        --user-name ${aws_iam_user.jdoe.name} --password "$TMP_PASS";
EOF
  }
}
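A shell variant of the two local-exec approaches above (the Go helper invoked with the password as an argument, and the null_resource script), added here as an example and not code from any participant or from the provider: it addresses the log concern raised above by never echoing the generated password and by handing it to the AWS CLI through a 0600 temp file via --cli-input-json rather than as a command-line argument. The aws profile name, user name and hand-off path are assumed placeholders passed by the caller.

```shell
#!/bin/sh
# Added example (not from the issue): create an IAM console login profile from a
# local-exec step without putting the password in argv or in Terraform output.
# Assumed placeholders: user name, AWS profile and hand-off path are caller args.

# Random alphanumeric password of length $1 (default 20). dd + cut are used
# instead of 'tr ... | head' so the pipeline never ends in a SIGPIPE failure.
gen_password() {
  n=${1:-20}
  dd if=/dev/urandom bs=1024 count=4 2>/dev/null | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c "1-$n"
}

# JSON body for 'aws iam create-login-profile --cli-input-json'. The password is
# alphanumeric only, so no JSON escaping is needed; reset is forced at first login.
login_profile_json() {
  printf '{"UserName": "%s", "Password": "%s", "PasswordResetRequired": true}\n' "$1" "$2"
}

# $1 user name, $2 AWS CLI profile, $3 hand-off file (created 0600, never echoed).
create_login_profile() {
  user=$1; profile=$2; out=$3
  umask 077                      # temp file and hand-off file readable only by this user
  tmp=$(mktemp) || return 1
  pass=$(gen_password 20)
  login_profile_json "$user" "$pass" >"$tmp"
  rc=0
  # The secret reaches the CLI through a private file, not a command-line argument
  # that 'ps', shell history or the apply output of local-exec would expose.
  aws iam create-login-profile --profile "$profile" --cli-input-json "file://$tmp" >/dev/null || rc=$?
  rm -f "$tmp"
  if [ "$rc" -eq 0 ]; then
    printf '%s\n' "$pass" >"$out"  # operator delivers this out of band, then deletes the file
  fi
  return "$rc"
}

# Call from Terraform instead of the inline heredoc, e.g.
#   command = "sh create_login_profile.sh ${aws_iam_user.jdoe.name} ${var.aws_profile} /secure/jdoe.pw"
if [ "$#" -eq 3 ]; then
  create_login_profile "$1" "$2" "$3"
fi
```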
