feat: Support IAM access key status (#315)

* support iam access key status * revert test * Apply suggestions from code review Co-authored-by: magreenbaum <magreenbaum> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
terraform-aws-modules · Dec 1, 2022 · 705040a · 705040a
1 parent 2984b29
commit 705040a
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 1 deletion.
diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md
@@ -33,6 +33,7 @@ No providers.
 |------|--------|---------|
 | <a name="module_iam_user"></a> [iam\_user](#module\_iam\_user) | ../../modules/iam-user | n/a |
 | <a name="module_iam_user2"></a> [iam\_user2](#module\_iam\_user2) | ../../modules/iam-user | n/a |
+| <a name="module_iam_user3"></a> [iam\_user3](#module\_iam\_user3) | ../../modules/iam-user | n/a |
 
 ## Resources
 

diff --git a/examples/iam-user/main.tf b/examples/iam-user/main.tf
@@ -33,3 +33,16 @@ module "iam_user2" {
   create_iam_user_login_profile = false
   create_iam_access_key         = true
 }
+
+###################################################################
+# IAM user with inactive IAM access key
+###################################################################
+module "iam_user3" {
+  source = "../../modules/iam-user"
+
+  name = "vasya.pupkin5"
+
+  create_iam_user_login_profile = false
+  create_iam_access_key         = true
+  iam_access_key_status         = "Inactive"
+}
diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md
@@ -56,6 +56,7 @@ No modules.
 | <a name="input_create_iam_user_login_profile"></a> [create\_iam\_user\_login\_profile](#input\_create\_iam\_user\_login\_profile) | Whether to create IAM user login profile | `bool` | `true` | no |
 | <a name="input_create_user"></a> [create\_user](#input\_create\_user) | Whether to create the IAM user | `bool` | `true` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | `bool` | `false` | no |
+| <a name="input_iam_access_key_status"></a> [iam\_access\_key\_status](#input\_iam\_access\_key\_status) | Access key status to apply. | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Desired name for the IAM user | `string` | n/a | yes |
 | <a name="input_password_length"></a> [password\_length](#input\_password\_length) | The length of the generated password | `number` | `20` | no |
 | <a name="input_password_reset_required"></a> [password\_reset\_required](#input\_password\_reset\_required) | Whether the user should be forced to reset the generated password on first login. | `bool` | `true` | no |

diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf
@@ -28,12 +28,14 @@ resource "aws_iam_access_key" "this" {
 
   user    = aws_iam_user.this[0].name
   pgp_key = var.pgp_key
+  status  = var.iam_access_key_status
 }
 
 resource "aws_iam_access_key" "this_no_pgp" {
   count = var.create_user && var.create_iam_access_key && var.pgp_key == "" ? 1 : 0
 
-  user = aws_iam_user.this[0].name
+  user   = aws_iam_user.this[0].name
+  status = var.iam_access_key_status
 }
 
 resource "aws_iam_user_ssh_key" "this" {

diff --git a/modules/iam-user/variables.tf b/modules/iam-user/variables.tf
@@ -39,6 +39,12 @@ variable "pgp_key" {
   default     = ""
 }
 
+variable "iam_access_key_status" {
+  description = "Access key status to apply."
+  type        = string
+  default     = null
+}
+
 variable "password_reset_required" {
   description = "Whether the user should be forced to reset the generated password on first login."
   type        = bool