boundary/enos/modules/aws_iam_setup/main.tf

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

data "aws_caller_identity" "current" {}

variable "test_id" {}
variable "test_email" {}
variable "enable_credential_rotation" {
  description = "Sets up the IAM user to support the use of credential rotation in Boundary"
  type        = bool
  default     = false
}


locals {
  # Use the AWS provided email if users are running this, override with variable for CI
  user_email = var.test_email == null ? split(":", data.aws_caller_identity.current.user_id)[1] : var.test_email
}

resource "aws_iam_user" "boundary" {
  name                 = "demo-${local.user_email}-${var.test_id}"
  tags                 = { boundary-demo = local.user_email }
  permissions_boundary = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/DemoUser"
  # If credential rotation is used, this is necessary to delete the user since a new access
  # key will be generated.
  force_destroy = var.enable_credential_rotation ? true : false
}

resource "aws_iam_user_policy" "boundary" {
  name = "boundary_e2e_${var.test_id}"
  user = aws_iam_user.boundary.name
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : [
          "ec2:DescribeInstances"
        ],
        "Effect" : "Allow",
        "Resource" : "*"
      }
    ]
  })
}

resource "aws_iam_user_policy" "rotate_keys" {
  count = var.enable_credential_rotation ? 1 : 0
  name  = "boundary_e2e_${var.test_id}_rotate_keys"
  user  = aws_iam_user.boundary.name
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Action" : [
          "iam:DeleteAccessKey",
          "iam:GetUser",
          "iam:CreateAccessKey"
        ],
        "Effect" : "Allow",
        "Resource" : "${aws_iam_user.boundary.arn}",
      }
    ]
  })
}


resource "aws_iam_access_key" "boundary" {
  user = aws_iam_user.boundary.name
}

output "access_key_id" {
  value = aws_iam_access_key.boundary.id
}

output "secret_access_key" {
  value = nonsensitive(aws_iam_access_key.boundary.secret)
}

output "user_name" {
  description = "The name of the user created by this module."
  value       = aws_iam_user.boundary.name
}