enh: configure AWS account password policy (#287)

Author: mglotov

terraform/layer1-aws/README.md

@@ -34,6 +34,7 @@
 |------|------|
 | [aws_cloudtrail.main](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/cloudtrail) | resource |
 | [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/ebs_encryption_by_default) | resource |
+| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/iam_account_password_policy) | resource |
 | [aws_kms_key.eks](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/kms_key) | resource |
 | [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_acl.cloudtrail](https://registry.terraform.io/providers/aws/4.10.0/docs/resources/s3_bucket_acl) | resource |
@@ -59,6 +60,7 @@
 |------|-------------|------|---------|:--------:|
 | <a name="input_allowed_account_ids"></a> [allowed\_account\_ids](#input\_allowed\_account\_ids) | List of allowed AWS account IDs | `list` | `[]` | no |
 | <a name="input_allowed_ips"></a> [allowed\_ips](#input\_allowed\_ips) | IP addresses allowed to connect to private resources | `list(any)` | `[]` | no |
+| <a name="input_aws_account_password_policy"></a> [aws\_account\_password\_policy](#input\_aws\_account\_password\_policy) | n/a | `any` | <pre>{<br>  "allow_users_to_change_password": true,<br>  "create": true,<br>  "hard_expiry": true,<br>  "max_password_age": "90",<br>  "minimum_password_length": "14",<br>  "password_reuse_prevention": "10",<br>  "require_lowercase_characters": true,<br>  "require_numbers": true,<br>  "require_symbols": true,<br>  "require_uppercase_characters": true<br>}</pre> | no |
 | <a name="input_aws_cis_benchmark_alerts"></a> [aws\_cis\_benchmark\_alerts](#input\_aws\_cis\_benchmark\_alerts) | AWS CIS Benchmark alerts configuration | `any` | <pre>{<br>  "email": "[email protected]",<br>  "enabled": "false",<br>  "rules": {<br>    "aws_config_changes_enabled": true,<br>    "cloudtrail_configuration_changes_enabled": true,<br>    "console_login_failed_enabled": true,<br>    "consolelogin_without_mfa_enabled": true,<br>    "iam_policy_changes_enabled": true,<br>    "kms_cmk_delete_or_disable_enabled": true,<br>    "nacl_changes_enabled": true,<br>    "network_gateway_changes_enabled": true,<br>    "organization_changes_enabled": true,<br>    "parameter_store_actions_enabled": true,<br>    "route_table_changes_enabled": true,<br>    "s3_bucket_policy_changes_enabled": true,<br>    "secrets_manager_actions_enabled": true,<br>    "security_group_changes_enabled": true,<br>    "unauthorized_api_calls_enabled": true,<br>    "usage_of_root_account_enabled": true,<br>    "vpc_changes_enabled": true<br>  }<br>}</pre> | no |
 | <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Count of avaiablity zones, min 2 | `number` | `3` | no |
 | <a name="input_cidr"></a> [cidr](#input\_cidr) | Default CIDR block for VPC | `string` | `"10.0.0.0/16"` | no |

terraform/layer1-aws/aws-iam.tf

@@ -1,3 +1,16 @@
+resource "aws_iam_account_password_policy" "default" {
+  count = var.aws_account_password_policy.create ? 1 : 0
+
+  minimum_password_length        = var.aws_account_password_policy.minimum_password_length
+  password_reuse_prevention      = var.aws_account_password_policy.password_reuse_prevention
+  require_lowercase_characters   = var.aws_account_password_policy.require_lowercase_characters
+  require_numbers                = var.aws_account_password_policy.require_numbers
+  require_uppercase_characters   = var.aws_account_password_policy.require_uppercase_characters
+  require_symbols                = var.aws_account_password_policy.require_symbols
+  allow_users_to_change_password = var.aws_account_password_policy.allow_users_to_change_password
+  max_password_age               = var.aws_account_password_policy.max_password_age
+}
+
 module "vpc_cni_irsa" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
   version = "4.14.0"

terraform/layer1-aws/variables.tf

@@ -5,6 +5,22 @@ variable "allowed_account_ids" {
   default     = []
 }
 
+variable "aws_account_password_policy" {
+  type = any
+  default = {
+    create                         = true
+    minimum_password_length        = "14"  # Minimum length to require for user passwords
+    password_reuse_prevention      = "10"  # The number of previous passwords that users are prevented from reusing
+    require_lowercase_characters   = true  # If true, password must contain at least 1 lowercase symbol
+    require_numbers                = true  # If true, password must contain at least 1 number symbol
+    require_uppercase_characters   = true  # If true, password must contain at least 1 uppercase symbol
+    require_symbols                = true  # If true, password must contain at least 1 special symbol
+    allow_users_to_change_password = true  # Whether to allow users to change their own password
+    max_password_age               = "90"  # How many days user's password is valid
+    hard_expiry                    = false # Don't allow users to set a new password after their password has expired 
+  }
+}
+
 variable "name" {
   description = "Project name, required to create unique resource names"
 }