feat: implement user inline policy for iam-user

igor-raits · igor-raits · commit c7b344af5f2f · 2025-08-22T19:22:20.000+02:00
diff --git a/examples/iam-user/README.md b/examples/iam-user/README.md
@@ -1,6 +1,6 @@
 # AWS IAM User Example
 
-Configuration in this directory creates an IAM user with a random password, a pair of IAM access/secret keys and uploads IAM SSH public key.
+Configuration in this directory creates an IAM user with a random password, a pair of IAM access/secret keys, uploads IAM SSH public key, and demonstrates inline policy creation.
 User password and secret key is encrypted using public key of keybase.io user named `test`.
 
 # Usage
@@ -35,6 +35,7 @@ No providers.
 | <a name="module_iam_user2"></a> [iam\_user2](#module\_iam\_user2) | ../../modules/iam-user | n/a |
 | <a name="module_iam_user3"></a> [iam\_user3](#module\_iam\_user3) | ../../modules/iam-user | n/a |
 | <a name="module_iam_user_disabled"></a> [iam\_user\_disabled](#module\_iam\_user\_disabled) | ../../modules/iam-user | n/a |
+| <a name="module_iam_user_with_inline_policy"></a> [iam\_user\_with\_inline\_policy](#module\_iam\_user\_with\_inline\_policy) | ../../modules/iam-user | n/a |
 
 ## Resources
 
@@ -93,4 +94,7 @@ No inputs.
 | <a name="output_iam_user_ssh_key_fingerprint"></a> [iam\_user\_ssh\_key\_fingerprint](#output\_iam\_user\_ssh\_key\_fingerprint) | The MD5 message digest of the SSH public key |
 | <a name="output_iam_user_ssh_key_public_key_id"></a> [iam\_user\_ssh\_key\_public\_key\_id](#output\_iam\_user\_ssh\_key\_public\_key\_id) | The unique identifier for the SSH public key |
 | <a name="output_iam_user_unique_id"></a> [iam\_user\_unique\_id](#output\_iam\_user\_unique\_id) | The unique ID assigned by AWS |
-<!-- END_TF_DOCS -->
+| <a name="output_iam_user_with_inline_policy_arn"></a> [iam\_user\_with\_inline\_policy\_arn](#output\_iam\_user\_with\_inline\_policy\_arn) | The ARN assigned by AWS for this user |
+| <a name="output_iam_user_with_inline_policy_name"></a> [iam\_user\_with\_inline\_policy\_name](#output\_iam\_user\_with\_inline\_policy\_name) | The user's name |
+| <a name="output_iam_user_with_inline_policy_unique_id"></a> [iam\_user\_with\_inline\_policy\_unique\_id](#output\_iam\_user\_with\_inline\_policy\_unique\_id) | The unique ID assigned by AWS |
+<!-- END_TF_DOCS -->
diff --git a/examples/iam-user/main.tf b/examples/iam-user/main.tf
@@ -71,3 +71,43 @@ module "iam_user_disabled" {
 
   tags = local.tags
 }
+
+################################################################################
+# IAM user with inline policy
+################################################################################
+
+module "iam_user_with_inline_policy" {
+  source = "../../modules/iam-user"
+
+  name          = "vasya.pupkin6"
+  force_destroy = true
+
+  # Enable inline policy
+  create_inline_policy = true
+
+  # Define inline policy permissions
+  inline_policy_permissions = {
+    s3_read_access = {
+      effect = "Allow"
+      actions = [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ]
+      resources = [
+        "arn:aws:s3:::example-bucket",
+        "arn:aws:s3:::example-bucket/*"
+      ]
+    }
+    cloudwatch_logs = {
+      effect = "Allow"
+      actions = [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+      resources = ["*"]
+    }
+  }
+
+  tags = local.tags
+}
diff --git a/modules/iam-user/README.md b/modules/iam-user/README.md
@@ -1,6 +1,6 @@
 # AWS IAM User Terraform Module
 
-Creates an IAM user with ability to create a login profile, access key, and SSH key.
+Creates an IAM user with ability to create a login profile, access key, SSH key, and inline policies.
 
 ## Usage
 
@@ -21,6 +21,45 @@ module "iam_user" {
 }
 ```
 
+### Inline Policies
+
+You can also create inline policies for the IAM user:
+
+```hcl
+module "iam_user_with_inline_policy" {
+  source = "terraform-aws-modules/iam/aws//modules/iam-user"
+
+  name = "example-user"
+
+  # Enable inline policy
+  create_inline_policy = true
+
+  # Define inline policy permissions
+  inline_policy_permissions = {
+    s3_access = {
+      effect = "Allow"
+      actions = [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ]
+      resources = [
+        "arn:aws:s3:::example-bucket",
+        "arn:aws:s3:::example-bucket/*"
+      ]
+    }
+    cloudwatch_logs = {
+      effect = "Allow"
+      actions = [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ]
+      resources = ["*"]
+    }
+  }
+}
+```
+
 ### Keybase
 
 If possible, always use PGP encryption to prevent Terraform from keeping unencrypted password and access secret key in state file.
@@ -52,8 +91,10 @@ No modules.
 | [aws_iam_access_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_login_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
+| [aws_iam_user_policy.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_iam_user_policy_attachment.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_iam_user_ssh_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_ssh_key) | resource |
+| [aws_iam_policy_document.inline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
@@ -62,16 +103,20 @@ No modules.
 | <a name="input_access_key_status"></a> [access\_key\_status](#input\_access\_key\_status) | Access key status to apply | `string` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Controls if resources should be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_access_key"></a> [create\_access\_key](#input\_create\_access\_key) | Whether to create IAM access key | `bool` | `true` | no |
+| <a name="input_create_inline_policy"></a> [create\_inline\_policy](#input\_create\_inline\_policy) | Determines whether to create an inline policy | `bool` | `false` | no |
 | <a name="input_create_login_profile"></a> [create\_login\_profile](#input\_create\_login\_profile) | Whether to create IAM user login profile | `bool` | `true` | no |
 | <a name="input_create_ssh_key"></a> [create\_ssh\_key](#input\_create\_ssh\_key) | Whether to upload a public ssh key to the IAM user | `bool` | `false` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | When destroying this user, destroy even if it has non-Terraform-managed IAM access keys, login profile or MFA devices. Without force\_destroy a user with non-Terraform-managed access keys and login profile will fail to be destroyed | `bool` | `false` | no |
+| <a name="input_inline_policy_permissions"></a> [inline\_policy\_permissions](#input\_inline\_policy\_permissions) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for inline policy permissions | <pre>map(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string, "Allow")<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      variable = string<br/>      values   = list(string)<br/>    })))<br/>  }))</pre> | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Desired name for the IAM user | `string` | `""` | no |
+| <a name="input_override_inline_policy_documents"></a> [override\_inline\_policy\_documents](#input\_override\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
 | <a name="input_password_length"></a> [password\_length](#input\_password\_length) | The length of the generated password | `number` | `null` | no |
 | <a name="input_password_reset_required"></a> [password\_reset\_required](#input\_password\_reset\_required) | Whether the user should be forced to reset the generated password on first login | `bool` | `true` | no |
 | <a name="input_path"></a> [path](#input\_path) | Desired path for the IAM user | `string` | `null` | no |
 | <a name="input_permissions_boundary"></a> [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the user | `string` | `null` | no |
 | <a name="input_pgp_key"></a> [pgp\_key](#input\_pgp\_key) | Either a base-64 encoded PGP public key, or a keybase username in the form `keybase:username`. Used to encrypt password and access key | `string` | `null` | no |
 | <a name="input_policies"></a> [policies](#input\_policies) | Policies to attach to the IAM user in `{'static_name' = 'policy_arn'}` format | `map(string)` | `{}` | no |
+| <a name="input_source_inline_policy_documents"></a> [source\_inline\_policy\_documents](#input\_source\_inline\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |
 | <a name="input_ssh_key_encoding"></a> [ssh\_key\_encoding](#input\_ssh\_key\_encoding) | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | `string` | `"SSH"` | no |
 | <a name="input_ssh_public_key"></a> [ssh\_public\_key](#input\_ssh\_public\_key) | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | `string` | `""` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
diff --git a/modules/iam-user/main.tf b/modules/iam-user/main.tf
@@ -1,3 +1,11 @@
+################################################################################
+# Locals
+################################################################################
+
+locals {
+  create_iam_user_inline_policy = var.create && var.create_inline_policy
+}
+
 ################################################################################
 # User
 ################################################################################
@@ -20,6 +28,66 @@ resource "aws_iam_user_policy_attachment" "additional" {
   policy_arn = each.value
 }
 
+################################################################################
+# IAM User Inline policy
+################################################################################
+
+data "aws_iam_policy_document" "inline" {
+  count = local.create_iam_user_inline_policy ? 1 : 0
+
+  source_policy_documents   = var.source_inline_policy_documents
+  override_policy_documents = var.override_inline_policy_documents
+
+  dynamic "statement" {
+    for_each = var.inline_policy_permissions != null ? var.inline_policy_permissions : {}
+
+    content {
+      sid           = try(coalesce(statement.value.sid, statement.key))
+      actions       = statement.value.actions
+      not_actions   = statement.value.not_actions
+      effect        = statement.value.effect
+      resources     = statement.value.resources
+      not_resources = statement.value.not_resources
+
+      dynamic "principals" {
+        for_each = statement.value.principals != null ? statement.value.principals : []
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = statement.value.not_principals != null ? statement.value.not_principals : []
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = statement.value.condition != null ? statement.value.condition : []
+
+        content {
+          test     = condition.value.test
+          values   = condition.value.values
+          variable = condition.value.variable
+        }
+      }
+    }
+  }
+}
+
+resource "aws_iam_user_policy" "inline" {
+  count = local.create_iam_user_inline_policy ? 1 : 0
+
+  user   = aws_iam_user.this[0].name
+  name   = var.name
+  policy = data.aws_iam_policy_document.inline[0].json
+}
+
 ################################################################################
 # User Login Profile
 ################################################################################
diff --git a/modules/iam-user/variables.tf b/modules/iam-user/variables.tf
@@ -109,3 +109,51 @@ variable "ssh_public_key" {
   type        = string
   default     = ""
 }
+
+################################################################################
+# IAM User Inline policy
+################################################################################
+
+variable "create_inline_policy" {
+  description = "Determines whether to create an inline policy"
+  type        = bool
+  default     = false
+}
+
+variable "source_inline_policy_documents" {
+  description = "List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s"
+  type        = list(string)
+  default     = []
+}
+
+variable "override_inline_policy_documents" {
+  description = "List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`"
+  type        = list(string)
+  default     = []
+}
+
+variable "inline_policy_permissions" {
+  description = "A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for inline policy permissions"
+  type = map(object({
+    sid           = optional(string)
+    actions       = optional(list(string))
+    not_actions   = optional(list(string))
+    effect        = optional(string, "Allow")
+    resources     = optional(list(string))
+    not_resources = optional(list(string))
+    principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    not_principals = optional(list(object({
+      type        = string
+      identifiers = list(string)
+    })))
+    condition = optional(list(object({
+      test     = string
+      variable = string
+      values   = list(string)
+    })))
+  }))
+  default = null
+}
diff --git a/wrappers/iam-user/README.md b/wrappers/iam-user/README.md
@@ -64,37 +64,80 @@ module "wrapper" {
 }
 ```
 
-## Example: Manage multiple S3 buckets in one Terragrunt layer
+## Example: Manage multiple IAM users in one Terragrunt layer
 
-`eu-west-1/s3-buckets/terragrunt.hcl`:
+`eu-west-1/iam-users/terragrunt.hcl`:
 
 ```hcl
 terraform {
-  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  source = "tfr:///terraform-aws-modules/iam/aws//wrappers/iam-user"
   # Alternative source:
-  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-iam.git//wrappers/iam-user?ref=master"
 }
 
 inputs = {
   defaults = {
     force_destroy = true
-
-    attach_elb_log_delivery_policy        = true
-    attach_lb_log_delivery_policy         = true
-    attach_deny_insecure_transport_policy = true
-    attach_require_latest_tls_policy      = true
+    pgp_key       = "keybase:test"
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
   }
 
   items = {
-    bucket1 = {
-      bucket = "my-random-bucket-1"
-    }
-    bucket2 = {
-      bucket = "my-random-bucket-2"
-      tags = {
-        Secure = "probably"
+    user1 = {
+      name = "john.doe"
+      create_inline_policy = true
+      inline_policy_permissions = {
+        s3_access = {
+          effect = "Allow"
+          actions = ["s3:GetObject", "s3:ListBucket"]
+          resources = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
+        }
       }
     }
+    user2 = {
+      name = "jane.smith"
+      create_login_profile = false
+      create_access_key = true
+    }
   }
 }
 ```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_wrapper"></a> [wrapper](#module\_wrapper) | ../../modules/iam-user | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_defaults"></a> [defaults](#input\_defaults) | Map of default values which will be used for each item. | `any` | `{}` | no |
+| <a name="input_items"></a> [items](#input\_items) | Maps of items to create a wrapper from. Values are passed through to the module. | `any` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_wrapper"></a> [wrapper](#output\_wrapper) | Map of outputs of a wrapper. |
+<!-- END_TF_DOCS -->
diff --git a/wrappers/iam-user/main.tf b/wrappers/iam-user/main.tf
