Manages an IAM User Login Profile with limited support for password creation during Terraform resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.

resource "aws_iam_user" "example" {
  name          = "example"
  path          = "/"
  force_destroy = true
}

resource "aws_iam_user_login_profile" "example" {
  user    = aws_iam_user.example.name
  pgp_key = "keybase:some_person_that_exists"
}

output "password" {
  value = aws_iam_user_login_profile.example.encrypted_password
}

This resource supports the following arguments:

- user - (Required) The IAM user's name.
- pgp_key - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
- password_length - (Optional) The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is 20.
- password_reset_required - (Optional) Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.

This resource exports the following attributes in addition to the arguments above:

- password - The plain text password, only available when pgp_key is not provided.
- key_fingerprint - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on Terraform resource creation, not import.
- encrypted_password - The encrypted password, base64 encoded. Only available if password was handled on Terraform resource creation, not import.

In Terraform v1.5.0 and later, use an import block to import IAM User Login Profiles without password information via the IAM User name. For example:

import {
  to = aws_iam_user_login_profile.example
  id = "myusername"
}

Using terraform import, import IAM User Login Profiles without password information via the IAM User name. For example:
% terraform import aws_iam_user_login_profile.example myusername
Since Terraform has no method to read the PGP or password information during import, use the Terraform resource lifecycle configuration block ignore_changes argument to ignore them (unless you want to recreate a password). For example:

resource "aws_iam_user_login_profile" "example" {
  # ... other configuration ...

  lifecycle {
    ignore_changes = [
      password_length,
      password_reset_required,
      pgp_key,
    ]
  }
}
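
Because the password attribute holds the plain text password whenever pgp_key is not provided, that value is also recorded in Terraform state. The following check is an added example, not part of the provider documentation: it walks the JSON produced by `terraform show -json` and reports login profiles that left a plaintext password in state or did not force a reset. The sample state, resource addresses, and the choice to flag a missing password_reset_required are assumptions of this example.

```python
# Constructed sample shaped like `terraform show -json` output; not real state.
SAMPLE_STATE = {"values": {"root_module": {
    "resources": [
        {"address": "aws_iam_user_login_profile.plain",
         "type": "aws_iam_user_login_profile",
         "values": {"user": "alice", "pgp_key": None, "password": "constructed-value",
                    "encrypted_password": None, "password_reset_required": False}},
        {"address": "aws_iam_user_login_profile.imported",
         "type": "aws_iam_user_login_profile",
         "values": {"user": "carol", "pgp_key": None, "password": None,
                    "encrypted_password": None, "password_reset_required": None}},
    ],
    "child_modules": [{"address": "module.team", "resources": [
        {"address": "module.team.aws_iam_user_login_profile.pgp",
         "type": "aws_iam_user_login_profile",
         "values": {"user": "bob", "pgp_key": "keybase:some_person_that_exists",
                    "password": None, "encrypted_password": "Y29uc3RydWN0ZWQ=",
                    "password_reset_required": False}},
    ]}],
}}}

def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def audit_login_profiles(state):
    """Return {address: [issues]} for login profiles whose password Terraform created."""
    findings = {}
    root = (state.get("values") or {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_iam_user_login_profile":
            continue
        vals = res.get("values", {})
        if not (vals.get("password") or vals.get("encrypted_password")):
            continue  # imported profile: no password information in state
        issues = []
        if vals.get("password"):
            issues.append("plaintext password stored in state (pgp_key not provided)")
        if not vals.get("password_reset_required"):
            issues.append("password_reset_required is not true")
        if issues:
            findings[res["address"]] = issues
    return findings

if __name__ == "__main__":
    for address, issues in audit_login_profiles(SAMPLE_STATE).items():
        print(address, "->", "; ".join(issues))
```

To run it against a real workspace, pass `audit_login_profiles` the result of `json.load` on saved `terraform show -json` output, and treat that file as sensitive since it contains the same secrets as the state.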