make all settings changable through account_settings variable

iam-account-settings/README.md

@@ -42,6 +42,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_account_settings"></a> [account\_settings](#input\_account\_settings) | Map of account setting values to change.  See resource docs for aws\_iam\_account\_password\_policy for values | `map(string)` | `{}` | no |
 | <a name="input_account_usage"></a> [account\_usage](#input\_account\_usage) | AWS Account Usage (what we are using it for) | `string` | `""` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |

iam-account-settings/main.tf

@@ -34,13 +34,22 @@ resource "aws_iam_account_alias" "alias" {
 }
 
 resource "aws_iam_account_password_policy" "account_settings" {
-  allow_users_to_change_password = true
-  hard_expiry                    = false
-  max_password_age               = 89
-  minimum_password_length        = 14
-  password_reuse_prevention      = 24
-  require_lowercase_characters   = true
-  require_numbers                = true
-  require_symbols                = true
-  require_uppercase_characters   = true
+  #   allow_users_to_change_password = true
+  #   hard_expiry                    = false
+  #   max_password_age               = 89
+  #   minimum_password_length        = 14
+  #   password_reuse_prevention      = 24
+  #   require_lowercase_characters   = true
+  #   require_numbers                = true
+  #   require_symbols                = true
+  #   require_uppercase_characters   = true
+  allow_users_to_change_password = lookup(var.account_settings, "allow_users_to_change_password", local_defaults["allow_users_to_change_password"])
+  hard_expiry                    = lookup(var.account_settings, "hard_expiry", local_defaults["hard_expiry"])
+  max_password_age               = lookup(var.account_settings, "max_password_age", local_defaults["max_password_age"])
+  minimum_password_length        = lookup(var.account_settings, "minimum_password_length", local_defaults["minimum_password_length"])
+  password_reuse_prevention      = lookup(var.account_settings, "password_reuse_prevention", local_defaults["password_reuse_prevention"])
+  require_lowercase_characters   = lookup(var.account_settings, "require_lowercase_characters", local_defaults["require_lowercase_characters"])
+  require_numbers                = lookup(var.account_settings, "require_numbers", local_defaults["require_numbers"])
+  require_symbols                = lookup(var.account_settings, "require_symbols", local_defaults["require_symbols"])
+  require_uppercase_characters   = lookup(var.account_settings, "require_uppercase_characters", local_defaults["require_uppercase_characters"])
 }

iam-account-settings/variables.tf

@@ -3,3 +3,9 @@ variable "account_usage" {
   type        = string
   default     = ""
 }
+
+variable "account_settings" {
+  description = "Map of account setting values to change.  See resource docs for aws_iam_account_password_policy for values"
+  type        = map(string)
+  default     = {}
+}