diff --git a/iam-account-settings/README.md b/iam-account-settings/README.md
index fdd7a38..1942268 100644
--- a/iam-account-settings/README.md
+++ b/iam-account-settings/README.md
@@ -42,6 +42,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_settings](#input\_account\_settings) | Map of account setting values to change. See resource docs for aws\_iam\_account\_password\_policy for values | `map(string)` | `{}` | no |
| [account\_usage](#input\_account\_usage) | AWS Account Usage (what we are using it for) | `string` | `""` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/iam-account-settings/main.tf b/iam-account-settings/main.tf
index c11f6a4..2c08b51 100644
--- a/iam-account-settings/main.tf
+++ b/iam-account-settings/main.tf
@@ -34,13 +34,22 @@ resource "aws_iam_account_alias" "alias" {
}
resource "aws_iam_account_password_policy" "account_settings" {
- allow_users_to_change_password = true
- hard_expiry = false
- max_password_age = 89
- minimum_password_length = 14
- password_reuse_prevention = 24
- require_lowercase_characters = true
- require_numbers = true
- require_symbols = true
- require_uppercase_characters = true
+ # allow_users_to_change_password = true
+ # hard_expiry = false
+ # max_password_age = 89
+ # minimum_password_length = 14
+ # password_reuse_prevention = 24
+ # require_lowercase_characters = true
+ # require_numbers = true
+ # require_symbols = true
+ # require_uppercase_characters = true
+ allow_users_to_change_password = lookup(var.account_settings, "allow_users_to_change_password", local_defaults["allow_users_to_change_password"])
+ hard_expiry = lookup(var.account_settings, "hard_expiry", local_defaults["hard_expiry"])
+ max_password_age = lookup(var.account_settings, "max_password_age", local_defaults["max_password_age"])
+ minimum_password_length = lookup(var.account_settings, "minimum_password_length", local_defaults["minimum_password_length"])
+ password_reuse_prevention = lookup(var.account_settings, "password_reuse_prevention", local_defaults["password_reuse_prevention"])
+ require_lowercase_characters = lookup(var.account_settings, "require_lowercase_characters", local_defaults["require_lowercase_characters"])
+ require_numbers = lookup(var.account_settings, "require_numbers", local_defaults["require_numbers"])
+ require_symbols = lookup(var.account_settings, "require_symbols", local_defaults["require_symbols"])
+ require_uppercase_characters = lookup(var.account_settings, "require_uppercase_characters", local_defaults["require_uppercase_characters"])
}
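Review bot: The new argument values on the `allow_users_to_change_password` through `require_uppercase_characters` lines reference a bare `local_defaults[...]`, which is not a valid Terraform reference — locals are read as `local.<name>`, and nothing in this diff adds a `locals` block that defines the nine defaults, so the plan will fail with an invalid-reference error unless that block exists somewhere outside the diff (even then the reference form is still wrong). The previous hard-coded values were commented out (`# allow_users_to_change_password = true` …) rather than moved into a locals map; they should become the defaults map and the commented lines deleted, since dead comments here will drift from whatever the real baseline is. One last point worth noting: `lookup()` silently ignores any key in `var.account_settings` that is not one of these nine names, so a misspelled override leaves the default in place without any warning — keep that in mind when reviewing callers. Proposed shape for the defaults and the first argument follows; the remaining eight arguments change the same way.
```hcl
locals {
  # Baseline password policy; any key can be overridden per account via var.account_settings.
  password_policy_defaults = {
    allow_users_to_change_password = true
    hard_expiry                    = false
    max_password_age               = 89
    minimum_password_length        = 14
    password_reuse_prevention      = 24
    require_lowercase_characters   = true
    require_numbers                = true
    require_symbols                = true
    require_uppercase_characters   = true
  }
}

resource "aws_iam_account_password_policy" "account_settings" {
  allow_users_to_change_password = lookup(var.account_settings, "allow_users_to_change_password", local.password_policy_defaults["allow_users_to_change_password"])
  # … unchanged: remaining eight arguments, each using local.password_policy_defaults["<key>"] as the lookup default …
}
```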
diff --git a/iam-account-settings/variables.tf b/iam-account-settings/variables.tf
index 1d1338b..5bb9d61 100644
--- a/iam-account-settings/variables.tf
+++ b/iam-account-settings/variables.tf
@@ -3,3 +3,9 @@ variable "account_usage" {
type = string
default = ""
}
+
+variable "account_settings" {
+ description = "Map of account setting values to change. See resource docs for aws_iam_account_password_policy for values"
+ type = map(string)
+ default = {}
+}
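Review bot: `account_settings` is an unconstrained `map(string)`, so any caller can silently weaken the account password policy below the module's own baseline (the removed values in main.tf were 14 characters, 24-password reuse prevention, 89-day maximum age) — e.g. passing `minimum_password_length = "6"` is accepted without complaint — and a misspelled key is ignored entirely because main.tf reads the map with `lookup()`. Both are cheap to catch at plan time with `validation` blocks on the variable: reject keys that are not `aws_iam_account_password_policy` arguments, and refuse overrides that drop below the baseline for the strength-related settings. The description should also say that values are strings that Terraform converts to bool/number (`"true"`, `"14"`), since the `map(string)` type is not obvious from the README text. Proposed variable body:
```hcl
variable "account_settings" {
  description = "Map of aws_iam_account_password_policy argument overrides (values are strings, e.g. \"true\" or \"14\"); keys not listed in main.tf are rejected and strength settings may not fall below the module baseline."
  type        = map(string)
  default     = {}

  # lookup() in main.tf ignores unknown keys, so a typo would silently keep the default.
  validation {
    condition = alltrue([
      for k in keys(var.account_settings) : contains([
        "allow_users_to_change_password", "hard_expiry", "max_password_age",
        "minimum_password_length", "password_reuse_prevention",
        "require_lowercase_characters", "require_numbers", "require_symbols",
        "require_uppercase_characters",
      ], k)
    ])
    error_message = "account_settings contains a key that is not an aws_iam_account_password_policy argument."
  }

  # Do not let a caller weaken the baseline (14 chars, 24 reuse, max 90 days).
  validation {
    condition = (
      tonumber(lookup(var.account_settings, "minimum_password_length", "14")) >= 14 &&
      tonumber(lookup(var.account_settings, "password_reuse_prevention", "24")) >= 24 &&
      tonumber(lookup(var.account_settings, "max_password_age", "89")) >= 1 &&
      tonumber(lookup(var.account_settings, "max_password_age", "89")) <= 90
    )
    error_message = "minimum_password_length must be >= 14, password_reuse_prevention >= 24 and max_password_age between 1 and 90."
  }
}
```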