From 03fdcbb698f43bd285b545d2d9dc82be7d6ca6ed Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 9 May 2022 14:18:39 -0400
Subject: [PATCH] make all settings changable through account_settings variable
---
 iam-account-settings/README.md | 1 +
 iam-account-settings/main.tf | 27 ++++++++++++++++++---------
 iam-account-settings/variables.tf | 6 ++++++
 3 files changed, 25 insertions(+), 9 deletions(-)
diff --git a/iam-account-settings/README.md b/iam-account-settings/README.md
index fdd7a38..1942268 100644
--- a/iam-account-settings/README.md
+++ b/iam-account-settings/README.md
@@ -42,6 +42,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_settings](#input\_account\_settings) | Map of account setting values to change. See resource docs for aws\_iam\_account\_password\_policy for values | `map(string)` | `{}` | no |
 | [account\_usage](#input\_account\_usage) | AWS Account Usage (what we are using it for) | `string` | `""` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
diff --git a/iam-account-settings/main.tf b/iam-account-settings/main.tf
index c11f6a4..2c08b51 100644
--- a/iam-account-settings/main.tf
+++ b/iam-account-settings/main.tf
@@ -34,13 +34,22 @@ resource "aws_iam_account_alias" "alias" {
 }
 
 resource "aws_iam_account_password_policy" "account_settings" {
- allow_users_to_change_password = true
- hard_expiry = false
- max_password_age = 89
- minimum_password_length = 14
- password_reuse_prevention = 24
- require_lowercase_characters = true
- require_numbers = true
- require_symbols = true
- require_uppercase_characters = true
+ # allow_users_to_change_password = true
+ # hard_expiry = false
+ # max_password_age = 89
+ # minimum_password_length = 14
+ # password_reuse_prevention = 24
+ # require_lowercase_characters = true
+ # require_numbers = true
+ # require_symbols = true
+ # require_uppercase_characters = true
+ allow_users_to_change_password = lookup(var.account_settings, "allow_users_to_change_password", local_defaults["allow_users_to_change_password"])
+ hard_expiry = lookup(var.account_settings, "hard_expiry", local_defaults["hard_expiry"])
+ max_password_age = lookup(var.account_settings, "max_password_age", local_defaults["max_password_age"])
+ minimum_password_length = lookup(var.account_settings, "minimum_password_length", local_defaults["minimum_password_length"])
+ password_reuse_prevention = lookup(var.account_settings, "password_reuse_prevention", local_defaults["password_reuse_prevention"])
+ require_lowercase_characters = lookup(var.account_settings, "require_lowercase_characters", local_defaults["require_lowercase_characters"])
+ require_numbers = lookup(var.account_settings, "require_numbers", local_defaults["require_numbers"])
+ require_symbols = lookup(var.account_settings, "require_symbols", local_defaults["require_symbols"])
+ require_uppercase_characters = lookup(var.account_settings, "require_uppercase_characters", local_defaults["require_uppercase_characters"])
 }
diff --git a/iam-account-settings/variables.tf b/iam-account-settings/variables.tf
index 1d1338b..5bb9d61 100644
--- a/iam-account-settings/variables.tf
+++ b/iam-account-settings/variables.tf
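Review bot: Every `lookup()` fallback on the new side references `local_defaults["…"]`, which is not a valid Terraform reference form — named values are addressed as `local.<name>`, and a bare identifier followed by an index is parsed as a resource-type reference — so `terraform validate` will most likely reject this resource block. The diffstat (25 insertions across README.md, main.tf and variables.tf) accounts for every added line, so this patch introduces no `locals` block carrying these defaults; define one, e.g. `locals { account_settings_defaults = { allow_users_to_change_password = true, hard_expiry = false, max_password_age = 89, minimum_password_length = 14, password_reuse_prevention = 24, require_lowercase_characters = true, require_numbers = true, require_symbols = true, require_uppercase_characters = true } }`, and reference it as `local.account_settings_defaults["minimum_password_length"]`. The nine commented-out assignments above the lookups then duplicate that map and will drift from it; drop them rather than keep the old values as dead comments. Because `var.account_settings` is `map(string)`, overrides arrive as strings ("true", "89") and depend on Terraform's implicit conversion at the resource arguments, which is worth stating in a comment on the resource so the next maintainer does not change the variable type without revisiting these lookups.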
@@ -3,3 +3,9 @@ variable "account_usage" {
 type = string
 default = ""
 }
+
+variable "account_settings" {
+ description = "Map of account setting values to change. See resource docs for aws_iam_account_password_policy for values"
+ type = map(string)
+ default = {}
+}
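Review bot: `account_settings` accepts any key and any string with no `validation` block, so a misspelled key (say `minimum_password_lenght`) is silently ignored by the `lookup()` calls in main.tf and the module default stays in effect with no warning, while a correctly spelled key can lower the password policy below the baseline the module previously hard-coded (14-character minimum, 24-password reuse history). If the module targets Terraform 0.13 or later, reject unknown keys with `setsubtract(keys(var.account_settings), [...])` and put a floor under the settings that define the baseline so an override can only strengthen them; the fence below shows both checks. If a consumer genuinely needs a weaker policy, that is better expressed as an explicit, separately named variable than as a silent map override. The `account_usage` block at the top of the hunk is context whose opening line lies outside the hunk.
```hcl
variable "account_settings" {
  description = "Map of account setting values to change. See resource docs for aws_iam_account_password_policy for values"
  type        = map(string)
  default     = {}

  # main.tf only looks up the nine known argument names, so any other key would be ignored silently.
  validation {
    condition = length(setsubtract(keys(var.account_settings), [
      "allow_users_to_change_password", "hard_expiry", "max_password_age",
      "minimum_password_length", "password_reuse_prevention", "require_lowercase_characters",
      "require_numbers", "require_symbols", "require_uppercase_characters",
    ])) == 0
    error_message = "account_settings contains a key that is not an aws_iam_account_password_policy argument."
  }

  # Overrides may tighten the baseline but not loosen it below the module's former hard-coded values.
  validation {
    condition     = tonumber(lookup(var.account_settings, "minimum_password_length", 14)) >= 14
    error_message = "minimum_password_length must be at least 14."
  }

  validation {
    condition     = tonumber(lookup(var.account_settings, "password_reuse_prevention", 24)) >= 24
    error_message = "password_reuse_prevention must be at least 24."
  }
}
```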