
Resource: aws_iam_user_login_profile

Manages an IAM User Login Profile with limited support for password creation during Terraform resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.

-> To reset an IAM User login password via Terraform, you can use the terraform taint command or change any of the arguments.

Example Usage

import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsIamUserExample = new aws.iamUser.IamUser(this, "example", {
  forceDestroy: true,
  name: "example",
  path: "/",
});
const awsIamUserLoginProfileExample =
  new aws.iamUserLoginProfile.IamUserLoginProfile(this, "example_1", {
    pgpKey: "keybase:some_person_that_exists",
    user: awsIamUserExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamUserLoginProfileExample.overrideLogicalId("example");
new cdktf.TerraformOutput(this, "password", {
  value: awsIamUserLoginProfileExample.encryptedPassword,
});

Argument Reference

The following arguments are supported:

  • user - (Required) The IAM user's name.
  • pgpKey - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
  • passwordLength - (Optional) The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is 20.
  • passwordResetRequired - (Optional) Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • password - The plain text password, only available when pgpKey is not provided.
  • keyFingerprint - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on Terraform resource creation, not import.
  • encryptedPassword - The encrypted password, base64 encoded. Only available if password was handled on Terraform resource creation, not import.

~> NOTE: The encrypted password may be decrypted using the command line, for example: terraform output password | base64 --decode | keybase pgp decrypt.
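The attribute behaviour above can be checked before apply. The following is an added example, not part of the provider documentation: it scans synthesized Terraform JSON (the cdk.tf.json written by cdktf synth) for login profiles without pgp_key and for outputs that reference the plain text password attribute. The sample configuration, the "legacy" resource and the choice to report password_reset_required when it is not true are assumptions made for illustration.

```typescript
// Relevant parts of a synthesized Terraform JSON file (cdk.tf.json).
type Block = Record<string, unknown>;
interface TfJson {
  resource?: Record<string, Record<string, Block>>;
  output?: Record<string, Block>;
}
interface Finding { address: string; issue: string }

const TYPE = "aws_iam_user_login_profile";
// Matches <type>.<name>.password but not .encrypted_password or .password_length.
const PLAIN_REF = new RegExp(`${TYPE}\\.[\\w-]+\\.password\\b`);

function auditLoginProfiles(tf: TfJson): Finding[] {
  const findings: Finding[] = [];
  for (const [name, cfg] of Object.entries(tf.resource?.[TYPE] ?? {})) {
    const address = `${TYPE}.${name}`;
    const pgpKey = cfg["pgp_key"];
    if (typeof pgpKey !== "string" || pgpKey.trim() === "") {
      // Without pgp_key the plain text `password` attribute is populated.
      findings.push({ address, issue: "no pgp_key: plain text password is exported" });
    }
    if (cfg["password_reset_required"] !== true) {
      // Policy assumption of this example: generated passwords must be rotated.
      findings.push({ address, issue: "password_reset_required is not true" });
    }
  }
  for (const [name, out] of Object.entries(tf.output ?? {})) {
    if (PLAIN_REF.test(String(out["value"] ?? ""))) {
      findings.push({ address: `output.${name}`, issue: "output exposes plain text password" });
    }
  }
  return findings;
}

// Constructed sample input: one profile as in the page's example, one without a key.
const SAMPLE: TfJson = {
  resource: {
    aws_iam_user_login_profile: {
      example: { user: "example", pgp_key: "keybase:some_person_that_exists",
                 password_reset_required: true },
      legacy: { user: "legacy-user" },
    },
  },
  output: {
    password: { value: "${aws_iam_user_login_profile.example.encrypted_password}" },
    legacy_password: { value: "${aws_iam_user_login_profile.legacy.password}" },
  },
};

console.log(auditLoginProfiles(SAMPLE));
```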

Import

IAM User Login Profiles can be imported without password information support via the IAM User name, e.g.,

$ terraform import aws_iam_user_login_profile.example myusername

Since Terraform has no method to read the PGP or password information during import, use the Terraform resource lifecycle configuration block ignoreChanges argument to ignore them unless password recreation is desired. E.g.,

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
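const awsIamUserLoginProfileExample =
  new aws.iamUserLoginProfile.IamUserLoginProfile(this, "example", {
    /*... other configuration ...
    user is required; "myusername" is the name used in the import command above.*/
    user: "myusername",
  });
/*ignore_changes takes the Terraform attribute names as plain strings, not "${...}" interpolations.*/
awsIamUserLoginProfileExample.addOverride("lifecycle", [
  {
    ignore_changes: ["password_length", "password_reset_required", "pgp_key"],
  },
]);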