Resource: awsIamUserLoginProfile
Manages an IAM User Login Profile with limited support for password creation during Terraform resource creation. Uses PGP to encrypt the password for safe transport to the user. PGP keys can be obtained from Keybase.
-> To reset an IAM User login password via Terraform, you can use the terraform taint command or change any of the arguments.
Example Usage
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsIamUserExample = new aws.iamUser.IamUser(this, "example", {
  forceDestroy: true,
  name: "example",
  path: "/",
});
const awsIamUserLoginProfileExample =
  new aws.iamUserLoginProfile.IamUserLoginProfile(this, "example_1", {
    pgpKey: "keybase:some_person_that_exists",
    user: awsIamUserExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamUserLoginProfileExample.overrideLogicalId("example");
new cdktf.TerraformOutput(this, "password", {
  value: awsIamUserLoginProfileExample.encryptedPassword,
});
Argument Reference
The following arguments are supported:
user - (Required) The IAM user's name.
pgpKey - (Optional) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
passwordLength - (Optional) The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is 20.
passwordResetRequired - (Optional) Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
password - The plain text password, only available when pgpKey is not provided.
keyFingerprint - The fingerprint of the PGP key used to encrypt the password. Only available if password was handled on Terraform resource creation, not import.
encryptedPassword - The encrypted password, base64 encoded. Only available if password was handled on Terraform resource creation, not import.
~> NOTE: The encrypted password may be decrypted using the command line, for example: terraform output password | base64 --decode | keybase pgp decrypt.
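An added example, not part of the provider documentation: a pre-deploy check over the arguments above that flags a missing pgpKey (the password attribute then holds the plain text password) and classifies the pgpKey value. The LoginProfileArgs shape, the function names, the Keybase username pattern and the requirement that the base-64 form wrap a binary rather than ASCII-armored export are assumptions.

```typescript
// Added example: pre-deploy review of IamUserLoginProfile arguments (hypothetical helper names).
type PgpKeyKind = "keybase" | "binary-public-key" | "armored-public-key" | "invalid";

interface LoginProfileArgs {
  user: string;
  pgpKey?: string;
  passwordResetRequired?: boolean;
}

const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
// Constructed sample: base64 of bytes 98 33 04, a public-key packet header only, not a usable key.
const SAMPLE_PUBLIC_KEY_HEADER = "mDME";

// OpenPGP packet tag from the first header byte (RFC 4880, section 4.2).
function openPgpTag(raw: Buffer): number | null {
  if (raw.length === 0 || (raw[0] & 0x80) === 0) return null; // bit 7 is always set
  return raw[0] & 0x40 ? raw[0] & 0x3f : (raw[0] >> 2) & 0x0f; // new vs old format
}

function classifyPgpKey(value: string): PgpKeyKind {
  // Assumption: Keybase usernames are letters, digits and underscores.
  if (/^keybase:[A-Za-z0-9_]+$/.test(value)) return "keybase";
  // Validate strictly: Buffer.from(..., "base64") silently skips bad characters.
  if (value.length === 0 || !BASE64.test(value)) return "invalid";
  const raw = Buffer.from(value, "base64");
  if (raw.toString("latin1").startsWith("-----BEGIN PGP PUBLIC KEY BLOCK-----")) {
    return "armored-public-key";
  }
  return openPgpTag(raw) === 6 ? "binary-public-key" : "invalid"; // tag 6 = public key
}

function reviewLoginProfile(args: LoginProfileArgs): string[] {
  const findings: string[] = [];
  if (args.pgpKey === undefined) {
    findings.push("no pgpKey: the password attribute will hold the plain text password");
    if (!args.passwordResetRequired) {
      findings.push("passwordResetRequired is not set for a plain text password");
    }
    return findings;
  }
  const kind = classifyPgpKey(args.pgpKey);
  if (kind === "armored-public-key") {
    // Assumption: the base-64 form must wrap the binary export, not the armored text.
    findings.push("pgpKey is base64 of an ASCII-armored key; encode the binary export");
  } else if (kind === "invalid") {
    findings.push("pgpKey is neither keybase:username nor a base64 PGP public key");
  }
  return findings;
}
```

An empty result from reviewLoginProfile means the password will only be exported as encryptedPassword; a secret-key export passed by mistake has packet tag 5 and is reported as invalid.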
Import
IAM User Login Profiles can be imported without password information support via the IAM User name, e.g.,
Since Terraform has no method to read the PGP or password information during import, use the Terraform resource lifecycle configuration block ignoreChanges argument to ignore them unless password recreation is desired. E.g.,
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsIamUserLoginProfileExample =
  new aws.iamUserLoginProfile.IamUserLoginProfile(this, "example", {
    /*user is required; "example" is a placeholder for the imported IAM user's name.*/
    user: "example",
  });
/*ignore_changes takes plain attribute names, not "${...}" interpolations.*/
awsIamUserLoginProfileExample.addOverride("lifecycle", [
  {
    ignore_changes: [
      "password_length",
      "password_reset_required",
      "pgp_key",
    ],
  },
]);