How to Deploy AWS IAM Users, User Groups, Policies and Roles Using Terraform

6 min readApr 1, 2023

Introduction

AWS Identity and Access Management (IAM) is a powerful service that enables you to manage access to your AWS resources. With IAM, you can create and manage IAM users, groups, roles, and policies to grant or deny access to specific resources or actions.

Terraform, a popular infrastructure as a code tool, can deploy IAM resources in a reliable, consistent, and repeatable manner. This article will explore how to use Terraform to create and manage IAM users, groups, and policies in AWS. We will cover the basics of IAM, the benefits of using Terraform for IAM deployments, and provide step-by-step instructions for deploying IAM resources using Terraform. By the end of this article, you will have a solid understanding of using Terraform to deploy IAM resources and streamline your AWS infrastructure management.

source: https://aws.amazon.com/iam/getting-started

What is AWS IAM?

AWS users are individual identities that can be created and managed within an AWS account. Each user is assigned a set of security credentials, including a username and password, or access keys, which are used to authenticate and authorize access to AWS resources.

What is AWS User Group?

AWS user groups are collections of users that share common permissions and access to AWS resources. By assigning permissions to a group rather than to individual users, you can simplify the management of access to resources.

What is AWS Role?

AWS roles are a way to delegate access to AWS resources. Rather than assigning permissions to individual users, you can create a role and define a set of permissions that the role can assume. This allows you to grant permissions to applications, services, or other AWS accounts, without the need to share long-term access keys.

What is AWS User Policy?

AWS policies are documents that define permissions and access levels for AWS resources. They can be attached to users, groups, or roles and define which actions can be performed on which resources. Policies are written in a JSON format and can be customized to meet the specific needs of your organization.

Prerequisites:

Install Terraform CLI
Install AWS CLI
AWS Account
Code Editor (I used VS Code for this deployment)
Reference: https://registry.terraform.io/

Let’s get started!

Create IAM user and a Developer group, and align IAM user as part of this Developer Group.

Deployment Process

Creating an IAM User: In this task, we used Terraform to create a new IAM user named “achintha”. We also generated access and secret keys for the user and downloaded them.
Creating an IAM Group: In this task, we used Terraform to create a new IAM group named “terraform-developers”. We then added the “achintha” user to the group.
Attaching an AWS Managed Policy: In this task, we used Terraform to attach an AWS managed policy (in this case, the “AmazonRDSFullAccess” policy) to the “developers” group.
Creating a Custom IAM Policy: In this task, we used Terraform to create a custom IAM policy that allows users in the “terraform-developers” group to start and stop EC2 instances. We then attached this policy to the group.
Creating a New IAM Role: In this task, we used Terraform to create a new IAM role and attach the “CloudWatchAgentServerPolicy” managed policy to it.

Steps:

Create provider.tf

The provider.tf file in Terraform is a configuration file that specifies the cloud provider and its corresponding plugin that Terraform will use to manage resources in that provider.

In this case my region is “ap-southeast-1”.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~>4"
    }
  }
}

provider "aws" {
  profile = "default"
  region  = "ap-southeast-1"

}

2. Create iam.tf

2.1. Create IAM User

resource "aws_iam_user" "achintha" {
  name = "achintha"

  tags = {
    creator = "achintha"
  }
}

2.2 Create Access key and Secret key

In this case, I’m going to create a secret key and access key for my IAM user. So the credentials CSV file automatically downloads our local directory environment.

#create access key ID and secret key 
resource "aws_iam_access_key" "achintha_access_key" {
  user = aws_iam_user.achintha.name
}

output "access_key_id" {
  value = aws_iam_access_key.achintha_access_key.id
  sensitive = true
}

output "secret_access_key" {
  value = aws_iam_access_key.achintha_access_key.secret
  sensitive = true
}

locals {
  achintha_keys_csv = "access_key,secret_key\n${aws_iam_access_key.achintha_access_key.id},${aws_iam_access_key.achintha_access_key.secret}"
}

resource "local_file" "achintha_keys" {
  content  = local.achintha_keys_csv
  filename = "achintha-keys.csv"
}

2.3. Create a User Group

I created an IAM user. So now I’m going to create a new user group and attach an IAM user to it.

resource "aws_iam_group" "terraform-developers" {
  name = "terraform-developers"
}

resource "aws_iam_group_membership" "achintha_membership" {
  name = aws_iam_user.achintha.name
  users = [aws_iam_user.achintha.name]
  group = aws_iam_group.terraform-developers.name
}

2.4. Create AWS-managed policy and Custom policy And attach user group

In this example, I attached AWS custom policy (AmazonRDSFullAccess) and created EC2 Custom policy for a start and stop ec2 instance.

#rds full
data "aws_iam_policy" "rds_full_access" {
  arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
}

#ec2 custome

data "aws_iam_policy_document" "ec2_instance_actions" {
  statement {
    actions = [
      "ec2:StartInstances",
      "ec2:StopInstances",
    ]

    resources = [
      "arn:aws:ec2:*:*:instance/*",
    ]
  }
}

resource "aws_iam_policy" "ec2_instance_actions" {
  name        = "ec2_instance_actions"
  policy      = data.aws_iam_policy_document.ec2_instance_actions.json
}

2.5. Attached AWS managed and custom Policies for the User group

resource "aws_iam_group_policy_attachment" "terraform-developers_rds_full_access" {
  policy_arn = data.aws_iam_policy.rds_full_access.arn
  group      = aws_iam_group.terraform-developers.name
}

resource "aws_iam_group_policy_attachment" "developers_ec2_instance_actions" {
  policy_arn = aws_iam_policy.ec2_instance_actions.arn
  group      = aws_iam_group.terraform-developers.name
}

2.6. Create IAM Role

In this case, I created IAM role for accessing cloudwatch server agent.

resource "aws_iam_role" "terraform-cloudwatchagent-role" {
  name = "terraform-cloudwatchagent-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action    = "sts:AssumeRole"
      }
    ]
  })
}

#attache role policies
resource "aws_iam_role_policy_attachment" "my_role_policy_attachment" {
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy" # Update with your desired policy
  role       = aws_iam_role.terraform-cloudwatchagent-role.name
}

Summary view of the terraform files in VS code:

Let’s deploy!

Make sure you have already inserted your AWS credentials and are operating from the root directory before starting these Terraform commands.

terraform init

The terraform init the command is used to initialize a new or existing Terraform configuration. This command downloads the required provider plugins and sets up the backend for storing state.

terraform init

2. terraform plan

The terraform plan the command is used to create an execution plan for the Terraform configuration. This command shows what resources Terraform will create, modify, or delete when applied.