alibabacloud-automation/terraform-alicloud-ram-user

Terraform module which creates RAM users on Alibaba Cloud.

ram-user

This Terraform module creates a RAM user on Alibaba Cloud. You can choose whether to also create the user's login_profile and access_key and whether to bind policies to the user. The module also supports creating a RAM group, adding users to the RAM group, and binding policies to the RAM group.

Usage

Create a RAM user without any credentials and permissions.

module "ram-user-example" {
  source = "terraform-alicloud-modules/ram-user/alicloud"
  user_name = "test-user"
}

Create a RAM user and grant system policy permissions.

module "ram-user-example" {
  source                      = "terraform-alicloud-modules/ram-user/alicloud"
  user_name                   = "test-user"
  managed_system_policy_names = ["AliyunECSReadOnlyAccess", "AliyunRAMReadOnlyAccess"]
}

Create a RAM user and grant custom policy permissions. The custom policies need to be created in advance.

module "ram-user-example" {
  source                      = "terraform-alicloud-modules/ram-user/alicloud"
  user_name                   = "test-user"
  managed_custom_policy_names = ["MyCustomPolicyName"]
}

Create a RAM user and allow login to the AliCloud Web console.

module "ram-user-example" {
  source                        = "terraform-alicloud-modules/ram-user/alicloud"
  user_name                     = "test-user"
  create_ram_user_login_profile = true
  password                      = "Yourpassword_1234"
}

Create a RAM user and assign an AccessKey, which will be stored in the default secret file "secret.txt".

module "ram-user-example" {
  source                = "terraform-alicloud-modules/ram-user/alicloud"
  user_name             = "test-user"
  create_ram_access_key = true
}

Create a RAM user and assign an AccessKey, which is encrypted with the specified PGP public key.

module "ram-user-example" {
  source                = "terraform-alicloud-modules/ram-user/alicloud"
  user_name             = "test-user"
  create_ram_access_key = true
  pgp_key               = "Your-PGP-Public-Key-Here..."
}
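
A hardened variant that combines the console-login and PGP AccessKey snippets above, added here as an example and not taken from the module's own documentation. It uses only inputs and outputs listed in this README; the variable names initial_password and pgp_public_key and the module label ram_user_hardened are assumptions, and `sensitive = true` on a variable requires Terraform 0.14 or later.

```hcl
# Added example (not from the module's repository).
# Assumed names: var.initial_password, var.pgp_public_key, module "ram_user_hardened".

variable "initial_password" {
  description = "Initial console password, supplied out of band (e.g. TF_VAR_initial_password)."
  type        = string
  sensitive   = true # requires Terraform >= 0.14; keeps the value out of plan/apply output
}

variable "pgp_public_key" {
  description = "Base64-encoded PGP public key of the person who will receive the AccessKey."
  type        = string
}

module "ram_user_hardened" {
  source = "terraform-alicloud-modules/ram-user/alicloud"
  # version = "<reviewed-release>"  # placeholder: pin to a release you have reviewed

  user_name = "test-user"

  # Console login: no literal password in the configuration,
  # forced password change at first login, MFA binding required.
  create_ram_user_login_profile = true
  password                      = var.initial_password
  password_reset_required       = true
  mfa_bind_required             = true

  # AccessKey: the secret is returned PGP-encrypted, so only the holder
  # of the matching private key can read it.
  create_ram_access_key = true
  pgp_key               = var.pgp_public_key

  # Least privilege: attach only the read-only system policy that is needed.
  managed_system_policy_names = ["AliyunECSReadOnlyAccess"]
}

output "access_key_id" {
  value = module.ram_user_hardened.access_key_id
}

# Base64-encoded ciphertext; decode and decrypt it with the PGP private key.
output "access_key_encrypted_secret" {
  value = module.ram_user_hardened.access_key_encrypted_secret
}
```

The recipient can recover the secret with `terraform output -raw access_key_encrypted_secret | base64 --decode | gpg --decrypt` (the `-raw` flag also requires Terraform 0.14 or later).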

Notes

From version v2.0.0, the create_user_attachment parameter and the policies parameter have been removed from this module. You can manage custom and system policies through the managed_custom_policy_names and managed_system_policy_names parameters.

From version v2.0.0, the existing_user_name parameter has been removed from this module. You can create a RAM user with the user_name parameter.

From version v1.1.0, the module has removed the following explicit provider settings:

provider "alicloud" {
  profile                 = var.profile != "" ? var.profile : null
  shared_credentials_file = var.shared_credentials_file != "" ? var.shared_credentials_file : null
  region                  = var.region != "" ? var.region : null
  skip_region_validation  = var.skip_region_validation
  configuration_source    = "terraform-alicloud-modules/ram-user"
}

If you still want to use the provider setting to apply this module, you can specify a supported version, like 1.0.0:

module "ram_user" {
  source                        = "terraform-alicloud-modules/ram-user/alicloud"
  version                       = "1.0.0"
  region                        = "cn-beijing"
  profile                       = "Your-Profile-Name"
  name                          = "test-user"
  create_ram_user_login_profile = true
  // ...
}

If you want to upgrade the module to 1.1.0 or higher in place, you can define a provider with the same region as the one used previously:

provider "alicloud" {
  region  = "cn-beijing"
  profile = "Your-Profile-Name"
}
module "ram_user" {
  source                        = "terraform-alicloud-modules/ram-user/alicloud"
  name                          = "test-user"
  create_ram_user_login_profile = true
  // ...
}

Alternatively, if you have a multi-region deployment, you can define multiple providers using alias and explicitly pass the provider to the module:

provider "alicloud" {
  region  = "cn-beijing"
  profile = "Your-Profile-Name"
  alias   = "bj"
}
module "ram_user" {
  source = "terraform-alicloud-modules/ram-user/alicloud"
  providers = {
    alicloud = alicloud.bj
  }
  name                          = "test-user"
  create_ram_user_login_profile = true
  // ...
}

Then run terraform init and terraform apply so that the defined provider takes effect on the existing module state.

For more details, see How to use provider in the module.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |

Providers

| Name | Version |
|------|---------|
| alicloud | n/a |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| alicloud_ram_access_key.no_pgp | resource |
| alicloud_ram_access_key.this | resource |
| alicloud_ram_login_profile.this | resource |
| alicloud_ram_user.this | resource |
| alicloud_ram_user_policy_attachment.custom | resource |
| alicloud_ram_user_policy_attachment.system | resource |
| random_uuid.this | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| comments | Comment of the RAM user. This parameter can have a string of 1 to 128 characters. | string | null | no |
| create | Whether to create the RAM user. | bool | true | no |
| create_ram_access_key | Whether to create a RAM access key. Default value is 'false'. | bool | false | no |
| create_ram_user_login_profile | Whether to create a RAM user login profile. | bool | false | no |
| display_name | Name of the RAM user, used for display. | string | null | no |
| email | Email of the RAM user. | string | null | no |
| force_destroy_user | When destroying this user, destroy even if it has non-Terraform-managed RAM access keys, login profile or MFA devices. Without force_destroy, a user with non-Terraform-managed access keys and login profile will fail to be destroyed. | bool | false | no |
| managed_custom_policy_names | List of names of managed policies of Custom type to attach to the RAM user. | list(string) | [] | no |
| managed_system_policy_names | List of names of managed policies of System type to attach to the RAM user. | list(string) | [] | no |
| mfa_bind_required | Whether MFA needs to be bound when the user logs in. | bool | null | no |
| mobile | Phone number of the RAM user. This number must contain an international area code prefix, for example: 86-18600008888. | string | null | no |
| password | Login password of the user. | string | null | no |
| password_reset_required | Whether the password needs to be reset when the user logs in. | bool | null | no |
| pgp_key | Either a base-64 encoded PGP public key, or a keybase username in the form | string | null | no |
| secret_file | A file used to store the access key and secret key of the user. | string | null | no |
| status | Status of the access key. | string | "Active" | no |
| user_name | Desired name for the RAM user. If not set, a default name with prefix 'ram-user-' will be returned. | string | null | no |

Outputs

| Name | Description |
|------|-------------|
| access_key_encrypted_secret | The access key encrypted secret, base64 encoded |
| access_key_id | The access key ID |
| access_key_key_fingerprint | The fingerprint of the PGP key used to encrypt the secret |
| access_key_secret | The access key secret |
| access_key_status | Active or Inactive. Keys are initially active, but can be made inactive by other means. |
| pgp_key | PGP key used to encrypt sensitive data for this user (if empty, no encryption) |
| this_ram_user_unique_id | (Deprecated, use 'user_id') The unique ID assigned by alicloud |
| this_user_name | (Deprecated, use 'user_name') The name of RAM user |
| user_id | The unique ID assigned by alicloud |
| user_name | The name of RAM user |

Authors

Created and maintained by Alibaba Cloud Terraform Team ([email protected])

License

Apache 2 Licensed. See LICENSE for full details.
