AWS with Terraform (Day 16)

Advanced AWS IAM User Management with Terraform (CSV-Driven, MFA Enabled, Policies Added)

Today I pushed my IAM automation project further by turning a basic CSV-driven setup into a production-ready IAM onboarding system powered entirely by Terraform.
This wasn’t just about creating IAM users — the goal was to build a repeatable, scalable, secure identity-management workflow that any DevOps team can adopt.

What I Built Today

A complete IAM onboarding automation pipeline, including:

Bulk IAM user creation from CSV

  • Extended CSV now includes:
    first_name, last_name, email, phone, employe_id, department, job_title, location

  • Terraform loads the CSV with csvdecode()

  • Creates a typed list/map for dynamic iteration

Automated username generation

  • Normalized, lowercase usernames

  • Combines first name + last name + emp_id

  • Ensures uniqueness & traceability

Console access + MFA-first login

  • Users get a login profile

  • password_reset_required = true

  • Enforced MFA via IAM policies + dynamic group assignment

  • Strong security baseline for all new accounts

IAM Groups + Dynamic Membership

Automatically assigns users to groups based on CSV fields:

  • Engineering, HR, Education, Management, etc.

  • Filters built using for, for_each, conditional expressions

  • Uses can() to safely evaluate optional CSV keys

IAM Policies Attached

I added:

  • Least-privilege policies

  • MFA enforcement policy

  • Department-specific permissions

  • Custom JSON policies for restricted & privileged roles

Everything is driven by Terraform for reproducibility.

S3 Backend for Team Usage

  • Remote state stored in an encrypted S3 bucket

  • DynamoDB table for state locking

  • Safe for collaboration & CI/CD pipelines

Why This Matters

Traditional IAM user creation is:
❌ Manual
❌ Error-prone
❌ Inconsistent
❌ Hard to audit

My Day-16 setup fixes all of that.

Now IAM onboarding is:
✅ Automated
✅ Consistent
✅ Secure
✅ Version-controlled
✅ Auditable
✅ Scalable

A single CSV commit becomes the source of truth for onboarding/offboarding.

Key Terraform Concepts I Used

  • csvdecode() for structured data

  • for_each loops for IAM users

  • Dynamic group membership with list comprehensions

  • Conditional logic with can()

  • Sensitive variables & MFA enforcement

  • Reusable locals for usernames, tags, and department mapping

  • S3 backend + DynamoDB locking

Great real-world Terraform practice.

What’s Next

For Day 17, I plan to:

  • Turn this into a reusable Terraform module

  • Push passwords into AWS Secrets Manager

  • Add Slack/Email notifications for new user onboarding

  • Build a CI workflow for automated validation of CSV changes

Day 16 Summary

IAM user management is more than creating users — it's building a secure, automated identity workflow.

 Today’s work was a deep dive into real DevOps foundations: automation, repeatability, and security-first design.

You can check out the code here: https://github.com/Mo-Adnan-Mo-Ayyub/Aws-with-Terraform

You can check out the session here:


Comments

Post a Comment

Popular posts from this blog

AWS with Terraform (Day 01)

Image
  Terraform Fundamentals – Day 01 (My Learning Notes as a DevOps Engineer) Today I wrapped up Day-01 of my Terraform with AWS series, and even with my DevOps background, this session helped me tighten my fundamentals and rethink how I approach cloud provisioning. Terraform is something I’ve used before, but today was more about understanding why IaC matters at scale and why Terraform continues to dominate in real-world DevOps ecosystems. Understanding Infrastructure as Code (IaC) As a DevOps engineer, IaC is not new to me. But today’s session broke it down in a way that clarified its real value. IaC = Infrastructure represented as code. Instead of building resources manually through AWS/Azure/GCP consoles, we define everything in .tf files. This ensures our setup is predictable, repeatable, and version-controlled. What I liked most is how clearly the contrast was shown: Cloud-Agnostic Tools (Terraform / Pulumi) Work across AWS, Azure, GCP, Kubernetes, GitHub, etc. ...
Read more

AWS with Terraform (Day 02)

Image
  AWS with Terraform – Day 02 Deep Dive into Providers, Versioning & the Real “Bridge” Between Code and Cloud Today’s session took me from simply writing Terraform code to actually understanding the engine behind it — the Provider layer . And honestly, once this clicks, Terraform stops feeling like just a tool and starts feeling like a real engineering system. Here’s what I learned and how I’ve started applying it. Providers: The Plugin That Makes Terraform Real The simplest way I now understand it: Terraform writes the story. Providers translate it into cloud actions. Before today, I treated the provider block as just two lines of mandatory code. Now I see it as the translator that turns HCL into actual AWS API calls . Example: I write: resource "aws_s3_bucket" "demo" { bucket = "my-app-demo" } The AWS provider turns that into the exact S3 API request. This layer saves us from manually hitting APIs, building payloads, or juggling ...
Read more

AWS with Terraform (Day 06)

Image
Mastering Terraform File Structure: Best Practices for Scalable AWS Infrastructure as Code You've built your first AWS resources with Terraform in one big main.tf file. It works fine at first. But as your project grows, that single file turns into a mess. Resources pile up. Variables hide in plain sight. Debugging takes forever. Good news. You can fix this now. Split your Terraform files the right way. Follow HashiCorp's tips for a clean setup. This boosts readability. It helps teams work together. Plus, it scales for big AWS setups like VPCs, EC2s, and S3 buckets. Stick with me. You'll see hands-on steps to organize your root module today. The Anatomy of a Well-Organized Terraform Root Module The root directory acts as your Terraform project's heart. It's the root module. Here, you keep all key files. No strict rules exist for names. But smart choices make life easier. Start simple. Break one fat main.tf into focused files. This stops resource clutter. You n...
Read more