14. Provision IAM User with Terraform

Published: (February 8, 2026 at 04:09 AM EST)
Source: Dev.to

Lab Information

The Nautilus DevOps team is experimenting with Terraform provisioners. Your task is to create an IAM user and use a local-exec provisioner to log a confirmation message.

  • Create an IAM user named iamuser_siva.
  • Use a local-exec provisioner with the IAM user resource to log the message
    KKE iamuser_siva has been created successfully! to a file called KKE_user_created.log under /home/bob/terraform.
  • All Terraform configuration should be placed in a single main.tf file (no separate .tf files for resources).
  • Use a variables.tf file to define the variable KKE_USER_NAME.
  • Use terraform.tfvars to provide the IAM user name.
  • Use an outputs.tf file to expose the IAM user name as kke_iam_user_name.

Lab Solutions

variables.tf

variable "KKE_USER_NAME" {
  type = string
}

terraform.tfvars

KKE_USER_NAME = "iamuser_siva"

main.tf

resource "aws_iam_user" "kke_user" {
  name = var.KKE_USER_NAME

  provisioner "local-exec" {
    command = "echo 'KKE ${var.KKE_USER_NAME} has been created successfully!' >> /home/bob/terraform/KKE_user_created.log"
  }
}

Important:

  • local-exec runs on the machine where Terraform is executed.
  • The command appends the message (safe if the file already exists).
  • Exact message text matters for grading.

outputs.tf

output "kke_iam_user_name" {
  value = aws_iam_user.kke_user.name
}

Terraform Commands (run in order)

terraform init
terraform validate
terraform apply
# When prompted, type: yes

Expected Results

bob@iac-server ~/terraform via 💠 default ➜  terraform apply 

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_iam_user.kke_user will be created
  + resource "aws_iam_user" "kke_user" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "iamuser_siva"
      + path          = "/"
      + tags_all      = (known after apply)
      + unique_id     = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + kke_iam_user_name = "iamuser_siva"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_iam_user.kke_user: Creating...
aws_iam_user.kke_user: Provisioning with 'local-exec'...
aws_iam_user.kke_user (local-exec): Executing: ["/bin/sh" "-c" "echo 'KKE iamuser_siva has been created successfully!' >> /home/bob/terraform/KKE_user_created.log"]
aws_iam_user.kke_user: Creation complete after 0s [id=iamuser_siva]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

kke_iam_user_name = "iamuser_siva"

Verify

Check the log file:

cat /home/bob/terraform/KKE_user_created.log

Expected output:

KKE iamuser_siva has been created successfully!

Step‑by‑Step Explanation

What the lab teaches

  • Terraform provisioners
  • Running local commands
  • Performing actions after resource creation

What is local-exec?

Runs the specified command on the machine executing Terraform, not inside AWS.
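
The command in main.tf splices var.KKE_USER_NAME into the string handed to /bin/sh -c, so any shell metacharacters in that value would be interpreted on the machine running Terraform. A hardened variant of variables.tf and main.tf follows, added here as an example and not part of the original lab solution: it validates the value and passes it through the provisioner's environment argument. The names KKE_USER and KKE_LOG and the character allow-list are assumptions of this example.

```hcl
# Added example (not the lab author's code): hardened variables.tf + main.tf.

variable "KKE_USER_NAME" {
  type = string

  # IAM user names may contain alphanumerics plus + = , . @ _ - (max 64 chars).
  # Assumption: this example narrows that to a smaller allow-list.
  validation {
    condition     = can(regex("^[A-Za-z0-9_.@-]{1,64}$", var.KKE_USER_NAME))
    error_message = "KKE_USER_NAME must be 1-64 characters from the set A-Z, a-z, 0-9, underscore, dot, at sign, hyphen."
  }
}

resource "aws_iam_user" "kke_user" {
  name = var.KKE_USER_NAME

  provisioner "local-exec" {
    # The command text is constant. The user name reaches the shell as data
    # in an environment variable instead of being interpolated into the
    # command string, and both expansions are double-quoted.
    command = "printf 'KKE %s has been created successfully!\\n' \"$KKE_USER\" >> \"$KKE_LOG\""

    # KKE_USER and KKE_LOG are hypothetical names chosen for this example.
    environment = {
      KKE_USER = self.name
      KKE_LOG  = "/home/bob/terraform/KKE_user_created.log"
    }
  }
}
```

The line written to KKE_user_created.log is the same as the one produced by the lab solution's echo command.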

Why attach the provisioner to the IAM user?

Provisioners execute after the resource is created, ensuring the log entry is written only if the user was successfully provisioned.

Why use variables?

  • Avoid hard‑coding values.
  • Make the configuration reusable.
  • The grader checks for proper variable usage.

What happens during terraform apply?

  1. Terraform reads terraform.tfvars.
  2. Creates the IAM user iamuser_siva.
  3. Executes the local-exec command on the local machine.
  4. Appends the confirmation message to the log file.
  5. Outputs the user name.

Common Mistakes

  • Writing to the wrong file path.
  • Using remote-exec instead of local-exec.
  • Misspelling the exact message text.
  • Forgetting to define or reference the variable.
  • Mismatching the output name (kke_iam_user_name).