Day-16 AWS IAM User Management with Terraform

Published: January 7, 2026 at 10:08 AM EST
3 min read
Source: Dev.to

Managing IAM users manually in AWS is fine… until it isn’t.
When your team grows, clicking around the console becomes painful and chaotic.

This demo shows a Terraform‑based IAM user management system where:

  • Users are defined in a CSV file
  • Groups and memberships are auto‑assigned
  • Everything is reproducible, version‑controlled, and scalable

Overview

The demo manages:

  • IAM Users
  • IAM Groups
  • Group Memberships

All driven by a single CSV file. Instead of manually creating users, you simply update the CSV, run terraform apply, and you’re done.

Prerequisites

Make sure you have:

  • AWS CLI configured (aws configure)
  • Terraform v1.0+ installed
  • IAM permissions to create users & groups
  • An S3 bucket for remote Terraform state

Quick Start

1️⃣ Configure the S3 Backend (backend.tf)

# The bucket must already exist (see Prerequisites); use your own globally unique name
terraform {
  backend "s3" {
    bucket = "my-aws-terraform-state-bucket-amit-123"
    key    = "Day-16/terraform/terraform.tfstate"
    region = "us-east-1"
  }
}

2️⃣ Initialize Terraform

terraform init

3️⃣ Review Changes

terraform plan

4️⃣ Apply Configuration

terraform apply -auto-approve

5️⃣ Project File Structure

Day16/terraform
├── backend.tf          # S3 backend configuration
├── provider.tf         # AWS provider setup
├── versions.tf         # Terraform & provider versions
├── main.tf             # IAM users + CSV parsing
├── groups.tf           # Groups and memberships
├── users.csv           # User data source
└── README.md           # Project overview

How It Works (Step‑by‑Step)

Step 1 – Read Users from CSV

# Read users from CSV
locals {
  users = csvdecode(file("users.csv"))
}

Step 2 – Create IAM Users

# Create IAM users
resource "aws_iam_user" "users" {
  # Map keyed by first_name: each CSV row becomes one resource instance,
  # so the CSV must not contain two users with the same first name
  for_each = { for user in local.users : user.first_name => user }

  # Username = first initial + last name, lower-cased (e.g. Michael Scott -> mscott)
  name = lower("${substr(each.value.first_name, 0, 1)}${each.value.last_name}")
  path = "/users/"

  tags = {
    DisplayName = "${each.value.first_name} ${each.value.last_name}"
    Department  = each.value.department
    JobTitle    = each.value.job_title
  }
}

Username format: {first_initial}{lastname} (e.g., Michael Scott → mscott)
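Because the for_each map is keyed on first_name and the IAM user name is derived from the CSV, a bad row only surfaces at plan or apply time. The script below is an added example, not part of the post's project: it replays the same username rule over the CSV before Terraform runs and reports duplicate for_each keys, username collisions and names IAM would reject. The sample rows are constructed for the demonstration.

```python
import csv
import io
import re
from collections import Counter

# IAM user names: 1-64 characters from [A-Za-z0-9+=,.@_-] (AWS constraint)
IAM_NAME_RE = re.compile(r"^[\w+=,.@-]{1,64}$", re.ASCII)


def username_for(row):
    """Mirror the Terraform expression lower("${substr(first_name,0,1)}${last_name}")."""
    return (row["first_name"][:1] + row["last_name"]).lower()


def validate_users_csv(text):
    """Return the problems that would break terraform plan/apply, in order:
    duplicate for_each keys (plan-time error), then per row an invalid IAM
    name or a username collision (EntityAlreadyExists at apply time)."""
    rows = list(csv.DictReader(io.StringIO(text)))  # same shape as csvdecode()
    problems = []
    for key, n in Counter(r["first_name"] for r in rows).items():
        if n > 1:
            problems.append(f"duplicate for_each key first_name={key!r} ({n} rows)")
    seen = {}  # derived username -> display name of the first row that produced it
    for r in rows:
        name = username_for(r)
        display = f"{r['first_name']} {r['last_name']}"
        if not IAM_NAME_RE.match(name):
            problems.append(f"invalid IAM user name {name!r} for {display}")
        if name in seen:
            problems.append(f"username collision {name!r}: {seen[name]} and {display}")
        else:
            seen[name] = display
    return problems


# Constructed sample (not the post's users.csv): the Halpert rows collide on the
# derived name "jhalpert", the Kevin rows on the for_each key, and the
# apostrophe in O'Brien is not allowed in an IAM user name.
SAMPLE_CSV = """first_name,last_name,department,job_title
Michael,Scott,Education,Regional Manager
Jim,Halpert,Sales,Sales Representative
Jane,Halpert,Accounting,Accountant
Kevin,Malone,Accounting,Accountant
Kevin,O'Brien,Sales,Sales Representative
"""

if __name__ == "__main__":
    for problem in validate_users_csv(SAMPLE_CSV):
        print("ERROR:", problem)
```

Run it as a pre-commit or CI step on users.csv so a non-empty result blocks the apply.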

Step 3 – Enable Console Access

# Create IAM user login profile (console password)
resource "aws_iam_user_login_profile" "users" {
  for_each = aws_iam_user.users

  user                    = each.value.name
  password_reset_required = true

  # The user changes the password on first login, so do not let later
  # plans try to reset these attributes
  lifecycle {
    ignore_changes = [
      password_length,
      password_reset_required,
    ]
  }
}

Step 4 – Create Groups & Memberships

# Create IAM Groups
resource "aws_iam_group" "education" {
  name = "Education"
  path = "/groups/"
}

resource "aws_iam_group" "managers" {
  name = "Managers"
  path = "/groups/"
}

resource "aws_iam_group" "engineers" {
  name = "Engineers"
  path = "/groups/"
}

Groups are created once; memberships are assigned dynamically (not shown here for brevity).

Terraform Outputs

After apply, you can inspect:

terraform output account_id
terraform output user_names
terraform output user_passwords   # sensitive

Useful for verification and automation.

Sample Users List (users.csv)

first_name,last_name,department,job_title
Michael,Scott,Education,Regional Manager
Dwight,Schrute,Sales,Assistant to the Regional Manager
Jim,Halpert,Sales,Sales Representative
Pam,Beesly,Reception,Receptionist
Ryan,Howard,Temps,Temp
Andy,Bernard,Sales,Sales Representative
Robert,California,Corporate,CEO
Stanley,Hudson,Sales,Sales Representative
Kevin,Malone,Accounting,Accountant
Angela,Martin,Accounting,Accountant
Oscar,Martinez,Accounting,Accountant
Phyllis,Vance,Sales,Sales Representative
Toby,Flenderson,HR,HR Representative
Kelly,Kapoor,Customer Service,Customer Service Representative
Darryl,Philbin,Warehouse,Warehouse Foreman
Creed,Bratton,Quality Assurance,Quality Assurance
Meredith,Palmer,Supplier Relations,Supplier Relations
Erin,Hannon,Reception,Receptionist
Gabe,Lewis,Corporate,Coordinating Director of Emerging Regions
Jan,Levinson,Corporate,Vice President of Northeast Sales
David,Wallace,Corporate,CFO
Holly,Flax,HR,HR Representative
Charles,Miner,Corporate,Vice President of the Northeast Region
Jo,Bennett,Corporate,CEO of Sabre
Clark,Green,Sales,Sales Representative
Pete,Miller,Customer Service,Customer Service Representative

Cleanup

To remove all created resources:

terraform destroy

Warning: This will delete all users, groups, and memberships.

Troubleshooting

Error: Backend Access Denied

Check your AWS credentials:

aws sts get-caller-identity

Error: User Already Exists

Import the existing user into the state:

terraform import 'aws_iam_user.users["Michael"]' mscott   # quote the address so the shell keeps the brackets

Or delete the existing user manually:

aws iam delete-login-profile --user-name mscott
# delete-user fails with DeleteConflict while the user still has group memberships, access keys or attached policies
aws iam delete-user --user-name mscott

Success!

Your AWS IAM infrastructure is now managed as code. You can:

  • Add new users by editing the CSV
  • Modify group memberships by changing user attributes
  • Version control all changes
  • Replicate this setup across multiple AWS accounts

Happy Terraforming! 🚀
