AWS Terraform IAM User Management
Source: Dev.to
Introduction
Managing IAM users by hand in AWS quickly becomes complex, error-prone and hard to scale. As a team grows, you need a repeatable, auditable and secure way to manage users, groups, permissions and security controls such as MFA. This guide shows how to manage AWS IAM users with Terraform, using a CSV file as the single source of truth.
Advantages of Terraform for IAM
- Centralised, version-controlled user management
- Simple user onboarding and offboarding
- Consistent security policy across teams
- Fewer manual errors
- Idempotent, auditable changes
Setup Overview
- IAM users created dynamically from a CSV file
- IAM groups for Education, Managers and Engineers
- Group membership assigned automatically from user attributes
- Password reset enforced on console access
- MFA enforced across all groups
- Permissions managed at group level
The CSV file becomes the single source of truth for identity data.
Load User Data from CSV
locals {
  users = csvdecode(file("users.csv")) // List of maps, one per CSV row
}
Terraform turns each row into a map, so we can iterate over the users dynamically. Adding or removing a user is just an edit to the CSV.
IAM Users
resource "aws_iam_user" "users" {
  # Keyed by first name: every first_name in the CSV must be unique, or the
  # map literal fails at plan time with a duplicate-key error.
  for_each = { for user in local.users : user.first_name => user }

  name = lower("${substr(each.value.first_name, 0, 1)}${each.value.last_name}")
  path = "/users/"

  tags = {
    DisplayName = "${each.value.first_name} ${each.value.last_name}"
    Department  = each.value.department
    JobTitle    = each.value.job_title
    Email       = each.value.email
    Phone       = each.value.phone
  }
}
- User names are generated automatically (first initial + last name)
- Tags hold rich metadata for filtering, auditing and policies
- No hard-coded users
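The post keys the users map by first name and does not check the generated user names, so two people called Alice break the plan and two people whose initial and surname coincide would collide on the IAM user name. The block below is an added example, not code from the original post: it embeds a constructed users.csv inline so it stands alone, keys the map by e-mail address (assumed unique per row), and uses terraform_data preconditions (Terraform 1.4+) to fail the plan when the CSV would produce duplicate or invalid IAM user names.

```hcl
# Added example, not from the original post. The CSV below is constructed and
# embedded inline so the block is self-contained; in the real module keep
# csvdecode(file("users.csv")) and drop users_csv.
locals {
  users_csv = <<-EOT
    first_name,last_name,department,job_title,email,phone
    Alice,Smith,Engineering,Senior Engineer,alice.smith@example.com,+1-555-0100
    Bob,Jones,Education,Trainer,bob.jones@example.com,+1-555-0101
    Alice,Lee,Management,Engineering Manager,alice.lee@example.com,+1-555-0102
  EOT

  users = csvdecode(local.users_csv)

  # Same user-name rule as the post: first initial + last name, lower-cased.
  usernames = [
    for u in local.users : lower("${substr(u.first_name, 0, 1)}${u.last_name}")
  ]

  # IAM user names may only contain [A-Za-z0-9+=,.@_-] and are at most 64 chars.
  invalid_usernames = [
    for n in local.usernames : n if !can(regex("^[A-Za-z0-9+=,.@_-]{1,64}$", n))
  ]

  # The e-mail column is the for_each key (assumption: unique per row), so the
  # two "Alice" rows above do not collide the way they would with first_name.
  emails = [for u in local.users : u.email]
}

# Fail the plan, not the apply, when the CSV would produce broken identities.
resource "terraform_data" "users_csv_guard" {
  lifecycle {
    precondition {
      condition     = length(local.usernames) == length(distinct(local.usernames))
      error_message = "users.csv produces duplicate IAM user names."
    }
    precondition {
      condition     = length(local.emails) == length(distinct(local.emails))
      error_message = "users.csv contains duplicate e-mail addresses, which are used as the for_each key."
    }
    precondition {
      condition     = length(local.invalid_usernames) == 0
      error_message = "users.csv produces user names that violate IAM naming rules."
    }
  }
}

resource "aws_iam_user" "users" {
  for_each   = { for u in local.users : u.email => u }
  depends_on = [terraform_data.users_csv_guard]

  name = lower("${substr(each.value.first_name, 0, 1)}${each.value.last_name}")
  path = "/users/"

  tags = {
    DisplayName = "${each.value.first_name} ${each.value.last_name}"
    Department  = each.value.department
    JobTitle    = each.value.job_title
    Email       = each.value.email
    Phone       = each.value.phone
  }
}
```

Changing the for_each key also changes every resource address, so on an existing state you need moved blocks or terraform state mv before applying, otherwise Terraform plans to destroy and recreate every user.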
Console Access (Login Profiles)
resource "aws_iam_user_login_profile" "users" {
  for_each = aws_iam_user.users

  user                    = each.value.name
  password_reset_required = true

  # Once the user has changed their password, stop Terraform from recreating
  # the profile just because these attributes no longer match the plan.
  lifecycle {
    ignore_changes = [
      password_reset_required,
      password_length
    ]
  }
}
Forcing a password reset on first login follows security best practice. Note that without a pgp_key on the login profile, the generated initial password is written to the Terraform state in plain text, so the state backend must be protected accordingly.
IAM Groups
resource "aws_iam_group" "education" {
  name = "Education"
  path = "/groups/"
}

resource "aws_iam_group" "managers" {
  name = "Managers"
  path = "/groups/"
}

resource "aws_iam_group" "engineers" {
  name = "Engineers"
  path = "/groups/"
}
Managing permissions at the group level simplifies operations.
Automatic Group Membership
resource "aws_iam_group_membership" "education_members" {
  name  = "education-group-membership"
  group = aws_iam_group.education.name
  users = [
    for user in aws_iam_user.users : user.name
    if user.tags.Department == "Education"
  ]
}

resource "aws_iam_group_membership" "managers_members" {
  name  = "managers-group-membership"
  group = aws_iam_group.managers.name
  users = [
    for user in aws_iam_user.users : user.name
    if contains(keys(user.tags), "JobTitle") &&
    can(regex("Manager|CEO", user.tags.JobTitle))
  ]
}

resource "aws_iam_group_membership" "engineers_members" {
  name  = "engineers-group-membership"
  group = aws_iam_group.engineers.name
  users = [
    for user in aws_iam_user.users : user.name
    if user.tags.Department == "Engineering"
  ]
}
This removes the manual step of assigning group members and keeps membership accurate. Note that aws_iam_group_membership manages the group's complete member list, so any user added to the group outside Terraform is removed on the next apply.
MFA Enforcement
Terraform cannot enrol an MFA device on a user's behalf, but it can enforce MFA use through an IAM policy.
resource "aws_iam_policy" "require_mfa" {
  name        = "Require-MFA"
  description = "Deny access unless MFA is enabled"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyAllExceptMFA"
        Effect   = "Deny"
        Action   = "*"
        Resource = "*"
        Condition = {
          # BoolIfExists also matches when the key is absent, e.g. requests
          # signed with long-term access keys, not only console sessions.
          BoolIfExists = {
            "aws:MultiFactorAuthPresent" = "false"
          }
        }
      }
    ]
  })
}
Attach MFA Policy to Groups
resource "aws_iam_group_policy_attachment" "mfa_enforcement" {
  for_each = {
    education = aws_iam_group.education.name
    managers  = aws_iam_group.managers.name
    engineers = aws_iam_group.engineers.name
  }

  group      = each.value
  policy_arn = aws_iam_policy.require_mfa.arn
}
Every user in these groups must have MFA enabled to access AWS.
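As written, the Deny policy above blocks every action for a user who does not yet have MFA, including the IAM calls needed to register a device and the forced first-login password change, so a freshly onboarded user is locked out. The following is an added example, not the post's code: a replacement for aws_iam_policy.require_mfa that keeps the deny-without-MFA rule but carves out the self-enrolment actions, scoped to the caller's own user and MFA device. It assumes the data.aws_caller_identity.current data source from the post and the "/users/" path given to the IAM users.

```hcl
# Added example, not the post's code. Replaces aws_iam_policy.require_mfa with a
# policy that still lets a user without MFA enrol a device and complete the
# forced password change. Assumes data.aws_caller_identity.current from the
# post and the "/users/" path used for the IAM users.
locals {
  # Actions a user must be able to run before they have an MFA device.
  mfa_bootstrap_actions = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ResyncMFADevice",
    "iam:ListMFADevices",
    "iam:GetUser",
    "iam:ChangePassword",
  ]
}

data "aws_iam_policy_document" "require_mfa" {
  # Scope the bootstrap actions to the caller's own user and MFA device.
  # $${aws:username} is escaped so Terraform passes the IAM policy variable through.
  statement {
    sid     = "AllowManageOwnMFA"
    effect  = "Allow"
    actions = local.mfa_bootstrap_actions
    resources = [
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/users/$${aws:username}",
      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/$${aws:username}",
    ]
  }

  # These two APIs do not support resource-level ARNs.
  statement {
    sid       = "AllowListVirtualMFADevices"
    effect    = "Allow"
    actions   = ["iam:ListVirtualMFADevices", "iam:GetAccountPasswordPolicy"]
    resources = ["*"]
  }

  # Everything else is denied until MFA is present. BoolIfExists also matches
  # requests where the key is absent, such as calls made with long-term access keys.
  statement {
    sid    = "DenyAllExceptMFABootstrap"
    effect = "Deny"
    not_actions = concat(local.mfa_bootstrap_actions, [
      "iam:ListVirtualMFADevices",
      "iam:GetAccountPasswordPolicy",
      "sts:GetSessionToken",
    ])
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "require_mfa" {
  name        = "Require-MFA"
  description = "Deny access unless MFA is enabled, except for MFA self-enrolment"
  policy      = data.aws_iam_policy_document.require_mfa.json
}
```

The group attachments from the post work unchanged with this resource. sts:GetSessionToken is left out of the deny so that a user with access keys can obtain MFA-authenticated temporary credentials; everything else still requires an MFA-backed session.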
Permissions via Managed Policies
resource "aws_iam_group_policy_attachment" "education_readonly" {
  group      = aws_iam_group.education.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_group_policy_attachment" "managers_admin" {
  group      = aws_iam_group.managers.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_group_policy_attachment" "engineers_poweruser" {
  group      = aws_iam_group.engineers.name
  policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
}
- Education users get read-only access
- Managers get full administrator access
- Engineers get PowerUser access (manage resources, but not IAM)
Additional Useful Data
data "aws_caller_identity" "current" {}
Used for outputs, debugging, and making sure Terraform is running in the correct AWS account.
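Reading the caller identity only tells you which account you ended up in; it does not stop an apply against the wrong one. The block below is an added example, not from the post: it pins the AWS provider to an expected account with the provider's allowed_account_ids argument, so a mistaken profile or environment variable aborts before any IAM change, and exposes the caller identity as an output for plan review. The account id is a placeholder to replace with your own.

```hcl
# Added example, not from the post. The account id is a placeholder to be
# replaced with your own; allowed_account_ids is a real AWS provider argument.
variable "expected_account_id" {
  type        = string
  description = "The only AWS account this configuration may manage IAM in"
  default     = "123456789012" # placeholder, not a real account
}

provider "aws" {
  region = "us-east-1"
  # The provider refuses to initialise when the credentials resolve to a
  # different account, so a wrong profile cannot apply IAM changes elsewhere.
  allowed_account_ids = [var.expected_account_id]
}

# Same data source as in the post, repeated here so the block stands alone.
data "aws_caller_identity" "current" {}

# Surface who and where Terraform is acting, for plan review and audit trails.
output "deploy_identity" {
  value = {
    account_id = data.aws_caller_identity.current.account_id
    caller_arn = data.aws_caller_identity.current.arn
  }
}
```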
Summary
- MFA enforced for all users
- Permissions assigned through groups rather than individual users
- Tags used to store metadata for auditing
- CSV-driven user lifecycle management
- Infrastructure that is fully reproducible and auditable
For production environments, AWS IAM Identity Center (SSO) is recommended in place of IAM users. This Terraform-based approach shows how identity can be treated as code rather than configuration. Combining CSV-driven data, dynamic group membership, MFA enforcement and least-privilege access gives you a scalable and secure IAM architecture suited to real environments.