DEV Community

Jeeva

🚀 Terraform Day 16: Bulk IAM User Management Using Terraform (CSV AWS)

🧩 What We’re Building
A fully automated IAM user management system using Terraform that:
✔ Reads users from a CSV file
✔ Creates IAM users dynamically
✔ Assigns users to groups based on attributes
✔ Creates console login profiles
✔ Forces password reset on first login
✔ Uses remote state (S3) like real production setups

📄 Step 1: Users CSV File
All user data comes from a CSV file. The first line is the header; csvdecode() uses those column names as the keys of every row, so the header must match the attribute names used in the rest of the configuration.
Example:
firstname,lastname,department,role
Michael,Scott,management,manager
Jim,Halpert,engineering,engineer
Pam,Beesly,design,designer

This mimics HR-provided onboarding data.

🔄 Step 2: Decode CSV into Terraform Data
Terraform reads the CSV using csvdecode().

locals {
  users = csvdecode(file("${path.module}/users.csv"))
}

This converts the CSV into a list of maps, one per data row, with every value typed as a string (first row shown). Every row must have the same number of fields as the header, otherwise csvdecode() fails the plan:
[
  {
    firstname  = "Michael"
    lastname   = "Scott"
    department = "management"
    role       = "manager"
  }
]

👤 Step 3: Create IAM Users Dynamically
We use for_each to create one IAM user per CSV row.

resource "aws_iam_user" "users" {
  for_each = {
    for user in local.users :
    lower("${substr(user.firstname, 0, 1)}${user.lastname}") => user
  }

  name = each.key
}

The key is the first initial plus the last name, lower-cased (Michael Scott becomes mscott). Because for_each needs unique keys, two rows that reduce to the same key fail the plan with "Duplicate object key" instead of silently merging into one user; resolve the collision in the CSV. IAM user names are limited to 64 characters from the set [\w+=,.@-], so a surname containing a space or an apostrophe must be normalized before it reaches this expression.

✅ No copy-paste
✅ Fully scalable
✅ Naming standardized

πŸ” Step 4: Enable Console Login (Securely)
Create login profiles with temporary passwords.

resource "aws_iam_user_login_profile" "login" {
for_each = aws_iam_user.users

user = each.value.name
password_reset_required = true
}

πŸ”’ Best practice:
Users must reset password on first login
Passwords should never be printed or stored in outputs

👥 Step 5: Create IAM Groups
resource "aws_iam_group" "engineers" {
  name = "engineers"
}

resource "aws_iam_group" "managers" {
  name = "managers"
}

πŸ” Step 6: Assign Users to Groups Dynamically

Users are added to groups based on CSV attributes.

Example: Engineers group
resource "aws_iam_group_membership" "engineering" {
name = "engineering-members"
group = aws_iam_group.engineers.name

users = [
for k, u in aws_iam_user.users :
u.name
if can(regex("engineering", local.users[*].department[k]))
]
}

βœ” Conditional logic
βœ” Error-safe using can()
βœ” Zero hardcoding

πŸ—„οΈ Step 7: Use Remote Backend (Production Practice)
terraform {
backend "s3" {
bucket = "terraform-remote-state-bucket"
key = "iam/day16/terraform.tfstate"
region = "us-east-1"
}
}

Why remote state matters:
Team collaboration
Locking
Security
Disaster recovery
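
To tie the seven steps together, here is a complete, hardened version of the module as an added example; it is not the article's own code. It generalizes the post: groups are derived from the distinct department values instead of being declared one by one, each user is attached with the non-exclusive aws_iam_user_group_membership resource, the naming rule lives in a single local so the user resource and the group lookup cannot drift apart, and the login profile takes a PGP key so that only the encrypted password reaches state. The bucket name, the DynamoDB lock table terraform-state-lock, the variable onboarding_pgp_key and the provider region are assumptions.

```hcl
# Added example, not the article's code. Assumes users.csv beside this file with
# the header firstname,lastname,department,role, an existing state bucket and
# lock table (names assumed), and an operator PGP public key passed as a variable.

terraform {
  required_version = ">= 1.3"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }

  backend "s3" {
    bucket         = "terraform-remote-state-bucket" # assumed name
    key            = "iam/day16/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                  # server-side encryption of the state object
    dynamodb_table = "terraform-state-lock" # assumed name; enables state locking
  }
}

provider "aws" {
  region = "us-east-1" # assumed
}

# Base64-encoded PGP public key (or "keybase:<user>") of the person who hands out
# initial passwords. With this set, only the PGP-encrypted password reaches state.
variable "onboarding_pgp_key" {
  type = string
}

locals {
  rows = csvdecode(file("${path.module}/users.csv"))

  # One canonical place for the naming rule: first initial + last name, lower-cased.
  # Building a map here means a collision (two rows yielding the same key) fails
  # at plan time with "Duplicate object key" instead of silently merging users.
  users_by_key = {
    for u in local.rows :
    lower("${substr(u.firstname, 0, 1)}${u.lastname}") => u
  }

  # Groups are derived from the data, so a new department in the CSV needs no new HCL.
  departments = toset(local.rows[*].department)
}

resource "aws_iam_user" "users" {
  for_each = local.users_by_key

  name = each.key

  # Tags keep the CSV attributes visible in the console and in CloudTrail later.
  tags = {
    Department = each.value.department
    Role       = each.value.role
  }
}

resource "aws_iam_user_login_profile" "login" {
  for_each = aws_iam_user.users

  user                    = each.value.name
  pgp_key                 = var.onboarding_pgp_key
  password_length         = 20
  password_reset_required = true
}

resource "aws_iam_group" "by_department" {
  for_each = local.departments

  name = each.key
}

# One membership resource per user, attaching the user to the group named after
# their department. aws_iam_user_group_membership is non-exclusive: it manages only
# the groups listed here, so other configuration may add the same user to other
# (non-overlapping) groups without a fight over the member list.
resource "aws_iam_user_group_membership" "dept" {
  for_each = aws_iam_user.users

  user   = each.value.name
  groups = [aws_iam_group.by_department[local.users_by_key[each.key].department].name]
}

# Only the PGP-encrypted blob is exposed. Decrypt it with the matching private key
# (base64 -d, then gpg --decrypt) and hand it to the user out of band.
output "encrypted_initial_passwords" {
  value = {
    for k, p in aws_iam_user_login_profile.login : k => p.encrypted_password
  }
}
```

With the sample CSV this produces three users (mscott, jhalpert, pbeesly), three login profiles, three groups (management, engineering, design) and three memberships; adding a row with a new department adds the group automatically, and a duplicate derived key stops the plan before anything is created.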

📦 Result After terraform apply

Terraform creates:
IAM users
Login profiles
IAM groups
Group memberships

In one run:
✔ One user and one login profile per CSV row, plus the groups and their memberships
✔ Fully automated
✔ Auditable
✔ Repeatable