Day 16: AWS IAM User Management with Terraform
I’m a Cloud & DevOps Engineer passionate about building reliable, scalable, and automated cloud infrastructures. I work extensively with AWS, Kubernetes, Terraform, Docker, and CI/CD pipelines to deliver production-ready environments.
My journey started in technical troubleshooting, where I gained strong root-cause analysis and system diagnostic skills. Transitioning into cloud engineering, I have built 3-tier microservices architectures, automated VPCs using Terraform, and containerized legacy applications for performance and portability.
I enjoy solving real-world problems, optimizing cloud cost and performance, and creating automated workflows that reduce manual effort. I’m continuously learning and applying best practices in DevOps, IaC, and cloud security.
Core Skills: AWS • Kubernetes • Docker • Terraform • CI/CD • Linux • Networking • Monitoring • Automation • Troubleshooting
Looking For: Cloud Engineer | DevOps Engineer | SRE (Junior/Mid-level) roles where I can build, automate, and scale cloud workloads.
Overview
This project demonstrates how to manage AWS IAM users, groups, group memberships, policies, and MFA enforcement using Terraform with a CSV file as the data source.
The goal is to implement data-driven IAM management, similar to how identity is managed in enterprise environments (Azure AD / AWS SSO conceptually).
All users, attributes, and access decisions are controlled declaratively using Terraform.
What Gets Created
- IAM Users created from a CSV file
- IAM Groups:
  - Education
  - Managers
  - Engineers
- Dynamic group memberships based on user attributes
- IAM Policies attached to groups
- MFA enforcement using IAM policy conditions
- User metadata stored as IAM tags
- Console access with password reset on first login
Prerequisites
- AWS CLI configured (`aws configure`)
- Terraform v1.0+
- AWS IAM permissions: IAM user, group, policy management
- S3 bucket for remote Terraform state (recommended)
Architecture Summary
CSV File (users.csv)
↓
Terraform (csvdecode)
↓
IAM Users (tags, login profiles)
↓
IAM Groups
↓
IAM Policies + MFA Enforcement
How It Works
Step 1: Read Users from CSV
```hcl
locals {
  users = csvdecode(file("users.csv"))
}
```
The CSV file acts as the single source of truth for all IAM users.
Step 2: Create IAM Users
```hcl
resource "aws_iam_user" "users" {
  for_each = { for user in local.users : user.username => user }

  name = each.value.username
  path = "/users/"

  tags = {
    DisplayName = "${each.value.first_name} ${each.value.last_name}"
    Department  = each.value.department
    JobTitle    = each.value.job_title
    Email       = each.value.email
    Phone       = each.value.phone
  }
}
```
- Users are created dynamically
- The stable `username` is used as the `for_each` key
- Metadata is stored as tags
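Because the CSV is the single source of truth, a malformed row is the most likely way to break an `apply` halfway through. The following is an added example (not the post's own code) that extends the Step 2 resource with `lifecycle` preconditions so that an invalid IAM user name, an empty required column, or a malformed email fails at `plan` time with a readable message. The `${path.module}` prefix and the exact regexes are my choices; the IAM user-name character set and 64-character limit are AWS constraints.

```hcl
# Added example: drop-in replacement for the Step 2 resource with input validation.
locals {
  users = csvdecode(file("${path.module}/users.csv"))
}

resource "aws_iam_user" "users" {
  for_each = { for user in local.users : user.username => user }

  name = each.value.username
  path = "/users/"

  tags = {
    DisplayName = "${each.value.first_name} ${each.value.last_name}"
    Department  = each.value.department
    JobTitle    = each.value.job_title
    Email       = each.value.email
    Phone       = each.value.phone
  }

  lifecycle {
    # IAM user names: 1-64 characters from [A-Za-z0-9+=,.@_-].
    precondition {
      condition     = can(regex("^[A-Za-z0-9+=,.@_-]{1,64}$", each.value.username))
      error_message = "users.csv: username '${each.value.username}' is not a valid IAM user name."
    }

    # Group membership keys off Department, so every attribute column must be filled in.
    precondition {
      condition = alltrue([
        for k in ["first_name", "last_name", "department", "job_title", "email"] :
        trimspace(each.value[k]) != ""
      ])
      error_message = "users.csv: row for '${each.value.username}' has an empty required column."
    }

    # Cheap shape check on the contact address (assumed pattern, not a full RFC 5322 parse).
    precondition {
      condition     = can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", each.value.email))
      error_message = "users.csv: email '${each.value.email}' for '${each.value.username}' is not an address."
    }
  }
}
```

Duplicate usernames are already rejected by the `for` expression that builds the `for_each` map (Terraform reports a duplicate object key), so no separate check is needed for them.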
Step 3: Enable Console Access
```hcl
resource "aws_iam_user_login_profile" "users" {
  for_each = aws_iam_user.users

  user                    = each.value.name
  password_reset_required = true
}
```
Users must reset their password on first login.
Step 4: Create Groups
```hcl
resource "aws_iam_group" "education" {
  name = "Education"
}

resource "aws_iam_group" "managers" {
  name = "Managers"
}

resource "aws_iam_group" "engineers" {
  name = "Engineers"
}
```
Step 5: Dynamic Group Membership
```hcl
resource "aws_iam_group_membership" "education_membership" {
  name  = "education-members"
  group = aws_iam_group.education.name

  users = [
    for user in aws_iam_user.users :
    user.name if user.tags["Department"] == "Education"
  ]
}
```
Group membership is determined automatically using user attributes.
IAM Policies Attached to Groups
| Group     | Policy              |
|-----------|---------------------|
| Education | ReadOnlyAccess      |
| Engineers | PowerUserAccess     |
| Managers  | AdministratorAccess |

```hcl
resource "aws_iam_group_policy_attachment" "managers_admin" {
  group      = aws_iam_group.managers.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
```
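Steps 4 and 5 and the table above are three copies of the same pattern (group, managed policy, department filter). As an added example that is not part of the post, the block below drives all three from one map so that adding a group is a one-line change and no group can be created without a policy and a membership rule. It assumes the `aws_iam_user.users` resource from Step 2. Only the Education row (department `Education`, `ReadOnlyAccess`) is taken from the post; the `Engineering` and `Management` department values for the other two groups are assumptions.

```hcl
# Added example: data-driven groups, policy attachments and memberships.
locals {
  groups = {
    Education = {
      department = "Education" # from the post
      policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
    }
    Engineers = {
      department = "Engineering" # assumed department value
      policy_arn = "arn:aws:iam::aws:policy/PowerUserAccess"
    }
    Managers = {
      department = "Management" # assumed department value
      policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    }
  }
}

resource "aws_iam_group" "groups" {
  for_each = local.groups
  name     = each.key
}

resource "aws_iam_group_policy_attachment" "groups" {
  for_each   = local.groups
  group      = aws_iam_group.groups[each.key].name
  policy_arn = each.value.policy_arn
}

# aws_iam_group_membership is exclusive: the group's member list is exactly this
# expression, so removing a user from the CSV also removes them from the group.
resource "aws_iam_group_membership" "groups" {
  for_each = local.groups

  name  = "${lower(each.key)}-members"
  group = aws_iam_group.groups[each.key].name

  users = [
    for user in aws_iam_user.users :
    user.name if user.tags["Department"] == each.value.department
  ]
}

# Surfaces users whose department matches no group (for example the Sales row in
# the CSV example below); such users receive no group policies at all.
output "users_without_group" {
  value = [
    for user in aws_iam_user.users :
    user.name if !contains([for g in local.groups : g.department], user.tags["Department"])
  ]
}
```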
MFA Enforcement (Important)
Terraform can create MFA devices, but enforcement is done with IAM policy conditions rather than with resources.
MFA Enforcement Policy
```hcl
resource "aws_iam_policy" "require_mfa" {
  name = "RequireMFA"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Deny"
      Action   = "*"
      Resource = "*"
      Condition = {
        BoolIfExists = {
          "aws:MultiFactorAuthPresent" = "false"
        }
      }
    }]
  })
}
```
This policy is attached to all IAM groups, ensuring:
- Users cannot access AWS without MFA
- MFA is mandatory after login
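Two caveats a practitioner will hit with the policy above. First, `Deny` on `Action = "*"` also denies the calls a user needs to enrol a device in the first place (`iam:CreateVirtualMFADevice`, `iam:EnableMFADevice`) and to obtain an MFA session from the CLI (`sts:GetSessionToken`), so a new user with a freshly reset password is locked out of ever turning MFA on. Second, attaching the policy to groups means a user whose department matches no group (the Sales user in the CSV example below) is never subject to it. The following is an added example, not the post's code, that carves out only the self-service actions via `NotAction` and attaches the policy to every user from Step 2 directly. It assumes the `aws_iam_user.users` resource with path `/users/` and that the virtual MFA device is named after the user (the console default); both resource ARN patterns are assumptions. Note that `iam:DeactivateMFADevice` and `iam:DeleteVirtualMFADevice` stay denied without MFA, so a password alone cannot be used to strip a device.

```hcl
# Added example: MFA enforcement that still allows self-enrolment, attached per user.
resource "aws_iam_policy" "require_mfa_self_service" {
  name = "RequireMFAWithSelfService"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowOwnPasswordAndMfaManagement"
        Effect = "Allow"
        Action = [
          "iam:ChangePassword",
          "iam:GetUser",
          "iam:CreateVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:ListMFADevices",
          "iam:ResyncMFADevice"
        ]
        # $${...} is escaped so Terraform leaves the IAM policy variable for AWS to expand.
        # Path /users/ matches Step 2; the mfa/ name pattern is the console default (assumed).
        Resource = [
          "arn:aws:iam::*:user/users/$${aws:username}",
          "arn:aws:iam::*:mfa/$${aws:username}"
        ]
      },
      {
        Sid    = "AllowAccountLevelCallsNeededForSetup"
        Effect = "Allow"
        Action = [
          "iam:ListVirtualMFADevices",
          "iam:GetAccountPasswordPolicy",
          "sts:GetSessionToken"
        ]
        Resource = "*"
      },
      {
        Sid    = "DenyEverythingElseWithoutMfa"
        Effect = "Deny"
        # NotAction: everything except these is denied when no MFA is present.
        NotAction = [
          "iam:ChangePassword",
          "iam:GetUser",
          "iam:GetAccountPasswordPolicy",
          "iam:CreateVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:ListMFADevices",
          "iam:ListVirtualMFADevices",
          "iam:ResyncMFADevice",
          "sts:GetSessionToken"
        ]
        Resource = "*"
        Condition = {
          BoolIfExists = {
            "aws:MultiFactorAuthPresent" = "false"
          }
        }
      }
    ]
  })
}

# Attach to every user rather than to groups, so a user in no group is still covered.
resource "aws_iam_user_policy_attachment" "require_mfa" {
  for_each = aws_iam_user.users

  user       = each.value.name
  policy_arn = aws_iam_policy.require_mfa_self_service.arn
}
```

The `Allow` statements matter because `NotAction` in a `Deny` only exempts those calls from the deny; without an explicit allow on the user's own ARN the enrolment calls would still be implicitly denied.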
CSV File Example
```csv
username,first_name,last_name,department,job_title,email,phone
mscott,Michael,Scott,Education,Regional Manager,mscott@company.com,9999999999
jhalpert,Jim,Halpert,Sales,Sales Rep,jhalpert@company.com,9999999998
```
Adding or modifying users only requires editing the CSV file.
AWS SSO (Production Recommendation)
This project uses IAM users for learning purposes only.
In production environments, AWS IAM Identity Center (SSO) is recommended to:
- Centralize identity management
- Enforce MFA by default
- Avoid IAM user sprawl
- Integrate with external IdPs (Azure AD, Okta)
IAM users are not recommended for large-scale production usage.
How to Run
```bash
terraform init
terraform plan
terraform apply -auto-approve
```
Cleanup
```bash
terraform destroy
```
⚠️ This will delete all IAM users, groups, and policies.
Key Learnings
- IAM users should be data-driven
- Groups control access, not users
- MFA is enforced using policies, not resources
- CSV-based IAM management is scalable
- AWS SSO is preferred in production
🎥 Day 09 Video: https://youtu.be/WGt000THDmQ?si=uCNugJCEyvQnuFJP
GitHub Reference ( LINK )
✅ Day 16 Completed
This project demonstrates real-world IAM best practices using Terraform and prepares for production-grade identity management.
🔖 Tags
#30DaysOfAWSTerraform #AWS #Terraform #IAM #MFA #DevOps #CloudComputing #IAM_GROUP