Security Modules 0.75.4 (last updated in version 0.74.3)

Set a Password Policy for IAM Users


This Gruntwork Terraform Module sets the AWS Account Password Policy that will govern password requirements for IAM Users.

Motivation

This module adds no value beyond directly using the aws_iam_account_password_policy resource. Its only benefit is that a standardized module supported by Gruntwork lets you invoke that Terraform resource through Terragrunt, which downloads the module and sets its values with nothing more than a terraform.tfvars file.

Resources Created

IAM User Password Policy

This module will apply the desired password policy to the given AWS account. Note that this will overwrite any existing password policy you already have in place!

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S IAM-USER-PASSWORD-POLICY MODULE
# ------------------------------------------------------------------------------------------------------

module "iam_user_password_policy" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/iam-user-password-policy?ref=v0.75.4"

  # ----------------------------------------------------------------------------------------------------
  # OPTIONAL VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Whether to allow users to change their own password (true or false).
  allow_users_to_change_password = true

  # Set to false to have this module create no resources. This weird parameter
  # exists solely because Terraform does not support conditional modules.
  # Therefore, this is a hack to allow you to conditionally decide if the
  # resources should be created or not.
  create_resources = true

  # Whether users are prevented from setting a new password after their password
  # has expired (i.e. require administrator reset) (true or false).
  hard_expiry = true

  # The number of days that a user password is valid. Enter 0 for no
  # expiration.
  max_password_age = 0

  # Minimum length to require for user passwords.
  minimum_password_length = 16

  # The number of previous passwords that users are prevented from reusing.
  password_reuse_prevention = 5

  # Whether to require lowercase characters for user passwords (true or false).
  require_lowercase_characters = true

  # Whether to require numbers for user passwords (true or false).
  require_numbers = true

  # Whether to require symbols for user passwords (true or false).
  require_symbols = true

  # Whether to require uppercase characters for user passwords (true or false).
  require_uppercase_characters = true

}
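
Because applying the module overwrites whatever password policy the account already has, it helps to check the live policy against the intended values. The script below is an added example, not part of the Gruntwork module or its documentation: it compares the JSON printed by `aws iam get-account-password-policy` with the values from the sample usage above. The name `find_drift`, the sample JSON and the treatment of absent numeric fields as 0 are assumptions.

```python
import json

# Module variable -> (field in `aws iam get-account-password-policy` output,
# value from the sample usage above).
EXPECTED = {
    "allow_users_to_change_password": ("AllowUsersToChangePassword", True),
    "hard_expiry": ("HardExpiry", True),
    "max_password_age": ("MaxPasswordAge", 0),
    "minimum_password_length": ("MinimumPasswordLength", 16),
    "password_reuse_prevention": ("PasswordReusePrevention", 5),
    "require_lowercase_characters": ("RequireLowercaseCharacters", True),
    "require_numbers": ("RequireNumbers", True),
    "require_symbols": ("RequireSymbols", True),
    "require_uppercase_characters": ("RequireUppercaseCharacters", True),
}

# Assumption: a numeric field missing from the output means "not set" (0).
ABSENT_MEANS_ZERO = {"MaxPasswordAge", "PasswordReusePrevention"}


def find_drift(cli_json, expected=EXPECTED):
    """Return {variable: (expected, actual)} for each setting that differs."""
    policy = json.loads(cli_json)["PasswordPolicy"]
    drift = {}
    for var, (field, want) in expected.items():
        got = policy.get(field, 0 if field in ABSENT_MEANS_ZERO else None)
        if got != want:
            drift[var] = (want, got)
    return drift


# Constructed sample output (not from a real account): shorter minimum length,
# symbols not required, no reuse prevention or maximum age configured.
SAMPLE = """
{"PasswordPolicy": {
  "MinimumPasswordLength": 8,
  "RequireSymbols": false,
  "RequireNumbers": true,
  "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true,
  "AllowUsersToChangePassword": true,
  "ExpirePasswords": false,
  "HardExpiry": true
}}
"""

if __name__ == "__main__":
    for var, (want, got) in sorted(find_drift(SAMPLE).items()):
        print(f"{var}: expected {want!r}, found {got!r}")
```

An empty result means the account policy matches the values passed to the module.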


Reference

Optional

allow_users_to_change_password (bool, optional)

Whether to allow users to change their own password (true or false).

Default: true

create_resources (bool, optional)

Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources should be created or not.

Default: true

hard_expiry (bool, optional)

Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) (true or false).

Default: true

max_password_age (number, optional)

The number of days that a user password is valid. Enter 0 for no expiration.

Default: 0

minimum_password_length (number, optional)

Minimum length to require for user passwords.

Default: 16

password_reuse_prevention (number, optional)

The number of previous passwords that users are prevented from reusing.

Default: 5

require_lowercase_characters (bool, optional)

Whether to require lowercase characters for user passwords (true or false).

Default: true

require_numbers (bool, optional)

Whether to require numbers for user passwords (true or false).

Default: true

require_symbols (bool, optional)

Whether to require symbols for user passwords (true or false).

Default: true

require_uppercase_characters (bool, optional)

Whether to require uppercase characters for user passwords (true or false).

Default: true