🎯 Goal: Automate IAM user onboarding, from HR CSV → AWS users, groups, and console access, with zero manual steps.

✅ You'll build:

- ✅ 26 IAM users (The Office characters, scalable to 10,000+)
- ✅ Dynamic groups (Education, Managers, Engineers)
- ✅ Conditional group membership (e.g., `JobTitle` contains "Manager")
- ✅ Console access with password reset enforcement
- ✅ Tags for audit/search (`DisplayName`, `Department`, `JobTitle`)
| Manual IAM Onboarding | Terraform-Managed IAM |
|---|---|
| ❌ HR → Email → Ticket → IAM Admin → 3-day delay | ✅ HR → CSV → `terraform apply` → 30 seconds |
| ❌ Inconsistent usernames (Michael, mscott, michael-scott) | ✅ Standardized: mscott → `[first_initial][last_name]` |
| ❌ No audit trail for user creation | ✅ Git-tracked CSV + Terraform state |
| ❌ Passwords shared insecurely (Slack/email) | ✅ Auto-generated + reset-on-first-login |
💡 Golden Rule:

"If your identity system isn't version-controlled, it's not production-ready."
```mermaid
flowchart LR
    A["HR System<br/>(users.csv)"] -->|Git| B[Terraform Repo]
    B --> C[Terraform Plan/Apply]
    C --> D[AWS IAM]
    D --> E["Users: mscott, dschrute..."]
    D --> F["Groups: Education, Managers, Engineers"]
    D --> G["Memberships: Dwight → Managers"]
    D --> H["Login Profiles: Reset required"]
```
⚡ Critical Flow:

`users.csv` (adds `jdoe,Engineering,Software Engineer`) → `terraform apply` → `jdoe` IAM user → Engineers group

Project structure (`/day16/`):

```
day16/
├── backend.tf   # S3 remote state (encrypted, versioned)
├── provider.tf  # AWS provider (locked version)
├── users.csv    # HR data source (26 users)
├── main.tf      # User creation + CSV parsing
├── groups.tf    # Groups + dynamic membership
└── TASK.md      # Your challenge (MFA, SSO, HR integration)
```
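The whole pipeline above (CSV rows → standardized usernames → tagged users → title-based group membership → login profiles with forced reset) fits in one Terraform module. The block below is an added example written for this page; it is not the `main.tf`/`groups.tf` of the day16 repo. It assumes a CSV header of `first_name,last_name,department,job_title`, Terraform ≥ 1.5 (for `strcontains`) and AWS provider 5.x, and it embeds three constructed rows in a heredoc so it can be planned stand-alone; the real module would read `file("${path.module}/users.csv")` instead.

```hcl
# Added example, not the day16 project's own code.
# Assumed CSV header: first_name,last_name,department,job_title
# Assumed Terraform >= 1.5 (strcontains) and hashicorp/aws ~> 5.0.

terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0" # pin the major version, as provider.tf does
    }
  }
}

# Hypothetical variable: a base64 PGP public key or "keybase:<user>" used to
# encrypt the generated console password so it never lands in state in clear.
variable "onboarding_pgp_key" {
  description = "PGP public key (base64) or keybase:username for encrypting initial passwords"
  type        = string
}

locals {
  # Constructed sample rows. The project reads file("${path.module}/users.csv").
  users_csv = <<-CSV
    first_name,last_name,department,job_title
    Michael,Scott,Management,Regional Manager
    Dwight,Schrute,Sales,Assistant to the Regional Manager
    Jane,Doe,Engineering,Software Engineer
  CSV

  # csvdecode() yields a list of maps keyed by header. Re-key by the derived
  # username ([first_initial][last_name], lower-cased) so for_each addresses stay
  # stable when HR reorders or inserts rows: a new row adds one user, nothing else moves.
  users = {
    for u in csvdecode(local.users_csv) :
    lower("${substr(u.first_name, 0, 1)}${u.last_name}") => u
  }

  # Membership is derived from the row, never hand-maintained.
  groups = {
    Managers  = [for name, u in local.users : name if strcontains(u.job_title, "Manager")]
    Engineers = [for name, u in local.users : name if u.department == "Engineering"]
    Education = [for name, u in local.users : name if u.department == "Education"]
  }

  # Inverse view: username -> list of group names it qualifies for.
  user_groups = {
    for name, u in local.users :
    name => [for g, members in local.groups : g if contains(members, name)]
  }
}

resource "aws_iam_user" "this" {
  for_each = local.users
  name     = each.key

  # Tags drive audit queries and IAM search; values come straight from HR data.
  tags = {
    DisplayName = "${each.value.first_name} ${each.value.last_name}"
    Department  = each.value.department
    JobTitle    = each.value.job_title
  }
}

resource "aws_iam_group" "this" {
  for_each = local.groups
  name     = each.key
}

# One membership resource per user that qualifies for at least one group;
# users with no matching group get no resource rather than an empty groups list.
resource "aws_iam_user_group_membership" "this" {
  for_each = { for name, groups in local.user_groups : name => groups if length(groups) > 0 }
  user     = aws_iam_user.this[each.key].name
  groups   = [for g in each.value : aws_iam_group.this[g].name]
}

# Console access: a generated password the user must change at first login.
resource "aws_iam_user_login_profile" "this" {
  for_each                = local.users
  user                    = aws_iam_user.this[each.key].name
  password_length         = 20
  password_reset_required = true
  pgp_key                 = var.onboarding_pgp_key # omit and the password is stored in state in plain text
}

# Who landed in which group; useful as a plan-time check when a CSV row changes.
output "group_membership" {
  value = local.user_groups
}
```

With the sample rows, `terraform plan` produces `mscott` and `dschrute` in Managers (both job titles contain "Manager", which reproduces the "Dwight → Managers" edge in the flowchart) and `jdoe` in Engineers; the Education group is created empty. Two design points worth keeping in the real module: keying `for_each` by username rather than by list index, so editing one CSV line never churns unrelated users, and setting `pgp_key`, because the generated password is otherwise readable by anyone who can read the S3 state object, which defeats the "no passwords over Slack/email" row of the table above.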
users.csv → Single Source of Truth