diff --git a/outputs.tf b/outputs.tf
index e69de29..bf2be4f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -0,0 +1,139 @@
+locals {
+ has_encrypted_password = length(compact(aws_iam_user_login_profile.this.*.encrypted_password)) > 0
+ has_encrypted_secret = length(compact(aws_iam_access_key.this.*.encrypted_secret)) > 0
+}
+
+output "iam_user_name" {
+ description = "The user's name"
+ value = element(concat(aws_iam_user.this.*.name, [""]), 0)
+}
+
+output "iam_user_arn" {
+ description = "The ARN assigned by AWS for this user"
+ value = element(concat(aws_iam_user.this.*.arn, [""]), 0)
+}
+
+output "iam_user_unique_id" {
+ description = "The unique ID assigned by AWS"
+ value = element(concat(aws_iam_user.this.*.unique_id, [""]), 0)
+}
+
+output "iam_user_login_profile_key_fingerprint" {
+ description = "The fingerprint of the PGP key used to encrypt the password"
+ value = element(concat(aws_iam_user_login_profile.this.*.key_fingerprint, [""]), 0)
+}
+
+output "iam_user_login_profile_encrypted_password" {
+ description = "The encrypted password, base64 encoded"
+ value = element(concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]), 0)
+}
+
+output "iam_access_key_id" {
+ description = "The access key ID"
+ value = element(
+ concat(
+ aws_iam_access_key.this.*.id,
+ aws_iam_access_key.this_no_pgp.*.id,
+ [""],
+ ),
+ 0
+ )
+}
+
+output "iam_access_key_secret" {
+ description = "The access key secret"
+ value = element(concat(aws_iam_access_key.this_no_pgp.*.secret, [""]), 0)
+ sensitive = true
+}
+
+output "iam_access_key_key_fingerprint" {
+ description = "The fingerprint of the PGP key used to encrypt the secret"
+ value = element(concat(aws_iam_access_key.this.*.key_fingerprint, [""]), 0)
+}
+
+output "iam_access_key_encrypted_secret" {
+ description = "The encrypted secret, base64 encoded"
+ value = element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)
+}
+
+output "iam_access_key_ses_smtp_password_v4" {
+ description = "The secret access key converted into an SES SMTP password by applying AWS's Sigv4 conversion algorithm"
+ value = element(
+ concat(
+ aws_iam_access_key.this.*.ses_smtp_password_v4,
+ aws_iam_access_key.this_no_pgp.*.ses_smtp_password_v4,
+ [""],
+ ),
+ 0
+ )
+ sensitive = true
+}
+
+output "iam_access_key_status" {
+ description = "Active or Inactive. Keys are initially active, but can be made inactive by other means."
+ value = element(
+ concat(
+ aws_iam_access_key.this.*.status,
+ aws_iam_access_key.this_no_pgp.*.status,
+ [""],
+ ),
+ 0
+ )
+}
+
+output "pgp_key" {
+ description = "PGP key used to encrypt sensitive data for this user (if empty - secrets are not encrypted)"
+ value = var.pgp_key
+}
+
+output "keybase_password_decrypt_command" {
+ description = "Decrypt user password command"
+ value = !local.has_encrypted_password ? null : <