Set a Password Policy for IAM Users
This Gruntwork Terraform Module sets the AWS Account Password Policy that will govern password requirements for IAM Users.
This module adds no value beyond directly using the aws_iam_account_password_policy resource, except that having a standardized
module supported by Gruntwork enables you to easily invoke this Terraform resource using Terragrunt's functionality of
downloading a module and setting values with nothing more than a terraform.tfvars
Resources Created
IAM User Password Policy
This module will apply the desired password policy to the given AWS account. Note that this will overwrite any existing password policy you already have in place!
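Because applying the module overwrites whatever password policy the account already has, it helps to compare the existing policy with the planned one before running apply. The following is an added example, not part of the Gruntwork module or this page's original code: it compares a constructed sample of `aws iam get-account-password-policy` output with the values from this page's sample usage and labels each difference. The names FIELDS, PLANNED, CURRENT_JSON, rank and diff_policy are made up for the illustration.

```python
import json

# Terraform input -> (key in `aws iam get-account-password-policy` JSON, direction).
# direction: 1 = larger/true is stricter, -1 = smaller is stricter, 0 = neutral.
FIELDS = {
    "allow_users_to_change_password": ("AllowUsersToChangePassword", 0),
    "hard_expiry": ("HardExpiry", 1),
    "max_password_age": ("MaxPasswordAge", -1),
    "minimum_password_length": ("MinimumPasswordLength", 1),
    "password_reuse_prevention": ("PasswordReusePrevention", 1),
    "require_lowercase_characters": ("RequireLowercaseCharacters", 1),
    "require_numbers": ("RequireNumbers", 1),
    "require_symbols": ("RequireSymbols", 1),
    "require_uppercase_characters": ("RequireUppercaseCharacters", 1),
}
# Values from this page's sample usage.
PLANNED = {
    "allow_users_to_change_password": True, "hard_expiry": True,
    "max_password_age": 0, "minimum_password_length": 16,
    "password_reuse_prevention": 5, "require_lowercase_characters": True,
    "require_numbers": True, "require_symbols": True, "require_uppercase_characters": True,
}
# Constructed sample of the CLI output for an account that already has a policy.
CURRENT_JSON = """{"PasswordPolicy": {"MinimumPasswordLength": 14,
  "RequireSymbols": true, "RequireNumbers": true, "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true, "AllowUsersToChangePassword": true,
  "ExpirePasswords": true, "MaxPasswordAge": 90, "PasswordReusePrevention": 24,
  "HardExpiry": false}}"""

def rank(value, direction):
    """Strictness rank. For max age, 0 or absent means 'never expires' (loosest)."""
    if direction == -1:
        return float("-inf") if not value else -value
    return int(value)

def diff_policy(current, planned):
    """Return {input: (old, new, verdict)} for each setting the apply would change."""
    changes = {}
    for name, (api_key, direction) in FIELDS.items():
        new = planned[name]
        old = current.get(api_key, type(new)())  # absent key -> False / 0
        if old != new:
            stricter = rank(new, direction) > rank(old, direction)
            verdict = "changed" if direction == 0 else ("tightened" if stricter else "loosened")
            changes[name] = (old, new, verdict)
    return changes

if __name__ == "__main__":
    for name, change in diff_policy(json.loads(CURRENT_JSON)["PasswordPolicy"], PLANNED).items():
        print(name, *change)
```

With the constructed input, the sample values on this page would remove the 90-day expiry and shorten the reuse history from 24 to 5, while raising the minimum length and turning on hard expiry.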
Sample Usage
Terraform

module "iam_user_password_policy" {
  source = ""

  # Whether to allow users to change their own password (true or false).
  allow_users_to_change_password = true

  # Set to false to have this module create no resources. This weird parameter
  # exists solely because Terraform does not support conditional modules.
  # Therefore, this is a hack to allow you to conditionally decide if the
  # resources should be created or not.
  create_resources = true

  # Whether users are prevented from setting a new password after their password
  # has expired (i.e. require administrator reset) (true or false).
  hard_expiry = true

  # The number of days that a user password is valid. Enter 0 for no
  # expiration.
  max_password_age = 0

  # Minimum length to require for user passwords.
  minimum_password_length = 16

  # The number of previous passwords that users are prevented from reusing.
  password_reuse_prevention = 5

  # Whether to require lowercase characters for user passwords (true or false).
  require_lowercase_characters = true

  # Whether to require numbers for user passwords (true or false).
  require_numbers = true

  # Whether to require symbols for user passwords (true or false).
  require_symbols = true

  # Whether to require uppercase characters for user passwords (true or false).
  require_uppercase_characters = true
}
Terragrunt

terraform {
  source = ""
}

inputs = {
  # Whether to allow users to change their own password (true or false).
  allow_users_to_change_password = true

  # Set to false to have this module create no resources. This weird parameter
  # exists solely because Terraform does not support conditional modules.
  # Therefore, this is a hack to allow you to conditionally decide if the
  # resources should be created or not.
  create_resources = true

  # Whether users are prevented from setting a new password after their password
  # has expired (i.e. require administrator reset) (true or false).
  hard_expiry = true

  # The number of days that a user password is valid. Enter 0 for no
  # expiration.
  max_password_age = 0

  # Minimum length to require for user passwords.
  minimum_password_length = 16

  # The number of previous passwords that users are prevented from reusing.
  password_reuse_prevention = 5

  # Whether to require lowercase characters for user passwords (true or false).
  require_lowercase_characters = true

  # Whether to require numbers for user passwords (true or false).
  require_numbers = true

  # Whether to require symbols for user passwords (true or false).
  require_symbols = true

  # Whether to require uppercase characters for user passwords (true or false).
  require_uppercase_characters = true
}
Inputs
- allow_users_to_change_password: Whether to allow users to change their own password (true or false).
- create_resources (bool): Set to false to have this module create no resources. This weird parameter exists solely because Terraform does not support conditional modules. Therefore, this is a hack to allow you to conditionally decide if the resources should be created or not.
- hard_expiry (bool): Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset) (true or false).
- max_password_age (number): The number of days that a user password is valid. Enter 0 for no expiration.
- minimum_password_length (number): Minimum length to require for user passwords.
- password_reuse_prevention: The number of previous passwords that users are prevented from reusing.
- require_lowercase_characters: Whether to require lowercase characters for user passwords (true or false).
- require_numbers (bool): Whether to require numbers for user passwords (true or false).
- require_symbols (bool): Whether to require symbols for user passwords (true or false).
- require_uppercase_characters: Whether to require uppercase characters for user passwords (true or false).
Outputs
- Whether to allow users to change their own password.
- Indicates whether passwords in the account expire.
- Whether users are prevented from setting a new password after their password has expired (i.e. require administrator reset).
- The number of days that a user password is valid. 0 means no expiration.
- Minimum length to require for user passwords.
- The number of previous passwords that users are prevented from reusing.
- Whether to require lowercase characters for user passwords.
- Whether to require symbols for user passwords.
- Whether to require uppercase characters for user passwords.