Day 16 - Managing AWS IAM Users with Terraform using CSV

 

Introduction

Today I worked on managing AWS IAM users using Terraform with a CSV-driven approach.

Instead of creating users manually in the AWS Console, I treated the CSV file as a source of truth. Terraform reads this file, creates users, assigns tags, and dynamically places them into groups.

This felt very similar to database thinking. Each row in the CSV behaves like a table row, and Terraform applies logic on top of it.

Architecture Overview



What I Built

  • IAM users created from CSV file
  • IAM groups for logical organization
  • Dynamic group membership using filters
  • Tags used as metadata to drive logic

Step 1: Using CSV as a Data Source

The users.csv file acts as a structured dataset.

Example:

first_name,last_name,department,job_title
Michael,Scott,Education,Regional Manager
Dwight,Schrute,Sales,Assistant to the Regional Manager

Each row represents one user.

Step 2: Reading CSV in Terraform

locals {
  users = csvdecode(file("${path.module}/users.csv"))
}


csvdecode() converts the CSV into a list of objects. This is similar to loading a table into memory.

Step 3: Creating IAM Users

resource "aws_iam_user" "users" {
  for_each = local.users_map

  name = each.key
}

Instead of manually defining each user, Terraform loops through the dataset and creates users automatically.

Step 4: Enabling Console Access

resource "aws_iam_user_login_profile" "users" {
  for_each = aws_iam_user.users
}


Each user gets console access with password reset enforced.

Step 5: Dynamic Group Membership

users = [
  for user in aws_iam_user.users : user.name
  if user.tags.Department == "Education"
]


This is the most important part.

Instead of assigning users manually, Terraform filters users based on attributes.

How I Think About This

This felt very similar to SQL:

SELECT username
FROM users
WHERE department = 'Education';
  • CSV = table
  • rows = users
  • filter = WHERE clause
  • Terraform = execution engine

Step 6: Validation

Commands used:

terraform init
terraform plan
terraform apply




Key Learnings

  • Terraform can work like a data processing engine
  • CSV can act as a lightweight source of truth
  • for_each is critical for scaling
  • Tags can drive automation logic
  • Group membership can be fully dynamic

Real World Use

This approach can be used for:

  • Employee onboarding
  • Department-based access control
  • Bulk user provisioning
  • Reproducible IAM setup across environments

Improvements I Would Add Next

  • Attach IAM policies to groups
  • Enforce MFA
  • Integrate with AWS SSO
  • Extend CSV with email or environment fields

Conclusion

This was one of the most practical exercises so far.

It showed how Terraform can move beyond infrastructure and manage identities in a structured and scalable way.

Video Reference


Jay

Comments

Post a Comment

Popular posts from this blog

ASM Integrity check failed with PRCT-1225 and PRCT-1011 errors while creating database using DBCA on Exadata 3 node RAC

Image
  Error: The error message PRCT-1225: failed to verify Oracle Automatic Storage Management (Oracle ASM) user credentials using the command 'asmcmd credverify' indicates that the asmcmd credverify command failed to verify the Oracle ASM user credentials. This can happen for a number of reasons, including: The user credentials are incorrect. The user credentials file is corrupted. The user does not have the necessary permissions to run the asmcmd credverify command. There is a problem with the Oracle ASM instance. To troubleshoot this error, you can try the following: Make sure that the user credentials are correct. You can do this by trying to log in to the Oracle ASM instance using the same credentials. Check the user credentials file for errors. You can do this by using a text editor to open the file and inspect the contents. Make sure that the user has the necessary permissions to run the asmcmd credverify command. You can do this by checking the user's permissi...
Read more

Life is beautiful

Image
Life brings unexpected tragedies that are beyond our control. It's heartbreaking to witness people facing circumstances they never chose. We react with tears and inevitably wonder, "What if that happens to me?" As humans, we naturally focus on the positive and avoid dwelling on such thoughts—and that's healthy. But this perspective has shaped how I approach life: Am I prepared for these scenarios? Are my loved ones protected if something goes wrong? If I were to die, I couldn't be there to tell them to stay strong—they'd have to face that grief alone. But I can give them financial security through proper planning, wills, and trusts. These are tangible ways to care for them even when I'm gone. Beyond that, what else can I control? I don't waste energy worrying about an uncertain past or future. Instead, I choose to spread peace, truly listen to others, and share genuine smiles. I embrace the principle of living fully while letting others do the same. ...
Read more

Lock Tables in MariaDB

Whether or not you need to lock tables while backing up MariaDB depends on a few factors, including the type of backup you are performing and the tools you are using. If you are performing a full backup , you should lock the tables to ensure that the backup is consistent. This is because a full backup copies all of the data in the database, including any data that is currently being modified by transactions. If you do not lock the tables, it is possible that the backup could contain inconsistent data. If you are performing a differential backup or an incremental backup , you may not need to lock the tables. Differential and incremental backups only copy the data that has changed since the previous backup. This means that the data is already consistent, so there is no need to lock the tables. However, some backup tools may require you to lock the tables, even if you are performing a differential or incremental backup. This is because these tools may need to modify the database in some ...
Read more