Add new iam user for self @here

[here]

Fixes #77

What changes did you make?

• User alexe role changed from ops-leads to read-only-group to avoid terraform apply 404 error on group ops-leads
• New user request for self at Create new AWS user account - here #89

Why did you make the changes (we will use this info to test)?

• Completing Pre-work checklist Pre-work Checklist: DevOps-Security-Member: Mike Waggoner #77

[github-actions]

Terraform plan in terraform
With backend config files: terraform/prod.backend.tfvars

Plan: 3 to add, 1 to change, 0 to destroy.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
!~  update in-place

Terraform will perform the following actions:

  # module.iam_oidc_gha_incubator.aws_iam_role.github_actions_oidc will be updated in-place
!~  resource "aws_iam_role" "github_actions_oidc" {
!~      assume_role_policy    = jsonencode(
!~          {
!~              Statement = [
!~                  {
!~                      Condition = {
!~                          StringLike   = {
!~                              "token.actions.githubusercontent.com:sub" = "*************************************************************************"
                            }
#                            (1 unchanged attribute hidden)
                        }
#                        (3 unchanged attributes hidden)
                    },
                ]
#                (1 unchanged attribute hidden)
            }
        )
        id                    = "gha-incubator"
        name                  = "gha-incubator"
        tags                  = {}
#        (11 unchanged attributes hidden)
    }

  # module.iam_user_herehfla.aws_iam_user.user will be created
+   resource "aws_iam_user" "user" {
+       arn           = (known after apply)
+       force_destroy = false
+       id            = (known after apply)
+       name          = "herehfla"
+       path          = "/"
+       tags          = {
+           "Access Level" = "1"
+           "Project"      = "devops-security"
        }
+       tags_all      = {
+           "Access Level" = "1"
+           "Project"      = "devops-security"
        }
+       unique_id     = (known after apply)
    }

  # module.iam_user_herehfla.aws_iam_user_group_membership.user_group_membership will be created
+   resource "aws_iam_user_group_membership" "user_group_membership" {
+       groups = [
+           "read-only-group",
        ]
+       id     = (known after apply)
+       user   = "herehfla"
    }

  # module.iam_user_herehfla.aws_iam_user_login_profile.user_login will be created
+   resource "aws_iam_user_login_profile" "user_login" {
+       encrypted_password      = (known after apply)
+       id                      = (known after apply)
+       key_fingerprint         = (known after apply)
+       password                = (known after apply)
+       password_length         = 20
+       password_reset_required = true
+       user                    = "herehfla"
    }

Plan: 3 to add, 1 to change, 0 to destroy.

📝 Plan generated in Write Terraform Plan to Pull Request #65

[ale210]

Suggested change

	user_groups = ["read-only-group"]
	user_groups = ["ops-leads"]

[ale210]

Hi @here this needs to be its original value of 'ops-leads'

[here]

Reverted this change with 1aa4e8c , thanks for confirming.

[here]

All known feedback resolved, ready for review and merge.

---

• Reverted changes to @ale210 returning to "ops-leads" user group. Note that this re-introduces a local error on terraform apply , details below.
• Confirmed use of iam username "herehfla" on weekly check in call due to conflict existing legacy iam user "here"
• Re-ran local terraform init , plan , apply to confirm on new local workstation.

---

devops-security/terraform/state.config

bucket = "herebox-hfla-ops-terraform-state"
region = "us-west-2"
key    = "devops-security/terraform.tfstate"

$ terraform init -backend-config="./state.config"
Terraform has been successfully initialized!

$ terraform plan

Terraform will perform the following actions:

  # module.iam_user_alexe.aws_iam_user_group_membership.user_group_membership will be updated in-place
  ~ resource "aws_iam_user_group_membership" "user_group_membership" {
      ~ groups = [
          - "read-only-group",
          + "ops-leads",
        ]
        id     = "terraform-20241125052739631500000001"
        # (1 unchanged attribute hidden)
    }

  # module.iam_user_herehfla.aws_iam_user.user will be updated in-place
  ~ resource "aws_iam_user" "user" {
        id                   = "herehfla"
        name                 = "herehfla"
      ~ tags                 = {
          - "AKIAVWCBVOVGETOY5NU5" = "hfla-onboarding-2025-01-15" -> null
            "Access Level"         = "1"
            "Project"              = "devops-security"
        }
      ~ tags_all             = {
          - "AKIAVWCBVOVGETOY5NU5" = "hfla-onboarding-2025-01-15" -> null
            # (2 unchanged elements hidden)
        }
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Note that terraform apply results in a 404 error related to "ops-leads" group not found. This was confirmed above by alexe and weekly call to be working as expected for the purposes of this onboarding MR.

│ Error: updating IAM User Group Membership (alexe): adding User (alexe) to Group (ops-leads): NoSuchEntity: The group with name ops-leads cannot be found.
│       status code: 404, request id: 1325bdc3-5798-4123-8f73-4adc6d48e125
│
│   with module.iam_user_alexe.aws_iam_user_group_membership.user_group_membership,
│   on modules/aws-users/main.tf line 23, in resource "aws_iam_user_group_membership" "user_group_membership":
│   23: resource "aws_iam_user_group_membership" "user_group_membership" {