# Test IAM user for exercising the FIAM roles.
#
# NOTE(review): this user gets a console password and a policy described as
# "Assume any FIAM role". Nothing in this file requires MFA for the login or
# for role assumption. If that matters, it has to be enforced in the role
# trust policies or in the policy JSON, neither of which is visible here.
resource "aws_iam_user" "testuser" {
  name = "testuser"
  path = "/FIAMS/"

  # Lets `terraform destroy` remove the user even if access keys, a login
  # profile or MFA devices were attached outside of Terraform.
  force_destroy = true

  tags = {
    project = "FIAMS"
  }
}

# Renders the policy document from ../policies, substituting the account ID of
# the credentials Terraform is running with (data.aws_caller_identity.current
# is declared elsewhere in the configuration).
#
# NOTE(review): the effective permissions live entirely in the JSON template.
# Confirm its Resource element is scoped to the FIAM roles in this account
# rather than a wildcard over all roles.
data "template_file" "FIAM-TESTING-assume_any_fiam_role" {
  vars = {
    account = "${data.aws_caller_identity.current.account_id}"
  }

  template = "${file("../policies/FIAM-TESTING-assume_any_fiam_role.json")}"
}

# Managed policy built from the rendered template above.
resource "aws_iam_policy" "FIAM-TESTING-assume_any_fiam_role" {
  name        = "FIAM-TESTING-assume_any_fiam_role"
  description = "Assume any FIAM role"
  policy      = "${data.template_file.FIAM-TESTING-assume_any_fiam_role.rendered}"
}

# Attaches the policy directly to the test user.
resource "aws_iam_user_policy_attachment" "FIAM-TESTING-assume_any_fiam_role" {
  policy_arn = "${aws_iam_policy.FIAM-TESTING-assume_any_fiam_role.arn}"
  user       = "${aws_iam_user.testuser.name}"
}

# Console login for the test user. The generated password is encrypted to the
# PGP public key published for the Keybase user "fdamstra", so the state and
# the output below carry ciphertext only. Whoever holds that private key can
# recover the password, which makes the Keybase account part of the trust
# boundary.
resource "aws_iam_user_login_profile" "testuser" {
  pgp_key = "keybase:fdamstra"
  user    = "${aws_iam_user.testuser.name}"
}

# Base64-encoded, PGP-encrypted console password.
# To decrypt, run:
#   terraform output testuser_password | base64 --decode | keybase --standalone pgp decrypt
# NOTE(review): on Terraform 0.14 and later, `terraform output NAME` prints the
# string quoted, so `terraform output -raw NAME` is needed before piping to
# base64. Confirm against the Terraform version this project pins.
output "testuser_password" {
  value = "${aws_iam_user_login_profile.testuser.encrypted_password}"
}

# Human-readable reminder of the decrypt pipeline, shown with the other outputs.
output "testuser_password_instructions" {
  value = "Execute: terraform output testuser_password | base64 --decode | keybase --standalone pgp decrypt"
}