[#160] Creating the IAM groups & users

[longnd]

• Close Support creating new IAM users in IAM module #160

What happened 👀

This PR allows the provisioning of IAM groups & users by code.

Insight 📝

• This PR follows the implementation in a recent project (easyHotel) with some modifications.
• Simplify the custom IAM policy, there is only one policy taken from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html
• The user is prevented from doing any actions until they have MFA set.
• Due to the above reason, the user is not forced to set a password on the first login.

This policy does not allow users to reset a password while signing in to the AWS Management Console for the first time. We recommend that you do not grant permissions to new users until after they sign in. You can allow this by adding iam:ChangePassword and iam:GetAccountPasswordPolicy to the statement DenyAllExceptListedIfNoMFA. However, we do not recommend this because allowing users to change their password without MFA can be a security risk.

There will be 3 groups

• Admin: full permission
• Developer: power access
• Bot account: power access + full IAM access

As the bot account (used by Terraform) is also generated by code, how can the user generate a new project can provision it? The following steps are needed:

• Create a bot account manually using the AWS console
• Get an access key for that bot account to put on Terraform Cloud
• Provision the project
• Get the generated user credentials (admins, developers & bot), then use the new bot account to generate an access key to replace the one on AWS and remove the old access key.

All of the above steps will be documented in Wiki in another PR

Proof Of Work 📹

Genera a new project using this template and run terraform plan showing no (syntax) errors

[hoangmirs]

LGTM 💪

[malparty]

Time saver feature! 🤩