add iam user tagging helper script (#11)

* add iam user tagging helper script

* update readme and rename iam user tagging file

.gitignore

@@ -33,8 +33,8 @@ override.tf.json
 terraform.rc
 
 __pycache__
-*.json
-*.sh
+*/*.json
+*/*.sh
 header.tf
 creator.zip
 destructor.zip

README.md

@@ -37,3 +37,6 @@ This tool is responsible for generating a new IAM access key pair every X days a
     - `IKR:ROTATE_AFTER_DAYS`: After how many days new access key should be generated. **Note:** If you want to control key generation period per user add this tag to the user else environment variable `ROTATE_AFTER_DAYS` will be used
     - `IKR:DELETE_AFTER_DAYS`: After how many days existing access key should be deleted. **Note:** If you want to control key deletion period per user add this tag to the user else environment variable `DELETE_AFTER_DAYS` will be used
     - `IKR:INSTRUCTION_0`: Add help instruction related to updating access key. This instruction will be sent to IAM user whenever a new key pair is generated. **Note:** As AWS restricts [tag value](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions) to 256 characters you can use multiple instruction tags by increasing the number (`IKR:INSTRUCTION_0`, `IKR:INSTRUCTION_1` , `IKR:INSTRUCTION_2` and so on). All the instruction tags value will be combined and sent as a single string to the user.
+
+### Helper Script:
+- `tag-iam-users.py`: Tags IAM users by reading **iam-user-tags.json** file

iam-user-tags.json

@@ -0,0 +1,9 @@
+{
+  "IAM_USERNAME_1": {
+    "TAG_KEY_1": "TAG_VALUE_1",
+    "TAG_KEY_2": "TAG_VALUE_2"
+  },
+  "IAM_USERNAME_2": {
+    "TAG_KEY": "TAG_VALUE"
+  }
+}

tag-iam-users.py

@@ -0,0 +1,53 @@
+import json
+import boto3
+import os
+import concurrent.futures
+
+from botocore.exceptions import ClientError
+
+# AWS Profile to use for API calls
+IKR_AWS_PROFILE = os.environ.get('IKR_AWS_PROFILE', None)
+
+# AWS Access Key to use for API calls
+IKR_AWS_ACCESS_KEY_ID = os.environ.get('IKR_AWS_ACCESS_KEY_ID', None)
+
+# AWS Secret Access Key to use for API calls
+IKR_AWS_SECRET_ACCESS_KEY = os.environ.get('IKR_AWS_SECRET_ACCESS_KEY', None)
+
+# AWS Session Token to use for API calls
+IKR_AWS_SESSION_TOKEN = os.environ.get('IKR_AWS_SESSION_TOKEN', None)
+
+# AWS region to use
+IKR_AWS_REGION = os.environ.get('IKR_AWS_REGION', 'us-east-1')
+
+session = boto3.Session(aws_access_key_id=IKR_AWS_ACCESS_KEY_ID, aws_secret_access_key=IKR_AWS_SECRET_ACCESS_KEY, aws_session_token=IKR_AWS_SESSION_TOKEN, region_name=IKR_AWS_REGION, profile_name=IKR_AWS_PROFILE)
+iam = session.client('iam')
+
+iamUsers = json.load(open('iam-user-tags.json'))
+
+def tag_user(userName, tags):
+    print('Tagging user {}'.format(userName))
+    try:
+        userTags = []
+        for t in tags:
+            userTags.append({
+                'Key': t,
+                'Value': tags[t]
+            })
+
+        iam.tag_user(
+            UserName=userName,
+            Tags=userTags
+        )
+        print('Tag(s) added to user {}'.format(userName))
+    except (Exception, ClientError) as ce:
+        print('Failed to tag user {}. Reason: {}'.format(userName, ce))
+
+    return userName
+
+if len(iamUsers) == 0:
+    print('No IAM users present in user-tagging.json file')
+else:
+    # Tagging each user using a separate thread
+    with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor:
+        results = [executor.submit(tag_user, u, iamUsers[u]) for u in iamUsers]