From b9f3409fb696abee186b5b914e87ef7a783492a0 Mon Sep 17 00:00:00 2001
From: enver
Date: Thu, 23 Mar 2023 01:33:53 +0100
Subject: [PATCH] fix: Do not attach force MFA statement for iam-groups-with-policies by default (#333)

Co-authored-by: Bryant Biggs
---
 modules/iam-group-with-policies/README.md | 1 +
 modules/iam-group-with-policies/policies.tf | 45 ++++++++++---------
 modules/iam-group-with-policies/variables.tf | 6 +++
 3 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/modules/iam-group-with-policies/README.md b/modules/iam-group-with-policies/README.md
index bbd813fc..02497251 100644
--- a/modules/iam-group-with-policies/README.md
+++ b/modules/iam-group-with-policies/README.md
@@ -44,6 +44,7 @@ No modules.
 | [create\_group](#input\_create\_group) | Whether to create IAM group | `bool` | `true` | no |
 | [custom\_group\_policies](#input\_custom\_group\_policies) | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | `list(map(string))` | `[]` | no |
 | [custom\_group\_policy\_arns](#input\_custom\_group\_policy\_arns) | List of IAM policies ARNs to attach to IAM group | `list(string)` | `[]` | no |
+| [enable\_mfa\_enforcment](#input\_enable\_mfa\_enforcment) | Determines whether permissions are added to the policy which requires the groups IAM users to use MFA | `bool` | `true` | no |
 | [group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
 | [iam\_self\_management\_policy\_name\_prefix](#input\_iam\_self\_management\_policy\_name\_prefix) | Name prefix for IAM policy to create with IAM self-management permissions | `string` | `"IAMSelfManagement-"` | no |
 | [name](#input\_name) | Name of IAM group | `string` | `""` | no |
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
index 016e20c7..c3763b8e 100644
--- a/modules/iam-group-with-policies/policies.tf
+++ b/modules/iam-group-with-policies/policies.tf @@ -145,28 +145,29 @@ data "aws_iam_policy_document" "iam_self_management" { ] } - statement { - sid = "DenyAllExceptListedIfNoMFA" - - effect = "Deny" - - not_actions = [ - "iam:ChangePassword", - "iam:CreateVirtualMFADevice", - "iam:EnableMFADevice", - "iam:GetUser", - "iam:ListMFADevices", - "iam:ListVirtualMFADevices", - "iam:ResyncMFADevice", - "sts:GetSessionToken" - ] - - resources = ["*"] - - condition { - test = "BoolIfExists" - variable = "aws:MultiFactorAuthPresent" - values = ["false"] + dynamic "statement" { + for_each = var.enable_mfa_enforcment ? [1] : [] + + content { + sid = "DenyAllExceptListedIfNoMFA" + effect = "Deny" + not_actions = [ + "iam:ChangePassword", + "iam:CreateVirtualMFADevice", + "iam:EnableMFADevice", + "iam:GetUser", + "iam:ListMFADevices", + "iam:ListVirtualMFADevices", + "iam:ResyncMFADevice", + "sts:GetSessionToken" + ] + resources = ["*"] + + condition { + test = "BoolIfExists" + variable = "aws:MultiFactorAuthPresent" + values = ["false"] + } } } } diff --git a/modules/iam-group-with-policies/variables.tf b/modules/iam-group-with-policies/variables.tf index 7c5d764d..4f75fc21 100644 --- a/modules/iam-group-with-policies/variables.tf +++ b/modules/iam-group-with-policies/variables.tf @@ -28,6 +28,12 @@ variable "custom_group_policies" { default = [] } +variable "enable_mfa_enforcment" { + description = "Determines whether permissions are added to the policy which requires the groups IAM users to use MFA" + type = bool + default = true +} + variable "attach_iam_self_management_policy" { description = "Whether to attach IAM policy which allows IAM users to manage their credentials and MFA" type = bool
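Review bot: The new `dynamic "statement"` block makes the `DenyAllExceptListedIfNoMFA` statement optional without saying what is lost when it is skipped: it is the only Deny visible in this hunk, and with `for_each = var.enable_mfa_enforcment ? [1] : []` evaluating to an empty set, every permission granted by the Allow statements of this document (which begin above the hunk and are not visible here) becomes usable with no MFA at all. Note also that `BoolIfExists` on `aws:MultiFactorAuthPresent` treats a missing key as "false", so the statement being removed is precisely what blocks long-term access keys, which per AWS documentation do not carry that key; disabling it should be a deliberate choice for groups whose users authenticate through federation or enforce MFA elsewhere. Add a why-comment above the block, e.g. `# Opt-out: disabling drops the only MFA-gated Deny in this policy, so the self-management permissions (and any other attached policies) are reachable with plain access keys.` The enclosing `data "aws_iam_policy_document" "iam_self_management"` starts outside the hunk.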
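Review bot: `variable "enable_mfa_enforcment"` misspells "enforcement", and because a Terraform input name is the module's public interface, shipping it means either carrying the typo indefinitely or a breaking rename later; use `variable "enable_mfa_enforcement"` (and the matching `var.enable_mfa_enforcement` in policies.tf) before release. The description should also read `the group's IAM users` rather than `the groups IAM users`; the README row mirrors both strings, so fix them at the source and regenerate. Separately, `default = true` keeps the MFA Deny attached unless a caller opts out, which is the right secure default but contradicts the subject line "Do not attach ... by default" — keep the `true` default and state the opt-out semantics explicitly in the description, e.g. `Whether to add a statement denying all but MFA-setup actions to the self-management policy when the caller has not authenticated with MFA (set to false only if MFA is enforced elsewhere)`.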