
MFA enforcement should remain an opt-in feature in IAM groups; as such, `enable_mfa_enforcement` should default to `false`.

Open claytonchew opened this issue 6 months ago • 3 comments

Description

#313 introduces an undocumented change that forces MFA for all console and API users. A similar issue, #332, was created, and a supposed fix, #333, released in version 5.14.3, introduces a new enable_mfa_enforcement variable which defaults to true. This causes IAM groups with attach_iam_self_management_policy set to true to still inadvertently opt in to MFA enforcement, due to this line:

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/89fe17a6549728f1dc7e7a8f7b707486dfb45d89/modules/iam-group-with-policies/policies.tf#L157

In my opinion, MFA enforcement should be an opt-in feature. Users migrating from an older version (for example, version 5.3.1) to the current version may find that users in IAM groups with attach_iam_self_management_policy set to true suddenly lose access to their consoles, which can cause more harm than good.

If the maintainers agree, I am willing to submit a PR along with clear documentation to ensure that the implications of enabling MFA enforcement are made clear.

Versions

  • Module version [Required]: 5.43.0

  • Terraform version: 1.3+

  • Provider version(s): 5.x.x

Reproduction Code [Required]

module "iam_group_test" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "5.43.0"

  name                              = "test-group"
  attach_iam_self_management_policy = true

  group_users = [
    module.iam_testuser.iam_user_name,
  ]

  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]
}

module "iam_testuser" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "5.43.0"

  name                          = "testuser"
  create_iam_user_login_profile = true
}

Steps to reproduce the behavior:

  1. Create an iam-group-with-policies module with attach_iam_self_management_policy set to true, without specifying enable_mfa_enforcement (left at its default).
  2. Attach a user to the group.
  3. Log in as that user via the console and try to access any service.

Result:

  • AccessDenied error due to MFA being enforced

Expected behavior

enable_mfa_enforcement should default to false

Actual behavior

enable_mfa_enforcement currently defaults to true, as shown in this line: https://github.com/terraform-aws-modules/terraform-aws-iam/blob/89fe17a6549728f1dc7e7a8f7b707486dfb45d89/modules/iam-group-with-policies/variables.tf#L40

claytonchew, Aug 13 '24 01:08
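To make the AccessDenied result reported above concrete, the following added example (written for this page; it is neither the reporter's code nor the module's own policies.tf) simulates how an explicit Deny with a NotAction list and an aws:MultiFactorAuthPresent condition overrides an AdministratorAccess allow. The MFA_ENFORCEMENT_POLICY document below is a constructed approximation of the common "deny everything except MFA self-management when no MFA is present" pattern, not the module's actual policy, and the evaluator only models Action/NotAction matching and the Bool/BoolIfExists operators, not resources, principals or SCPs.

```python
"""Toy IAM policy evaluator for the MFA-enforcement pattern (constructed example)."""
import fnmatch
from typing import Any

# Constructed approximation of an MFA-enforcement policy. It is an assumption
# for illustration, not the terraform-aws-iam module's real policy document.
MFA_ENFORCEMENT_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            # Everything NOT in this list is denied when the condition holds,
            # so the user keeps just enough access to enrol an MFA device.
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            # BoolIfExists: the deny also fires when the key is absent, which is
            # the case for API calls made with long-term access keys.
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        }
    ],
}

# Shape of the AWS-managed AdministratorAccess policy: allow everything.
ADMINISTRATOR_ACCESS: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: list[str], action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt: dict[str, Any], action: str) -> bool:
    if "Action" in stmt:
        return _action_matches(_as_list(stmt["Action"]), action)
    if "NotAction" in stmt:
        return not _action_matches(_as_list(stmt["NotAction"]), action)
    return False


def _condition_met(condition: dict[str, Any], context: dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            equal = present and str(context[key]).lower() == str(expected).lower()
            if operator == "Bool" and not equal:
                return False  # key must exist and match
            if operator == "BoolIfExists" and present and not equal:
                return False  # absent key counts as a match
            if operator not in ("Bool", "BoolIfExists"):
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policies: list[dict[str, Any]], action: str, context: dict[str, str]) -> str:
    """Return 'Deny' if any applicable statement denies, 'Allow' if one allows,
    otherwise the implicit 'Deny'. Explicit Deny always wins, as in IAM."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    enforced = [ADMINISTRATOR_ACCESS, MFA_ENFORCEMENT_POLICY]
    console_no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    for label, ctx in [("console, no MFA", console_no_mfa),
                       ("access key (no key in context)", {}),
                       ("console, MFA", {"aws:MultiFactorAuthPresent": "true"})]:
        print(label, "s3:ListAllMyBuckets ->", evaluate(enforced, "s3:ListAllMyBuckets", ctx))
    print("enforcement off ->", evaluate([ADMINISTRATOR_ACCESS], "s3:ListAllMyBuckets", console_no_mfa))
```

Running it shows why an administrator in the reproduction loses console access: with the enforcement policy attached, every action outside the NotAction list is denied until the session carries aws:MultiFactorAuthPresent=true, and the deny also covers plain access-key API calls because the condition key is absent there. With only AdministratorAccess attached (the pre-5.14.3 behaviour the issue asks to restore by default) the same calls are allowed.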