
MFA test condition is Bool where it should be BoolIfExists

Open · DutchEllie opened this issue 1 year ago · 1 comment

Description

In the IAM assumable role module, the option to create a role with an MFA condition is not working properly when using long-term credentials. The condition to check if MFA is enabled is currently Bool, which fails when the aws:MultiFactorAuthPresent variable is not present (such as when running with long-term credentials using the AWS CLI). AWS strongly recommends not doing this, as this breaks the above use case of the AWS CLI.

Instead, they recommend that you use the BoolIfExists operator to check this condition. Therefore I suggest that you change the operator to BoolIfExists. In addition, I suggest changing the operator for the aws:MultiFactorAuthAge condition to NumericLessThanIfExists to make sure this does not fail either when using a long-term credential type.

  • [x] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version: 5.44.0

Reproduction Code

I understand that you ask for "code that works without modifications", but uh no.. I will redact things.

```hcl
module "describecluster_policy" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
  version = ">= 5.44.0, < 6.0.0"

  name        = "describecluster"
  path        = "/"
  description = "Policy with the DescribeCluster permission for the cluster"

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "eks:DescribeCluster",
      "Resource": "<Redacted>"
    }
  ]
}
EOF
}

module "cluster_admin_role" {
  source      = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
  version     = ">= 5.44.0, < 6.0.0"
  create_role = true

  trusted_role_arns = [
    "<Redacted>",
  ]
  role_name         = "cluster_admin_role"
  role_requires_mfa = true

  custom_role_policy_arns = [
    module.describecluster_policy.arn
  ]
}
```

Steps to reproduce the behavior:

  1. It doesn't matter how you set up the describecluster policy, as long as you can assume the role it's fine.
  2. Set up your user's arn in the trusted_role_arns array.
  3. Deploy the code
  4. Use long-term credentials to try and assume the role (via the CLI for example)

Expected behavior

I expect that using the role_requires_mfa makes it so that I can actually use the role using my terminal as well.
I also expect that this AWS module follows AWS's recommendations.

Following from that, I expect the operation of assuming the role to succeed.

Actual behavior

Assuming the role doesn't succeed. I don't have access, because long-term credentials don't have the aws:MultiFactorAuthPresent condition set to anything, so the Bool operator fails.

DutchEllie avatar Sep 16 '24 07:09 DutchEllie
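As an added example (not code from the issue author or from the terraform-aws-iam module), the following Python script simulates how the Bool, BoolIfExists, NumericLessThan and NumericLessThanIfExists condition operators evaluate against request contexts with and without the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge keys. The request contexts, the principal ARN, the 3600-second MFA age threshold and the policy shape are constructed for illustration; the operator semantics follow the documented IAM rule that an IfExists operator evaluates to true when the key is absent from the request.

```python
"""Simulation of IAM condition-operator semantics for MFA conditions.

Constructed example: this is not AWS's policy evaluator and not code from
the terraform-aws-iam module; request contexts and policies are made up.
"""

# Constructed request contexts. A call made with long-term access keys
# carries neither aws:MultiFactorAuthPresent nor aws:MultiFactorAuthAge;
# temporary credentials carry both (age = seconds since MFA authentication).
LONG_TERM_CREDS = {}
TEMP_CREDS_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "600"}
TEMP_CREDS_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
TEMP_CREDS_STALE_MFA = {"aws:MultiFactorAuthPresent": "true", "aws:MultiFactorAuthAge": "7200"}

MFA_MAX_AGE_SECONDS = "3600"  # constructed threshold, not the module's default


def trust_policy(bool_operator, numeric_operator):
    """Build a role trust policy in the shape the issue describes, using the
    operators passed in. The principal ARN is a constructed placeholder."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::123456789012:user/example"},
                "Condition": {
                    bool_operator: {"aws:MultiFactorAuthPresent": "true"},
                    numeric_operator: {"aws:MultiFactorAuthAge": MFA_MAX_AGE_SECONDS},
                },
            }
        ],
    }


STRICT_POLICY = trust_policy("Bool", "NumericLessThan")
IF_EXISTS_POLICY = trust_policy("BoolIfExists", "NumericLessThanIfExists")


def operator_matches(operator, key, expected, ctx):
    """Evaluate one operator on one key. With the IfExists suffix a missing key
    evaluates to true; without it a missing key evaluates to false."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in ctx:
        return if_exists
    actual = ctx[key]
    if base == "Bool":
        return actual.lower() == expected.lower()
    if base == "NumericLessThan":
        return float(actual) < float(expected)
    raise ValueError(f"unsupported operator: {operator}")


def condition_matches(condition, ctx):
    """Every operator block and every key inside it must match (logical AND)."""
    return all(
        operator_matches(op, key, expected, ctx)
        for op, pairs in condition.items()
        for key, expected in pairs.items()
    )


def assume_role_allowed(policy, ctx):
    """Explicit Deny wins, a matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Action") != "sts:AssumeRole":
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def decision_table():
    """Decision of each policy variant for each constructed request context."""
    contexts = {
        "long-term creds (no MFA keys)": LONG_TERM_CREDS,
        "temp creds, MFA 600s ago": TEMP_CREDS_MFA,
        "temp creds, no MFA": TEMP_CREDS_NO_MFA,
        "temp creds, MFA 7200s ago": TEMP_CREDS_STALE_MFA,
    }
    policies = {
        "Bool/NumericLessThan": STRICT_POLICY,
        "BoolIfExists/NumericLessThanIfExists": IF_EXISTS_POLICY,
    }
    return {
        name: {label: assume_role_allowed(pol, ctx) for label, ctx in contexts.items()}
        for name, pol in policies.items()
    }


if __name__ == "__main__":
    for policy_name, rows in decision_table().items():
        print(policy_name)
        for ctx_name, allowed in rows.items():
            print(f"  {ctx_name:32} -> {'allow' if allowed else 'deny'}")
```

Running the script prints one row per request context for each operator pair. The row worth checking before changing a trust policy is the long-term-credential one: because that request carries neither key, the IfExists operators evaluate to true and the Allow statement matches, so the role is assumed with no MFA check at all, whereas the Bool/NumericLessThan pair denies it. Temporary credentials with MFA present and fresh are allowed by both variants, and stale or absent MFA is denied by both.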

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

github-actions[bot] avatar Oct 17 '24 00:10 github-actions[bot]

This issue was automatically closed because of stale in 10 days

github-actions[bot] avatar Oct 27 '24 00:10 github-actions[bot]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Nov 26 '24 02:11 github-actions[bot]

This issue has been resolved in version 6.0.0 :tada:

antonbabenko avatar Aug 13 '25 19:08 antonbabenko