fix: Do not attach force MFA statement for iam-groups-with-policies by default #333

Merged
merged 10 commits into from
Mar 23, 2023
1 change: 1 addition & 0 deletions modules/iam-group-with-policies/README.md
Expand Up @@ -44,6 +44,7 @@ No modules.
| <a name="input_create_group"></a> [create\_group](#input\_create\_group) | Whether to create IAM group | `bool` | `true` | no |
| <a name="input_custom_group_policies"></a> [custom\_group\_policies](#input\_custom\_group\_policies) | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | `list(map(string))` | `[]` | no |
| <a name="input_custom_group_policy_arns"></a> [custom\_group\_policy\_arns](#input\_custom\_group\_policy\_arns) | List of IAM policies ARNs to attach to IAM group | `list(string)` | `[]` | no |
| <a name="input_enable_mfa_enforcment"></a> [enable\_mfa\_enforcment](#input\_enable\_mfa\_enforcment) | Determines whether permissions are added to the policy which requires the groups IAM users to use MFA | `bool` | `true` | no |
| <a name="input_group_users"></a> [group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
| <a name="input_iam_self_management_policy_name_prefix"></a> [iam\_self\_management\_policy\_name\_prefix](#input\_iam\_self\_management\_policy\_name\_prefix) | Name prefix for IAM policy to create with IAM self-management permissions | `string` | `"IAMSelfManagement-"` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of IAM group | `string` | `""` | no |
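Review bot: the new input's name `enable_mfa_enforcment` carries a typo (`enforcement`). This table is generated by terraform-docs from variables.tf, so the rename has to happen there, and it should happen before merge: once released, the misspelled name is part of the module's public interface and correcting it later is a breaking change for every caller. The description should also read "the group's IAM users".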
45 changes: 23 additions & 22 deletions modules/iam-group-with-policies/policies.tf
Expand Up @@ -145,28 +145,29 @@ data "aws_iam_policy_document" "iam_self_management" {
]
}

statement {
sid = "DenyAllExceptListedIfNoMFA"

effect = "Deny"

not_actions = [
"iam:ChangePassword",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
]

resources = ["*"]

condition {
test = "BoolIfExists"
variable = "aws:MultiFactorAuthPresent"
values = ["false"]
dynamic "statement" {
for_each = var.enable_mfa_enforcment ? [1] : []

content {
sid = "DenyAllExceptListedIfNoMFA"
effect = "Deny"
not_actions = [
"iam:ChangePassword",
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
]
resources = ["*"]

condition {
test = "BoolIfExists"
variable = "aws:MultiFactorAuthPresent"
values = ["false"]
}
}
}
}
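Review bot: the `dynamic "statement"` with `for_each = var.enable_mfa_enforcment ? [1] : []` is the right construct, but note what it removes: `DenyAllExceptListedIfNoMFA` is the only Deny in `iam_self_management`, so with the flag set to `false` every Allow in this document becomes usable from a plain password session with no MFA device enrolled. That trade-off should be spelled out in the variable description and README rather than left implicit in the flag name, and it would be worth an example or test that renders the document with both values so the statement's presence and absence is visible in the plan.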
6 changes: 6 additions & 0 deletions modules/iam-group-with-policies/variables.tf
Expand Up @@ -28,6 +28,12 @@ variable "custom_group_policies" {
default = []
}

variable "enable_mfa_enforcment" {
description = "Determines whether permissions are added to the policy which requires the groups IAM users to use MFA"
type = bool
default = true
}

variable "attach_iam_self_management_policy" {
description = "Whether to attach IAM policy which allows IAM users to manage their credentials and MFA"
type = bool
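Review bot: `default = true` contradicts the PR title, which says the force-MFA statement is not attached by default; one of the two needs to change. `true` is the safer choice (existing callers keep the MFA-required Deny unless they opt out), so consider fixing the title instead of the default. Separately, since the statement lives in the `iam_self_management` document, the description should say that this variable only has an effect when `attach_iam_self_management_policy` is `true`.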