fix: Do not attach force MFA statement for iam-groups-with-policies by default (#333)

enver · bryantbiggs · web-flow · commit b9f3409fb696 · 2023-03-22T20:33:53.000-04:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/modules/iam-group-with-policies/README.md b/modules/iam-group-with-policies/README.md
@@ -44,6 +44,7 @@ No modules.
 | <a name="input_create_group"></a> [create\_group](#input\_create\_group) | Whether to create IAM group | `bool` | `true` | no |
 | <a name="input_custom_group_policies"></a> [custom\_group\_policies](#input\_custom\_group\_policies) | List of maps of inline IAM policies to attach to IAM group. Should have `name` and `policy` keys in each element. | `list(map(string))` | `[]` | no |
 | <a name="input_custom_group_policy_arns"></a> [custom\_group\_policy\_arns](#input\_custom\_group\_policy\_arns) | List of IAM policies ARNs to attach to IAM group | `list(string)` | `[]` | no |
+| <a name="input_enable_mfa_enforcment"></a> [enable\_mfa\_enforcment](#input\_enable\_mfa\_enforcment) | Determines whether permissions are added to the policy which requires the groups IAM users to use MFA | `bool` | `true` | no |
 | <a name="input_group_users"></a> [group\_users](#input\_group\_users) | List of IAM users to have in an IAM group which can assume the role | `list(string)` | `[]` | no |
 | <a name="input_iam_self_management_policy_name_prefix"></a> [iam\_self\_management\_policy\_name\_prefix](#input\_iam\_self\_management\_policy\_name\_prefix) | Name prefix for IAM policy to create with IAM self-management permissions | `string` | `"IAMSelfManagement-"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of IAM group | `string` | `""` | no |
diff --git a/modules/iam-group-with-policies/policies.tf b/modules/iam-group-with-policies/policies.tf
@@ -145,28 +145,29 @@ data "aws_iam_policy_document" "iam_self_management" {
     ]
   }
 
-  statement {
-    sid = "DenyAllExceptListedIfNoMFA"
-
-    effect = "Deny"
-
-    not_actions = [
-      "iam:ChangePassword",
-      "iam:CreateVirtualMFADevice",
-      "iam:EnableMFADevice",
-      "iam:GetUser",
-      "iam:ListMFADevices",
-      "iam:ListVirtualMFADevices",
-      "iam:ResyncMFADevice",
-      "sts:GetSessionToken"
-    ]
-
-    resources = ["*"]
-
-    condition {
-      test     = "BoolIfExists"
-      variable = "aws:MultiFactorAuthPresent"
-      values   = ["false"]
+  dynamic "statement" {
+    for_each = var.enable_mfa_enforcment ? [1] : []
+
+    content {
+      sid    = "DenyAllExceptListedIfNoMFA"
+      effect = "Deny"
+      not_actions = [
+        "iam:ChangePassword",
+        "iam:CreateVirtualMFADevice",
+        "iam:EnableMFADevice",
+        "iam:GetUser",
+        "iam:ListMFADevices",
+        "iam:ListVirtualMFADevices",
+        "iam:ResyncMFADevice",
+        "sts:GetSessionToken"
+      ]
+      resources = ["*"]
+
+      condition {
+        test     = "BoolIfExists"
+        variable = "aws:MultiFactorAuthPresent"
+        values   = ["false"]
+      }
     }
   }
 }
diff --git a/modules/iam-group-with-policies/variables.tf b/modules/iam-group-with-policies/variables.tf
@@ -28,6 +28,12 @@ variable "custom_group_policies" {
   default     = []
 }
 
+variable "enable_mfa_enforcment" {
+  description = "Determines whether permissions are added to the policy which requires the groups IAM users to use MFA"
+  type        = bool
+  default     = true
+}
+
 variable "attach_iam_self_management_policy" {
   description = "Whether to attach IAM policy which allows IAM users to manage their credentials and MFA"
   type        = bool
