
terraform-module/terraform-aws-enforce-mfa


Module TERRAFORM-AWS-ENFORCE-MFA

Terraform module terraform-aws-enforce-mfa


Maintenance


Documentations

Optional .aws/config setup and aws-vault

[profile personal]
region=us-west-2
output=json

[profile work]
region=us-west-1
output=json

[profile work]
source_profile = work
mfa_serial = arn:aws:iam::<account>:mfa/<username>
credential_process = aws-vault exec work --json

[profile personal]
source_profile = personal
mfa_serial = arn:aws:iam::<account>:mfa/<username>
credential_process = aws-vault exec personal --json

Usage example

Here's the gist of using it directly from GitHub.

# Look up the account that the current credentials belong to.
data "aws_caller_identity" "current" {}

resource "aws_iam_group" "support" {
  name = "support"
}

# Attach the MFA-enforcement policy to the members of the listed groups.
module "enforce_mfa" {
  source  = "terraform-module/enforce-mfa/aws"
  version = "~> 1.0"

  policy_name                     = "managed-mfa-enforce"
  account_id                      = data.aws_caller_identity.current.account_id
  groups                          = [aws_iam_group.support.name]
  manage_own_signing_certificates = true
  manage_own_ssh_public_keys      = true
  manage_own_git_credentials      = true
}

Assumptions

Available features

Module Variables

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.15.0 |
| aws | >= 3.38 |

Providers

| Name | Version |
|------|---------|
| aws | >= 3.38 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_iam_group_policy_attachment.to_groups | resource |
| aws_iam_policy.this | resource |
| aws_iam_policy_document.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| account_id | Account identification. (Optional, default '*') | string | "*" | no |
| groups | Enforce MFA for the members in these groups. (Optional, default '[]') | list(string) | [] | no |
| manage_explicit_deny | Manage explicit deny. | bool | false | no |
| manage_own_access_keys | Allow a new AWS secret access key and corresponding AWS access key ID for the specified user. | bool | false | no |
| manage_own_git_credentials | Allow managing git credentials. | bool | false | no |
| manage_own_signing_certificates | Allow managing signing certificates. | bool | false | no |
| manage_own_ssh_public_keys | Allow managing ssh public keys. | bool | false | no |
| path | Path in which to create the policy. (Optional, default '/') | string | "/" | no |
| policy_name | The name of the policy. | string | "managed-force-mfa-policy" | no |

Outputs

| Name | Description |
|------|-------------|
| arn | The policy's ARN. |
| groups | The groups to which policy is attached |
| id | The policy's ID. |
| policy_json | The above arguments serialized as a standard JSON policy document. |
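
An added example, not part of the module or its README: a Python check that could run in CI over the policy_json output to confirm the policy contains a Deny conditioned on missing MFA, and that it uses BoolIfExists rather than Bool. The two sample policies are constructed from AWS's documented MFA self-service pattern, not copied from the module; the function and Sid names are assumptions.

```python
import json

MFA_KEY = "aws:multifactorauthpresent"  # condition keys compare case-insensitively

def _as_list(value):
    return value if isinstance(value, list) else [value]

def mfa_deny_findings(policy_json):
    """Return a list of problems; an empty list means MFA is enforced by a Deny."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    operators = set()
    for stmt in statements:
        if stmt.get("Effect") != "Deny" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                values = [str(v).lower() for v in _as_list(value)]
                if key.lower() == MFA_KEY and values == ["false"]:
                    operators.add(operator.lower())
    if "boolifexists" in operators:
        return []
    if "bool" in operators:
        # Long-term access keys send no MFA key at all, so a plain Bool
        # condition does not match and the Deny never applies to them.
        return ["Deny uses Bool; use BoolIfExists to cover long-term access keys"]
    return ["no Deny on Resource '*' conditioned on aws:MultiFactorAuthPresent = false"]

def _policy(operator):
    # Constructed sample following AWS's documented MFA self-service pattern.
    self_service = ["iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"]
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowManageOwnMFA", "Effect": "Allow", "Action": self_service,
             "Resource": "arn:aws:iam::*:user/${aws:username}"},
            {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
             "NotAction": self_service + ["sts:GetSessionToken"], "Resource": "*",
             "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    })

SAMPLE_STRONG = _policy("BoolIfExists")
SAMPLE_WEAK = _policy("Bool")

if __name__ == "__main__":
    for name, doc in (("strong", SAMPLE_STRONG), ("weak", SAMPLE_WEAK)):
        print(name, mfa_deny_findings(doc) or "ok")
```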

Commands

$ make help
hooks                          Commit hooks setup
validate                       Validate with pre-commit hooks

πŸ“ Guidelines

  • πŸ“ Use a succinct title and description.
  • πŸ› Bugs & feature requests can be be opened
  • πŸ“Ά Support questions are better asked on Stack Overflow
  • 😊 Be nice, civil and polite (as always).

License

MIT Licensed. See LICENSE for full details.

How to Contribute

Submit a pull request

Authors

Currently maintained by Ivan Katliarchuk and these awesome contributors.
