Configures IAM policy to enforce MFA when accessing the AWS API.
This configured policy also requires users to assume a role for most API calls.
Creates the following resources:
- IAM policy requiring a valid MFA security token for all API calls except those needed for managing a user's own IAM user.
- IAM group policy attachment for defining which IAM groups to enforce MFA on.
- IAM user policy attachment for defining which IAM users to enforce MFA on.
module "aws_mfa" {
source = "trussworks/mfa/aws"
iam_groups = ["engineers"]
iam_users = ["joe"]
}| Name | Version |
|---|---|
| terraform | >= 0.12 |
| Name | Version |
|---|---|
| aws | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| iam_groups | List of IAM groups to enforce MFA when accessing the AWS API. | list(string) |
[] |
no |
| iam_users | List of IAM users to enforce MFA when accessing the AWS API. | list(string) |
[] |
no |
No output.
Install dependencies (macOS)
brew install pre-commit go terraform terraform-docsTerratest is being used for
automated testing with this module. Tests in the test folder can be run
locally by running the following command:
make test
Or with aws-vault:
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test