Add flag to require users to have MFA enabled (#4)

cloudposse · Apr 12, 2018 · 18ee773 · 18ee773
1 parent 1dd369a
commit 18ee773
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,4 @@
 # Module directory
 .terraform/
 .idea
-terraform-aws-organization-access-group.iml
+*.iml
diff --git a/README.md b/README.md
@@ -51,6 +51,7 @@ module "organization_access_group" {
   name              = "cluster"
   user_names        = ["User1","User2"]
   member_account_id = "XXXXXXXXXXXXXX"
+  require_mfa       = "true"
 }
 ```
 
@@ -65,9 +66,10 @@ module "organization_access_group" {
 | `user_names`          | ``                                | A list of IAM User names to associate with the Group                                     | Yes      |
 | `member_account_id`   | ``                                | The ID of the member account to grant access permissions to the users in the Group       | Yes      |
 | `role_name`           | `OrganizationAccountAccessRole`   | The name of the Role in the member account to grant permissions to the users in the Group   | No       |
-| `attributes`          | `[]`                              | Additional attributes (_e.g._ `policy` or `role`)                                        | No       |
+| `attributes`          | `[]`                              | Additional attributes (_e.g._ `1`)                                                       | No       |
 | `tags`                | `{}`                              | Additional tags  (_e.g._ `map("BusinessUnit","XYZ")`                                     | No       |
 | `delimiter`           | `-`                               | Delimiter to be used between `namespace`, `stage`, `name`, and `attributes`              | No       |
+| `require_mfa`         | `false`                           | Require the users to have MFA enabled                                                    | No       |
 
 
 ## Outputs

diff --git a/main.tf b/main.tf
@@ -21,7 +21,38 @@ resource "aws_iam_group_membership" "default" {
 }
 
 # https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html
-data "aws_iam_policy_document" "default" {
+data "aws_iam_policy_document" "with_mfa" {
+  count = "${var.require_mfa == "true" ? 1 : 0}"
+
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    resources = [
+      "arn:aws:iam::${var.member_account_id}:role/${var.role_name}",
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:MultiFactorAuthPresent"
+      values   = ["true"]
+    }
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_group_policy" "with_mfa" {
+  count  = "${var.require_mfa == "true" ? 1 : 0}"
+  name   = "${module.label.id}"
+  group  = "${aws_iam_group.default.id}"
+  policy = "${data.aws_iam_policy_document.with_mfa.json}"
+}
+
+data "aws_iam_policy_document" "without_mfa" {
+  count = "${var.require_mfa == "true" ? 0 : 1}"
+
   statement {
     actions = [
       "sts:AssumeRole",
@@ -35,9 +66,9 @@ data "aws_iam_policy_document" "default" {
   }
 }
 
-# https://www.terraform.io/docs/providers/aws/r/iam_group_policy.html
-resource "aws_iam_group_policy" "default" {
+resource "aws_iam_group_policy" "without_mfa" {
+  count  = "${var.require_mfa == "true" ? 0 : 1}"
   name   = "${module.label.id}"
   group  = "${aws_iam_group.default.id}"
-  policy = "${data.aws_iam_policy_document.default.json}"
+  policy = "${data.aws_iam_policy_document.without_mfa.json}"
 }
diff --git a/output.tf b/output.tf
@@ -15,9 +15,9 @@ output "group_arn" {
 }
 
 output "policy_name" {
-  value = "${aws_iam_group_policy.default.name}"
+  value = "${join("", coalescelist(aws_iam_group_policy.without_mfa.*.name, aws_iam_group_policy.with_mfa.*.name))}"
 }
 
 output "policy_id" {
-  value = "${aws_iam_group_policy.default.id}"
+  value = "${join("", coalescelist(aws_iam_group_policy.without_mfa.*.id, aws_iam_group_policy.with_mfa.*.id))}"
 }
diff --git a/variables.tf b/variables.tf
@@ -14,6 +14,12 @@ variable "role_name" {
   description = "The name of the Role in the member account to grant permissions to the users in the Group"
 }
 
+variable "require_mfa" {
+  type        = "string"
+  default     = "false"
+  description = "Require the users to have MFA enabled"
+}
+
 variable "namespace" {
   type        = "string"
   description = "Namespace (e.g. `cp` or `cloudposse`)"
@@ -38,11 +44,11 @@ variable "delimiter" {
 variable "attributes" {
   type        = "list"
   default     = []
-  description = "Additional attributes (e.g. `policy` or `role`)"
+  description = "Additional attributes (e.g. `1`)"
 }
 
 variable "tags" {
   type        = "map"
   default     = {}
-  description = "Additional tags (e.g. map('BusinessUnit`,`XYZ`)"
+  description = "Additional tags (e.g. map(`BusinessUnit`,`XYZ`)"
 }