Enforces MFA on an AWS account
.circleci
.dependabot
examples/simple
test
.gitignore
.golangci.yml
.markdownlintrc
.pre-commit-config.yaml
.terraform-version
LICENSE
Makefile
README.md
go.mod
go.sum
main.tf
variables.tf
versions.tf

README.md

Configures an IAM policy that enforces MFA when accessing the AWS API.

The configured policy also requires users to assume a role for most API calls.

Creates the following resources:

  • IAM policy requiring a valid MFA security token for all API calls except those needed for managing a user's own IAM user.
  • IAM group policy attachment for defining which IAM groups to enforce MFA on.
  • IAM user policy attachment for defining which IAM users to enforce MFA on.
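The resources listed above follow a well-known IAM pattern: allow the handful of actions a user needs to enrol and manage their own MFA device, then deny everything else unless `aws:MultiFactorAuthPresent` is true. The block below is an added illustration of that pattern written for this page; it is not the module's own `main.tf`, and the data source, local, resource and policy names are assumptions. It only assumes a `var.iam_groups` input declared as in the Inputs table.

```hcl
# Added example of the MFA-enforcement pattern; not the module's main.tf.
# Names (locals, resource labels, policy name) are assumptions.

data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id
  # "$${aws:username}" escapes to the literal ${aws:username} policy variable,
  # which IAM resolves to the calling user at evaluation time.
  self_user_arn = "arn:aws:iam::${local.account_id}:user/$${aws:username}"
  self_mfa_arn  = "arn:aws:iam::${local.account_id}:mfa/$${aws:username}"
}

data "aws_iam_policy_document" "enforce_mfa" {
  # Listing calls a user needs before any MFA device exists.
  statement {
    sid       = "AllowListActions"
    effect    = "Allow"
    actions   = ["iam:ListUsers", "iam:ListVirtualMFADevices"]
    resources = ["*"]
  }

  # Managing one's own IAM user and MFA device, scoped to the caller only.
  statement {
    sid    = "AllowManageOwnUserAndMFA"
    effect = "Allow"
    actions = [
      "iam:GetUser",
      "iam:ChangePassword",
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:ListMFADevices",
      "iam:ResyncMFADevice",
    ]
    resources = [local.self_user_arn, local.self_mfa_arn]
  }

  # Removing a device is itself gated on MFA, so a stolen password alone
  # cannot strip the second factor.
  statement {
    sid       = "AllowDeactivateOwnMFAOnlyWithMFA"
    effect    = "Allow"
    actions   = ["iam:DeactivateMFADevice", "iam:DeleteVirtualMFADevice"]
    resources = [local.self_user_arn, local.self_mfa_arn]
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }

  # Everything not listed is denied when MFA is absent. BoolIfExists matters:
  # requests signed with long-term access keys carry no
  # aws:MultiFactorAuthPresent key at all, and BoolIfExists treats a missing
  # key as matching, so those requests are denied too. sts:GetSessionToken
  # stays reachable so the user can mint MFA-backed temporary credentials.
  statement {
    sid    = "DenyAllExceptListedIfNoMFA"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken",
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "enforce_mfa" {
  name   = "enforce-mfa" # assumed name
  policy = data.aws_iam_policy_document.enforce_mfa.json
}

# Attach to every group passed in via var.iam_groups (Terraform 0.12 for_each).
resource "aws_iam_group_policy_attachment" "enforce_mfa" {
  for_each   = toset(var.iam_groups)
  group      = each.value
  policy_arn = aws_iam_policy.enforce_mfa.arn
}
```

Two checks worth doing after applying a policy like this: confirm with a user that has no MFA device that `aws sts get-caller-identity` still works (it is not denied by this pattern) while a data-plane call such as listing S3 buckets is denied, and confirm that after `sts:GetSessionToken` with `--serial-number` and `--token-code` the same call succeeds. If the condition were written with `Bool` instead of `BoolIfExists`, long-term access keys would silently bypass the deny.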

Terraform Versions

Terraform 0.12: pin the module version to ~> 2.X and submit pull requests to the master branch.

Terraform 0.11: pin the module version to ~> 1.X and submit pull requests to the terraform011 branch.

Usage

```hcl
module "aws_mfa" {
  source = "trussworks/mfa/aws"

  iam_groups = ["engineers"]
  iam_users  = ["joe"]
}
```

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| iam_groups | List of IAM groups to enforce MFA when accessing the AWS API. | list(string) | [] | no |
| iam_users | List of IAM users to enforce MFA when accessing the AWS API. | list(string) | [] | no |

Developer Setup

Install dependencies (macOS)

```sh
brew install pre-commit go terraform terraform-docs
```

Testing

This module uses Terratest for automated testing. The tests in the test folder can be run locally with:

```sh
make test
```

Or with aws-vault:

```sh
AWS_VAULT_KEYCHAIN_NAME=<NAME> aws-vault exec <PROFILE> -- make test
```