The user is prevented from performing any action until they have set up MFA.
For the same reason, the user is not forced to set a password on first login.
This policy does not allow users to reset a password while signing in to the AWS Management Console for the first time. We recommend that you do not grant permissions to new users until after they sign in. You can allow this by adding iam:ChangePassword and iam:GetAccountPasswordPolicy to the statement DenyAllExceptListedIfNoMFA. However, we do not recommend this because allowing users to change their password without MFA can be a security risk.
There will be 3 groups
Admin: full permission
Developer: power access
Bot account: power access + full IAM access
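The MFA-enforcement policy referred to above, with its DenyAllExceptListedIfNoMFA statement, written as a Terraform policy document and attached to the admin and developer groups. This is an added example, not the code in this PR; the group names, the policy name and the choice to leave the bot group out (Terraform Cloud authenticates with an access key and cannot answer an MFA challenge) are assumptions.

```hcl
# Added example: MFA enforcement for console users, not the PR's own code.
data "aws_iam_policy_document" "enforce_mfa" {
  # The only self-service a user gets before MFA exists: enrolling a device.
  statement {
    sid    = "AllowManageOwnMFA"
    effect = "Allow"
    actions = [
      "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
      "iam:ListMFADevices", "iam:ResyncMFADevice", "iam:GetUser",
    ]
    # $${...} is HCL escaping for the literal IAM variable ${aws:username}.
    resources = [
      "arn:aws:iam::*:mfa/$${aws:username}",
      "arn:aws:iam::*:user/$${aws:username}",
    ]
  }

  # Everything not in not_actions is denied while no MFA is present.
  # BoolIfExists also matches requests where the key is absent (plain access key).
  statement {
    sid    = "DenyAllExceptListedIfNoMFA"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
      "iam:ListMFADevices", "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice", "sts:GetSessionToken",
      # iam:ChangePassword and iam:GetAccountPasswordPolicy are deliberately
      # left out: listing them would allow a password change without MFA.
    ]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "enforce_mfa" {
  name   = "EnforceMFA" # assumed name
  policy = data.aws_iam_policy_document.enforce_mfa.json
}

# Assumed group names; the bot group is intentionally not attached.
resource "aws_iam_group_policy_attachment" "enforce_mfa" {
  for_each   = toset(["admin", "developer"])
  group      = each.value
  policy_arn = aws_iam_policy.enforce_mfa.arn
}
```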
As the bot account (used by Terraform) is also generated by code, how can a user who generates a new project provision it? The following steps are needed:
Create a bot account manually using the AWS console
Get an access key for that bot account to put on Terraform Cloud
Provision the project
Get the generated user credentials (admins, developers & bot), then use the new bot account to generate an access key to replace the one on AWS and remove the old access key.
All of the above steps will be documented in the wiki in another PR.
Proof Of Work 📹
Generate a new project using this template and run terraform plan, showing no (syntax) errors.
What happened 👀
This PR allows the provisioning of IAM groups & users by code.