terraform-aws-modules / terraform-aws-iam

Terraform module to create AWS IAM resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/iam/aws
Apache License 2.0

(iam-group-with-policies) user first password reset is denied if mfa enforcement is enabled #447

Closed Lyneals closed 8 months ago

Lyneals commented 10 months ago

Description

iam:ChangePassword permission has been removed from explicit deny allowed list in commit https://github.com/terraform-aws-modules/terraform-aws-iam/commit/eb5b21840bdb1e5549c24200920250692844bcee

This used to be implemented since https://github.com/terraform-aws-modules/terraform-aws-iam/commit/b9f3409fb696abee186b5b914e87ef7a783492a0

User first login with password reset required is now blocked, as the DenyAllExceptListedIfNoMFA statement denies iam:ChangePassword and the user cannot set up MFA before changing the password.

Versions

terraform -version
Terraform v1.6.6
on linux_amd64
terraform providers -version
Terraform v1.6.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.30.0

Reproduction Code [Required]

module "users" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "~> 5.32"

  name          = "test"
  force_destroy = true

  password_reset_required       = true
  create_iam_access_key         = false
  create_iam_user_login_profile = true
}

module "groups" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "~> 5.32"

  name = "test-group"

  group_users = [module.users.iam_user_name]

  attach_iam_self_management_policy = true
  enable_mfa_enforcement            = true
}

Steps to reproduce the behavior:

Execute code above and try to login on AWS Console with the created user

Expected behavior

User is allowed to reset his password while MFA is not active

Actual behavior

User is stuck at the change password page

Terminal Output Screenshot(s)

N/A

Additional context
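
The interaction described in this issue can be checked without an AWS account. The following is an added example (not code from the issue or the module): a minimal model of how IAM evaluates a Deny statement with NotAction and a BoolIfExists condition on aws:MultiFactorAuthPresent. The action list is constructed for the example and modelled on the AWS self-management pattern; it assumes a separate Allow statement grants iam:ChangePassword, and it matches actions exactly (no wildcards).

```python
"""Model of the DenyAllExceptListedIfNoMFA statement for a first-login password reset."""
from typing import Iterable

# Actions kept reachable without MFA so a new user can enrol a device.
# Constructed list for this example, not the module's own policy document.
MFA_SETUP_ACTIONS = [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken",
]


def deny_all_except_listed_if_no_mfa(not_action: Iterable[str]) -> dict:
    """Build the Deny statement: everything except NotAction is denied when MFA is absent."""
    return {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": list(not_action),
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }


def statement_denies(statement: dict, action: str, context: dict) -> bool:
    """True if this Deny statement matches the request.

    NotAction matches every action not in the list. BoolIfExists treats a
    missing context key as a match, which is the situation for a console
    session where MFA was never used.
    """
    if statement["Effect"] != "Deny" or action in statement["NotAction"]:
        return False
    expected = statement["Condition"]["BoolIfExists"]["aws:MultiFactorAuthPresent"]
    present = context.get("aws:MultiFactorAuthPresent")
    if present is None:
        return True  # key absent: the IfExists condition evaluates to true
    return str(present).lower() == expected


def first_login_change_password_allowed(not_action: Iterable[str]) -> bool:
    """Can a user with password_reset_required call iam:ChangePassword before enrolling MFA?

    Assumes an Allow statement for iam:ChangePassword exists; an explicit Deny wins over it.
    """
    stmt = deny_all_except_listed_if_no_mfa(not_action)
    return not statement_denies(stmt, "iam:ChangePassword", context={})
```

With the list as constructed, the first-login password change is denied; adding iam:ChangePassword to the NotAction list restores it while every other action stays blocked until MFA is present.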

github-actions[bot] commented 9 months ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 8 months ago

This issue was automatically closed because it remained stale for 10 days.

github-actions[bot] commented 7 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.