MFA enforced for groups with policies since 5.11.0 #332

@enver

Description

#313 introduced an undocumented change to force MFA for all console and API requests. After applying the change, users are forced to enroll MFA before accessing services via console/API, without an option to opt in or disable it.

Versions

  • Module version [Required]: v5.11.0+

  • Terraform version:
    Terraform v1.3.7
    on darwin_amd64

  • Provider version(s):
    provider registry.terraform.io/hashicorp/aws v4.52.0

Reproduction Code [Required]

  • Apply iam-group-with-policies or iam-group-complete examples
  • Log in as one of the admin users
  • Try to access any service, i.e. list buckets
  • Result: AccessDenied error

Steps to reproduce the behavior:

  • Apply iam-group-with-policies or iam-group-complete examples
  • Log in as one of the admin users
  • Try to access any service, i.e. list buckets
  • Result: AccessDenied error due to MFA being enforced

Expected behavior

MFA enforcement should not be the default, but rather an opt-in feature.

Actual behavior

Unlike versions before 5.11.0, MFA is enforced for all created groups via the self-manage policy.

Terminal Output Screenshot(s)

None

Additional context

#313 introduced an undocumented change to force MFA for all console and API requests.

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-group-with-policies/policies.tf#L131
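
Added example, not part of the original issue and not the module's own code: a Python check that flags Deny statements conditioned on `aws:MultiFactorAuthPresent` in a rendered IAM policy, so a change like the one reported here can be spotted in review before an upgrade is applied. The sample policy follows the AWS-documented "deny unless MFA" pattern and is constructed for illustration; `find_mfa_gates` is a hypothetical helper name.

```python
import json

MFA_KEY = "aws:multifactorauthpresent"  # condition keys are case-insensitive

# Constructed sample policy (assumption for illustration, not copied from the module).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListMFA", "Effect": "Allow",
         "Action": "iam:ListVirtualMFADevices", "Resource": "*"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:EnableMFADevice", "iam:ListMFADevices",
                       "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})

def _as_list(value):
    """IAM allows a single value or a list in most positions."""
    return value if isinstance(value, list) else [value]

def find_mfa_gates(policy_json):
    """Return Deny statements that apply when the request carries no MFA."""
    findings = []
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            op = operator.lower()
            if not op.startswith("bool"):
                continue
            for key, values in keys.items():
                vals = [str(v).lower() for v in _as_list(values)]
                if key.lower() != MFA_KEY or "false" not in vals:
                    continue
                findings.append({
                    "sid": stmt.get("Sid", "<no Sid>"),
                    # With IfExists the Deny also matches requests where the
                    # key is absent, e.g. long-term access keys used via API.
                    "blocks_access_keys": op.endswith("ifexists"),
                    "deny_everything_except":
                        _as_list(stmt["NotAction"]) if "NotAction" in stmt else None,
                    "deny_only":
                        _as_list(stmt["Action"]) if "Action" in stmt else None,
                })
    return findings

if __name__ == "__main__":
    for finding in find_mfa_gates(SAMPLE_POLICY):
        print(finding)
```

A finding with `deny_everything_except` set means every action outside that list is denied until the user authenticates with MFA.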
