Description

#313 introduces undocumented change to force MFA for all console and API user. A similar issue #332 was created, and a supposed fix #333 was released in version 5.14.3, introduces new enable_mfa_enforcement variable which defaults to true, which causes IAM groups with attach_iam_self_management_policy set to true still inadvertently opts in to MFA enforcement due to this line:

In my opinion, MFA enforcement should be an opt in feature. Users migrating from older version (example version 5.3.1) to current version may find that IAM groups users with attach_iam_self_management_policy set to true suddenly lose access to their consoles, which can cause more harm than good.

If the maintainers agree, I am willing to submit a PR along with clear documentation to ensure that the implications of enabling MFA enforcement are made clear.

Versions

• Module version [Required]: 5.43.0

• Terraform version: 1.3+

• Provider version(s): 5.x.x

Reproduction Code [Required]

module "iam_group_test" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-group-with-policies"
  version = "5.43.0"

  name                              = "test-group"
  attach_iam_self_management_policy = true

  group_users = [
    module.iam_testuser.iam_user_name,
  ]

  custom_group_policy_arns = [
    "arn:aws:iam::aws:policy/AdministratorAccess",
  ]
}

module "iam_testuser" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
  version = "5.43.0"

  name                          = "testuser"
  create_iam_user_login_profile = true
}

Steps to reproduce the behavior:

1. Create iam-group-with-policies, with attach_iam_self_management_policy set to true, without specifying enable_mfa_enforcement (left as default)
2. Attach user to the group.
3. Login as user via console and try access any services.

Result:

• AccessDenied error due to MFA being enforced

Expected behavior

enable_mfa_enforcement should be default to false

Actual behavior

enable_mfa_enforcement is currrently defaults to true, as shown in this line