Rafaf Tahsin
You can't create an AWS virtual MFA device with Terraform

Just an FYI: in theory you can create an AWS virtual MFA device through Terraform, but you can't enable it or assign it to a user.

From the aws-cli perspective, creating a virtual MFA device takes two steps.

1. Creating the MFA device

```bash
aws iam create-virtual-mfa-device --virtual-mfa-device-name BobsMFADevice --outfile C:/QRCode.png --bootstrap-method QRCodePNG
```

2. Enabling the MFA device with two authentication codes

```bash
aws iam enable-mfa-device \
    --user-name Bob \
    --serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
    --authentication-code1 123456 \
    --authentication-code2 789012
```

Both steps work from the aws-cli. With Terraform you can only create the MFA device; you can't enable it or assign it to a user.

Yes, I understand this is legitimate from Terraform's perspective: enabling a virtual MFA device requires fresh authentication codes every time, and that is not something we want to do on every terraform apply.

But being able to create the virtual MFA device doesn't mean much without the ability to assign it.
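As an added example (not code from this post), a POSIX shell script for the step Terraform cannot do: once `aws_iam_virtual_mfa_device` has created the device, an operator runs it with the user name and device ARN, it validates the two codes, and it calls `enable-mfa-device` out of band. The user name, ARN and the Terraform output name `mfa_device_arn` are assumed values.

```shell
#!/bin/sh
# Added example, not code from the post: finish the step Terraform cannot do.
# After aws_iam_virtual_mfa_device has created the device, an operator runs
# this with the user name and device ARN (both illustrative values here).

# True when CODE is exactly six ASCII digits, the TOTP format IAM expects.
is_totp_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# True when ARN has the shape of an IAM virtual MFA device ARN, so a user
# or role ARN pasted by mistake is rejected before any API call is made.
is_mfa_arn() {
  case "$1" in
    arn:aws:iam::[0-9]*:mfa/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Validate USER MFA_ARN CODE1 CODE2 and print the enable command that
# would run; non-zero exit and a message on stderr for bad input.
build_enable_command() {
  is_mfa_arn "$2"   || { echo "not a virtual MFA device ARN: $2" >&2; return 1; }
  is_totp_code "$3" || { echo "code1 must be six digits" >&2; return 1; }
  is_totp_code "$4" || { echo "code2 must be six digits" >&2; return 1; }
  # Identical codes almost always mean the same window was pasted twice.
  [ "$3" != "$4" ]  || { echo "codes must be from consecutive TOTP windows" >&2; return 1; }
  printf 'aws iam enable-mfa-device --user-name %s --serial-number %s' "$1" "$2"
  printf ' --authentication-code1 %s --authentication-code2 %s\n' "$3" "$4"
}

# Prompt for two consecutive codes, validate them, then enable the device.
enable_mfa_device() {
  user=$1; arn=$2
  printf 'First code from the authenticator app: '; read -r code1
  printf 'Wait for the code to change (about 30 s), then enter it: '; read -r code2
  build_enable_command "$user" "$arn" "$code1" "$code2" >/dev/null || return 1
  aws iam enable-mfa-device --user-name "$user" --serial-number "$arn" \
    --authentication-code1 "$code1" --authentication-code2 "$code2"
}

# Example invocation, assuming a Terraform output named mfa_device_arn:
#   ./enable-mfa.sh Bob "$(terraform output -raw mfa_device_arn)"
if [ $# -eq 2 ]; then
  enable_mfa_device "$1" "$2"
fi
```

The Terraform resource also exports `base_32_string_key` and `qr_code_png`, so the TOTP seed lands in Terraform state; treat that state as a secret and hand the seed to the user over a channel you trust.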

Looking forward to seeing how Terraform solves this in the future.

Top comments (3)

femolacaster

Can you try running an AWS IAM Analyzer run task from Terraform and saving the output to an S3 bucket for analysis on the arn:aws:iam::210987654321:mfa/BobsMFADevice policy?

Rafaf Tahsin • Edited

If I have understood you correctly, you are asking if it's possible to make an AWS IAM Analyzer run task Terraform program that will save the analyzer output to an S3 bucket. The output will then be used to analyze the access of the arn:aws:iam::210987654321:mfa/BobsMFADevice device. Am I right?

I'm not 100% sure about it. But you can have a look at github.com/aws-ia/terraform-aws-ru....

femolacaster

Exactly. I was thinking this could help debugging.