It's just an FYI. Though theoretically you can create an aws virtual mfa device through terraform but you can't enable it or assign it to a user.
The process to create virtual mfa has two steps from aws-cli perspective.
aws iam create-virtual-mfa-device --virtual-mfa-device-name BobsMFADevice --outfile C:/QRCode.png --bootstrap-method QRCodePNG
aws iam enable-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
--authentication-code1 123456 \
--authentication-code2 789012
You can complete both steps using aws-cli. But using terraform you only can create the mfa device, you can't enable it or assign it to a user.
Yes, I understand it's legit from terraform's perspective. As you need to put auth code every time to enable a virtual mfa device. That's not what we want to do with every terraform apply.
But the scope to create the virtual mfa doesn't mean anything without having the opportunity to assign it.
Looking forward how terraform solves this in future.
Top comments (3)
Can you try running an AWS IAM analyzer run task from terraform and save the output to an S3 bucket for analysis on the arn:aws:iam::210987654321:mfa/BobsMFADevice policy.
If I have understood you, you are asking if it's possible to make an AWS IAM analyzer run task terraform program that will save the analyzer output to an s3 bucket. The output will be further used to analysis the access of arn:aws:iam::210987654321:mfa/BobsMFADevice device. Am I right ?
I'm not 100% sure about it. But you can have a look on github.com/aws-ia/terraform-aws-ru....
Exactly. I was thinking this could help debugging.