MFA enforced for groups with policies since 5.11.0

[enver]

Description

#313 Introduced undocumented change to force MFA for all console and API requests. After applying the change users are forced to use enroll MFA before accessing services via console/API, without an option to opt-in or disable it.

Versions

• Module version [Required]: v5.11.0+

• Terraform version:
  Terraform v1.3.7
  on darwin_amd64

• Provider version(s):
  provider registry.terraform.io/hashicorp/aws v4.52.0

Reproduction Code [Required]

• Apply iam-group-with-policies or iam-group-complete examples
• Log in as one of the admin users
• Try to access any service, i.e. list buckets
• Result: AccessDenied error

Steps to reproduce the behavior:

• Apply iam-group-with-policies or iam-group-complete examples
• Log in as one of the admin users
• Try to access any service, i.e. list buckets
• Result: AccessDenied error due to MFA being enforced

Expected behavior

MFA enforcement should not be the default, but rather opt-in feature

Actual behavior

Ulnlike versions before 5.11.0, MFA is enforced for all created groups via self-manage policy.

Terminal Output Screenshot(s)

None

Additional context

#313 Introduced undocumented change to force MFA for all console and API requests.

https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/modules/iam-group-with-policies/policies.tf#L131

[bravecobra]

I just encountered the same issue as all my CI/CD pipelines applying terraform broke.

Reverting back to 5.10.0 for now.

[antonbabenko]

This issue has been resolved in version 5.14.3 🎉

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.