Merge pull request #93 from silinternational/develop

add mfa_allow_disable and mfa_required_for_new_users
silinternational · Mar 9, 2020 · d61843f · d61843f
2 parents 9b6df81 + ccc0b87
commit d61843f
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 2 deletions.
diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md
@@ -65,9 +65,11 @@ This module is used to create an ECS service running id-broker.
  - `method_lifetime` - Defines the amount of time in which a recovery method must be verified. Default: `+1 day`
  - `method_maxAttempts` - Maximum number of recovery method verification attempts allowed. Default: `10`
  - `mfa_add_interval` - Interval between reminders to add MFAs. Default: `+30 days`
+ - `mfa_allow_disable` - If false, `require_mfa` cannot be set to "no" for any user. Default: `true`
  - `mfa_lifetime` - Defines the amount of time in which an MFA must be verified. Default: `+2 hours`
  - `mfa_manager_bcc` - Email address to bcc on the manager mfa email. Default: ``
  - `mfa_manager_help_bcc` - Email address to bcc on the manager mfa help email. Default: ``
+ - `mfa_required_for_new_users` - Require MFA for all new users. Default: `false`
  - `minimum_backup_codes_before_nag` - Nag the user if they have FEWER than this number of backup codes. Default: `4` 
  - `notification_email` - Email address to send alerts/notifications to. Default: notifications disabled
  - `password_expiration_grace_period` - Grace period after `password_lifespan` after which the account will be locked. Default: `+30 days`
@@ -160,9 +162,11 @@ module "broker" {
   method_gracePeriod               = "${var.method_gracePeriod}"
   method_lifetime                  = "${var.method_lifetime}"
   method_maxAttempts               = "${var.method_maxAttempts}"
+  mfa_allow_disable                = "${var.mfa_allow_disable}"
   mfa_lifetime                     = "${var.mfa_lifetime}"
   mfa_manager_bcc                  = "${var.mfa_manager_bcc}"
   mfa_manager_help_bcc             = "${var.mfa_manager_help_bcc}"
+  mfa_required_for_new_users       = "${var.mfa_required_for_new_users}"
   mfa_totp_apibaseurl              = "${var.mfa_totp_apibaseurl}"
   mfa_totp_apikey                  = "${var.mfa_totp_apikey}"
   mfa_totp_apisecret               = "${var.mfa_totp_apisecret}"

diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
@@ -98,9 +98,11 @@ data "template_file" "task_def" {
     method_lifetime                  = "${var.method_lifetime}"
     method_maxAttempts               = "${var.method_maxAttempts}"
     mfa_add_interval                 = "${var.mfa_add_interval}"
+    mfa_allow_disable                = "${var.mfa_allow_disable}"
     mfa_lifetime                     = "${var.mfa_lifetime}"
     mfa_manager_bcc                  = "${var.mfa_manager_bcc}"
     mfa_manager_help_bcc             = "${var.mfa_manager_help_bcc}"
+    mfa_required_for_new_users       = "${var.mfa_required_for_new_users}"
     mfa_totp_apibaseurl              = "${var.mfa_totp_apibaseurl}"
     mfa_totp_apikey                  = "${var.mfa_totp_apikey}"
     mfa_totp_apisecret               = "${var.mfa_totp_apisecret}"
@@ -208,9 +210,11 @@ data "template_file" "task_def_cron" {
     method_lifetime                  = "${var.method_lifetime}"
     method_maxAttempts               = "${var.method_maxAttempts}"
     mfa_add_interval                 = "${var.mfa_add_interval}"
+    mfa_allow_disable                = "${var.mfa_allow_disable}"
     mfa_lifetime                     = "${var.mfa_lifetime}"
     mfa_manager_bcc                  = "${var.mfa_manager_bcc}"
     mfa_manager_help_bcc             = "${var.mfa_manager_help_bcc}"
+    mfa_required_for_new_users       = "${var.mfa_required_for_new_users}"
     mfa_totp_apibaseurl              = "${var.mfa_totp_apibaseurl}"
     mfa_totp_apikey                  = "${var.mfa_totp_apikey}"
     mfa_totp_apisecret               = "${var.mfa_totp_apisecret}"

diff --git a/terraform/040-id-broker/task-definition-cron.json b/terraform/040-id-broker/task-definition-cron.json
@@ -124,7 +124,11 @@
         "value": "${mfa_add_interval}"
       },
       {
-        "name": "MFA_lifetime",
+        "name": "MFA_ALLOW_DISABLE",
+        "value": "${mfa_allow_disable}"
+      },
+      {
+        "name": "MFA_LIFETIME",
         "value": "${mfa_lifetime}"
       },
       {
@@ -135,6 +139,10 @@
         "name": "MFA_MANAGER_HELP_BCC",
         "value": "${mfa_manager_help_bcc}"
       },
+      {
+        "name": "MFA_REQUIRED_FOR_NEW_USERS",
+        "value": "${mfa_required_for_new_users}"
+      },
       {
         "name": "MFA_TOTP_apiBaseUrl",
         "value": "${mfa_totp_apibaseurl}"

diff --git a/terraform/040-id-broker/task-definition.json b/terraform/040-id-broker/task-definition.json
@@ -130,7 +130,11 @@
         "value": "${mfa_add_interval}"
       },
       {
-        "name": "MFA_lifetime",
+        "name": "MFA_ALLOW_DISABLE",
+        "value": "${mfa_allow_disable}"
+      },
+      {
+        "name": "MFA_LIFETIME",
         "value": "${mfa_lifetime}"
       },
       {
@@ -141,6 +145,10 @@
         "name": "MFA_MANAGER_HELP_BCC",
         "value": "${mfa_manager_help_bcc}"
       },
+      {
+        "name": "MFA_REQUIRED_FOR_NEW_USERS",
+        "value": "${mfa_required_for_new_users}"
+      },
       {
         "name": "MFA_TOTP_apiBaseUrl",
         "value": "${mfa_totp_apibaseurl}"

diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
@@ -190,6 +190,11 @@ variable "mfa_add_interval" {
   default = "+30 days"
 }
 
+variable "mfa_allow_disable" {
+  type    = "string"
+  default = "true"
+}
+
 variable "mfa_lifetime" {
   type    = "string"
   default = "+2 hours"
@@ -205,6 +210,11 @@ variable "mfa_manager_help_bcc" {
   default = ""
 }
 
+variable "mfa_required_for_new_users" {
+  type    = "string"
+  default = "false"
+}
+
 variable "mfa_totp_apibaseurl" {
   type = "string"
 }