diff --git a/terraform/040-id-broker/README.md b/terraform/040-id-broker/README.md
index 91901b33..7fc75219 100644
--- a/terraform/040-id-broker/README.md
+++ b/terraform/040-id-broker/README.md
@@ -65,9 +65,11 @@ This module is used to create an ECS service running id-broker.
 - `method_lifetime` - Defines the amount of time in which a recovery method must be verified. Default: `+1 day`
 - `method_maxAttempts` - Maximum number of recovery method verification attempts allowed. Default: `10`
 - `mfa_add_interval` - Interval between reminders to add MFAs. Default: `+30 days`
+ - `mfa_allow_disable` - If false, `require_mfa` cannot be set to "no" for any user. Default: `true`
 - `mfa_lifetime` - Defines the amount of time in which an MFA must be verified. Default: `+2 hours`
 - `mfa_manager_bcc` - Email address to bcc on the manager mfa email. Default: ``
 - `mfa_manager_help_bcc` - Email address to bcc on the manager mfa help email. Default: ``
+ - `mfa_required_for_new_users` - Require MFA for all new users. Default: `false`
 - `minimum_backup_codes_before_nag` - Nag the user if they have FEWER than this number of backup codes. Default: `4`
 - `notification_email` - Email address to send alerts/notifications to. Default: notifications disabled
 - `password_expiration_grace_period` - Grace period after `password_lifespan` after which the account will be locked. Default: `+30 days`
@@ -160,9 +162,11 @@ module "broker" {
 method_gracePeriod = "${var.method_gracePeriod}"
 method_lifetime = "${var.method_lifetime}"
 method_maxAttempts = "${var.method_maxAttempts}"
+ mfa_allow_disable = "${var.mfa_allow_disable}"
 mfa_lifetime = "${var.mfa_lifetime}"
 mfa_manager_bcc = "${var.mfa_manager_bcc}"
 mfa_manager_help_bcc = "${var.mfa_manager_help_bcc}"
+ mfa_required_for_new_users = "${var.mfa_required_for_new_users}"
 mfa_totp_apibaseurl = "${var.mfa_totp_apibaseurl}"
 mfa_totp_apikey = "${var.mfa_totp_apikey}"
 mfa_totp_apisecret = "${var.mfa_totp_apisecret}"
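Review bot: The new `mfa_allow_disable` bullet says what the flag does but not which values the module accepts, and the same gap applies to the `mfa_required_for_new_users` bullet two lines below; vars.tf declares both as `type = "string"` and the task definitions forward the value verbatim into the container, so a reader cannot tell from this README whether `1` or `yes` would be honoured or silently treated as false. Because `mfa_allow_disable` governs whether a user can turn MFA off, that ambiguity is worth closing in the docs. Suggest appending to each bullet, once the spellings id-broker parses are confirmed: `Accepted values: \`true\` or \`false\`, passed as-is to the container's MFA_ALLOW_DISABLE variable` (and `MFA_REQUIRED_FOR_NEW_USERS` for the other). A short sentence noting that the default of `true` presumably preserves the pre-change behaviour would also help operators decide whether to override it.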
diff --git a/terraform/040-id-broker/main.tf b/terraform/040-id-broker/main.tf
index c0cff01e..960377a7 100644
--- a/terraform/040-id-broker/main.tf
+++ b/terraform/040-id-broker/main.tf
@@ -98,9 +98,11 @@ data "template_file" "task_def" {
 method_lifetime = "${var.method_lifetime}"
 method_maxAttempts = "${var.method_maxAttempts}"
 mfa_add_interval = "${var.mfa_add_interval}"
+ mfa_allow_disable = "${var.mfa_allow_disable}"
 mfa_lifetime = "${var.mfa_lifetime}"
 mfa_manager_bcc = "${var.mfa_manager_bcc}"
 mfa_manager_help_bcc = "${var.mfa_manager_help_bcc}"
+ mfa_required_for_new_users = "${var.mfa_required_for_new_users}"
 mfa_totp_apibaseurl = "${var.mfa_totp_apibaseurl}"
 mfa_totp_apikey = "${var.mfa_totp_apikey}"
 mfa_totp_apisecret = "${var.mfa_totp_apisecret}"
@@ -208,9 +210,11 @@ data "template_file" "task_def_cron" {
 method_lifetime = "${var.method_lifetime}"
 method_maxAttempts = "${var.method_maxAttempts}"
 mfa_add_interval = "${var.mfa_add_interval}"
+ mfa_allow_disable = "${var.mfa_allow_disable}"
 mfa_lifetime = "${var.mfa_lifetime}"
 mfa_manager_bcc = "${var.mfa_manager_bcc}"
 mfa_manager_help_bcc = "${var.mfa_manager_help_bcc}"
+ mfa_required_for_new_users = "${var.mfa_required_for_new_users}"
 mfa_totp_apibaseurl = "${var.mfa_totp_apibaseurl}"
 mfa_totp_apikey = "${var.mfa_totp_apikey}"
 mfa_totp_apisecret = "${var.mfa_totp_apisecret}"
diff --git a/terraform/040-id-broker/task-definition-cron.json b/terraform/040-id-broker/task-definition-cron.json
index 6811f8a8..b03b687a 100644
--- a/terraform/040-id-broker/task-definition-cron.json
+++ b/terraform/040-id-broker/task-definition-cron.json
@@ -124,7 +124,11 @@
 "value": "${mfa_add_interval}"
 },
 {
- "name": "MFA_lifetime",
+ "name": "MFA_ALLOW_DISABLE",
+ "value": "${mfa_allow_disable}"
+ },
+ {
+ "name": "MFA_LIFETIME",
 "value": "${mfa_lifetime}"
 },
 {
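Review bot: The removed `"name": "MFA_lifetime",` and added `"name": "MFA_LIFETIME",` in the task-definition-cron.json hunk (and the identical pair in task-definition.json at `@@ -130,7 +130,11 @@`) rename an existing environment variable rather than only adding the two new ones, and nothing in this diff shows id-broker being updated to read the new spelling. Environment variable names are case-sensitive inside the container, so if the image this module deploys still reads `MFA_lifetime`, the configured MFA verification window is silently dropped and the application falls back to whatever internal default it has. The neighbouring `MFA_TOTP_apiBaseUrl` keeps its mixed case, which suggests the rename is incidental to adding `MFA_ALLOW_DISABLE` above it rather than a deliberate casing cleanup. Either confirm the id-broker version pinned for this deployment reads `MFA_LIFETIME`, or keep `"name": "MFA_lifetime",` in both task definitions and land the rename in its own commit alongside the application change.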
@@ -135,6 +139,10 @@
 "name": "MFA_MANAGER_HELP_BCC",
 "value": "${mfa_manager_help_bcc}"
 },
+ {
+ "name": "MFA_REQUIRED_FOR_NEW_USERS",
+ "value": "${mfa_required_for_new_users}"
+ },
 {
 "name": "MFA_TOTP_apiBaseUrl",
 "value": "${mfa_totp_apibaseurl}"
diff --git a/terraform/040-id-broker/task-definition.json b/terraform/040-id-broker/task-definition.json
index 5d8046ad..f7a7acb9 100644
--- a/terraform/040-id-broker/task-definition.json
+++ b/terraform/040-id-broker/task-definition.json
@@ -130,7 +130,11 @@
 "value": "${mfa_add_interval}"
 },
 {
- "name": "MFA_lifetime",
+ "name": "MFA_ALLOW_DISABLE",
+ "value": "${mfa_allow_disable}"
+ },
+ {
+ "name": "MFA_LIFETIME",
 "value": "${mfa_lifetime}"
 },
 {
@@ -141,6 +145,10 @@
 "name": "MFA_MANAGER_HELP_BCC",
 "value": "${mfa_manager_help_bcc}"
 },
+ {
+ "name": "MFA_REQUIRED_FOR_NEW_USERS",
+ "value": "${mfa_required_for_new_users}"
+ },
 {
 "name": "MFA_TOTP_apiBaseUrl",
 "value": "${mfa_totp_apibaseurl}"
diff --git a/terraform/040-id-broker/vars.tf b/terraform/040-id-broker/vars.tf
index 119d528d..68843c7c 100644
--- a/terraform/040-id-broker/vars.tf
+++ b/terraform/040-id-broker/vars.tf
@@ -190,6 +190,11 @@ variable "mfa_add_interval" {
 default = "+30 days"
 }
 
+variable "mfa_allow_disable" {
+ type = "string"
+ default = "true"
+}
+
 variable "mfa_lifetime" {
 type = "string"
 default = "+2 hours"
@@ -205,6 +210,11 @@ variable "mfa_manager_help_bcc" {
 default = ""
 }
 
+variable "mfa_required_for_new_users" {
+ type = "string"
+ default = "false"
+}
+
 variable "mfa_totp_apibaseurl" {
 type = "string"
 }
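Review bot: In the vars.tf hunks, `variable "mfa_allow_disable"` and `variable "mfa_required_for_new_users"` are declared as free-form strings with no `description`, and main.tf plus both task definitions forward the value unchanged to the container, so a misspelt value such as `"True"` or `"yes"` is not rejected at plan time and only id-broker's parsing (not visible here) decides whether MFA can be disabled for every user. The `type = "string"` / `"${var.x}"` syntax used throughout this module suggests Terraform 0.11, which has no boolean variable type to lean on, so the intent has to be carried by documentation. Suggest a comment on each new variable, e.g. `# Boolean expressed as a string; only "true"/"false" are expected. Forwarded verbatim as MFA_ALLOW_DISABLE.` (and the matching line for `MFA_REQUIRED_FOR_NEW_USERS`). If the module is later moved to Terraform 0.12 or newer, these two are the first candidates for `type = bool` so the constraint is enforced rather than described.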