From c2edc10e8c7e4f88f8db67099cc82b80bc2a6c39 Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Fri, 8 Aug 2025 09:32:45 +0200
Subject: [PATCH] Ajouter policy-enforce-mfa.tf

---
 policy-enforce-mfa.tf | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 policy-enforce-mfa.tf

diff --git a/policy-enforce-mfa.tf b/policy-enforce-mfa.tf
new file mode 100644
index 0000000..2bbfa28
--- /dev/null
+++ b/policy-enforce-mfa.tf
@@ -0,0 +1,33 @@
+data "aws_iam_policy_document" "enforce_mfa" {
+ statement {
+ sid = "DenyAllExceptListedIfNoMFA"
+ effect = "Deny"
+ not_actions = [
+ "iam:CreateVirtualMFADevice",
+ "iam:EnableMFADevice",
+ "iam:GetUser",
+ "iam:ListMFADevices",
+ "iam:ListVirtualMFADevices",
+ "iam:ResyncMFADevice",
+ "sts:GetSessionToken"
+ ]
+ resources = ["*"]
+ condition {
+ test = "BoolIfExists"
+ variable = "aws:MultiFactorAuthPresent"
+ values = ["false", ]
+ }
+ }
+}
+
+resource "aws_iam_policy" "enforce_mfa" {
+ name = "enforce-to-use-mfa"
+ path = "/"
+ description = "Policy to allow MFA management"
+ policy = data.aws_iam_policy_document.enforce_mfa.json
+}
+
+resource "aws_iam_group_policy_attachment" "enforce_mfa" {
+ group = aws_iam_group.administrators.name
+ policy_arn = aws_iam_policy.enforce_mfa.arn
+}
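Review bot: The Deny statement exempts `iam:CreateVirtualMFADevice` and `iam:EnableMFADevice` without any resource scoping, so a holder of a leaked long-term access key for a member of `administrators` who has not yet enrolled a device can enroll their own virtual MFA, call `sts:GetSessionToken` with it, and satisfy the `aws:MultiFactorAuthPresent` condition — this policy only protects members who already have MFA enrolled. That is the inherent trade-off of the self-service pattern and is fine to keep, but it should be stated and paired with a control that verifies every group member has a device (credential report or `iam:ListMFADevices` check) before the group gets privileged permissions elsewhere. The `description` is also misleading for a Deny-only policy; suggest `description = "Deny all actions except MFA self-enrolment when the request is not MFA-authenticated (long-term keys or non-MFA sessions)"`. AWS's reference version of this statement appears to also exempt `iam:GetMFADevice` so the console security-credentials page can show the enrolled device; worth confirming against the current AWS example before relying on the console flow.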