From 551ea7b4aee21c2b33a6be8a24ff2fdf9ef4e620 Mon Sep 17 00:00:00 2001
From: Joel Courtney
Date: Mon, 8 Jan 2024 23:19:39 +1100
Subject: [PATCH] fix: allow user to change password without MFA configured (#19)

---
 .gitignore | 3 +++
 CHANGELOG.md | 6 ++++++
 groups/main.tf | 2 ++
 3 files changed, 11 insertions(+)

diff --git a/.gitignore b/.gitignore
index 428217a..476b6ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,6 @@
 # .tfstate files
 *.tfstate
 *.tfstate.*
+
+# Lockfiles
+.terraform.lock.hcl
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1bba068..b157a8e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## v0.1.3 (2024-01-08)
+
+### Fixed
+
+* Allow user to change password without MFA configured.
+
 ## v0.1.2 (2019-08-09)
 
 * Resolves inability to assume roles across accounts.
diff --git a/groups/main.tf b/groups/main.tf
index e8e1631..093c831 100644
--- a/groups/main.tf
+++ b/groups/main.tf
@@ -254,11 +254,13 @@ data "aws_iam_policy_document" "self_management" {
 "iam:DeleteVirtualMFADevice",
 "iam:EnableMFADevice",
 "iam:GetAccountPasswordPolicy",
+ "iam:GetLoginProfile",
 "iam:GetUser",
 "iam:ListMFADevices",
 "iam:ListUsers",
 "iam:ListVirtualMFADevices",
 "iam:ResyncMFADevice",
+ "iam:UpdateLoginProfile",
 "sts:GetSessionToken",
 ]
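Review bot: The added `"iam:UpdateLoginProfile",` in the `self_management` action list of groups/main.tf is broader than the commit title needs, because that API sets a console password without asking for the current one. `iam:ChangePassword` requires the old password and only ever applies to the calling user, so `"iam:ChangePassword",` would cover a self-service password change with less exposure if it is reachable without MFA. The statement's effect, its `resources` and any MFA condition sit outside this hunk, so please confirm the list is scoped to the caller's own user ARN (for example via `${aws:username}`) and not to `*`. If `iam:UpdateLoginProfile` has to stay, a comment such as `# no-MFA exemption: must remain limited to the caller's own user` above the list would record that constraint for the next editor.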