[Bug Fix] security/account-password-policy - allow to disable MaxPass…

…wordAge and PasswordReusePrevention
jalawala · Apr 12, 2019 · 4825ab7 · 4825ab7
1 parent 2468358
commit 4825ab7
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/security/account-password-policy.yaml b/security/account-password-policy.yaml
@@ -49,7 +49,7 @@ Parameters:
     - true
     - false
   MaxPasswordAge:
-    Description: 'You can set IAM user passwords to be valid for only the specified number of days.'
+    Description: 'You can set IAM user passwords to be valid for only the specified number of days. Choose 0 if you don not want passwords to expire.'
     Type: Number
     Default: 90
     ConstraintDescription: 'Must be in the range [0-1095]'
@@ -148,17 +148,22 @@ Resources:
             if (event.RequestType === 'Delete') {
               iam.deleteAccountPasswordPolicy({}, done);
             } else if (event.RequestType === 'Create' || event.RequestType === 'Update') {
-              iam.updateAccountPasswordPolicy({
+              let params = {
                 AllowUsersToChangePassword: event.ResourceProperties.AllowUsersToChangePassword === 'true',
                 HardExpiry: event.ResourceProperties.HardExpiry === 'true',
-                MaxPasswordAge: parseInt(event.ResourceProperties.MaxPasswordAge, 10),
                 MinimumPasswordLength: parseInt(event.ResourceProperties.MinimumPasswordLength, 10),
-                PasswordReusePrevention: parseInt(event.ResourceProperties.PasswordReusePrevention, 10),
                 RequireLowercaseCharacters: event.ResourceProperties.RequireLowercaseCharacters === 'true',
                 RequireNumbers: event.ResourceProperties.RequireNumbers === 'true',
                 RequireSymbols: event.ResourceProperties.RequireSymbols === 'true',
                 RequireUppercaseCharacters: event.ResourceProperties.RequireUppercaseCharacters === 'true',
-              }, done);
+              };
+              if (parseInt(event.ResourceProperties.MaxPasswordAge, 10) > 0) {
+                params.MaxPasswordAge = parseInt(event.ResourceProperties.MaxPasswordAge, 10);
+              }
+              if (parseInt(event.ResourceProperties.PasswordReusePrevention, 10) > 0) {
+                params.PasswordReusePrevention = parseInt(event.ResourceProperties.PasswordReusePrevention, 10);
+              }
+              iam.updateAccountPasswordPolicy(params, done);
             } else {
               cb(new Error(`unsupported RequestType: ${event.RequestType}`));
             }