require mfa auth for deletion of mfa device (#14)

main.tf

@@ -43,13 +43,12 @@ data "aws_iam_policy_document" "manage_mfa" {
   count = "${local.enabled ? 1 : 0}"
 
   statement {
-    sid = "AllowUsersToCreateEnableResyncDeleteTheirOwnVirtualMFADevice"
+    sid = "AllowUsersToCreateEnableResyncTheirOwnVirtualMFADevice"
 
     actions = [
       "iam:CreateVirtualMFADevice",
       "iam:EnableMFADevice",
       "iam:ResyncMFADevice",
-      "iam:DeleteVirtualMFADevice",
     ]
 
     resources = [
@@ -77,6 +76,25 @@ data "aws_iam_policy_document" "manage_mfa" {
     }
   }
 
+  statement {
+    sid = "AllowUsersToDeleteTheirOwnVirtualMFADevice"
+
+    actions = [
+      "iam:DeleteVirtualMFADevice",
+    ]
+
+    resources = [
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:mfa/&{aws:username}",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/&{aws:username}",
+    ]
+
+    condition {
+      test     = "Bool"
+      variable = "aws:MultiFactorAuthPresent"
+      values   = ["true"]
+    }
+  }
+
   statement {
     sid = "AllowUsersToListMFADevicesandUsersForConsole"