Comments (1)

hugoShaka avatar hugoShaka commented on May 25, 2024

With @Joerger we discussed the following approaches:

Use the user's local ~/.tsh profile and MFA

This approach removes the use of impersonation, Terraform would run as the user.
The user would get prompted for MFA when running Terraform.

This approach offers a simple setup flow (no additional user, role, bot, just use your rights) and a strong security posture (MFA for admin security properties are preserved).

This approach requires the user to have the appropriate rights. This was already the case indirectly with the previous impersonation approach. This means users potentially have higher standing privileges by default, although most users applying Terraform code are very likely already editors/

Use impersonated certificates + user MFA

This approach is a port of the current impersonation approach, but with "MFA for admin" support.
This implies:

  • adding support for requesting the impersonator's MFA during impersonated actions.
  • adding TF provider support for prompting MFA (similar to the 1st approach)

Allow the user to sign certs bypassing from "MFA for admin"

This would make the old approach functional again. However, this would remove most security benefits brought by "MFA for Admin".

Allow Terraform to run MachineID natively

This would partially address the UX issue. The user would pass a bot token to Terraform, and Terraform would do the MachineID dance to get Bot certs, without the need for tbot.

This improves the UX locally, but also in the CI: you can pass to Terraform a GHA token and let it get the certs automatically.

However, this doesn't address the security aspect of having long-lived/renewable admin certificates not subject to MFA on every admin laptop.

from teleport.
