It's just an FYI. Though you can theoretically create an AWS virtual MFA device through Terraform, you can't enable it or assign it to a user.
The process to create a virtual MFA device has two steps from the aws-cli perspective.
aws iam create-virtual-mfa-device --virtual-mfa-device-name BobsMFADevice --outfile C:/QRCode.png --bootstrap-method QRCodePNG
aws iam enable-mfa-device \
--user-name Bob \
--serial-number arn:aws:iam::210987654321:mfa/BobsMFADevice \
--authentication-code1 123456 \
--authentication-code2 789012
You can complete both steps using aws-cli. But using Terraform you can only create the MFA device; you can't enable it or assign it to a user.
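The two aws-cli steps above, as an added example that is not part of the original post: a small POSIX shell script that creates the device, prompts for the two codes after the QR code has been scanned, runs enable-mfa-device, and then confirms the binding with list-mfa-devices. It assumes a configured aws-cli profile allowed to call iam:CreateVirtualMFADevice, iam:EnableMFADevice and iam:ListMFADevices; the account id 210987654321 and the names Bob and BobsMFADevice are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the two aws-cli calls
# with input validation and a post-enrolment check. Assumes an aws-cli
# profile with iam:CreateVirtualMFADevice, iam:EnableMFADevice and
# iam:ListMFADevices on the target user and device.

# Build the MFA serial ARN (the same value Terraform exports as the
# device's arn). $1 = account id, $2 = device name, optional $3 = path.
mfa_serial_arn() {
  printf 'arn:aws:iam::%s:mfa%s%s\n' "$1" "${3:-/}" "$2"
}

# A TOTP code is exactly six ASCII digits; reject anything else before it
# reaches the API so a typo fails fast instead of wasting the 30-second window.
is_totp_code() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# enable-mfa-device needs codes from two successive 30-second windows, so
# two identical codes can never be a valid pair.
codes_are_consecutive() {
  is_totp_code "$1" && is_totp_code "$2" && [ "$1" != "$2" ]
}

# Step 1: create the device and print its serial ARN. The QR PNG written to
# $2 contains the seed, so remove it once it has been scanned.
create_device() {
  aws iam create-virtual-mfa-device \
    --virtual-mfa-device-name "$1" \
    --outfile "$2" \
    --bootstrap-method QRCodePNG \
    --query 'VirtualMFADevice.SerialNumber' --output text
}

# Step 2: bind the device to the user, then verify the binding by checking
# that the serial ARN now appears in the user's MFA device list.
enable_device() {
  # $1 = user name, $2 = serial ARN, $3 = code1, $4 = code2
  codes_are_consecutive "$3" "$4" || {
    echo "need two different six-digit codes" >&2
    return 2
  }
  aws iam enable-mfa-device \
    --user-name "$1" --serial-number "$2" \
    --authentication-code1 "$3" --authentication-code2 "$4"
  aws iam list-mfa-devices --user-name "$1" \
    --query 'MFADevices[].SerialNumber' --output text \
    | tr '\t' '\n' | grep -Fxq "$2"
}

# Usage: ./enroll_mfa.sh Bob BobsMFADevice ./QRCode.png
# (only runs when invoked with all three arguments)
if [ $# -eq 3 ]; then
  serial=$(create_device "$2" "$3")
  echo "created $serial; scan $3 in an authenticator app"
  printf 'first code:  '; read -r code1
  printf 'second code: '; read -r code2
  enable_device "$1" "$serial" "$code1" "$code2" && echo "MFA enabled for $1"
  rm -f "$3"
fi
```

The validation helpers are the part worth keeping even if you drive the API some other way: the enable call only succeeds with two distinct, consecutive codes, and the list-mfa-devices check is what tells you the device is actually bound to the user rather than merely created.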
Yes, I understand it's legit from Terraform's perspective, since you need to enter an auth code every time to enable a virtual MFA device. That's not what we want to do with every terraform apply.
But being able to create the virtual MFA device doesn't mean anything without having the opportunity to assign it.
Looking forward to seeing how Terraform solves this in the future.
Can you try running an AWS IAM analyzer run task from Terraform and save the output to an S3 bucket for analysis on the arn:aws:iam::210987654321:mfa/BobsMFADevice policy?