hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Surface necessary AWS permissions #36677

Open corkupine opened 5 months ago

corkupine commented 5 months ago

Description

In the course of implementing IaC, organizations move toward automating the execution of Terraform using CI/CD pipelines, workflows, and other agents. One issue for us (and others I presume) is that it can be difficult to enforce least privilege AWS permissions.

Current approaches:

There is also the issue of maintaining the appropriate permissions as resources are added and removed.

Possible new approach:

For each resource, have an internal property with a list of AWS permissions that are required to manage it. During plan and apply, generate an output that has the sum of AWS permissions required to manage all resources.

Affected Resource(s) and/or Data Source(s)

All

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

None
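As an added example (not code from this issue or from the provider), the following script does what the proposal above describes, from the outside: it reads the `terraform show -json` output of a plan, looks up the permissions each resource change needs, and emits the union as one IAM policy. The `REQUIRED_ACTIONS` table and `SAMPLE_PLAN` are constructed for illustration; the real per-resource lists are exactly what the issue asks the provider to surface.

```python
import json

# Illustrative mapping (resource type, plan action) -> IAM actions. Constructed
# for this example; authoritative lists would have to come from the provider.
REQUIRED_ACTIONS = {
    ("aws_s3_bucket", "create"): ["s3:CreateBucket", "s3:PutBucketTagging"],
    ("aws_s3_bucket", "read"):   ["s3:GetBucketLocation", "s3:ListBucket"],
    ("aws_s3_bucket", "delete"): ["s3:DeleteBucket"],
    ("aws_iam_role", "create"):  ["iam:CreateRole", "iam:TagRole"],
    ("aws_iam_role", "read"):    ["iam:GetRole", "iam:ListRolePolicies"],
    ("aws_iam_role", "update"):  ["iam:UpdateAssumeRolePolicy"],
    ("aws_iam_role", "delete"):  ["iam:DeleteRole"],
}

def required_permissions(plan):
    """Union of IAM actions needed for every resource change in a plan.

    `plan` is the dict from `terraform show -json plan.tfplan`; only
    resource_changes[].type and resource_changes[].change.actions are used.
    Every managed resource is refreshed, so "read" is always included.
    Resource types with no mapping are reported, not silently dropped.
    """
    actions, unknown = set(), set()
    for rc in plan.get("resource_changes", []):
        rtype = rc["type"]
        for verb in {"read", *rc["change"]["actions"]} - {"no-op"}:
            key = (rtype, verb)
            if key in REQUIRED_ACTIONS:
                actions.update(REQUIRED_ACTIONS[key])
            else:
                unknown.add(f"{rtype}:{verb}")
    return sorted(actions), sorted(unknown)

def policy_document(actions):
    """Render the computed action set as a single-statement IAM policy.
    Resource is left as "*" here; scope it to real ARNs before use."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}

# Constructed sample plan: a create, a replace (delete+create) and a no-op.
SAMPLE_PLAN = {"resource_changes": [
    {"type": "aws_s3_bucket", "change": {"actions": ["create"]}},
    {"type": "aws_iam_role", "change": {"actions": ["delete", "create"]}},
    {"type": "aws_vpc", "change": {"actions": ["no-op"]}},
]}

if __name__ == "__main__":
    acts, unmapped = required_permissions(SAMPLE_PLAN)
    print(json.dumps(policy_document(acts), indent=2))
    print("no mapping for:", unmapped)
```

The `unmapped` list is the gap the issue is about: any resource type the table does not know still needs permissions, and a pipeline should fail closed on it rather than run with a policy that is silently incomplete.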

github-actions[bot] commented 5 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 5 months ago

Hey @corkupine 👋 Thank you for taking the time to raise this! I'm not sure this is something that could be easily achieved with the way Terraform operates at the Core level, however, there are third party tools that do a similar thing (iamlive is one I see recommended occasionally).

That said, given that I don't have a solid answer at the moment for whether or not this is attainable, I'm going to leave this open for additional input from others.

corkupine commented 5 months ago

Thank you, @justinretzolk! I just found this, which seems like it could help as well, though coverage of resources is at about 50%. Having providers use some type of convention/reserved name for an output seems like it would be fairly simple, and putting the onus on the provider author would mean that everything would (eventually) be kept in sync without having to map it afterward in a separate project.

dgholz commented 5 months ago

Another recommendation: I use https://github.com/salesforce/policy_sentry to generate the statements. It has a Terraform module to automatically create the policies, but requires its Python script to be locally installed and executable.