document IAM permissions / roles are needed to create/destroy the terraform resource

[duxbuse]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

When trying to create a new resource, with an account with no privileges its often hard to understand what IAM roles are needed to create and destroy the resource. Many times the error message is simply 403 permission denied which doesn't help narrow the issue.

It would be really great if the terraform docs had a small section outlining for each resource what perms are needed to interact with it.

[rileykarson]

I don't think the permissions required for an endpoint are documented by GCP proper, much less accessible in an automated system as would be required to scale this up across the entire surface. Also note that the permissions required for a call are sometimes dynamic (i.e. when accessing a crypto key)

[BBBmau]

from triage: We are scoping this ticket to just adding the ability to link API Permissions and roles documentation.

Adding the links will be a separate effort.

[Ameausoone]

For the note:

Hashicorp added a feature in the terraform framework, to be able to test iam privilege during tf plan, it would very practical to add this feature in the Google terraform provider.

related with:

• The issue for Terraform: https://github.com/hashicorp/terraform/issues/16625#issuecomment-343644197

• AWS equivalent : https://github.com/hashicorp/terraform-provider-aws/issues/2286#issuecomment-344360165