terraform-linters / tflint-ruleset-aws

TFLint ruleset for terraform-provider-aws
Mozilla Public License 2.0

tflint deep IAM policy #33

Closed ian-bartholomew closed 3 years ago

ian-bartholomew commented 4 years ago

Hello, we want to run this in CI, and be able to also run the deep inspection, but it's not clear what kind of IAM permissions are needed. We want to run this in CI, and grant it the least privileged IAM policy.

Thanks!

wata727 commented 4 years ago

Hi @ian-bartholomew

I recommend that when running the deep inspection, you have the same privileges as the account that actually performs terraform plan or terraform apply. This partially ensures that you have the necessary privileges when running terraform commands.

On the other hand, TFLint doesn't require write permission, so it is also a good practice to use the least privilege for security. For such cases, it may be worth describing the IAM policy in the documentation.

ian-bartholomew commented 4 years ago

@wata727 thank you, that answers my question. Thanks!

rquadling commented 3 years ago

Hi.

Please can we have a complete list of required permissions for tflint.

We have a specific user that is used to plan and apply using terraform and all is working there.

We've introduced tflint into our process and we are now requiring additional access...

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_instance_invalid_key_name` rule: An error occurred while invoking DescribeKeyPairs; UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: *********

amongst other things.

As it stands, the user used to deploy the terraform plan does NOT require these permissions and so we would not have granted that.

If this is something that is available in code (but not documented), then potentially the list of calls being made by the ruleset could be extracted and then logged. That would certainly be a start?

Some sort of auto-discovery?

wata727 commented 3 years ago

Ah, that makes sense. It's easy to document the list of required permissions because you just need to check the implementation under the api directory.

I haven't been able to work on this for other work, but I'd be happy to review it if you open a PR.
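Following wata727's point that TFLint only reads AWS state (the failing call above was DescribeKeyPairs), one guard a CI owner can run is a check that the policy handed to the linter grants nothing but read-only actions. The script below is an added example, not code from tflint-ruleset-aws; the two policy documents are constructed, and ec2:DescribeKeyPairs is the only action taken from this thread (the full list would have to come from the ruleset's api directory).

```python
import json

# Operation-name prefixes that only read AWS state. TFLint's deep
# inspection calls look like this (e.g. ec2:DescribeKeyPairs).
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def is_read_only_action(action: str) -> bool:
    """True if an IAM action string (service:Operation) can only read.

    Wildcards are treated conservatively: "*" or "ec2:*" can match write
    operations, so they are rejected; "ec2:Describe*" is accepted.
    """
    if ":" not in action:
        return False  # bare "*" or malformed action
    _service, operation = action.split(":", 1)
    stem = operation.rstrip("*?")
    return stem != "" and stem.startswith(READ_ONLY_PREFIXES)


def find_write_grants(policy_json: str) -> list:
    """Return every Allow action in an IAM policy that is not read-only."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # single statement, not a list
        statements = [statements]
    offending = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant anything
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offending.extend(a for a in actions if not is_read_only_action(a))
    return offending


# Constructed example: a least-privilege policy for the CI linter user.
LINTER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeKeyPairs", "ec2:Describe*"]}]})

# Constructed example: the deployer's policy, which TFLint does not need.
DEPLOYER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeKeyPairs", "ec2:RunInstances", "ec2:*"]}]})

if __name__ == "__main__":
    print("linter policy write grants:", find_write_grants(LINTER_POLICY))
    print("deployer policy write grants:", find_write_grants(DEPLOYER_POLICY))
```

Run it against the policy attached to the CI identity before a TFLint run; an empty result means the linter has been given nothing it could use to change infrastructure.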