How do we get terraform to work without giving it full access?

0

We currently use EC2 full access, S3 full access, & elastic load balancing full access to get terraform up and running. These permissions are turned on and off after every terraform build. This is a security concern. I am wondering what permissions will allow terraform to work without giving full access?

3 answers
1

Afraid Terraform will need the access to create, delete and modify the resources. The policies applied to the TF user/role will need to be appropriate for provisioning.

Expert
answered 2 months ago
Expert
reviewed 2 months ago
0

Roles used by IaC are usually very powerful, with administrative rights to many resources. The best practice is to use a CI/CD pipeline and only enable those pipelines to use the role, protecting them using secrets inside the CI/CD tool. That way you keep those credentials away from humans (thus leaks) and only proper procedures through CI/CD leverage the role properly to deploy resources.

Hope this helps!

AWS
answered 2 months ago
0

There is an RFE open for this (doesn't look like it has progressed much) https://github.com/hashicorp/terraform-provider-aws/issues/32823

It makes reference to a stackoverflow question that asks what you're asking https://stackoverflow.com/questions/51273227/whats-the-most-efficient-way-to-determine-the-minimum-aws-permissions-necessary

And it appears you can achieve what you need by running TF_LOG=trace terraform apply --auto-approve &> log.log and then cat log.log | grep "DEBUG: Request".

A more recent reply suggests the log format has changed and you now need to grep for aws.operation=

Expert
Steve_M
answered 2 months ago
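One way to turn that trace log into a least-privilege starting point, added here as an illustration and not code from the thread or from the provider: it parses the `aws.operation=` field the answer mentions and assumes an `aws.service=` field sits on the same line (an assumption about the log format; the sample log lines below are constructed), then emits a draft IAM policy listing only the actions actually observed.

```python
import json
import re

# Constructed sample of TF_LOG=trace output. The "aws.operation=" and
# "aws.service=" key/value fields are an assumption about the provider's
# log format; adjust CALL_RE if your provider version logs differently.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=DescribeVpcs aws.region=us-east-1 aws.service=EC2
2024-01-01T10:00:01Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=CreateBucket aws.region=us-east-1 aws.service=S3
2024-01-01T10:00:02Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=DescribeVpcs aws.region=us-east-1 aws.service=EC2
2024-01-01T10:00:03Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=CreateLoadBalancer aws.region=us-east-1 aws.service="Elastic Load Balancing v2"
2024-01-01T10:00:04Z [INFO]  backend/local: plan calling Plan
"""

# Service names whose IAM action prefix differs from the logged name (assumed mapping).
SERVICE_PREFIX = {
    "elastic load balancing v2": "elasticloadbalancing",
    "elastic load balancing": "elasticloadbalancing",
}

# Operation first, service later on the same line; the service may be quoted.
CALL_RE = re.compile(
    r'aws\.operation=(?P<op>\w+).*?aws\.service=(?:"(?P<q>[^"]+)"|(?P<s>\S+))'
)


def extract_actions(log_text: str) -> list[str]:
    """Return the sorted, de-duplicated IAM actions observed in a trace log."""
    actions = set()
    for line in log_text.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue  # not an AWS API call line
        service = (m.group("q") or m.group("s")).lower()
        prefix = SERVICE_PREFIX.get(service, service)
        actions.add(f"{prefix}:{m.group('op')}")
    return sorted(actions)


def build_policy(actions: list[str]) -> dict:
    """Wrap the observed actions in a policy document. Resource is left at "*"
    as a draft: narrow it to the ARNs the pipeline actually manages."""
    statement = {"Effect": "Allow", "Action": actions, "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    print(json.dumps(build_policy(extract_actions(SAMPLE_LOG)), indent=2))
```

Run it against a real `log.log` by swapping `SAMPLE_LOG` for the file contents; a plan/apply/destroy cycle, not just one apply, is needed before the action list is complete.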
