How do we get terraform to work without giving it full access?

0

We currently use EC2 full access, S3 full access, & elastic load balancing full access to get terraform up and running. These permissions are turned on and off after every terraform build. This is a security concern. I am wondering what permissions will allow terraform to work without giving full access?

3 Answers
1

Afraid Terraform will need the access to create, delete and modify the resources. The polices applied to the TF user/role will need to be appropriate for provisioning.

profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
0

Roles uses by IaC are usually very powerful with administrative rights to many resources. The best practice is to use a CI/CD pipeline and only enable those pipelines to use the role, protecting them using secrets inside the CI/CD tool. That way you keep those credentials away from humans (thus leaks) and only proper procedures through CI/CD leverage the role properly to deploy resources.

Hope this helps!

AWS
answered a month ago
0

There is an RFE open for this (doesn't look like it has progressed much) https://github.com/hashicorp/terraform-provider-aws/issues/32823

It makes reference to a stackoverflow question that asks what you're asking https://stackoverflow.com/questions/51273227/whats-the-most-efficient-way-to-determine-the-minimum-aws-permissions-necessary

And it appears you can achieve what you need by running TF_LOG=trace terraform apply --auto-approve &> log.log and then cat log.log | grep "DEBUG: Request".

A more recent reply suggests the log format has changed and you now need to grep for aws.operation=

profile picture
EXPERT
Steve_M
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions