Incorporate iam policy simulator in aws provider to simulate requisite iam permissions during plan phase #16793
Labels
enhancement
Requests to existing resources that expand the functionality or scope.
service/iam
Issues and PRs that pertain to the iam service.
This issue was originally opened by @RiflerRick as hashicorp/terraform#27301. It was migrated here as a result of the provider split. The original body of the issue is below.
Current Terraform Version
Use-cases
A lot of the time, when doing a `terraform plan` we are able to see infrastructure updates; however, when attempting to do a `terraform apply`, it might turn out that the host from which we are executing Terraform instructions does not have the required permissions to execute some of the infrastructure updates suggested by `terraform plan`. It therefore becomes a reactive procedure for users to add the required permissions first and attempt to execute a `terraform apply` one more time to see if all the updates happened successfully or not.

For example: let's say a certain host has been given permissions to start an EC2 instance (`ec2:StartInstances`) but not to terminate one (`ec2:TerminateInstances`). In that case, during the spinning up of a fleet of 5 EC2 instances there would be no issue. However, on trying to reduce the number of instances to 4, a `TerminateInstances` API call would be fired, which would be forbidden as the host does not have the same permission. This, however, will not be caught during a `terraform plan`. Rather, during `terraform apply` we will come to know of the same. A proactive measure of catching such issues, especially during `terraform plan`, would be helpful.
Attempted Solutions
Proposal
AWS provides means of simulating IAM policies. Check out this link. During the `terraform plan` phase, if we know what actions need to be performed, we can call the policy simulator APIs to figure out if the current IAM permissions would allow the requisite actions to succeed. If found, all such failing actions can be shown with the `terraform plan` output. The exit code of `terraform plan` can be non-zero if the simulation of any of the corresponding actions fails.

References
https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-custom-policy.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api
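The check the proposal describes, sketched as an added example that is not part of this issue, of Terraform or of the AWS provider: it derives the IAM actions a `terraform show -json` plan implies from a hand-written table, sends them to `SimulatePrincipalPolicy`, and exits non-zero when any action is not `allowed`. The resource-to-action table, the plan fragment, the principal ARNs and the `FakeIamClient` are constructed for the example; the fake only mirrors the response shape of boto3's `iam.simulate_principal_policy`, so the script runs offline, and `boto3.client("iam")` can be passed in its place to query AWS.

```python
"""Pre-apply IAM check: derive the AWS API actions a Terraform plan needs and
ask the IAM policy simulator whether the executing principal may call them.

Constructed example; not part of terraform-provider-aws. The resource-to-IAM
action table and the sample plan below are hand-written assumptions."""
import sys
from typing import Dict, Iterable, List, Set

# Assumed mapping from a Terraform resource type and plan change action to the
# IAM actions the AWS provider would call. Only the page's aws_instance case is
# filled in; a real implementation would need this for every resource type.
RESOURCE_ACTIONS: Dict[str, Dict[str, List[str]]] = {
    "aws_instance": {
        "create": ["ec2:RunInstances", "ec2:DescribeInstances"],
        "update": ["ec2:ModifyInstanceAttribute", "ec2:DescribeInstances"],
        "delete": ["ec2:TerminateInstances", "ec2:DescribeInstances"],
    },
}

# Constructed plan fragment in `terraform show -json` shape: the page's
# scenario, shrinking a fleet of aws_instance from 5 to 4.
SCALE_DOWN_PLAN = {
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_instance.fleet[4]", "type": "aws_instance",
         "change": {"actions": ["delete"]}},
    ],
}


def required_actions(plan: dict) -> Set[str]:
    """Collect the IAM actions implied by the plan's resource_changes.
    Terraform emits "actions" as ["create"], ["update"], ["delete"],
    ["delete", "create"] (replace), ["no-op"] or ["read"]."""
    needed: Set[str] = set()
    for rc in plan.get("resource_changes", []):
        mapping = RESOURCE_ACTIONS.get(rc["type"], {})
        for change in rc["change"]["actions"]:
            needed.update(mapping.get(change, []))
    return needed


def role_arn_from_caller_arn(caller_arn: str) -> str:
    """SimulatePrincipalPolicy wants the IAM user/role ARN, but `sts
    get-caller-identity` for an assumed role returns a session ARN like
    arn:aws:sts::123456789012:assumed-role/Name/session. Convert it."""
    prefix = "arn:aws:sts::"
    if caller_arn.startswith(prefix) and ":assumed-role/" in caller_arn:
        account, rest = caller_arn[len(prefix):].split(":assumed-role/", 1)
        role_name = rest.split("/", 1)[0]
        return f"arn:aws:iam::{account}:role/{role_name}"
    return caller_arn


def simulate(client, principal_arn: str, actions: Iterable[str]) -> Dict[str, str]:
    """Return action -> EvalDecision ("allowed", "explicitDeny" or
    "implicitDeny"). Results are paginated with IsTruncated/Marker."""
    decisions: Dict[str, str] = {}
    kwargs = {"PolicySourceArn": principal_arn, "ActionNames": sorted(actions)}
    while True:
        resp = client.simulate_principal_policy(**kwargs)
        for result in resp["EvaluationResults"]:
            decisions[result["EvalActionName"]] = result["EvalDecision"]
        if not resp.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = resp["Marker"]


def denied_actions(plan: dict, client, principal_arn: str) -> List[str]:
    """Actions the plan needs that the simulator does not report as allowed."""
    actions = required_actions(plan)
    if not actions:
        return []
    decisions = simulate(client, principal_arn, actions)
    return sorted(a for a, d in decisions.items() if d != "allowed")


class FakeIamClient:
    """Offline stand-in for boto3.client("iam") that answers with the same
    response shape, one result per page to exercise the pagination loop."""

    def __init__(self, allowed: Iterable[str]):
        self.allowed = set(allowed)

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, Marker=None):
        i = int(Marker or 0)
        action = ActionNames[i]
        decision = "allowed" if action in self.allowed else "implicitDeny"
        resp = {"EvaluationResults": [
            {"EvalActionName": action, "EvalDecision": decision}]}
        if i + 1 < len(ActionNames):
            resp.update(IsTruncated=True, Marker=str(i + 1))
        else:
            resp["IsTruncated"] = False
        return resp


def main() -> int:
    # Principal with the permissions the page describes: start, not terminate.
    client = FakeIamClient(["ec2:StartInstances", "ec2:RunInstances",
                            "ec2:DescribeInstances"])
    role = role_arn_from_caller_arn(
        "arn:aws:sts::123456789012:assumed-role/terraform-ci/run-42")
    denied = denied_actions(SCALE_DOWN_PLAN, client, role)
    for action in denied:
        print(f"plan requires {action} but {role} is not allowed to call it")
    return 1 if denied else 0  # non-zero exit, as the proposal suggests


if __name__ == "__main__":
    sys.exit(main())
```

Two practical points for anyone wiring this up for real: the caller itself needs `iam:SimulatePrincipalPolicy`, and the simulator evaluates the principal's identity-based policies (and permissions boundary), so pass `ResourceArns` if the policies are scoped to specific resources; an `implicitDeny` on a condition-gated statement may only mean a context key was not supplied, which the API reports per result in `MissingContextValues`. The hard part the example hand-waves with `RESOURCE_ACTIONS` is knowing which API calls each resource change makes, which is why the issue asks for this to live in the provider.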