How do we get terraform to work without giving it full access?

0

We currently use EC2 full access, S3 full access, & elastic load balancing full access to get terraform up and running. These permissions are turned on and off after every terraform build. This is a security concern. I am wondering what permissions will allow terraform to work without giving full access?

3 answers
1

Afraid Terraform will need the access to create, delete and modify the resources. The policies applied to the TF user/role will need to be appropriate for provisioning.

Expert
answered 2 months ago
Expert
reviewed 2 months ago
0

Roles used by IaC are usually very powerful, with administrative rights to many resources. The best practice is to use a CI/CD pipeline and only enable those pipelines to use the role, protecting them using secrets inside the CI/CD tool. That way you keep those credentials away from humans (thus leaks), and only proper procedures through CI/CD leverage the role to deploy resources.

Hope this helps!

AWS
answered 2 months ago
0

There is an RFE open for this (doesn't look like it has progressed much) https://github.com/hashicorp/terraform-provider-aws/issues/32823

It makes reference to a stackoverflow question that asks what you're asking https://stackoverflow.com/questions/51273227/whats-the-most-efficient-way-to-determine-the-minimum-aws-permissions-necessary

And it appears you can achieve what you need by running TF_LOG=trace terraform apply --auto-approve &> log.log and then cat log.log | grep "DEBUG: Request".

A more recent reply suggests the log format has changed and you now need to grep for aws.operation=

Expert
Steve_M
answered 2 months ago
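As an added example (not part of Steve_M's answer, and not a HashiCorp or AWS tool) of turning that trace log into a least-privilege policy draft: the script below scans the aws.service= / aws.operation= key-value pairs that the answer says to grep for, groups the operations by service, and emits an IAM policy document. The log lines are constructed samples in the hclog key=value shape, and the service-name-to-IAM-prefix table is an assumption covering only the services mentioned on this page.

```python
import json
import re
from collections import defaultdict

# Constructed sample of TF_LOG=trace output (not captured from a real run).
# The aws.service= / aws.operation= pairs follow the key=value shape the
# answer describes; values containing spaces are double-quoted, as hclog does.
SAMPLE_LOG = """\
2024-01-01T10:00:00.000Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=DescribeVpcs aws.region=us-east-1 aws.service=EC2 tf_req_id=1
2024-01-01T10:00:01.000Z [DEBUG] provider.terraform-provider-aws: HTTP Response Received: aws.operation=DescribeVpcs aws.region=us-east-1 aws.service=EC2 tf_req_id=1
2024-01-01T10:00:02.000Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=RunInstances aws.region=us-east-1 aws.service=EC2 tf_req_id=2
2024-01-01T10:00:03.000Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=CreateBucket aws.region=us-east-1 aws.service=S3 tf_req_id=3
2024-01-01T10:00:04.000Z [DEBUG] provider.terraform-provider-aws: HTTP Request Sent: aws.operation=CreateLoadBalancer aws.region=us-east-1 aws.service="Elastic Load Balancing v2" tf_req_id=4
2024-01-01T10:00:05.000Z [INFO]  backend/local: apply operation completed
"""

# Assumed mapping from the service display name in the log to the IAM action
# prefix. Only the services on this page are filled in; anything else falls
# back to a lowercased, space-stripped guess that must be checked by hand.
SERVICE_PREFIX = {
    "EC2": "ec2",
    "S3": "s3",
    "Elastic Load Balancing": "elasticloadbalancing",
    "Elastic Load Balancing v2": "elasticloadbalancing",
}


def _kv(line, key):
    """Return the value of key=value in an hclog line, unquoting if needed."""
    m = re.search(r'%s=(?:"([^"]*)"|(\S+))' % re.escape(key), line)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def extract_operations(log_text):
    """Map IAM action prefix -> set of API operation names seen in the log."""
    ops = defaultdict(set)
    for line in log_text.splitlines():
        service = _kv(line, "aws.service")
        operation = _kv(line, "aws.operation")
        if not service or not operation:
            continue  # not an SDK request/response line
        prefix = SERVICE_PREFIX.get(service, service.replace(" ", "").lower())
        ops[prefix].add(operation)
    return dict(ops)


def build_policy(ops):
    """Build an IAM policy document with one Allow statement per service.

    Resource is left as "*" on purpose: the log tells you which actions were
    called, not which ARNs they touched, so resource scoping is a manual
    second pass.
    """
    statements = []
    for prefix in sorted(ops):
        statements.append({
            "Sid": "Terraform" + prefix.capitalize(),
            "Effect": "Allow",
            "Action": sorted(f"{prefix}:{op}" for op in ops[prefix]),
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import sys
    # Usage: TF_LOG=trace terraform apply &> log.log; python3 this.py log.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(build_policy(extract_operations(text)), indent=2))
```

Two caveats before trusting the output: API operation names usually equal IAM action names but not always (S3's ListObjectsV2 call is authorized by s3:ListBucket, for example), and a single apply does not exercise the update and destroy code paths, so trace plan, apply, a change, and destroy before treating the action list as complete. The generated document is a starting point for review, not the finished policy.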
