- Le plus récent
- Le plus de votes
- La plupart des commentaires
Afraid Terraform will need the access to create, delete and modify the resources. The polices applied to the TF user/role will need to be appropriate for provisioning.
Roles uses by IaC are usually very powerful with administrative rights to many resources. The best practice is to use a CI/CD pipeline and only enable those pipelines to use the role, protecting them using secrets inside the CI/CD tool. That way you keep those credentials away from humans (thus leaks) and only proper procedures through CI/CD leverage the role properly to deploy resources.
Hope this helps!
There is an RFE open for this (doesn't look like it has progressed much) https://github.com/hashicorp/terraform-provider-aws/issues/32823
It makes reference to a stackoverflow question that asks what you're asking https://stackoverflow.com/questions/51273227/whats-the-most-efficient-way-to-determine-the-minimum-aws-permissions-necessary
And it appears you can achieve what you need by running TF_LOG=trace terraform apply --auto-approve &> log.log
and then cat log.log | grep "DEBUG: Request"
.
A more recent reply suggests the log format has changed and you now need to grep
for aws.operation=
Contenus pertinents
- demandé il y a un an
- demandé il y a 8 mois
- demandé il y a un an
- AWS OFFICIELA mis à jour il y a 3 ans
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a 2 ans