DEV Community

Thomas H Jones II
Thomas H Jones II

Posted on • Originally published at thjones2.blogspot.com on

What Permissions Do I Need

In recent months, I've been converting some automation I originally wrote under CloudFormation to instead work under Terraform. Ultimately, the automation I wrote is going to be used in a different account than I (re)developed it in. As part of the customer's "least-privileges" deployment model, I needed to be able to specify to them all of the specific AWS IAM permissions that my TerraForm-based automation would need. Since the development account I've been working in doesn't provide me CloudTrail or other similarly-useful access, I had to find another way. Turns out, that "another way" is effectively built into Terraform, itself!

When one uses the TF_LOG=trace environment-variable, the activity-logging becomes very verbose. Burried amongst the storm of output is all of the IAM permissions that Terraform needs in order to perform its deployment, configuration and removal actions. Extracting it all was a matter of:

  1. Execute a terraform apply using:

    TF_LOG=trace terraform apply -autoapprove > apply.log
    
  2. Execute a terraform apply using:

    TF_LOG=trace terraform apply --autoapprove \  
      -refresh-only > refresh.log
    
  3. Execute a terraform apply using:

    TF_LOG=trace terraform destroy -autoapprove > destroy.log
    

Once each of the above completes successfully, one has three looooong output files. To extract the information (and put it in a format IAM administrators are more used to), a simple set of filters can be applied:

cat *.log | \
grep 'DEBUG: Request ' | \
sed -e 's/.*: Request//' \
  -e 's/ Details:.*$//' \
  -e 's#/#:#' | \
sort -u
Enter fullscreen mode Exit fullscreen mode

In my case, this filter-set resulting in a list that looked something like:

ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
ec2:CreateSecurityGroup
ec2:DescribeImages
ec2:DescribeInstanceAttribute
ec2:DescribeInstanceCreditSpecifications
ec2:DescribeInstances
ec2:DescribeSecurityGroups
ec2:DescribeTags
ec2:DescribeVolumes
ec2:DescribeVpcs
ec2:RevokeSecurityGroupEgress
ec2:RunInstances
elasticloadbalancing:AddTags
elasticloadbalancing:CreateListener
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:CreateTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeTags
elasticloadbalancing:DescribeTargetGroupAttributes
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:ModifyTargetGroup
elasticloadbalancing:ModifyTargetGroupAttributes
elasticloadbalancing:SetSecurityGroups
s3:GetObject
s3:ListObjects
Enter fullscreen mode Exit fullscreen mode

Once such a list is generated, it can then be passed on to the parties that set up the requisite IAM roles.

Discussion (0)