What Permissions Do I Need

In recent months, I've been converting some automation I originally wrote under CloudFormation to instead work under Terraform. Ultimately, the automation I wrote is going to be used in a different account than I (re)developed it in. As part of the customer's "least-privileges" deployment model, I needed to be able to specify to them all of the specific AWS IAM permissions that my TerraForm-based automation would need. Since the development account I've been working in doesn't provide me CloudTrail or other similarly-useful access, I had to find another way. Turns out, that "another way" is effectively built into Terraform, itself!

When one uses the TF_LOG=trace environment-variable, the activity-logging becomes very verbose. Burried amongst the storm of output is all of the IAM permissions that Terraform needs in order to perform its deployment, configuration and removal actions. Extracting it all was a matter of:

1. Execute a terraform apply using:
   

   TF_LOG=trace terraform apply -autoapprove > apply.log 

2. Execute a terraform apply using:
   

   TF_LOG=trace terraform apply --autoapprove \ -refresh-only > refresh.log 

3. Execute a terraform apply using:
   

   TF_LOG=trace terraform destroy -autoapprove > destroy.log 

Once each of the above completes successfully, one has three looooong output files. To extract the information (and put it in a format IAM administrators are more used to), a simple set of filters can be applied:

cat *.log | \ grep 'DEBUG: Request ' | \ sed -e 's/.*: Request//' \ -e 's/ Details:.*$//' \ -e 's#/#:#' | \ sort -u 

In my case, this filter-set resulting in a list that looked something like:

ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateSecurityGroup ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceCreditSpecifications ec2:DescribeInstances ec2:DescribeSecurityGroups ec2:DescribeTags ec2:DescribeVolumes ec2:DescribeVpcs ec2:RevokeSecurityGroupEgress ec2:RunInstances elasticloadbalancing:AddTags elasticloadbalancing:CreateListener elasticloadbalancing:CreateLoadBalancer elasticloadbalancing:CreateTargetGroup elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeTags elasticloadbalancing:DescribeTargetGroupAttributes elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:ModifyLoadBalancerAttributes elasticloadbalancing:ModifyTargetGroup elasticloadbalancing:ModifyTargetGroupAttributes elasticloadbalancing:SetSecurityGroups s3:GetObject s3:ListObjects 

Once such a list is generated, it can then be passed on to the parties that set up the requisite IAM roles.