In recent months, I've been converting some automation I originally wrote under CloudFormation to instead work under Terraform. Ultimately, the automation I wrote is going to be used in a different account than I (re)developed it in. As part of the customer's "least-privileges" deployment model, I needed to be able to specify to them all of the specific AWS IAM permissions that my TerraForm-based automation would need. Since the development account I've been working in doesn't provide me CloudTrail or other similarly-useful access, I had to find another way. Turns out, that "another way" is effectively built into Terraform, itself!
When one uses the TF_LOG=trace environment-variable, the activity-logging becomes very verbose. Burried amongst the storm of output is all of the IAM permissions that Terraform needs in order to perform its deployment, configuration and removal actions. Extracting it all was a matter of:
- Execute a `terraform apply` using:
TF_LOG=trace terraform apply -autoapprove > apply.log - Execute a `terraform apply` using:
TF_LOG=trace terraform apply --autoapprove \
-refresh-only > refresh.log` - Execute a `terraform apply` using:
TF_LOG=trace terraform destroy -autoapprove > destroy.log
This filter-set gives you a list that looks something like:cat *.log | \ grep 'DEBUG: Request ' | \ sed -e 's/.*: Request//' \ -e 's/ Details:.*$//' \ -e 's#/#:#' | \ sort -u
Which you can then pass on to the parties that set up your IAM roles.ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:CreateSecurityGroup ec2:DescribeImages ec2:DescribeInstanceAttribute ec2:DescribeInstanceCreditSpecifications ec2:DescribeInstances ec2:DescribeSecurityGroups ec2:DescribeTags ec2:DescribeVolumes ec2:DescribeVpcs ec2:RevokeSecurityGroupEgress ec2:RunInstances elasticloadbalancing:AddTags elasticloadbalancing:CreateListener elasticloadbalancing:CreateLoadBalancer elasticloadbalancing:CreateTargetGroup elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeTags elasticloadbalancing:DescribeTargetGroupAttributes elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:ModifyLoadBalancerAttributes elasticloadbalancing:ModifyTargetGroup elasticloadbalancing:ModifyTargetGroupAttributes elasticloadbalancing:SetSecurityGroups s3:GetObject s3:ListObjects
No comments:
Post a Comment