Reputation: 1044
I would like to restrict a user's permissions, so they can't modify infrastructure without going through a process.
For example, as a requirement, a developer must go through the process of opening a PR, code review, tests pass, before it is merged. They can't push to master until that is complete. Similarly, a user should not be able to terraform apply, despite their AWS account having significant access to access/update/delete resources.
The issue is that running terraform plan is very helpful locally, and saves a lot of time when making changes to the HCL files.
Is there a way to restrict the terraform apply step, while still being able to run terraform plan?
Upvotes: 1
Views: 1692
Reputation: 74299
Because Terraform and the associated providers run entirely on the machine where Terraform CLI is installed, those components alone are not able to implement any sort of access controls: a user could, for example, simply modify Terraform CLI or one of the providers to not enforce whatever checks you'd put in place.
Instead, enforcing permissions must be done by some other system. There are two main options for this, and these two options are complementary and could be implemented together as part of a "defense in depth" strategy:
1. Use the access control mechanisms offered by the remote system you are interacting with. For example, if you are working with Amazon Web Services then you can write IAM policies that only permit read access to the services in question, which should then be sufficient for most plan-time operations.
   Unfortunately the details about which permissions are required for each operation in AWS are often not clearly documented, so for AWS at least this approach often involves some trial-and-error. Other systems may have clearer documentation.
2. Require all Terraform usage to be done remotely via some sort of remote automation, where the automation system can then restrict which users are able to start which actions.
   There are various automation products which enable restricting which actions are available to which users. HashiCorp also offers Terraform Cloud, which includes the possibility of running Terraform remotely either in an execution context provided by Terraform Cloud itself or via an agent running on your own infrastructure. You can configure Terraform Cloud to allow applying only through the version control workflow.
Upvotes: 4
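As an added illustration of the first option in the answer above (example configuration, not the answer author's code): an IAM group whose members get broad read access for plan-time refreshes plus the minimum the S3 backend needs to read state and take the lock, but nothing that writes state or changes infrastructure. The group name "terraform-planners", the bucket "example-tfstate-bucket" and the lock table "example-tf-locks" are placeholders.

```hcl
# Added example, not from the original answer. Placeholder names:
# group "terraform-planners", bucket "example-tfstate-bucket",
# DynamoDB lock table "example-tf-locks".

# Broad read access for the provider API calls that `terraform plan` makes
# while refreshing. AWS's managed ReadOnlyAccess policy is a practical
# starting point, but it also grants data reads such as s3:GetObject on
# every bucket; scope it down (e.g. ec2:Describe*, rds:Describe*,
# iam:Get*, iam:List*) once the resources in use are known.
resource "aws_iam_group_policy_attachment" "planners_readonly" {
  group      = "terraform-planners"
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# The S3 backend must read the state object and, because plan takes the
# state lock by default, write to the lock table. No s3:PutObject is
# granted, so the state file itself cannot be overwritten from a laptop.
data "aws_iam_policy_document" "plan_backend" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-tfstate-bucket"]
  }
  statement {
    sid       = "ReadStateObject"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-tfstate-bucket/*"]
  }
  statement {
    sid = "StateLock"
    actions = [
      "dynamodb:DescribeTable",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:DeleteItem",
    ]
    resources = ["arn:aws:dynamodb:*:*:table/example-tf-locks"]
  }
}

resource "aws_iam_policy" "plan_backend" {
  name   = "terraform-plan-backend-access"
  policy = data.aws_iam_policy_document.plan_backend.json
}

resource "aws_iam_group_policy_attachment" "planners_backend" {
  group      = aws_iam_group_policy_attachment.planners_readonly.group
  policy_arn = aws_iam_policy.plan_backend.arn
}
```

With these permissions, terraform apply fails at the first mutating API call, while terraform plan still refreshes and diffs; the apply-capable credentials then live only in the automation system described in the second option.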