Tetsuya Saitou

Reputation: 11

IAM policy that allows only terraform plans to be executed

We are running terraform with multiple users.

We want to manage the IAM Policy applied to user A so that user A can execute terraform plan/apply, but user B can only execute terraform plan.

In such a case, what kind of permission should be granted to the IAM Policy that allows only terraform plan execution?

I would appreciate your advice.

Upvotes: 1

Views: 2759

Answers (3)

Lawrence Gil

Reputation: 415

I'm assuming you're using a remote backend and you want to restrict the "apply" command, thus preventing some users from modifying the state file. The issue with restricting the write access to the state file is that terraform applies the changes and then updates the state file, so you'll find yourself in a situation where the changes were made in the infrastructure, but terraform wasn't able to update the state file. It's true that these changes will get overridden next time a user with write permission applies, but there's potential to cause a lot of headaches.

Take this with a grain of salt since I haven't done thorough testing on this. But this happened to me with S3 backend and opentofu a couple of days ago. Hope this helps.

Upvotes: 0

Vidushi Bansal

Reputation: 1

Terraform takes credentials to set up the infrastructure in many ways, as described here. So, when two users are running the terraform code, they can use their separate credentials (aws_access_key_id and aws_secret_access_key) which have different sets of permissions to access the AWS resources. In your case, one user will have a read-only policy attached to its role that can run terraform plan but not terraform apply, while the other user will have the necessary read/write permissions to the AWS resources.

Upvotes: 0

Technowise

Reputation: 1357

The simplest solution would be to:

  1. Create a user for User B with the arn:aws:iam::aws:policy/ReadOnlyAccess managed policy attached.

  2. Create a user for User A with the arn:aws:iam::aws:policy/AdministratorAccess managed policy attached.

Upvotes: 1
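As an added example that is not part of the answer above, here is the same two-user setup written as Terraform, plus the one extra grant a plan-only user needs when the state is kept in an S3 backend with DynamoDB locking. The bucket name, lock table, account ID, region and user names are placeholders, and the S3/DynamoDB backend layout is an assumption; adjust them to your backend.

```hcl
# Added example, not code from the original answer. Assumes an S3 backend with a
# DynamoDB lock table; all names, the account ID and the region are placeholders.

resource "aws_iam_user" "user_a" {
  name = "user-a"
}

resource "aws_iam_user" "user_b" {
  name = "user-b"
}

# User A: can plan and apply, via the managed policy named in the answer.
resource "aws_iam_user_policy_attachment" "user_a_admin" {
  user       = aws_iam_user.user_a.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# User B: read-only, which is enough for the refresh and diff that `plan` does,
# and for reading the state object (s3:GetObject, s3:ListBucket) and the lock
# item (dynamodb:GetItem).
resource "aws_iam_user_policy_attachment" "user_b_readonly" {
  user       = aws_iam_user.user_b.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# ReadOnlyAccess does not include dynamodb:PutItem / dynamodb:DeleteItem, and
# `terraform plan` acquires the state lock by default, so User B's plan would
# fail at lock acquisition unless run with -lock=false. Grant exactly those two
# actions, scoped to the lock table only; nothing here grants s3:PutObject, so
# User B still cannot write the state file.
data "aws_iam_policy_document" "state_lock" {
  statement {
    sid       = "StateLock"
    actions   = ["dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:us-east-1:123456789012:table/tf-lock-example"]
  }
}

resource "aws_iam_policy" "state_lock" {
  name   = "terraform-state-lock"
  policy = data.aws_iam_policy_document.state_lock.json
}

resource "aws_iam_user_policy_attachment" "user_b_state_lock" {
  user       = aws_iam_user.user_b.name
  policy_arn = aws_iam_policy.state_lock.arn
}
```

Two caveats worth keeping in mind. First, "plan-only" here means User B's `terraform apply` fails on its first mutating API call with AccessDenied rather than being refused up front; the policy limits effect, not the command. Second, ReadOnlyAccess is account-wide and includes data-plane reads such as s3:GetObject on every bucket, and a plan requires reading the state file itself, which often contains secrets in plain text. If User B should see less than that, replace ReadOnlyAccess with a policy listing only the Describe/List/Get actions for the services your configuration actually manages, plus the state-bucket and lock-table statements above.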
