Determining a minimal IAM policy required to perform a terraform run

[gtmtech]

I am trying to create a minimal IAM policy which can govern the CRUD of my defined terraform resources in AWS, so I can run terraform with my configuration.

I couldn't find any guidance on this, so I started off by creating an IAM policy with no access, hooking up cloudtrail and cloudwatch logs, and then going through the creation of a VPC (as an example), and watching for what actions were unauthorized, and slowly piecing together an IAM profile which would allow terraform to CRUD a VPC.

The job of tracking which Actions need to be allowed would be made a lot easier if under TF_LOG=true, the debugger would print out which action it was trying to do at the point it got a NotAuthorized.

It also struck me that by looking at the terraform code, that these are all available from the terraform code itself, if you can be bothered to walk through it ...

e.g.
conn.CreateVPC
conn.DescribeVPCAttribute
conn.DescribeRouteTables

I wonder if relevant IAM policies could be autogenerated somehow from this.

In any case a little line of debug present would help millions.

Thanks

[gilesbutler]

+1 for this.

I'm getting this error Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.

If I give the AWS user full access then terrafom apply works. I've looked through the docs but can't find anything on setting the correct IAM policy for Terraform. The Packer docs have an example policy with minimum required policy permissions for IAM though.

[gtmtech]

Here is an attempt to parse out what each resource does, even though some resources are chained. It is in Resource:Actions format, and the Actions are the actions in aws go lib, rather than ec2 actions but they correlate very closely. Might be of help

http://pastebin.com/Xm39eh9q

[gilesbutler]

Thanks for the response @gtmtech unfortunately I can't make sense of that but I appreciate you trying to help.

[gtmtech]

I'm still working on something a bit more coherent for my usecase - hopefully it will be useful to you too.. will keep you posted

[gilesbutler]

Excellent thanks @gtmtech

[wolfspyre]

This is great stuff, and would be awesome to have included in the docs somewhere as it gets fleshed out.

[gtmtech]

In working on this myself, I realised that in practice you want to define multiple terraform policies, otherwise terraform is just too much of a powerful tool and you could accidentally wreck your infrastructure if not careful.

As such, with the aws resources I use, I've defined a "terraform builder" policy which allows my team to build stuff, and a separate "terraform destroyer" policy, which allows people to destroy stuff, and must be used with much greater caution (imagine for example accidentally destroying all your production databases).

I've gone through the code for the resources I use, and split up the actions into CREATE, READ, UPDATE, DELETE (CRUD) operations. A terraform builder policy would then typically be the amalgamation of the CREATE+READ rules. Perhaps a terraform updater policy could be the CREATE+READ+UPDATE rules, and finally the destroyer policy would be READ+UPDATE+DELETE.

I would suggest that we build a database of files (one per aws_resource in terraform), that document the CREATE,READ,UPDATE,DELETE ec2 IAM rules which must be allowed for terraform to do its job, then a simple tool or addition to the terraform cmdline could spit out your minimal IAM policy.

It's not perfect of course - for example when terraform creates a security group, it also revokes the default security group rule , which is a DELETE level operation, so in order to create stuff, you do need a couple of delete privileges. But I've found overall this really protects the infrastructure and the team from mishaps - because in our infrastructure now, it is impossible to accidentally delete what we've built.

Anyway, here are the list of rules I've managed to do so far - there may be a couple of bugs, but its a start. CSV format. The 4th column is the most interested, and you can simply filter by the aws resources you use, and the CRUD operations you want with a simple grep

Terraform Resources,AWS Resource,CRUD Operation,PolicyRule Required,,,,
aws_network_acl,NetworkAcl,CREATE,ec2:CreateNetworkAcl,1.6.1,,,
aws_network_acl,NetworkAcl,CREATE,ec2:CreateNetworkAclEntry,1.6.1,,,
aws_network_acl,NetworkAcl,READ,ec2:DescribeNetworkAcls,1.6.1,,,
aws_network_acl,NetworkAcl,UPDATE,ec2:ReplaceNetworkAclAssociation,1.6.1,,,
aws_network_acl,NetworkAcl,DELETE,ec2:DeleteNetworkAcl,1.6.1,,,
aws_network_acl,NetworkAcl,DELETE,ec2:DeleteNetworkAclEntry,1.6.1,,,
aws_network_interface,NetworkInterface,CREATE,ec2:CreateNetworkInterface,1.6.1,,,
aws_network_interface,NetworkInterface,CREATE,ec2:AttachNetworkInterface,1.6.1,,,
aws_network_interface,NetworkInterface,READ,ec2:DescribeNetworkInterfaceAttributes,1.6.1,,,
aws_network_interface,NetworkInterface,READ,ec2:DescribeNetworkInterfaces,1.6.1,,,
aws_network_interface,NetworkInterface,UPDATE,ec2:ModifyNetworkInterfaceAttribute,1.6.1,,,
aws_network_interface,NetworkInterface,DELETE,ec2:DetachNetworkInterface,1.6.1,,,
aws_network_interface,NetworkInterface,DELETE,ec2:DeleteNetworkInterface,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,CREATE,autoscaling:AttachLoadbalancers,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,CREATE,autoscaling:CreateAutoScalingGroup,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,READ,autoscaling:DescribeAutoScalingGroups,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,READ,elasticloadbalancing:DescribeInstanceHealth,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,UPDATE,autoscaling:UpdateAutoScalingGroup,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,DELETE,autoscaling:DetachLoadbalancers,1.6.1,,,
aws_autoscaling_group,AutoScalingGroup,DELETE,autoscaling:DeleteAutoScalingGroup,1.6.1,,,
aws_launch_configuration,LaunchConfiguration,CREATE,autoscaling:CreateLaunchConfiguration,1.6.1,,,
aws_launch_configuration,LaunchConfiguration,READ,autoscaling:DescribeLaunchConfiguration,1.6.1,,,
aws_launch_configuration,LaunchConfiguration,DELETE,autoscaling:DeleteLaunchConfiguration,1.6.1,,,
aws_vpc,Vpc,CREATE,ec2:CreateVpc,1.6.1,,,
aws_vpc,Vpc,CREATE,ec2:DescribeNetworkACLs,1.6.1,,,
aws_vpc,Vpc,CREATE,ec2:DescribeRouteTables,1.6.1,,,
aws_vpc,Vpc,READ,ec2:DescribeSecurityGroups,1.6.1,,,
aws_vpc,Vpc,READ,ec2:DescribeVpcAttribute,1.6.1,,,
aws_vpc,Vpc,READ,ec2:DescribeVpc,1.6.1,,,
aws_vpc,Vpc,UPDATE,ec2:ModifyVpcAttribute,1.6.1,,,
aws_vpc,Vpc,DELETE,ec2:DeleteVpc,1.6.1,,,
aws_vpc_endpoint,VpcEndpoint,CREATE,ec2:CreateVpc,1.6.1,,,
aws_vpc_endpoint,VpcEndpoint,CREATE,ec2:CreateVpcEndpoint,1.6.1,,,
aws_vpc_endpoint,VpcEndpoint,READ,ec2:DescribeVpcEndpoints,1.6.1,,,
aws_vpc_endpoint,VpcEndpoint,UPDATE,ec2:ModifyVpcEndpoint,1.6.1,,,
aws_vpc_endpoint,VpcEndpoint,DELETE,ec2:DeleteVpcEndpoints,1.6.1,,,
aws_vpc_endpoint,VpcEndpoint,DELETE,ec2:DeleteVpc,1.6.1,,,
aws_vpc_peering_connection,VpcPeeringConnection,CREATE,ec2:CreateVpc,1.6.1,,,
aws_vpc_peering_connection,VpcPeeringConnection,CREATE,ec2:CreateVpcPeeringConnection,1.6.1,,,
aws_vpc_peering_connection,VpcPeeringConnection,CREATE,ec2:AcceptVpcPeeringConnection,1.6.1,,,
aws_vpc_peering_connection,VpcPeeringConnection,READ,ec2:DescribeVpcPeeringConnections,1.6.1,,,
aws_vpc_peering_connection,VpcPeeringConnection,DELETE,ec2:DeleteVpc,1.6.1,,,
aws_vpc_peering_connection,VpcPeeringConnection,DELETE,ec2:DeleteVpcPeeringConnection,1.6.1,,,
aws_subnet,Subnet,CREATE,ec2:CreateSubnet,1.6.1,,,
aws_subnet,Subnet,READ,ec2:DescribeSubnets,1.6.1,,,
aws_subnet,Subnet,UPDATE,ec2:ModifySubnetAttributes,1.6.1,,,
aws_subnet,Subnet,DELETE,ec2:DeleteSubnet,1.6.1,,,
aws,Tags,CREATE,ec2:CreateTags,1.6.1,,,
aws,Tags,DELETE,ec2:DeleteTags,1.6.1,,,
aws_instance,Instance,CREATE,ec2:RunInstances,1.6.1,,,
aws_instance,Instance,CREATE,ec2:MonitorInstances,1.6.1,,,
aws_instance,Instance,READ,ec2:DescribeImages,1.6.1,,,
aws_instance,Instance,READ,ec2:DescribeVolumes,1.6.1,,,
aws_instance,Instance,READ,ec2:DescribeInstances,1.6.1,,,
aws_instance,Instance,UPDATE,ec2:ModifyInstanceAttribute,1.6.1,,,
aws_instance,Instance,DELETE,ec2:TerminateInstances,1.6.1,,,
aws_instance,Instance,DELETE,ec2:UnmonitorInstances,1.6.1,,,
aws_security_group,SecurityGroup,CREATE,ec2:CreateSecurityGroup,1.6.1,,,
aws_security_group,SecurityGroup,CREATE,ec2:AuthorizeSecurityGroupEgress,1.6.1,,,
aws_security_group,SecurityGroup,CREATE,ec2:AuthorizeSecurityGroupIngress,1.6.1,,,
aws_security_group,SecurityGroup,CREATE,ec2:RevokeSecurityGroupEgress,1.6.1,,,
aws_security_group,SecurityGroup,CREATE,ec2:RevokeSecurityGroupIngress,1.6.1,,,
aws_security_group,SecurityGroup,READ,ec2:DescribeSecurityGroups,1.6.1,,,
aws_security_group,SecurityGroup,DELETE,ec2:RevokeSecurityGroupIngress,1.6.1,,,
aws_security_group,SecurityGroup,DELETE,ec2:RevokeSecurityGroupEgress,1.6.1,,,
aws_security_group,SecurityGroup,DELETE,ec2:DeleteSecurityGroup,1.6.1,,,
aws_security_group_rule,SecurityGroupEgress,CREATE,ec2:AuthorizeSecurityGroupEgress,1.6.1,,,
aws_security_group_rule,SecurityGroupEgress,READ,ec2:DescribeSecurityGroups,1.6.1,,,
aws_security_group_rule,SecurityGroupEgress,DELETE,ec2:RevokeSecurityGroupEgress,1.6.1,,,
aws_security_group_rule,SecurityGroupIngress,CREATE,ec2:AuthorizeSecurityGroupIngress,1.6.1,,,
aws_security_group_rule,SecurityGroupIngress,READ,ec2:DescribeSecurityGroups,1.6.1,,,
aws_security_group_rule,SecurityGroupIngress,DELETE,ec2:RevokeSecurityGroupIngress,1.6.1,,,
aws_internet_gateway,InternetGateway,CREATE,ec2:CreateInternetGateway,1.6.1,,,
aws_internet_gateway,InternetGateway,CREATE,ec2:AttachInternetGateway,1.6.1,,,
aws_internet_gateway,InternetGateway,READ,ec2:DescribeInternetGateways,1.6.1,,,
aws_internet_gateway,InternetGateway,DELETE,ec2:DetachInternetGateway,1.6.1,,,
aws_internet_gateway,InternetGateway,DELETE,ec2:DeleteInternetGateway,1.6.1,,,
aws_route_table,Route,CREATE,ec2:CreateRoute,1.6.1,,,
aws_route_table,Route,DELETE,ec2:DeleteRoute,1.6.1,,,
aws_route_table,RouteTable,CREATE,ec2:CreateRouteTable,1.6.1,,,
aws_route_table,RouteTable,CREATE,ec2:EnableVGWRoutePropagation,1.6.1,,,
aws_route_table,RouteTable,READ,ec2:DescribeRouteTable,1.6.1,,,
aws_route_table,RouteTable,DELETE,ec2:DisableVGWRoutePropagation,1.6.1,,,
aws_route_table,RouteTable,DELETE,ec2:DisassociateRouteTable,1.6.1,,,
aws_route_table,RouteTable,DELETE,ec2:DeleteRouteTable,1.6.1,,,
aws_eip,Address,CREATE,ec2:AllocateAddress,1.6.1,,,
aws_eip,Address,CREATE,ec2:AssociateAddress,1.6.1,,,
aws_eip,Address,READ,ec2:DescribeAddresses,1.6.1,,,
aws_eip,Address,DELETE,ec2:ReleaseAddress,1.6.1,,,
aws_eip,Address,DELETE,ec2:DisassociateAddress,1.6.1,,,
aws_main_route_table_association,RouteTable,READ,ec2:DescribeRouteTable,1.6.1,,,
aws_main_route_table_association,RouteTable,UPDATE,ec2:ReplaceRouteTableAssociation,1.6.1,,,
aws_route_table_association,RouteTable,CREATE,ec2:AssociateRouteTable,1.6.1,,,
aws_route_table_association,RouteTable,UPDATE,ec2:ReplaceRouteTableAssociation,1.6.1,,,
aws_route_table_association,RouteTable,DELETE,ec2:DisassociateRouteTable,1.6.1,,,
aws_route_53_record,Route53Record,UPDATE,route53:ChangeResourceRecordSets,1.6.1,,,
aws_route_53_record,Route53Record,READ,route53:GetHostedZone,1.6.1,,,
aws_route_53_record,Route53Record,READ,route53:ListResourceRecordSets,1.6.1,,,
aws_route_53_record,Route53Record,UPDATE,route53:ChangeTagsForResource,1.6.1,,,
aws_reoute_53_health_check,Route53HealthCheck,CREATE,route53:CreateHealthCheck,1.6.1,,,
aws_reoute_53_health_check,Route53HealthCheck,READ,route53:GetHealthCheck,1.6.1,,,
aws_reoute_53_health_check,Route53HealthCheck,READ,route53:ListTagsForResource,1.6.1,,,
aws_reoute_53_health_check,Route53HealthCheck,UPDATE,route53:UpdateHealthCheck,1.6.1,,,
aws_reoute_53_health_check,Route53HealthCheck,DELETE,route53:DeleteHealthCheck,1.6.1,,,
aws_ebs_volume,Volume,CREATE,ec2:CreateVolume,1.6.1,,,
aws_ebs_volume,Volume,DELETE,ec2:DeleteVolume,1.6.1,,,
aws_ebs_volume,Volume,READ,ec2:DescribeVolumes,1.6.1,,,
aws_volume_attachment,Volume,CREATE,ec2:AttachVolume,1.6.1,,,
aws_volume_attachment,Volume,READ,ec2:DescribeVolumes,1.6.1,,,
aws_volume_attachment,Volume,DELETE,ec2:DetachVolume,1.6.1,,,
aws_elb,ElasticLoadBalancer,CREATE,elasticloadbalancing:ApplySecurityGroupsToLoadbalancer,1.6.1,,,
aws_elb,ElasticLoadBalancer,CREATE,elasticloadbalancing:ConfigureHealthCheck,1.6.1,,,
aws_elb,ElasticLoadBalancer,CREATE,elasticloadbalancing:CreateLoadBalancer,1.6.1,,,
aws_elb,ElasticLoadBalancer,CREATE,elasticloadbalancing:CreateLoadBalancerListeners,1.6.1,,,
aws_elb,ElasticLoadBalancer,CREATE,elasticloadbalancing:RegisterInstancesWithLoadBalancer,1.6.1,,,
aws_elb,ElasticLoadBalancer,CREATE,elasticloadbalancing:AddTags,1.6.1,,,
aws_elb,ElasticLoadBalancer,READ,elasticloadbalancing:DescribeLoadBalancerAttributes,1.6.1,,,
aws_elb,ElasticLoadBalancer,READ,elasticloadbalancing:DescribeLoadBalancers,1.6.1,,,
aws_elb,ElasticLoadBalancer,READ,elasticloadbalancing:DescribeTags,1.6.1,,,
aws_elb,ElasticLoadBalancer,UPDATE,elasticloadbalancing:ModifyLoadBalancerAttributes,1.6.1,,,
aws_elb,ElasticLoadBalancer,DELETE,elasticloadbalancing:DeleteLoadBalancer,1.6.1,,,
aws_elb,ElasticLoadBalancer,DELETE,elasticloadbalancing:DeleteLoadBalancerListeners,1.6.1,,,
aws_elb,ElasticLoadBalancer,DELETE,elasticloadbalancing:DeregisterInstancesFromLoadBalancer,1.6.1,,,
aws_elb,ElasticLoadBalancer,DELETE,elasticloadbalancing:RemoveTags,1.6.1,,,
aws_iam_instance_profile,IamInstanceProfile,CREATE,iam:AddRoleToInstanceProfile,1.6.1,,,
aws_iam_instance_profile,IamInstanceProfile,CREATE,iam:CreateInstanceProfile,1.6.1,,,
aws_iam_instance_profile,IamInstanceProfile,READ,iam:GetInstanceProfile,1.6.1,,,
aws_iam_instance_profile,IamInstanceProfile,DELETE,iam:DeleteInstanceProfile,1.6.1,,,
aws_iam_instance_profile,IamInstanceProfile,DELETE,iam:RemoveRoleFromInstanceProfile,1.6.1,,,

[lkraider]

Please provide this as part of the docs/repo so that policy can be generated as needed.

[blalor]

That's pretty excellent @gtmtech. Would really like to see official support for this.

[blalor]

oh, neat. AWS has a maximum policy size limit of 2k. so if you've got an even moderately-sized terraform config for AWS you've basically gotta just wildcard everything. :-(

[steve-jansen]

@blalor my IAM skills aren't very sharp... anyways, perhaps you can use a short Deny to allow TF to do most things but deny deletes?

Source: AWS re:Invent 2015 (SEC305) - How to Become an IAM Policy Ninja in 60 Minutes or Less

*edit: corrected myself after not reading far enough ahead.. d'oh

[blalor]

Thanks, Steve. I'll give that a look. I was also thinking that resource groups may be a thing to limit scope (allow the iam user to only manage resources tagged with a particular environment), but that inky seems to apply to the console. Maybe I'm thinking of something else.

[blalor]

Ah, this is what I was thinking of: http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-Ins

[blalor]

So, reading through that, policy documents can be bigger, depending on how they're used (ie policies attached to users are limited to 2k, but managed policies are I think 5k). I'm using Vault's AWS secret backend to create a user with the required permissions to apply Terraform configs, and that doesn't currently seem to support managed policies.

Anyway: