确定Terraform配置所需的最低AWS权限的最有效方法是什么? [英] What's the most efficient way to determine the minimum AWS permissions necessary for a Terraform configuration?
问题描述
我有一个针对AWS上的Terraform配置部署.当使用有权执行任何操作的IAM用户(即{actions: ["*"], resources: ["*"]}.
I have a Terraform configuration targeting deployment on AWS. It applies beautifully when using an IAM user that has permission to do anything (i.e. {actions: ["*"], resources: ["*"]}.
为使此Terraform配置的应用程序自动化,我想确定最初应用配置并影响后续更改所必需的 minimum 权限集.我特别想避免在政策中授予过分的权限,例如{actions: ["s3:*"], resources: ["*"]}.
In pursuit of automating the application of this Terraform configuration, I want to determine the minimum set of permissions necessary to apply the configuration initially and effect subsequent changes. I specifically want to avoid giving overbroad permissions in policy, e.g. {actions: ["s3:*"], resources: ["*"]}.
到目前为止,我只是运行terraform apply直到出现错误.我查看输出或terraform日志输出,以查看失败的API调用,然后将其添加到部署用户策略中. EC2和S3尤其令人沮丧,因为操作的名称似乎不一定与API方法名称一致.我花了几个小时来用简单的方式告诉我我要走多长时间.
So far, I'm simply running terraform apply until an error occurs. I look at the output or at the terraform log output to see what API call failed and then add it to the deployment user policy. EC2 and S3 are particularly frustrating because the name of the actions seems to not necessarily align with the API method name. I'm several hours into this with easy way to tell how far long I am.
有更有效的方法吗?
如果Terraform告诉我我需要什么许可/动作,那真是太好了,但这是Hashicorp最好的产品增强功能.
It'd be really nice if Terraform advised me what permission/action I need but that's a product enhancement best left to Hashicorp.
推荐答案
由于我认为没有完美的解决方案,因此请将此问题作为我脑力激荡的结果.至少对于初始权限设置,我可以想象以下内容:
As I guess that there's no perfect solution, treat this answer a bit as result of my brain storming. At least for the initial permission setup, I could imagine the following:
首先允许所有内容,然后处理CloudTrail日志以查看在terraform apply/destroy周期中进行了哪些API调用.
Allow everything first and then process the CloudTrail logs to see, which API calls were made in a terraform apply / destroy cycle.
然后,您更新IAM策略以完全包括这些调用.
Afterwards, you update the IAM policy to include exactly these calls.
这篇关于确定Terraform配置所需的最低AWS权限的最有效方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
