问题
I am using Terraform to construct our applications infrastructure, its been executed from a container. At the beginning I have attached a IAM (AWS) role which basically provide the container with Admin permissions (which is a mistake, i know).
Now i need to create a role that is minimal for the existing state. I have a lot of services and resources in that terraform plan.
Is there a tool that can read a state or a plan and generate a list of necessary IAM policies? Or what would be the best/easiest approach to handle such task?
*i am using workspaces for different environments, so probably i will need different role for each workspace.
回答1:
I cannot speak to the effectiveness of these tools, but I figured I'd share them. It's worth noting, also, that they may not currently be maintained or up-to-date.
terraform-policymaker contains mappings of what AWS API calls are made from each resource. Then it scans your terraform and generates a least privilege policy policy. Seems very useful, I wonder why it's not more popular.
terraform-aws-permissions-generator takes a different approach. You run it in a dummy account and it tracks all calls made to AWS. It destroys all resources and generates a policy with the exact operations that were done. The big drawback I see here is that it may not account for update operations (since it's just creating then destroying).
Use at your own risk, especially the permissions generator.
来源:https://stackoverflow.com/questions/61207632/terraform-aws-auto-generated-iam-role