
I am reviewing this website, https://terragrunt.gruntwork.io/docs/getting-started/quick-start/

where they discuss an IAM role for Terragrunt as in the following code

provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::0123456789:role/terragrunt"
  }
}

Which IAM Policy or Policies do I attach to the Terragrunt role?

user3423536

1 Answer


Assuming the terragrunt role is for deployments: Terragrunt has a doc on this.

Assuming you're using an s3 bucket for state:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetBucketLocation",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<BucketName>"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BucketName>/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Note: if using DynamoDB to lock applies, you'll need to add that too (documented on that same page); the same applies for KMS.

The above policy is the least permissive, not including actions such as s3:CreateBucket.

tjheslin1
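As an added illustration (not part of the answer above), the following Python generates the state-bucket policy from the answer for a given bucket name, optionally appends a statement for the DynamoDB lock table, and then lints the result for grants wider than a state backend needs. The lock-table action list is an assumption taken from memory of the Terraform S3 backend documentation, not from the answer; the bucket and table names are constructed sample values.

```python
import json

# Assumed set of actions the DynamoDB lock table needs (from the Terraform
# S3 backend docs, from memory; not stated in the answer above).
LOCK_TABLE_ACTIONS = ["dynamodb:DescribeTable", "dynamodb:GetItem",
                      "dynamodb:PutItem", "dynamodb:DeleteItem"]


def state_policy(bucket, lock_table_arn=None):
    """Build the least-privilege policy for an S3 state backend.

    `bucket` is the state bucket name; `lock_table_arn`, when given, is the
    ARN of the DynamoDB table used for state locking.
    """
    statements = [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:List*"],
         "Resource": [f"arn:aws:s3:::{bucket}"]},
        {"Effect": "Allow",
         "Action": ["s3:DeleteObject", "s3:GetObject",
                    "s3:PutObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},
    ]
    if lock_table_arn:
        statements.append({"Effect": "Allow",
                           "Action": list(LOCK_TABLE_ACTIONS),
                           "Resource": [lock_table_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def over_broad_grants(policy):
    """Return a list of findings for Allow statements that grant more than
    the state backend needs: service-wide or global action wildcards,
    bucket creation, or a wildcard resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
            elif a == "s3:CreateBucket":
                findings.append(f"statement {i}: unnecessary action {a}")
        for r in resources:
            if r == "*" or r == "arn:aws:s3:::*":
                findings.append(f"statement {i}: wildcard resource {r}")
    return findings


if __name__ == "__main__":
    # Constructed sample names; substitute your own bucket and lock table.
    print(json.dumps(state_policy("example-tfstate",
                                  "arn:aws:dynamodb:us-east-1:123456789012:table/tf-locks"),
                     indent=4))
```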