Document IAM Permissions for Managing Resources

[sarcastic-coder]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Setting up IAM permissions to plan & apply changes is a game of whack-a-mole. While some permissions are obvious for managing resources, others are not.

One such example is managing a aws_amplify_webhook requires ec2:DescribeAccountAttributes according to CloudTrail. I don't know why this is required but I trust that it is. Instances like this make infrastructure changes take orders of magnitude longer than they should as it results in multiple cycles of attempting to plan & apply changes, with incremental IAM changes.

It was understandable when AWS IAM documentation was sparse and hard to find but since the creation of the Service Authorization Reference it's a lot easier to find the correct permission for the API call being made.

New or Affected Resource(s)

All AWS resources & data providers

References

Unable to find any similar issues or PRs.

[ewbankkit]

@sarcastic-coder Thanks for raising this issue.
It has already been noticed in #9154. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.