Our Terraform requires extensive IAM permissions. If Nuon is running our Terraform, how do we enforce the customer's permission controls, since our Terraform could provision a role with full

Last updated: April 5, 2026

QUESTION

Our Terraform requires extensive IAM permissions. If Nuon is running our Terraform, how do we enforce the customer's permission controls, since our Terraform could provision a role with full admin access?

ANSWER

Two models: (1) Move IAM creation into the CloudFormation stack so the customer manages those permissions themselves. (2) Define IAM boundary policies that govern what types of roles/policies your Terraform is allowed to create. The CloudFormation stack is where the customer decides what they allow; Nuon then executes your Terraform within those boundaries.
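A sketch of model (2) as the customer's CloudFormation stack might express it; this is an added example, not Nuon's template or code from the original page. The parameter, resource names, the `vendor-app-*` role prefix and the allowed-service list are assumptions chosen for illustration.

```yaml
# Added example (customer-side stack); every name below is hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  RunnerPrincipalArn:
    Type: String  # assumption: principal that executes the vendor's Terraform
Resources:
  VendorBoundary:  # ceiling on every role the Terraform creates
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["s3:*", "sqs:*", "logs:*"]  # constructed sample list
            Resource: "*"
  ProvisionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Ref RunnerPrincipalArn
            Action: sts:AssumeRole
      Policies:
        - PolicyName: iam-with-boundary
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: RoleWritesRequireBoundary
                Effect: Allow
                Action: ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"]
                Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/vendor-app-*"
                Condition:
                  StringEquals:
                    "iam:PermissionsBoundary": !Ref VendorBoundary
              - Sid: KeepBoundaryAttached
                Effect: Deny
                Action: ["iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary"]
                Resource: "*"
              - Sid: KeepBoundaryUnchanged
                Effect: Deny
                Action:
                  - iam:CreatePolicyVersion
                  - iam:SetDefaultPolicyVersion
                  - iam:DeletePolicyVersion
                  - iam:DeletePolicy
                Resource: !Ref VendorBoundary
```

With this in place, a role the Terraform creates with an admin policy attached still has effective permissions capped at the boundary, because IAM evaluates the intersection of the two. The vendor's Terraform has to set `permissions_boundary` on each `aws_iam_role`, otherwise `iam:CreateRole` is denied.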