Handling AWS permissions across modules

I’m struggling with how to architect handling permissions across a Terraform environment that contains ~30 modules. Most modules create resources that need to be refined with permissions for the various actors in our organization. Creating a single module that takes these 30 other modules as inputs seems like an anti-pattern. At the same time, trying to find a way to distribute permissions across the 30 modules seems impossible to implement cleanly.

The hard limits on the number of policies attached to IAM entities make this even more challenging. It’s not feasible for each module to produce a policy and attach it to a user/group, as you’d quickly reach the hard limit.

So I’m inquiring to see if anyone has run into this problem before, and if so, how you went about architecting a solution in Terraform.

Could you describe a bit more about what you are trying to achieve? I generally wouldn’t expect a single credential to have permissions for 30 different things, instead expecting different IAM roles/users with specific permissions, used where needed.

We have a handful of groups to which users are assigned based on their function. We’re following a typical Terragrunt layout where each environment is contained within a folder and re-uses the previously discussed modules for setting up distinct environments. Most (not all) of the modules create resources that need permissions assigned to manage them, and these permissions differ based on each group (e.g., read-only, read-write, etc.).

Perhaps it’s not normal to have this many resources that require fine-tuned permissions, but this is our use case currently, and trying to find a way to manage it with Terraform is proving difficult.

So this is for assigning permissions for people rather than other applications?

For people you’d often use assumed roles, so you switch to a set of permissions based on what you want to be able to do (for example switching from a read-only role to a read-write role, or to a role which allows access to EKS).
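One Terraform shape for the assumed-role approach described above, as an added example that is not part of the thread: each resource module outputs a policy-document fragment, the root merges the fragments with `source_policy_documents` into a single policy on a per-group role, and the group itself holds nothing but `sts:AssumeRole`. The bucket, queue, account id and group name are placeholders.

```hcl
# Stand-ins for the read-only fragments each module would output (constructed).
data "aws_iam_policy_document" "s3_ro" {
  statement {
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }
}

data "aws_iam_policy_document" "sqs_ro" {
  statement {
    actions   = ["sqs:ReceiveMessage", "sqs:GetQueueAttributes"]
    resources = ["arn:aws:sqs:us-east-1:123456789012:example-queue"]
  }
}

# Merge every fragment into one document: one policy on the role, however many modules contributed.
data "aws_iam_policy_document" "ro" {
  source_policy_documents = [
    data.aws_iam_policy_document.s3_ro.json,
    data.aws_iam_policy_document.sqs_ro.json,
  ]
}

# The role people switch into; only principals in this account (placeholder id) may assume it, and only with MFA.
resource "aws_iam_role" "ro" {
  name = "env-readonly"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::123456789012:root" }
      Condition = { Bool = { "aws:MultiFactorAuthPresent" = "true" } }
    }]
  })
}

resource "aws_iam_role_policy" "ro" {
  role   = aws_iam_role.ro.id
  policy = data.aws_iam_policy_document.ro.json
}

# Group members hold only the right to assume the role, not the resource permissions themselves.
resource "aws_iam_group_policy" "assume_ro" {
  group = "developers"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Resource = aws_iam_role.ro.arn }]
  })
}
```

Merging keeps the role at one policy and so clear of the attached-policies limit, but the merged document still has to fit IAM's policy size limit, so a very large environment may need the fragments split across more than one role.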