I too would like to have transient resource, in my case it would be giving an access right to one provider profile while doing the deployment and remove it once everything is deployed.
This comes from this situation:
profile A has access to a S3 bucket that contains the CI generated artifacts
profiles B, C, D… create Lambda functions that are isolated from resources in profile A but still needs to access the CI generated artifacts that serve as a source for those lambda.
Right now, I use a
local-exec provisioner to retrieve the zip files locally and use a
filename reference on the lambda functions. But I believe it would induce less data transfer if profile B could be granted a temporary ListObject/GetObject ACL while it creates the lambda functions.