Terraform plan permissions

Hi there, a colleague noticed on a test MSDN sandbox subscription that he could run a terraform plan with a personal account that just had Reader rights. We currently need to PIM Contributor rights each time, which is a faff.

Can anyone tell me exactly what a terraform plan needs? I found this YouTube video, which states you need Reader, but if you specify providers (which he may not have in his personal account) you can get around needing write/Contributor by creating a custom role - https://www.youtube.com/watch?v=K2anHu0IMRs

Does anyone have experience or knowledge of this and be able to just tell me the answer?

Hi @OllyFox-RSPB,

There is no single answer to exactly what permissions are required, because it can depend on the providers, the resource types, the state storage, and how/where you are executing terraform.

The general answer is that planning should never have any side-effects, so providers that do need to make API calls during the plan generally only need read permission. Many providers don’t make any API calls during a plan, so the entire process is essentially offline. On the other hand, some providers may always authenticate and verify permissions regardless of what actions are being taken, and hence appear to always require elevated access.
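Putting the above into practice for the Azure case in the question, here is an added example (not code from this thread, HashiCorp, or Microsoft) of a plan-only custom role plus the provider and backend settings that stop the azurerm provider from needing write rights during a plan. It assumes azurerm provider 4.x (where the setting is resource_provider_registrations; on 3.x it was skip_provider_registration = true), state in an Azure Storage blob accessed with Entra ID auth, and that the backend's state lock (a blob lease) needs the blobs/write data action; the subscription ID, principal, storage names and role name are placeholders. The actions_read_only function is a guard you can run against any role JSON to confirm it grants nothing beyond */read on the control plane.

```shell
#!/bin/sh
# Added example: a "plan only" Azure custom role and matching Terraform settings.
# Assumptions: azurerm provider >= 4.0, azurerm backend with Entra ID auth to the blob,
# blob lease (state lock) needing the blobs/write data action. All IDs are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder

# Control-plane: only */read (same as built-in Reader). Data-plane: read the state
# blob and take its lease. No resource writes, deletes or */action anywhere.
plan_only_role_json() {
  cat <<EOF
{
  "Name": "Terraform Plan Only",
  "Description": "Read all ARM resources; read and lease the Terraform state blob.",
  "Actions": [ "*/read" ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
  ],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID" ]
}
EOF
}

# Provider settings that keep plan read-only:
#  - resource_provider_registrations = "none": the provider otherwise tries to register
#    resource providers at configure time, which needs a register/action permission.
#  - use_azuread_auth = true: the backend otherwise calls listKeys on the storage
#    account, which Reader does not allow; data-plane RBAC is used instead.
# If you would rather not grant blobs/write for the lease, run: terraform plan -lock=false
provider_config() {
  cat <<'EOF'
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"      # placeholder
    storage_account_name = "sttfstate"       # placeholder
    container_name       = "tfstate"
    key                  = "sandbox.tfstate"
    use_azuread_auth     = true
  }
}

provider "azurerm" {
  features {}
  resource_provider_registrations = "none"
}
EOF
}

# Guard: read a role definition JSON on stdin; succeed (0) only if every entry in
# "Actions" ends in /read, i.e. the role cannot change anything on the control plane.
actions_read_only() {
  if sed -n '/"Actions"/,/"NotActions"/p' \
       | grep -o '"[A-Za-z*.]*/[A-Za-z*./]*"' \
       | grep -v '/read"$' \
       | grep -q .; then
    return 1
  fi
  return 0
}

# Run with "apply" to create and assign the role; with no argument it only prints.
# Needs an identity that may write role definitions (e.g. Owner / User Access Administrator).
if [ "${1:-}" = "apply" ]; then
  plan_only_role_json | actions_read_only || { echo "role grants writes; refusing" >&2; exit 1; }
  plan_only_role_json > plan-only-role.json
  az role definition create --role-definition @plan-only-role.json
  az role assignment create --assignee "$PLAN_PRINCIPAL" \
      --role "Terraform Plan Only" --scope "/subscriptions/$SUBSCRIPTION_ID"
  provider_config > providers.tf
else
  plan_only_role_json
  provider_config
fi
```

After assigning the role, the practical check is to run terraform init and terraform plan as that principal and watch for exactly two failure modes: an authorization error on resourceProviders/register (the provider setting above is missing) or on listKeys / the blob lease (backend auth or the data actions are wrong). Anything else failing with 403 is a provider that, as noted above, verifies more than it strictly needs at plan time.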

Thanks a lot for your reply jbardin. We only use terraform from local VSC to a few Azure subscriptions but resource types will vary.