Hacker News
by nightfly 1020 days ago
Not if you use "bastion" type hosts, right?
1 comment

Same issue. Terraform doesn't separate invoker permissions from runtime permissions. It runs with whatever privileges the invoker provides, and since it's doing arbitrary privileged things, it generally runs with arbitrary privileges.

The only real fix is to run it in a client-server model like a web app where the user has limited permissions and the server gates access to the privileged backend permissions.

Put another way, if I want to create an S3 bucket on AWS, I need S3 CreateBucket privileges, not "run Terraform" privileges.
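Added example, not from the thread or from any commenter: one way to get the split the comment above asks for on AWS. The S3 privileges live only on a runner role that a pipeline principal may assume; the human operator's policy lets them start the pipeline and nothing else, so holding "run Terraform" rights never amounts to holding s3:CreateBucket. The account ID, role names, pipeline name and bucket prefix are placeholders I made up for the illustration.

```hcl
# --- bootstrap config: applied once by an administrator ---

# Trust policy for the runner role. Only the pipeline's own role (assumed
# name: ci-pipeline) may assume it; no human principal is listed.
data "aws_iam_policy_document" "runner_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/ci-pipeline"]
    }
  }
}

resource "aws_iam_role" "terraform_runner" {
  name               = "terraform-runner"
  assume_role_policy = data.aws_iam_policy_document.runner_trust.json
}

# The runtime privileges: scoped to the S3 actions the config needs and to a
# bucket name prefix, rather than "arbitrary privileges".
data "aws_iam_policy_document" "runner_permissions" {
  statement {
    actions = [
      "s3:CreateBucket",
      "s3:DeleteBucket",
      "s3:GetBucketLocation",
      "s3:ListBucket",
    ]
    resources = ["arn:aws:s3:::example-*"]
  }
}

resource "aws_iam_role_policy" "runner" {
  name   = "terraform-runner-s3"
  role   = aws_iam_role.terraform_runner.id
  policy = data.aws_iam_policy_document.runner_permissions.json
}

# The invoker's privileges: a human can only start the gated pipeline.
# There is no s3:* here and no sts:AssumeRole on terraform-runner, so the
# operator cannot run Terraform with these credentials outside the pipeline.
data "aws_iam_policy_document" "operator" {
  statement {
    actions   = ["codepipeline:StartPipelineExecution"]
    resources = ["arn:aws:codepipeline:us-east-1:123456789012:terraform-apply"]
  }
}

resource "aws_iam_policy" "operator" {
  name   = "terraform-operator"
  policy = data.aws_iam_policy_document.operator.json
}

# --- workload config: a separate root module, executed only by the pipeline ---

# The pipeline's credentials are only good for assuming terraform-runner;
# the provider does that assumption, so the S3 calls run as the runner role.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::123456789012:role/terraform-runner"
    session_name = "terraform-ci"
  }
}

resource "aws_s3_bucket" "example" {
  bucket = "example-app-data"
}
```

A useful check after applying the bootstrap: run `aws sts assume-role --role-arn arn:aws:iam::123456789012:role/terraform-runner --role-session-name test` with the operator's credentials and confirm it is denied. If it succeeds, the operator still effectively holds s3:CreateBucket and the gate is not doing its job.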

Ideally, wouldn't your configuration be checked in and only executed by a runner of some kind?
That’s pretty close to what I meant by hosted Terraform.
Yup
Don't grant privileges to users that should not have those privileges?

The gating here is at the cloud level...