
Incorporate iam policy simulator in aws provider to simulate requisite iam permissions during plan phase #16793

Closed
ghost opened this issue Dec 16, 2020 · 2 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/iam Issues and PRs that pertain to the iam service.

Comments

@ghost

ghost commented Dec 16, 2020

This issue was originally opened by @RiflerRick as hashicorp/terraform#27301. It was migrated here as a result of the provider split. The original body of the issue is below.


Current Terraform Version

v0.12.24

Use-cases

A lot of the time, when doing terraform plan we are able to see the infrastructure updates; however, when attempting to do a terraform apply, it might turn out that the host from which we are executing terraform instructions does not have the required permissions to execute some of the infrastructure updates suggested by terraform plan. It therefore becomes a reactive procedure for users to add the required permissions first and attempt to execute a terraform apply one more time to see whether all the updates happened successfully or not.
For example:
Let's say a certain host has been given permission to start an EC2 instance (ec2:StartInstances) but not to terminate one (ec2:TerminateInstances). In that case, during the spinning up of a fleet of 5 EC2 instances there would be no issue. However, on trying to reduce the number of instances to 4, a TerminateInstances API call would be fired, which would be forbidden as the host does not have that permission.
This, however, will not be caught during terraform plan; rather, we will only come to know of it during terraform apply. A proactive measure for catching such issues, especially during terraform plan, would be helpful.

Attempted Solutions

Proposal

AWS provides a means of simulating IAM policies. Check out this link. During the terraform plan phase, if we know what actions need to be performed, we can call the policy simulator APIs to figure out whether the current IAM permissions would allow the requisite actions to succeed. If found, all such failing actions can be shown with the terraform plan output. The exit code of terraform plan can be non-zero if the simulation of any of the corresponding actions fails.

References

https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-custom-policy.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api

@ghost ghost added the enhancement Requests to existing resources that expand the functionality or scope. label Dec 16, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Dec 16, 2020
@breathingdust breathingdust added service/iam Issues and PRs that pertain to the iam service. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 16, 2021
@apparentlymart
Contributor

I didn't notice this old issue at the time but belatedly: I contributed something for this in #25569 and it's been merged and included in the provider's v5.2.0 release. The policy simulator is wrapped in the aws_iam_principal_policy_simulation data source.

You can use that in conjunction with Terraform's built-in postconditions feature (as shown in the data source docs) to make planning fail if the policy simulation fails.

I don't have the necessary permissions to close this, but hopefully someone who does will see this comment. 😀 I expect that what I implemented there was not exactly what the original requester had in mind -- I think they had hoped for the AWS provider to automatically test permissions during the planning phase, based on its own knowledge of what permissions are required -- but I suspect that a manually-written policy check is the closest we're going to get here just due to the inherent complexity in a generic solution, and the performance cost of repeatedly calling the policy API as part of every individual resource instance plan.
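
A concrete form of the postcondition approach described in this comment, applied to the StartInstances/TerminateInstances scenario from the issue body; this is an added example, not code from the issue or from the provider's documentation. It assumes Terraform >= 1.2 (for postconditions), hashicorp/aws >= 5.2.0, a hypothetical input variable deployer_role_arn holding the IAM role ARN that runs terraform apply, and the data source's action_names, policy_source_arn, resource_arns arguments and all_allowed / results attributes.

```hcl
# Added example (not the issue's or the provider's own code).
# Assumptions: Terraform >= 1.2, hashicorp/aws >= 5.2.0, and a hypothetical
# variable `deployer_role_arn` naming the IAM role used for terraform apply.

variable "deployer_role_arn" {
  description = "IAM role ARN whose permissions are simulated (assumed input)"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_principal_policy_simulation" "ec2_fleet_lifecycle" {
  # Simulate every action the fleet may need across scale-up AND scale-down,
  # so a missing ec2:TerminateInstances is reported at plan time rather than
  # surfacing as an AccessDenied halfway through apply.
  action_names = [
    "ec2:RunInstances",
    "ec2:StartInstances",
    "ec2:TerminateInstances",
  ]
  policy_source_arn = var.deployer_role_arn

  # Scope the simulation to instances in this account and region; a bare "*"
  # would hide resource-level restrictions in the principal's policies.
  resource_arns = [
    "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*",
  ]

  lifecycle {
    postcondition {
      # all_allowed is true only if every action was explicitly allowed for
      # every resource ARN; otherwise plan fails and lists the denied actions.
      condition = self.all_allowed
      error_message = format(
        "Role %s would be denied: %s. Grant these permissions before applying.",
        var.deployer_role_arn,
        join(", ", [for r in self.results : r.action_name if !r.allowed]),
      )
    }
  }
}
```

Because the check lives in a data source read during planning, a denied action turns terraform plan itself into a non-zero exit, which is the behaviour the original proposal asked for.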

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 14, 2023