Terraform-provider-aws: Feature request: Check IAM permissions during plan phase

Created on 14 Nov 2017 · 5 Comments · Source: hashicorp/terraform-provider-aws

It would be awesome if during the plan phase, the IAM credentials that are present would be used to detect if that user has permissions to do all of the operations in the plan.

Maybe it is possible using the AWS Simulate Policy API (CLI).

I've had a few issues where a plan builds and subsequently fails to apply due to a permission missing from the user.

I had posted a ticket to terraform but apparently there is no work to be done there as the plan phase already exposes a way to do custom actions.

Labels: enhancement, service/iam

All 5 comments

Some additional context for those wondering what I was talking about in that other issue:

We recently merged hashicorp/terraform#14887 which allows a new callback to be included on a resource, called CustomizeDiff. This is a little different than the others in that it accepts a ResourceDiff object rather than a ResourceData object, but many of the same things are possible. The intent here is to do any custom validation of the diff that might help Terraform catch a problem during plan rather than apply, and in some cases also to _modify_ the diff based on collected information, e.g. if the provider is able to predict what value a Computed attribute will take after apply.

I expect that handling this _fully-generally_ with SimulatePrincipalPolicy would not be possible because Terraform doesn't necessarily "know" all of the policies required for a particular action (for reasons discussed in hashicorp/terraform#16196) but that doesn't mean we couldn't have specialized support for certain resources where we expect such checking to be most impactful and where the set of required permissions is well-defined. If you have some specific ideas for such resources, @coryodaniel, that could help with prioritization.

There is a non-trivial additional testing overhead in supporting such a feature (since we'd need to provision roles that have different levels of access, assume them, etc.) so my gut is that we probably won't act on this in the short term, but I agree it's good polish and would like to do it eventually. Probably we will first get some more experience using CustomizeDiff for simpler scenarios and then, at some later point, apply that experience to _this_ problem.
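A sketch of the per-resource check described above, added here as an example and not code from the provider or from anyone in this thread. The resource addresses and the IAM actions mapped to them are assumptions, and a fake simulator stands in for IAM so the example runs offline; a real implementation would satisfy the same interface by wrapping the SDK's SimulatePrincipalPolicy call.

```go
package main

import "fmt"

// evalResult carries the two fields of a SimulatePrincipalPolicy EvaluationResult
// that the check reads (EvalActionName, EvalDecision). Constructed for this example.
type evalResult struct {
	Action, Decision string // Decision: allowed, explicitDeny or implicitDeny
}

// policySimulator is the single IAM call the check depends on; a real
// provider would satisfy it by wrapping the SDK's SimulatePrincipalPolicy.
type policySimulator interface {
	Simulate(principalArn string, actions []string) ([]evalResult, error)
}

// fakeSimulator stands in for IAM offline: unlisted actions come back implicitDeny.
type fakeSimulator struct{ allowed map[string]bool }

func (f fakeSimulator) Simulate(_ string, actions []string) ([]evalResult, error) {
	out := make([]evalResult, 0, len(actions))
	for _, a := range actions {
		d := "implicitDeny"
		if f.allowed[a] {
			d = "allowed"
		}
		out = append(out, evalResult{a, d})
	}
	return out, nil
}

// checkPlanPermissions takes, per planned resource address, the IAM actions
// its create/update would need (an assumed mapping), simulates them for the
// principal, and returns "action (decision)" strings for everything not allowed.
// An empty map means the plan should not fail on permissions at apply time.
func checkPlanPermissions(sim policySimulator, principalArn string, needs map[string][]string) (map[string][]string, error) {
	denied := map[string][]string{}
	for res, actions := range needs {
		results, err := sim.Simulate(principalArn, actions)
		if err != nil {
			return nil, fmt.Errorf("simulating %s: %w", res, err)
		}
		for _, r := range results {
			if r.Decision != "allowed" { // explicit and implicit denies both fail the plan
				denied[res] = append(denied[res], fmt.Sprintf("%s (%s)", r.Action, r.Decision))
			}
		}
	}
	return denied, nil
}
```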

I too would love a feature like this - just to validate some resource policy schema. I wouldn't need it to verify/test permissions, only validate that the policy has all the correct keys and that the CreatePolicy API would accept it as a valid policy. When testing the policy simulator it seems to accept things that the API doesn't accept so maybe there isn't a really great way to validate policy via API on AWS :/

This... 💯 this... I'm tired of playing terraform IAM permissions whack-a-mole every time a new project is created and our jenkins project specific role is handling the build. Run it, fail, add the minimum policy, run it, fail, add the next action, lather, rinse, repeat. tf plan in no way catches these. Asterisks in IAM policy json is a big no-no in the world of health care.

Having this feature would be a huge time saver for us, a lot of my day is spent debugging IAM permissions.

Has there been any movement on this over the past 3 years?
