
Add TerraformStateAccess Permission Set#57

Merged
gberenice merged 2 commits into main from add-terraformStateAccess
Jan 12, 2026

Conversation

Benbentwo (Contributor) commented Jan 10, 2026

This pull request introduces a new permission set specifically for managing Terraform state access. The main focus is to allow fine-grained, read/write access to the Terraform state backend (S3 and optionally DynamoDB), without granting broader account permissions. The most important changes are:

New Terraform State Access Permission Set

  • Added a new terraform_state_access_permission_set to the locals block, which is conditionally created when Terraform access is enabled. This permission set provides access only to the Terraform state backend resources.
  • Defined a new aws_iam_policy_document data source, terraform_state_access, which grants S3 read/write permissions for the state bucket, optional DynamoDB table permissions for state locking, and the ability to assume the backend role.
  • Included the new terraform_state_access_permission_set in the list of permission sets passed to the permission_sets module, ensuring it is provisioned alongside the other Terraform-related permission sets.

Summary by CodeRabbit

  • New Features
    • Added a new Terraform state access permission set enabling read/write access to Terraform state backends, including S3 bucket operations and DynamoDB table access. The feature is configurable and allows assuming a designated role for state access operations.


Added Terraform state access permission set with policies for S3 and DynamoDB.
chatgpt-codex-connector bot commented:

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

coderabbitai bot commented Jan 10, 2026

📝 Walkthrough

This pull request adds a new Terraform state access permission set to the AWS Identity Center configuration. A new IAM policy document is defined that grants read/write access to an S3 backend bucket, optional DynamoDB table access, and IAM role assumption capabilities. The feature is gated by a tf_access_enabled variable and integrated into the existing permission set provisioning flow.

Changes

  • Terraform State Access Permission Set (src/policy-TerraformAccess.tf): Introduces a new aws_ssoadmin_permission_set for Terraform state access and a corresponding aws_iam_policy_document with three statements: S3 bucket read/write (List, GetObject, PutObject, DeleteObject), conditional DynamoDB table access (GetItem, PutItem, DeleteItem), and IAM role assumption (AssumeRole, TagSession, SetSourceIdentity). Gated by the tf_access_enabled variable.
  • Permission Set Inclusion (src/main.tf): Adds local.terraform_state_access_permission_set to the permission sets concatenation in the module invocation, enabling the new Terraform state access permission set to be provisioned.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

minor, needs-test

Suggested reviewers

  • milldr
  • goruha
  • osterman

Poem

🐰 Hop! Permission sets now bloom and grow,
State access flows like streams of snow,
S3 buckets dance, DynamoDB spins,
Terraform's golden age now begins!

🚥 Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main change: adding a new TerraformStateAccess permission set, which is the primary objective reflected in all file modifications.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c172cca and 7ee6fb2.

📒 Files selected for processing (2)
  • src/main.tf
  • src/policy-TerraformAccess.tf
🧰 Additional context used
📓 Path-based instructions (2)
src/{main,variables,outputs,providers,versions,context}.tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component source of truth in src with these files present: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

  • src/main.tf
src/**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

src/**/*.tf: Use 2-space indentation for all Terraform code
In Terraform, prefer lower_snake_case for variables and locals; keep resource/data source names descriptive and aligned with Cloud Posse null-label patterns
Run terraform fmt and adhere to formatting (do not commit formatting violations)
Adhere to TFLint rules defined for the project (do not commit lint violations)

Files:

  • src/main.tf
  • src/policy-TerraformAccess.tf
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Summary
🔇 Additional comments (3)
src/main.tf (1)

109-109: LGTM!

The new terraform_state_access_permission_set is correctly added to the permission sets concatenation, following the same pattern as other Terraform-related permission sets.

src/policy-TerraformAccess.tf (2)

47-57: LGTM!

The new permission set definition follows the established pattern correctly. The empty policy_attachments array appropriately limits this role to state backend operations only, unlike TerraformApplyAccess (which has AdministratorAccess) and TerraformPlanAccess (which has ReadOnlyAccess).


149-189: LGTM! Well-designed minimal permissions for state backend access.

The IAM policy document correctly grants the minimum necessary permissions for Terraform state backend operations:

  • S3 permissions including s3:DeleteObject are appropriate for state file cleanup and management operations
  • Conditional DynamoDB access follows the established pattern from the Apply policy
  • AssumeRole permissions correctly enable backend role access
  • Intentional omission of ec2:DescribeRegions: Unlike Plan and Apply policies, this statement is correctly excluded since this role is designed for state backend operations only, not for running Terraform operations that would require region validation

The permission scope aligns perfectly with the stated purpose of "read/write access to Terraform state backend only".


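As an added example (not code from this PR or from the component it modifies), the following standalone Terraform policy document mirrors the three statements described in the PR description above and in CodeRabbit's walkthrough: bucket listing plus object read/write/delete on the state bucket, a DynamoDB lock-table statement emitted only when a table is configured, and assumption of a single backend role. Only the `tf_access_enabled` variable and the `terraform_state_access` data source name come from the PR; every other variable name, the `count` gating, and all ARN defaults are assumptions chosen for illustration.

```hcl
# Added example, not the component's own code. Variable names other than
# tf_access_enabled, the count gating and every ARN default are assumptions.

variable "tf_access_enabled" {
  description = "Create the Terraform state access policy (mirrors the PR's gate)"
  type        = bool
  default     = true
}

variable "state_bucket_arn" {
  description = "ARN of the S3 state bucket (assumed variable, placeholder default)"
  type        = string
  default     = "arn:aws:s3:::example-terraform-state-bucket"
}

variable "state_lock_table_arn" {
  description = "ARN of the DynamoDB lock table; null omits the DynamoDB statement (assumed variable)"
  type        = string
  default     = null
}

variable "backend_role_arn" {
  description = "ARN of the backend role that may be assumed (assumed variable, placeholder default)"
  type        = string
  default     = "arn:aws:iam::111111111111:role/example-terraform-backend"
}

data "aws_iam_policy_document" "terraform_state_access" {
  count = var.tf_access_enabled ? 1 : 0

  # s3:ListBucket is a bucket-level action, so it must target the bucket ARN
  # itself; granting it on "<bucket>/*" has no effect.
  statement {
    sid       = "TerraformStateBucketList"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [var.state_bucket_arn]
  }

  # Object-level read, write and delete, limited to objects in the state bucket.
  statement {
    sid       = "TerraformStateObjectReadWrite"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["${var.state_bucket_arn}/*"]
  }

  # The lock-table statement exists only when a table ARN is supplied.
  dynamic "statement" {
    for_each = var.state_lock_table_arn == null ? [] : [var.state_lock_table_arn]
    content {
      sid       = "TerraformStateLockTable"
      effect    = "Allow"
      actions   = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
      resources = [statement.value]
    }
  }

  # Role assumption scoped to the one backend role rather than "*".
  statement {
    sid       = "TerraformBackendAssumeRole"
    effect    = "Allow"
    actions   = ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"]
    resources = [var.backend_role_arn]
  }
}

output "terraform_state_access_policy_json" {
  description = "Rendered policy JSON, or null when tf_access_enabled is false"
  value       = var.tf_access_enabled ? data.aws_iam_policy_document.terraform_state_access[0].json : null
}
```

Running `terraform plan` against this file renders the policy JSON in the output, which makes it easy to confirm two details that the PR's review comments rely on: the bucket-level and object-level S3 actions sit on different resource ARNs, and the DynamoDB statement disappears entirely (rather than being left with an empty resource list) when no lock table is configured.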

@mergify mergify bot requested review from a team January 10, 2026 23:37
@mergify mergify bot added the triage Needs triage label Jan 10, 2026
@mergify mergify bot removed the triage Needs triage label Jan 11, 2026
@mergify mergify bot requested a review from a team January 11, 2026 14:24
@gberenice gberenice added this pull request to the merge queue Jan 12, 2026
Merged via the queue into main with commit 48b2077 Jan 12, 2026
15 checks passed
@gberenice gberenice deleted the add-terraformStateAccess branch January 12, 2026 13:11
github-actions bot commented:

These changes were released in v1.540.1.
