
docs: explain tfstate trust policy security model and quota limits #870

Open
milldr wants to merge 10 commits into master from feat/tfstate-backend-service-quota

Conversation


@milldr milldr commented Feb 2, 2026

Summary

Documents the IAM role trust policy security model for the tfstate-backend component.

Changes

  • Explains why wildcard patterns are required: IAM trust policies have a hard limit of 4096 characters (max quota). Listing every role and permission set by explicit ARN would exceed this limit for organizations with multiple accounts.

  • Documents the two-way security handshake: Wildcards in trust policies are secure because:

    1. Trust policy only allows principals within the AWS Organization (aws:PrincipalOrgID condition)
    2. Principals must also have IAM policies granting sts:AssumeRole on the specific tfstate role
  • Shows how to request quota increase (if needed): For customizations that approach the 2048 default limit, documents the quota increase command (auto-approved up to 4096).

Context

Initial investigation attempted to replace wildcards with explicit ARNs for stricter least-privilege. However:

  • 11 accounts × 3 SSO permission sets × 2 roles = ~7000+ characters
  • Even with quota increase to 4096 max, explicit ARNs don't fit
  • Splitting state backends doesn't fully solve it either

The two-way handshake model maintains security while staying within IAM limits.
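The two-way handshake and the size arithmetic described in the PR description above, as an added example that is not the component's own code. It assumes placeholder values throughout: the organization ID, the tfstate role ARN, the account IDs and permission-set names fed to the explicit-ARN generator, the IAM Identity Center role ARN pattern used in the wildcard trust policy, and the Service Quotas quota name "Role trust policy length" looked up by the (not executed) quota-increase helper. The explicit-ARN trust policy is generated only to measure its length against the 2048-character default and the 4096-character maximum the description cites.

```shell
#!/bin/sh
# Added example; all identifiers below are constructed placeholders.
ORG_ID="o-exampleorg1"
TFSTATE_ROLE_ARN="arn:aws:iam::111111111111:role/tfstate-backend-access"

# Side 1 of the handshake: the tfstate role's trust policy. The principal is a
# wildcard, but aws:PrincipalOrgID confines it to this organization and the
# ArnLike pattern (assumed) to IAM Identity Center permission-set roles.
trust_policy_wildcard() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:PrincipalOrgID": "${ORG_ID}"},
      "ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_*"}
    }
  }]
}
EOF
}

# Side 2: the identity policy a principal must carry. Without it, matching the
# trust policy's conditions is not enough to assume the role.
identity_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "${TFSTATE_ROLE_ARN}"
  }]
}
EOF
}

# The explicit-ARN alternative: one principal ARN per account x permission set
# x role. Account IDs and permission-set names are constructed placeholders.
trust_policy_explicit() {
  accounts=$1; sets=$2; roles=$3; first=1; a=1
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole","Principal":{"AWS":['
  while [ "$a" -le "$accounts" ]; do
    s=1
    while [ "$s" -le "$sets" ]; do
      r=1
      while [ "$r" -le "$roles" ]; do
        [ "$first" -eq 1 ] || printf ','
        first=0
        printf '"arn:aws:iam::%012d:role/aws-reserved/sso.amazonaws.com/us-east-1/AWSReservedSSO_PermissionSet%d_abcdef0123456789"' "$a" "$s"
        r=$((r + 1))
      done
      s=$((s + 1))
    done
    a=$((a + 1))
  done
  printf ']}}]}\n'
}

# Character count of a policy document (the quantity the IAM quota limits).
policy_chars() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Succeeds when the policy fits within the given character limit.
fits_limit() { [ "$(policy_chars "$1")" -le "$2" ]; }

# Only if your customizations need it: look up the IAM quota code by name
# (quota name assumed) and request the 4096 maximum. Defined, not run here.
request_trust_policy_quota() {
  code=$(aws service-quotas list-service-quotas --service-code iam \
    --query "Quotas[?QuotaName=='Role trust policy length'].QuotaCode" --output text)
  aws service-quotas request-service-quota-increase \
    --service-code iam --quota-code "$code" --desired-value 4096
}

# Usage: compare both designs against the default and maximum limits.
echo "wildcard policy: $(policy_chars "$(trust_policy_wildcard)") chars"
echo "explicit policy (11x3x2): $(policy_chars "$(trust_policy_explicit 11 3 2)") chars"
fits_limit "$(trust_policy_wildcard)" 2048 && echo "wildcard fits 2048 default"
fits_limit "$(trust_policy_explicit 11 3 2)" 4096 || echo "explicit exceeds 4096 maximum"
```

Running the script prints both counts; the explicit-ARN document for the description's 11 × 3 × 2 case comes out well above 4096, while the wildcard document stays under the 2048 default, which is why no quota increase is needed for the stock configuration.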

@milldr milldr added the no-release Do not create a new release (wait for additional code changes) label Feb 2, 2026
@milldr milldr marked this pull request as ready for review February 5, 2026 18:54
- Remove quota increase as a default/required step
- Explain why wildcard patterns are used (IAM 4096 char hard limit)
- Document the two-way security handshake model
- Show how to request quota increase if customizations require it
@milldr milldr changed the title docs: add S3 bucket policy size quota increase step docs: explain tfstate trust policy security model and quota limits Feb 5, 2026
