Gruntwork Pipelines grants permissions by defining three GitHub Teams, which should map to three separate personas in your organization. Each team and its permissions are designed to apply the principle of least privilege, so that each individual (or machine user) in your organization has only the access it needs to make changes to your infrastructure.

The infrastructure-collaborators team is for engineers who work on the IaC codebase daily but do not have administrative permissions in AWS. Similarly, the infrastructure-administrators team is for engineers who likely work on the IaC codebase daily, but do have administrative AWS permissions. Finally, the ci-code-read-only team is meant for a single machine user who can read your infrastructure-modules (a repository where you can define custom Terraform modules for your organization) repositories.
The diagram below visually illustrates the above teams:

[Diagram: Gruntwork Pipelines Permissions]
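One way to verify that an organization's GitHub teams still match the three-persona model above is to audit the team data periodically. The following is an added example, not Gruntwork's own tooling. It assumes a dict shaped like the membership and repository-permission data you would assemble from the GitHub REST API (team members, plus each repository the team can access with its permission level, using GitHub's `pull`/`push`/`admin` names); the sample organizations below are constructed for the example, and the assumption that the machine user's repositories are named with an `infrastructure-modules` prefix is the author's, not the page's.

```python
"""Audit a GitHub organization's teams against the three-persona model.

Added example; not Gruntwork's own code. The input shape is an assumption:
{team_slug: Team(members={login, ...}, repos={repo_name: permission})}
built from GET /orgs/{org}/teams/{team_slug}/members and /repos.
"""

from dataclasses import dataclass, field

EXPECTED_TEAMS = {
    "infrastructure-collaborators",
    "infrastructure-administrators",
    "ci-code-read-only",
}
MACHINE_TEAM = "ci-code-read-only"
# Assumption: repositories holding custom Terraform modules share this prefix.
READ_ONLY_REPO_PREFIX = "infrastructure-modules"


@dataclass
class Team:
    members: set = field(default_factory=set)   # GitHub logins
    repos: dict = field(default_factory=dict)   # repo name -> permission


def audit_teams(teams: dict) -> list:
    """Return a list of least-privilege violations (empty when compliant)."""
    findings = []

    # 1. All three personas must exist as teams.
    for missing in sorted(EXPECTED_TEAMS - teams.keys()):
        findings.append(f"missing team: {missing}")

    machine = teams.get(MACHINE_TEAM)
    if machine is None:
        return findings

    # 2. The CI team is meant for a single machine user.
    if len(machine.members) != 1:
        findings.append(
            f"{MACHINE_TEAM} should contain exactly one machine user, "
            f"found {len(machine.members)}"
        )

    # 3. The CI team only reads module repositories: permission must be
    #    'pull' and the repository must be in scope.
    for repo, perm in sorted(machine.repos.items()):
        if perm != "pull":
            findings.append(f"{MACHINE_TEAM} has {perm} on {repo}; expected pull")
        if not repo.startswith(READ_ONLY_REPO_PREFIX):
            findings.append(f"{MACHINE_TEAM} can read {repo}, which is outside its scope")

    # 4. The machine user must not also hold a human persona.
    for name in sorted(teams):
        if name == MACHINE_TEAM:
            continue
        for login in sorted(machine.members & teams[name].members):
            findings.append(f"machine user {login} is also in {name}")

    return findings


# Constructed sample: a compliant layout.
SAMPLE_OK = {
    "infrastructure-collaborators": Team({"alice", "bob"}, {"infrastructure-modules": "push"}),
    "infrastructure-administrators": Team({"carol"}, {"infrastructure-modules": "admin"}),
    "ci-code-read-only": Team({"ci-bot"}, {"infrastructure-modules": "pull"}),
}

# Constructed sample: drift that an auditor should flag.
SAMPLE_DRIFTED = {
    "infrastructure-collaborators": Team({"alice", "ci-bot"}, {"infrastructure-modules": "push"}),
    "infrastructure-administrators": Team({"carol"}, {"infrastructure-modules": "admin"}),
    "ci-code-read-only": Team(
        {"ci-bot", "dave"},
        {"infrastructure-modules": "push", "billing-app": "pull"},
    ),
}

if __name__ == "__main__":
    for label, org in (("ok", SAMPLE_OK), ("drifted", SAMPLE_DRIFTED)):
        print(f"{label}: {audit_teams(org) or 'no findings'}")
```

Run against real data, the same checks would be fed from the GitHub API rather than the constructed dicts; the check that matters most is the third one, since a `push` or `admin` grant on the CI team quietly turns a read-only machine identity into one that can change module code.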