docs: add docs on extra permissions for public ips

In addition to `DescribeVpcs', the `DescribeInstanceTypeOfferings' permission may also be needed to select a subnet in an AZ that supports the type of instance requested in the template. To make it clear what may happen otherwise, we add a small paragraph to explain it in the IAM section of the docs.
hashicorp · May 1, 2023 · 79a75ea · 79a75ea
1 parent 9bca23a
commit 79a75ea
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/docs/builders/index.mdx b/docs/builders/index.mdx
@@ -298,6 +298,13 @@ If you are using the `vpc_filter` option, you must also add:
 This permission may also be needed by the `associate_public_ip_address` option, if specified without a subnet.
 In this case the plugin will invoke `DescribeVpcs` to find information about the default VPC.
 
+When using `associate_public_ip_address` without a subnet, you will also benefit from having:
+
+    ec2:DescribeInstanceTypeOfferings
+
+This will ensure that the plugin will pick a subnet/AZ that can host the type of instance
+you're requesting in your template.
+
 ## Troubleshooting
 
 ### Attaching IAM Policies to Roles