gruntwork-io · yhakbar · Oct 10, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 10, 2025
diff --git a/...s/tutorials/deploying-to-aws-gov-cloud.md → .../tutorials/deploying-to-aws-gov-cloud.mdx b/...s/tutorials/deploying-to-aws-gov-cloud.md → .../tutorials/deploying-to-aws-gov-cloud.mdx
@@ -5,6 +5,7 @@ import Tabs from "@theme/Tabs"
 import TabItem from "@theme/TabItem"
 
 In this tutorial, we will guide you through deploying an AWS S3 bucket to AWS GovCloud using Gruntwork Pipelines.
+
 ## What you'll get
 
 By the end of this tutorial, you will have:

diff --git a/docs/2.0/docs/pipelines/tutorials/deploying-your-first-infrastructure-change.mdx b/docs/2.0/docs/pipelines/tutorials/deploying-your-first-infrastructure-change.mdx
@@ -31,6 +31,18 @@ This section covers creating a cloud storage resource using Pipelines and GitOps
 <Tabs>
 <TabItem value="aws" label="AWS" groupId="platform" default>
 
+:::caution Permissions Required
+
+By default, Pipelines is configured with the permissions needed to complete this tutorial. However, depending on your specific setup, you may need to adjust the IAM roles used by Pipelines to ensure they have the necessary permissions.
+
+The default Pipelines role has permissions to create S3 buckets with names that start with `test-pipelines-`. If you want to use a different bucket name, you may need to update the IAM policy accordingly.
+
+:::tip
+The default `bootstrap` Terragrunt stack provided in the installation guide includes `plan_iam_policy` and `apply_iam_policy` values that can be configured to adjust the permissions granted to Pipelines.
+:::
+
+:::
+
 1. Create the folder structure for the new S3 bucket in your environment. Replace <CustomizableValue id="ACCOUNT_NAME" /> with the account name you are deploying to and <CustomizableValue id="REGION" /> with the AWS region where the S3 bucket will be deployed.
 
     ```bash
@@ -59,7 +71,7 @@ This section covers creating a cloud storage resource using Pipelines and GitOps
     }
 
     include "root" {
-      path = find_in_parent_folders()
+      path = find_in_parent_folders("root.hcl")
     }
 
     inputs = {
@@ -70,6 +82,16 @@ This section covers creating a cloud storage resource using Pipelines and GitOps
 </TabItem>
 <TabItem value="azure" label="Azure" groupId="platform">
 
+:::caution Permissions Required
+
+By default, Pipelines is configured with the permissions needed to complete this tutorial. However, depending on your specific setup, you may need to adjust the role used by Pipelines to ensure it has the appropriate permissions to create Resource Groups and Storage Accounts in your subscription.
+
+:::tip
+The default `bootstrap` Terragrunt stack provided in the installation guide includes `plan_custom_role_actions` and `apply_custom_role_actions` values that can be configured to adjust the permissions granted to Pipelines.
+:::
+
+:::
+
 1. Create the folder structure for the new Resource Group and Storage Account in your environment. Replace <CustomizableValue id="SUBSCRIPTION_NAME" /> with the subscription name you are deploying to, <CustomizableValue id="LOCATION" /> with the Azure location where the resources will be deployed, and <CustomizableValue id="RESOURCE_GROUP_NAME" /> with your desired resource group name.
 
     ```bash

diff --git a/docs/2.0/docs/pipelines/tutorials/destroying-infrastructure.mdx b/docs/2.0/docs/pipelines/tutorials/destroying-infrastructure.mdx
@@ -30,6 +30,18 @@ This section explains how to destroy cloud resources using Pipelines and GitOps
 <Tabs>
 <TabItem value="aws" label="AWS" default>
 
+:::caution Permissions Required
+
+By default, Pipelines is configured with the permissions needed to complete this tutorial. However, depending on your specific setup, you may need to adjust the IAM roles used by Pipelines to ensure they have the necessary permissions to destroy resources.
+
+The default Pipelines role has permissions to delete S3 buckets with names that start with `test-pipelines-`. If you're destroying resources with different naming conventions, you may need to update the IAM policy accordingly.
+
+:::tip
+The default `bootstrap` Terragrunt stack provided in the installation guide includes `plan_iam_policy` and `apply_iam_policy` values that can be configured to adjust the permissions granted to Pipelines.
+:::
+
+:::
+
 1. Remove the folder containing the infrastructure code for the resource you want to destroy. For the S3 bucket example, delete the folder containing the S3 bucket code. Replace <CustomizableValue id="ACCOUNT_NAME" /> and <CustomizableValue id="REGION" /> with the appropriate values.
 
     ```bash
@@ -41,6 +53,16 @@ This section explains how to destroy cloud resources using Pipelines and GitOps
 </TabItem>
 <TabItem value="azure" label="Azure">
 
+:::caution Permissions Required
+
+By default, Pipelines is configured with the permissions needed to complete this tutorial. However, depending on your specific setup, you may need to adjust the role used by Pipelines to ensure it has the appropriate permissions to delete Resource Groups and Storage Accounts in your subscription.
+
+:::tip
+The default `bootstrap` Terragrunt stack provided in the installation guide includes `plan_custom_role_actions` and `apply_custom_role_actions` values that can be configured to adjust the permissions granted to Pipelines.
+:::
+
+:::
+
 1. Remove the folder containing the infrastructure code for the resources you want to destroy. For the Resource Group and Storage Account example, delete the folder containing all the resource group code. Replace <CustomizableValue id="SUBSCRIPTION_NAME" />, <CustomizableValue id="LOCATION" />, and <CustomizableValue id="RESOURCE_GROUP_NAME" /> with the appropriate values.
 
     ```bash