Better logging on 403 of aws_iam_policy delete

[hashibot]

This issue was originally opened by @gtmtech as hashicorp/terraform#3625. It was migrated here as part of the provider split. The original body of the issue is below.

---

Terraform is much better at telling you the "Action" permission required in AWS in order to achieve things these days. If it cant complete an action because the terraform credentials arent associated with an iam policy with sufficient actions, it tells you which action is lacking - this is very useful.

However, I spotted an omission when dealing with an aws_iam_policy resource. On trying to terraform plan -destroy, this is the error:

aws_iam_policy.my-iam-policy: Error reading IAM policy arn:aws:iam::###########:policy/my-iam-policy: &awserr.requestError{awsError:(*awserr.baseError)(0x#########), statusCode:403, requestID:"e8474b15-####-####-####-e754d2c48ddd"}

To keep with the rest of the helpful messages, it would be much more useful if the message said that it couldnt do its job because the iam:DeletePolicy action was missing from the policy attached to the terraform credentials.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!