buildmaestro

Reputation: 1446

IAM policy: MalformedPolicyDocument: Syntax errors in policy

I was able to successfully run a CloudFormation stack that included the following snippet, and now my ultimate goal is to get this ported to Terraform, but...

I'm getting a malformed syntax error even within the AWS Console. I tried to debug this using the AWS Console's "Policy Editor" and clicking the "Validate" button, but the error is non-specific. Anyone know what I'm doing wrong? It's strange, because this policy seemed to work when I deployed the CloudFormation stack template. (btw, this is from GorillaStack's AutoTagging project if that helps)

This policy contains the following error: Syntax errors in policy. For more information about the IAM policy grammar, see AWS IAM Policies.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudformation:DescribeStackResource"
          ],
          "Resource": [
            { "Fn::Join": [ "", [ "arn:aws:cloudformation:", { "Ref" : "AWS::Region" }, ":", { "Ref" : "AWS::AccountId" }, ":stack/autotag/*" ] ] }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "sts:*"
          ],
          "Resource": [
            { "Fn::GetAtt" : [ "AutoTagMasterRole", "Arn" ] }
          ]
        }
      ]
    }

My terraform configuration has the following resource (with the above snippet included)

    resource "aws_iam_role_policy" "AutoTagExecutionPolicy" {
      name = "AutoTagExecutionPolicy"
      role = "${aws_iam_role.AutoTagExecutionRole.id}"

      policy = <<EOF
    <-THE POLICY ABOVE GOES HERE->
    EOF
    }

Upvotes: 3

Views: 15028

Answers (1)

strongjz

Reputation: 4491

You need to convert the CloudFormation functions to variables in the Terraform script.

data "aws_iam_policy_document" "example" {
  statement {
    # Sid values in IAM policies must be alphanumeric (no spaces)
    sid    = "AllowLogs"
    effect = "Allow"

    # aws_iam_policy_document uses the plural argument names "actions" and "resources"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]

    resources = [
      "arn:aws:logs:*:*:*",
    ]
  }

  statement {
    sid    = "AllowS3"
    effect = "Allow"

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      "*",
    ]
  }

  statement {
    sid    = "AllowCfn"
    effect = "Allow"

    actions = [
      "cloudformation:DescribeStackResource",
    ]

    # Replaces the Fn::Join expression: pass the stack ARN in as a variable
    resources = [
      "${var.cfn_stack}",
    ]
  }

  statement {
    sid    = "AllowSts"
    effect = "Allow"

    actions = [
      "sts:*",
    ]

    # Replaces Fn::GetAtt [AutoTagMasterRole, Arn]: pass the role ARN in as a variable
    resources = [
      "${var.AutoTagMasterRole_arn}",
    ]
  }
}

THEN

resource "aws_iam_policy" "example" {
  name   = "example_policy"
  path   = "/"
  policy = "${data.aws_iam_policy_document.example.json}"
}

https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html

https://www.terraform.io/docs/configuration/interpolation.html

Upvotes: 1
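The question's policy fails validation because `{ "Fn::Join": ... }` and `{ "Fn::GetAtt": ... }` are CloudFormation template syntax, not IAM policy JSON; IAM sees JSON objects where it expects ARN strings. As an added example (not code from the question, the answer, or the AutoTagging project), here is the same policy with those intrinsics replaced by Terraform's `aws_region` and `aws_caller_identity` data sources and the role's `arn` attribute, attached with the question's `aws_iam_role_policy`. It assumes Terraform 0.12+ syntax, that `aws_iam_role.AutoTagMasterRole` and `aws_iam_role.AutoTagExecutionRole` are managed in the same configuration, and the stack name `autotag` from the original `Fn::Join`.

```hcl
# Added example: CloudFormation intrinsics expressed as Terraform references.
# Assumes Terraform 0.12+ and roles AutoTagMasterRole / AutoTagExecutionRole
# defined elsewhere in this configuration.

data "aws_caller_identity" "current" {} # replaces { "Ref": "AWS::AccountId" }
data "aws_region" "current" {}          # replaces { "Ref": "AWS::Region" }

data "aws_iam_policy_document" "autotag_execution" {
  statement {
    sid       = "AllowLogs" # Sid must be alphanumeric; no spaces
    effect    = "Allow"
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:*:*:*"]
  }

  statement {
    sid       = "AllowS3Read"
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:ListBucket"]
    resources = ["*"]
  }

  statement {
    sid     = "AllowDescribeStack"
    effect  = "Allow"
    actions = ["cloudformation:DescribeStackResource"]
    # Same ARN the Fn::Join built, now from data sources (stack name "autotag" assumed).
    resources = [
      "arn:aws:cloudformation:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:stack/autotag/*",
    ]
  }

  statement {
    sid     = "AllowAssumeMasterRole"
    effect  = "Allow"
    actions = ["sts:*"]
    # Same value Fn::GetAtt [AutoTagMasterRole, Arn] returned in CloudFormation.
    resources = [aws_iam_role.AutoTagMasterRole.arn]
  }
}

# Inline role policy, as in the question's aws_iam_role_policy resource.
resource "aws_iam_role_policy" "AutoTagExecutionPolicy" {
  name   = "AutoTagExecutionPolicy"
  role   = aws_iam_role.AutoTagExecutionRole.id
  policy = data.aws_iam_policy_document.autotag_execution.json
}
```

Running `terraform plan` renders the data source to plain IAM JSON, so the result can be pasted into the console's policy validator if you want to confirm it before applying. If the execution role only ever assumes the master role, `sts:AssumeRole` is sufficient in the last statement instead of `sts:*`.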
