user8128927

Reputation:

Terraform bad policy

Hello, I have the following policy definition in my Terraform, but it keeps returning as malformed.

resource "aws_iam_role_policy" "task-policy" {
  name   = "docker-flowcell-restore-task-policy"
  role   = "${aws_iam_role.task-role.id}"
  policy = "${file("${path.module}/policies/role-docker-flowcell-restore-${var.environment}-ecs-policy.json")}"
}

Been struggling with trying to find the error in this for a while.

Here is the error:

aws_iam_role_policy.task-policy: Error putting IAM role policy docker-flowcell-restore-task-policy: MalformedPolicyDocument: Syntax errors in policy.

Here is the policy that is failing:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid":"AllowWritesS3",
      "Action": [
        "s3:GetObject",
        "s3:RestoreObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "Temp_name_for_post",
        "Temp_name_for_post"
      ]
    },
    {
      "SID": "Allow for user for upload S3 bucket",
      "Action": [
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource":[
        "temp_name_for_post",
        "temp_name_for_post"
      ]
    }
  ]
}

Upvotes: 1

Views: 617

Answers (2)

Tim Malone

Reputation: 3534

Unfortunately AWS doesn't tell you exactly what the syntax errors are, so you have to find them yourself. Sometimes you can do this by eye; other times you may just want to use the AWS Console as Jeffrey suggested - and perhaps take out each statement one-by-one then re-validate, to see where the error lies (it's a lot quicker than waiting for Terraform to finish).

In your case, you need to:

  • change SID to Sid in your second statement
  • change the Sid value in that second statement so it has no spaces in it (e.g. "AllowForUserForUploadS3Bucket")
  • use valid S3 ARNs instead of "temp_name_for_post", such as "arn:aws:s3:::my-bucket/*" to refer to all objects in a bucket named my-bucket

After changing these items, the policy now validates for me via the AWS Console.

Upvotes: 3

khaleesi

Reputation: 983

It looks like your IAM policy is malformed. Here are docs on IAM syntax and grammar. Another option to see what is wrong with the policy would be to copy the contents of that file into the IAM policy validator in the AWS Console. The Sid field is not required, but if present it must be unique in the policy, and it cannot contain spaces.

Upvotes: 0
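As an added example (not code from either answer or from the question), here is a small structural linter that flags the problems both answers point at before Terraform ever calls the API: the case-sensitive statement keys (the question's "SID"), a Sid with spaces or a duplicate Sid, and placeholder strings where ARNs are required; it also reports the missing Effect in the question's second statement. The names lint_policy, STATEMENT_KEYS and the constructed sample BROKEN are chosen for this example.

```python
import json
import re

# Keys AWS accepts in a statement; matching is case-sensitive, so the
# question's "SID" is rejected while "Sid" is accepted.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}
SID_RE = re.compile(r"^[A-Za-z0-9]+$")  # IAM Sid: letters and digits only

# Constructed sample mirroring the failing second statement in the question.
BROKEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "SID": "Allow for user for upload S3 bucket",
    "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
    "Resource": ["temp_name_for_post"]}]})


def lint_policy(policy_json: str) -> list[str]:
    """Return structural findings; [] means nothing obviously wrong."""
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    statements = doc.get("Statement")
    statements = [statements] if isinstance(statements, dict) else statements
    if not isinstance(statements, list):
        return ["Statement must be an object or a list of objects"]
    findings: list[str] = []
    seen: set[str] = set()  # Sids must be unique within one policy
    for i, st in enumerate(statements):
        w = f"statement {i}"
        findings += [f"{w}: unknown key {k!r} (keys are case-sensitive)"
                     for k in st if k not in STATEMENT_KEYS]
        sid = st.get("Sid")
        if sid is not None:
            if not SID_RE.match(str(sid)):
                findings.append(f"{w}: Sid {sid!r} must be alphanumeric")
            if str(sid) in seen:
                findings.append(f"{w}: duplicate Sid {sid!r}")
            seen.add(str(sid))
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f'{w}: Effect must be "Allow" or "Deny"')
        if "Action" not in st and "NotAction" not in st:
            findings.append(f"{w}: Action or NotAction is required")
        res = st.get("Resource", st.get("NotResource"))
        if res is None:
            findings.append(f"{w}: Resource or NotResource is required")
        for r in [res] if isinstance(res, str) else res or []:
            if r != "*" and not r.startswith("arn:"):
                findings.append(f"{w}: {r!r} is not an ARN or \"*\"")
    return findings
```

Run it over the JSON file that Terraform reads (for example in a pre-commit hook) to get a concrete list of problems instead of the bare "Syntax errors in policy" message.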
