Reputation: 29
I have an issue and I can't quite figure out why.
I'm trying to create a custom policy but I get this message: Error: Extra characters after interpolation expression on this line
{
"Effect": "Allow",
"Action": "iam:ChangePassword",
"Resource": "arn:aws:iam::766281746212:user/${aws:username}"
},
It states: Expected a closing brace to end the interpolation expression, but found extra characters.
Here is my code:
resource "aws_iam_policy" "policy" {
  name        = "AllowManageOwnAccessKeys"
  path        = "/"
  description = "Allow to manage Access key"
  policy      = <<EOF
{
  Version = "2012-10-17"
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:GetAccountPasswordPolicy",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:ChangePassword",
      "Resource": "arn:aws:iam::766281746212:user/${aws:username}"
    },
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::766281746212:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::766281746212:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    },
    {
      "Sid": "ManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetAccessKeyLastUsed",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::766281746212:user/${aws:username}"
    }
  ]
}
EOF
}
If anyone has a lead on that, it would be much appreciated.
Thanks
Upvotes: 0
Views: 600
Reputation: 74694
The immediate cause of this error is that ${aws:username} is a sequence you want to have interpreted by AWS IAM as part of policy checking, rather than by Terraform as part of template evaluation. Unfortunately both IAM and Terraform use a similar syntax for interpolation, so you'll need to escape it in Terraform in order for the sequence to pass through literally to IAM:
"Resource": "arn:aws:iam::766281746212:user/$${aws:username}"
Terraform understands $${ as an escape sequence to produce a literal ${, and so Terraform will replace $${aws:username} with ${aws:username} when constructing this string to send to the AWS provider. The AWS provider will then send it to IAM as-is, allowing IAM to interpret it.
You also have a syntax error in your IAM policy with how you specified the version number. So far that hasn't appeared as an error because Terraform is failing to parse your string before sending it to the AWS provider, but once you fix the above you'll probably see another syntax error from the AWS provider. To fix that one, you'll need to set the Version property using valid JSON syntax:
"Version": "2012-10-17",
It looks like you were trying to use Terraform object syntax there. It is possible to write an IAM policy using Terraform's own expression syntax and then convert it to JSON using jsonencode, and that's pretty helpful in situations where your policy will incorporate some dynamic data computed within Terraform itself, but switching to that syntax from what you have would be quite involved and not directly related to the question you asked here. If you're interested in learning more, you can see a simple example in the aws_iam_policy documentation.
Upvotes: 0
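As an added example (not part of the question or the answer above), here is the same policy rewritten in the jsonencode style the answer mentions. It keeps both points from the answer visible side by side: real Terraform interpolation (the account ID, taken from the aws_caller_identity data source instead of being hard-coded) and the escaped $${aws:username} that must reach IAM literally. The object-syntax Version that was a syntax error inside the heredoc is valid here because jsonencode produces the JSON. The resource name, description and the use of aws_caller_identity are assumptions; the statements are the asker's own.

```hcl
# Added example: the asker's policy expressed with jsonencode (not the original code).
# Assumes the AWS provider is configured; the account ID is read at plan time
# rather than hard-coded.
data "aws_caller_identity" "current" {}

locals {
  account_id = data.aws_caller_identity.current.account_id

  # ${local.account_id} is resolved by Terraform.
  # $${aws:username} is the Terraform escape for a literal ${aws:username},
  # which IAM substitutes with the calling user's name when it evaluates the policy.
  own_user_arn = "arn:aws:iam::${local.account_id}:user/$${aws:username}"
  own_mfa_arn  = "arn:aws:iam::${local.account_id}:mfa/$${aws:username}"
}

resource "aws_iam_policy" "policy" {
  name        = "AllowManageOwnAccessKeys"
  path        = "/"
  description = "Allow to manage Access key"

  # Terraform object syntax is correct inside jsonencode(); it emits
  # "Version": "2012-10-17" in the resulting JSON document.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "iam:GetAccountPasswordPolicy"
        Resource = "*"
      },
      {
        Effect   = "Allow"
        Action   = "iam:ChangePassword"
        Resource = local.own_user_arn
      },
      {
        Sid      = "AllowViewAccountInfo"
        Effect   = "Allow"
        Action   = "iam:ListVirtualMFADevices"
        Resource = "*"
      },
      {
        Sid      = "AllowManageOwnVirtualMFADevice"
        Effect   = "Allow"
        Action   = ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"]
        Resource = local.own_mfa_arn
      },
      {
        Sid    = "AllowManageOwnUserMFA"
        Effect = "Allow"
        Action = [
          "iam:DeactivateMFADevice",
          "iam:EnableMFADevice",
          "iam:GetUser",
          "iam:ListMFADevices",
          "iam:ResyncMFADevice",
        ]
        Resource = local.own_user_arn
      },
      {
        # Deny everything not listed unless the session was MFA-authenticated.
        Sid    = "DenyAllExceptListedIfNoMFA"
        Effect = "Deny"
        NotAction = [
          "iam:CreateVirtualMFADevice",
          "iam:EnableMFADevice",
          "iam:GetUser",
          "iam:ListMFADevices",
          "iam:ListVirtualMFADevices",
          "iam:ResyncMFADevice",
          "sts:GetSessionToken",
        ]
        Resource = "*"
        Condition = {
          BoolIfExists = {
            "aws:MultiFactorAuthPresent" = "false"
          }
        }
      },
      {
        Sid    = "ManageOwnAccessKeys"
        Effect = "Allow"
        Action = [
          "iam:CreateAccessKey",
          "iam:DeleteAccessKey",
          "iam:GetAccessKeyLastUsed",
          "iam:GetUser",
          "iam:ListAccessKeys",
          "iam:UpdateAccessKey",
        ]
        Resource = local.own_user_arn
      },
    ]
  })
}
```

After `terraform plan`, the rendered policy can be inspected with `terraform console` (evaluate `aws_iam_policy.policy.policy`) to confirm that the output contains the literal ${aws:username} and a numeric account ID, which is the quickest way to check that only the intended placeholder was escaped.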