Reputation: 31
I am getting this error message "Policy contains an invalid JSON policy" when I run terraform apply, but when I do terraform validate the policy is validated. I don't know what I am doing wrong. Please help.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":["s3:ListBucket"],
"Resource":["arn:aws:s3:::${var.bucket_name}"]
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource":["arn:aws:s3:::${var.bucket_name}/*"]
},
{
"Effect":"Allow",
"Action":[
"kms:Decrypt"
],
"Resource":"arn:aws:kms:${var.region}:${var.aws_account_id}:key/${var.key_id}"
}
]
}
}
EOF
Upvotes: 2
Views: 5645
Reputation: 1
Change to jsonencode. According to Terraform:
Terraform's jsonencode function converts a Terraform expression result to valid JSON syntax.
Reference: aws_iam_role_policy
Upvotes: 0
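The question's policy rewritten with jsonencode, as an added example that is not part of either answer; the resource name, the name attribute and the aws_iam_role.example reference are assumptions.

```hcl
# Added example: the same three statements built from HCL values instead of a heredoc string.
# aws_iam_role.example and the resource/name values are placeholders, not from the question.
resource "aws_iam_role_policy" "bucket_access" {
  name = "bucket-access"
  role = aws_iam_role.example.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = ["arn:aws:s3:::${var.bucket_name}"]
      },
      {
        Effect   = "Allow"
        Action   = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"]
        Resource = ["arn:aws:s3:::${var.bucket_name}/*"]
      },
      {
        Effect   = "Allow"
        Action   = ["kms:Decrypt"]
        Resource = "arn:aws:kms:${var.region}:${var.aws_account_id}:key/${var.key_id}"
      },
    ]
  })
}
```

Because the value is built from HCL maps rather than a heredoc string, indentation cannot leak into the JSON, and a structural mistake such as a stray brace is reported by terraform validate instead of surfacing as an "invalid JSON policy" error at apply time.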
Reputation: 199
You haven't given much detail but I just bumped into this myself so this answer makes some assumptions.
There is an issue with aws_iam_role_policy noted in the aws terraform provider which I can't word any better so here's the content:
Most probably it's because the policy contains leading spaces.
For resource "aws_iam_role" assume_role_policy (and leading spaces in the JSON), terraform shows an error message that the policy cannot contain leading spaces. However, for resource "aws_iam_role_policy" (and leading spaces in the JSON), terraform simply says that policy contains an invalid JSON policy.
I think that the error message given by terraform in this case should be more specific.
Remove any leading spaces in your JSON.
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":["s3:ListBucket"],
"Resource":["arn:aws:s3:::${var.bucket_name}"]
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource":["arn:aws:s3:::${var.bucket_name}/*"]
},
{
"Effect":"Allow",
"Action":[
"kms:Decrypt"
],
"Resource":"arn:aws:kms:${var.region}:${var.aws_account_id}:key/${var.key_id}"
}
]
}
EOF
Or use the indented heredoc form, which allows leading space (the common indentation is stripped, so the JSON still starts at the first column):
policy = <<-EOF
  {
    "indented": "true"
  }
  EOF
Or stop writing policies etc out in their raw form and use the Terraform policy document data sources to create your definitions and attach them using policy resources e.g.
resource "aws_s3_bucket_policy" "alb_pub_log_bucket" {
  bucket = aws_s3_bucket.alb_pub_log_bucket.id
  policy = data.aws_iam_policy_document.alb_pub_log_bucket.json
}

data "aws_iam_policy_document" "alb_pub_log_bucket" {
  statement {
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      "arn:aws:s3:::${var.alb_pub_log_bucket}",
      "arn:aws:s3:::${var.alb_pub_log_bucket}/*"
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_elb_service_account.public.id}:root"]
    }
  }

  statement {
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      "arn:aws:s3:::${var.alb_pub_log_bucket}",
      "arn:aws:s3:::${var.alb_pub_log_bucket}/*"
    ]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = ["arn:aws:s3:::${var.alb_pub_log_bucket}"]
    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
  }
}
This will give you earlier visibility of any policy errors, as the data source is computed during validate/plan etc.
Upvotes: 2