Terraform JSON MalformedPolicyDocument: The policy failed legacy parsing

Time:01-21

I am having a hard time resolving this error

Error: error creating IAM policy policy-assumerole-test: MalformedPolicyDocument: The policy failed legacy parsing
    status code: 400, request id: b06e5c24-0b3b-42f3-8580-9e0393434dc1
  on ../modules/assume/main.tf line 47, in resource "aws_iam_policy" "permit_assume_role":
  47: resource "aws_iam_policy" "permit_assume_role" {

The module creates a group with the assume policy attached.

The module is here:

terraform {
  required_providers {
    template = {
      source  = "hashicorp/template"
      version = "2.2.0"
    }

    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.72.0"
    }
  }

  required_version = "~> 0.14"
}

## Generate the assume roles policy for this group
data "template_file" "policy" {
  template = file("${path.module}/assets/assume_role.json")

  vars = {
    accounts = join(
      ",\n",
      formatlist(
        "\"arn:aws:iam::%s:role/%s\"",
        var.account_id,
        coalesce(var.role_override, var.role_name),
      ),
    )
  }
}

## Create an AWS group
resource "aws_iam_group" "group" {
  name = var.group_name
}

## Add the user membership to the group
resource "aws_iam_group_membership" "group" {
  name  = "group_membership"
  group = aws_iam_group.group.name
  users = var.users_list
}

## The IAM policy to allow the central account permission to STS assume role
resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"
  policy      = data.template_file.policy.rendered
}

## Assigning the IAM policy to the user group
resource "aws_iam_policy_attachment" "permit_group_policy" {
  name       = "permit_group_policy"
  groups     = [aws_iam_group.group.name]
  policy_arn = aws_iam_policy.permit_assume_role.arn
}

The assume_role.json template is here:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
        ${accounts}
    ]
  }
}

This allows me to call and construct a policy when I call my module.

Example:

module "assume_group" {
  source = "../modules/assume"

  account_id = [
    var.accounts["account1"],
    var.accounts["account2"],
  ]

  group_name = "test"
  role_name  = "test"

  users_list = [
  ]

  providers = {
    aws = aws.login
  }
}

This is throwing me an error which I am struggling to resolve. VSCode is pointing to the template not hav

CodePudding user response:

That config will have a trailing comma in the JSON array, which is a syntax error for the format specification. I would recommend updating the usage to the templatefile function. You could then also make this much easier for yourself with the jsonencode function to convert from HCL2. Your template would appear like:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": ${jsonencode(accounts)}
  }
}

and in the resource value for the policy argument:

resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"
  policy      = templatefile("${path.module}/assets/assume_role.json", { accounts = [ for account_id in var.account_id : "arn:aws:iam::${account_id}:role/${coalesce(var.role_override, var.role_name)}"] })
}
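As an added example (not code from the question or either answer), the same module policy built without a JSON template at all: jsonencode emits the whole document from HCL values, so the Statement array, quoting and commas are always valid. It assumes the questioner's existing module variables `account_id`, `role_name`, `role_override` and `group_name` and the `aws_iam_group.group` resource.

```hcl
# Added example, not from the question or the answers. Assumes the module's
# existing variables: account_id (list of account IDs), role_name,
# role_override (optional, may be null) and group_name.
locals {
  # coalesce() skips null, so role_override wins only when it is set.
  target_role = coalesce(var.role_override, var.role_name)

  # One role ARN per member account; a list, so Resource is always a JSON array.
  assume_role_arns = [
    for account_id in var.account_id :
    "arn:aws:iam::${account_id}:role/${local.target_role}"
  ]
}

resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"

  # jsonencode builds the document from HCL values: no template, so no hand-
  # written brackets, quotes or commas to get wrong, and Statement is a list.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "AssumeMemberAccountRoles"
        Effect   = "Allow"
        Action   = "sts:AssumeRole"
        Resource = local.assume_role_arns
      }
    ]
  })
}

# aws_iam_group_policy_attachment attaches the policy to this group only,
# unlike aws_iam_policy_attachment, which takes exclusive control of every
# user, group and role the policy is attached to and detaches the others.
resource "aws_iam_group_policy_attachment" "permit_group_policy" {
  group      = aws_iam_group.group.name
  policy_arn = aws_iam_policy.permit_assume_role.arn
}
```

With this form `terraform validate` reports HCL mistakes at plan time, whereas a malformed rendered template is only rejected by IAM at apply time with the MalformedPolicyDocument error shown above.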

CodePudding user response:

I did find out I was missing the "[" at the start of the statement and "]" at the end of the statement. This shouldn't matter for a single resource but it was causing me issues. Adding this resolved my issue.

Thanks

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
        ${accounts}
    ]
  }]
}