UPDATE: iam_policy_document: Error: InvalidParameter: Invalid parameter: Policy Error: null status code: 400, request id
So I am trying to migrate a non-modular Terraform setup to one made up of modules. I have run into this error. I know this is not a Terraform-specific error, but I am using Terraform.
The overall structure of all the modules needed to accomplish this consists of:
% ls
caller_identity event_rule event_target iam_policy_document sns_topic_policy
In caller_identity:
ls
main.tf output.tf variable.tf
In event_rules:
main.tf output.tf variable.tf
In event_target:
main.tf variable.tf (I did not seem to need to have an output to be used somewhere else.)
In iam_policy_document:
% ls
main.tf output.tf variable.tf
data "aws_iam_policy_document" "this" {
  statement {
    actions = [
      "SNS:GetTopicAttributes",
      "SNS:SetTopicAttributes",
      "SNS:AddPermission",
      "SNS:RemovePermission",
      "SNS:DeleteTopic",
      "SNS:Subscribe",
      "SNS:ListSubscriptionsByTopic",
      "SNS:Publish",
      "SNS:Receive"
    ]
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceOwner"
      values = [
        var.account
      ]
    }
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    resources = [
      var.arn
    ]
    sid = "__default_statement_ID"
  }
  statement {
    actions = [
      "sns:Publish"
    ]
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = [
      var.arn
    ]
    sid = "TrustCWEToPublishEventsToMyTopic"
  }
}
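In sns_topic_policy:
main.tf output.tf variable.tf
resource "aws_sns_topic_policy" "this" {
  arn    = var.arn
  policy = var.policy
}
I started redoing all of this in the order posted, and I test as I go. All in all, Terraform needs to build 4 items; I know that for sure because the non-modular version is my baseline.
So everything seemed to work until I got to aws_sns_topic_policy.
This is what I get with sns_topic hashed out: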
}
}
Plan: 3 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value:
I enter yes, and it completes with the output I show below.
Now, as soon as I add the sns module, something goes wrong somewhere.
My output:
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
caller_identity_out = 012345678910
cloudwatch_event_rule_out = Detect-Local-User-Creations
iam_policy_document_out = {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "__default_statement_ID",
      "Effect": "Allow",
      "Action": [
        "SNS:Subscribe",
        "SNS:SetTopicAttributes",
        "SNS:RemovePermission",
        "SNS:Receive",
        "SNS:Publish",
        "SNS:ListSubscriptionsByTopic",
        "SNS:GetTopicAttributes",
        "SNS:DeleteTopic",
        "SNS:AddPermission"
      ],
      "Resource": "arn:aws:sns:us-east-1:012345678910:tf-SnsTopic-EmailSNSTopic-9JJZS66CE1CW",
      "Principal": {
        "AWS": "*"
      },
      "Condition": {
        "StringEquals": {
          "AWS:SourceOwner": "012345678910"
        }
      }
    },
    {
      "Sid": "TrustCWEToPublishEventsToMyTopic",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:012345678910:tf-SnsTopic-EmailSNSTopic-9JJZS66CE1CW",
      "Principal": {
        "Service": "events.amazonaws.com"
      }
    }
  ]
}
From what I can see, I don't know what it is referring to. The only way to get rid of this error is to use jsonencode. However, that is where the next error comes up:
iam_policy_document: Error: InvalidParameter: Invalid parameter: Policy Error: null status code: 400,
output.tf file:
output "iam_policy_document_out" {
  value = data.aws_iam_policy_document.this.json
}
Someone mentioned that jsonencode is not needed; this is what happens if I remove it.
Error received when changing #policy = jsonencode("module.aws_iam_policy_document.iam_policy_document_out") to
policy = "module.aws_iam_policy_document.iam_policy_document_out"
Error:
dLocalUsers]
module.iam_policy_document.data.aws_iam_policy_document.this: Refreshing state...
Error: "policy" contains an invalid JSON: invalid character 'm' looking for beginning of value
on ../../../modules/cloudwatch/sns_topic_policy/main.tf line 3, in resource "aws_sns_topic_policy" "this":
3: policy = var.policy
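The latest thing is when I implemented the "alternative" from the answer.
I get this error, but I don't see the problem. I don't understand what this error is. I have the output working, and it is declared in sns_topic... so either I am missing the obvious, or I don't know...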
Error: Reference to undeclared module
on main.tf line 43, in module "sns_topic_policy":
43: policy = module.aws_iam_policy_document.iam_policy_document_out.json
No module call named "aws_iam_policy_document" is declared in the root module.
Your iam_policy_document_out is already in json form:
value = data.aws_iam_policy_document.this.json
So in the module, the following should be used:
module "sns_topic_policy" {
  source = "./sns_topic_policy/"
  arn    = module.SnsTopic.arn
  policy = module.aws_iam_policy_document.iam_policy_document_out
}
There could still be other issues, which are not apparent until you deploy the code.
Alternative:
output "iam_policy_document_out" {
  value = data.aws_iam_policy_document.this
}
module "sns_topic_policy" {
  source = "./sns_topic_policy/"
  arn    = module.SnsTopic.arn
  policy = module.aws_iam_policy_document.iam_policy_document_out.json
}
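The three errors in this thread side by side with one wiring that avoids them, as an added example that is not code from the question or the answer. Assumptions: the module call label is `iam_policy_document` (taken from the refresh line `module.iam_policy_document.data.aws_iam_policy_document.this` in the question), the source paths and the `caller_identity` output name are placeholders, and the `validation` block is an addition that needs Terraform 0.13 or later.

```hcl
# sns_topic_policy/variable.tf (added check, not in the original module)
variable "arn" {
  type = string
}

variable "policy" {
  type = string

  # Rejects the literal text "module...." and a jsonencode()'d string:
  # neither decodes to an object that has a Statement element.
  validation {
    condition     = can(jsondecode(var.policy).Statement)
    error_message = "The policy value must be a JSON policy document with a Statement element."
  }
}

# Root main.tf
# Assumption: the call label is "iam_policy_document", as in the refresh line
# module.iam_policy_document.data.aws_iam_policy_document.this.
module "iam_policy_document" {
  source  = "./iam_policy_document/"                   # path assumed
  account = module.caller_identity.caller_identity_out # output name assumed
  arn     = module.SnsTopic.arn
}

module "sns_topic_policy" {
  source = "./sns_topic_policy/"
  arn    = module.SnsTopic.arn

  # Quoted: the literal text is passed as the policy, hence
  # "invalid character 'm' looking for beginning of value".
  #   policy = "module.aws_iam_policy_document.iam_policy_document_out"
  # jsonencode of that text: valid JSON, but a string rather than a policy.
  #   policy = jsonencode("module.aws_iam_policy_document.iam_policy_document_out")
  # Unquoted with a label that is not declared: "Reference to undeclared module".
  #   policy = module.aws_iam_policy_document.iam_policy_document_out

  # Unquoted reference to the declared label. The output is already
  # data.aws_iam_policy_document.this.json, so no jsonencode is needed.
  policy = module.iam_policy_document.iam_policy_document_out
}
```

With the `validation` block in place, a quoted reference or a `jsonencode()`'d string is caught by Terraform itself instead of surfacing as a 400 from the SNS API.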