Terraform JSON MalformedPolicyDocument: The policy failed legacy parsing
I'm having a hard time resolving this error:
Error: error creating IAM policy policy-assumerole-test: MalformedPolicyDocument: The policy failed legacy parsing
status code: 400, request id: b06e5c24-0b3b-42f3-8580-9e0393434dc1
on ../modules/assume/main.tf line 47, in resource "aws_iam_policy" "permit_assume_role":
47: resource "aws_iam_policy" "permit_assume_role" {
The module creates a group with an assume-role policy attached.
The module is here:
terraform {
  required_providers {
    template = {
      source  = "hashicorp/template"
      version = "2.2.0"
    }
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.72.0"
    }
  }
  required_version = "~> 0.14"
}

## Generate the assume roles policy for this group
data "template_file" "policy" {
  template = file("${path.module}/assets/assume_role.json")
  vars = {
    accounts = join(
      ",\n",
      formatlist(
        "\"arn:aws:iam::%s:role/%s\"",
        var.account_id,
        coalesce(var.role_override, var.role_name),
      ),
    )
  }
}

## Create an AWS group
resource "aws_iam_group" "group" {
  name = var.group_name
}

## Add the user membership to the group
resource "aws_iam_group_membership" "group" {
  name  = "group_membership"
  group = aws_iam_group.group.name
  users = var.users_list
}

## The IAM policy to allow the central account permission to STS assume role
resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"
  policy      = data.template_file.policy.rendered
}

## Assigning the IAM policy to the user group
resource "aws_iam_policy_attachment" "permit_group_policy" {
  name       = "permit_group_policy"
  groups     = [aws_iam_group.group.name]
  policy_arn = aws_iam_policy.permit_assume_role.arn
}
The assume_role.json template is here:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      ${accounts}
    ]
  }
}
This allows me to call the module and have it build the policy when I invoke it.
Example:
module "assume_group" {
  source = "../modules/assume"
  account_id = [
    var.accounts["account1"],
    var.accounts["account2"],
  ]
  group_name = "test"
  role_name  = "test"
  users_list = [
  ]
  providers = {
    aws = aws.login
  }
}
This gives me an error that I'm struggling to resolve. VSCode points at the template, which has no
That configuration would produce a trailing comma in the JSON array, which is a syntax error under the format specification. I would suggest updating the usage to the templatefile function. You can then also use the jsonencode function to convert from HCL2, which makes the conversion easier for you. Your template would appear as:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": ${jsonencode(accounts)}
  }
}
and in the resource's value for the policy argument:
resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"
  policy = templatefile("${path.module}/assets/assume_role.json", {
    accounts = [
      for account_id in var.account_id :
      "arn:aws:iam::${account_id}:role/${coalesce(var.role_override, var.role_name)}"
    ]
  })
}
I did find that I was missing the "[" at the start and end of the Statement. That shouldn't matter for a single resource, but it was causing me problems. Adding it resolved my issue.
Thanks
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      ${accounts}
    ]
  }]
}
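As an added example (not code from the question or the answer above), here is the same module's policy built with the AWS provider's aws_iam_policy_document data source instead of a hand-written JSON template. The provider serialises the document itself, so the output is always valid JSON and "Statement" is always emitted as an array; neither the trailing-comma problem the answer describes nor the missing "[" brackets the asker hit can occur. Variable names (var.account_id, var.role_name, var.role_override, var.group_name) are assumed to match the module in the question.

```hcl
# Added example; assumes the same input variables as the module in the question.

## Build the assume-role policy as an HCL data structure rather than text.
## Every IAM policy document rendered this way is well-formed JSON with
## "Statement" as an array, which is what the legacy parser expects.
data "aws_iam_policy_document" "permit_assume_role" {
  statement {
    sid     = "PermitAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # One role ARN per target account; role_override wins over role_name.
    resources = [
      for account_id in var.account_id :
      "arn:aws:iam::${account_id}:role/${coalesce(var.role_override, var.role_name)}"
    ]
  }
}

## The rendered .json attribute goes straight into the policy argument.
resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"
  policy      = data.aws_iam_policy_document.permit_assume_role.json
}

## Attach the policy to the group with a non-exclusive attachment resource.
resource "aws_iam_group_policy_attachment" "permit_group_policy" {
  group      = aws_iam_group.group.name
  policy_arn = aws_iam_policy.permit_assume_role.arn
}
```

Two things worth knowing when adopting this: `terraform plan` shows the rendered JSON in the diff, so structural mistakes are visible before any API call is made, and aws_iam_group_policy_attachment was used here instead of the question's aws_iam_policy_attachment because the latter manages the policy's attachments exclusively and will detach the same policy from any other group, user or role that is not listed in its arguments.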