Tags: amazon-web-services, terraform, terraform-provider-aws

AWS Policy Rejection


Currently spinning wheels while using Terraform with the AWS provider. The policy below seems valid, but it keeps being rejected. I can't figure out why this is invalid JSON for the policy:

resource "aws_iam_policy" "aws_dms_secret_sql_server_policy" {
  name   = "${var.application}-${replace(var.service, "-", "")}-${replace(data.aws_region.current.name, "-", "")}-${terraform.workspace}-dms_secret_sql_server_policy"
  policy = <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "${module.rds_staging.secrets_manager_secret_arn}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "${module.rds_staging.secrets_manager_kms_key_arn}"
        }
    ]
}
EOF
  tags   = local.common_tags
}

Here is the Terraform error:

Error: "policy" contains an invalid JSON policy

  with aws_iam_policy.aws_dms_secret_sql_server_policy,
  on dms-bronze-iam.tf line 88, in resource "aws_iam_policy" "aws_dms_secret_sql_server_policy":
  88:     policy = <<EOF
  89:     {
  90:         "Version": "2012-10-17",
  91:         "Statement": [
  92:             {
  93:                 "Effect": "Allow",
  94:                 "Action": "secretsmanager:GetSecretValue",
  95:                 "Resource": "${module.rds_staging.secrets_manager_secret_arn}"
  96:             },
  97:             {
  98:                 "Effect": "Allow",
  99:                 "Action": [
 100:                         "kms:Decrypt",
 101:                         "kms:DescribeKey"
 102:                         ],
 103:                 "Resource": "${module.rds_staging.secrets_manager_kms_key_arn}"
 104:             }
 105:         ]
 106:     }
 107:     EOF

Solution

  • Your JSON must be invalid when evaluated. The Terraform documentation states:

    Don't use "heredoc" strings to generate JSON or YAML. Instead, use the jsonencode function or the yamlencode function so that Terraform can be responsible for guaranteeing valid JSON or YAML syntax.

    so, using the jsonencode function:

    jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect   = "Allow"
          Action   = "secretsmanager:GetSecretValue"
          Resource = module.rds_staging.secrets_manager_secret_arn
        },
        {
          Effect   = "Allow"
          Action   = ["kms:Decrypt", "kms:DescribeKey"]
          Resource = module.rds_staging.secrets_manager_kms_key_arn
        }
      ]
    })
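The same policy can also be built with the aws_iam_policy_document data source, which lets Terraform render the JSON and check the statement structure at plan time. This is an added example, not code from the question or the answer; it assumes the module outputs, var.application, var.service, local.common_tags and data.aws_region.current from the question exist, and the kms:ViaService condition is an added hardening that the original policy does not have.

```hcl
# Added example: render the IAM policy with the aws_iam_policy_document data
# source instead of a heredoc, so Terraform is responsible for valid JSON.
data "aws_iam_policy_document" "dms_secret_sql_server" {
  statement {
    sid       = "ReadDmsSourceSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [module.rds_staging.secrets_manager_secret_arn]
  }

  statement {
    sid       = "DecryptSecretWithKmsKey"
    effect    = "Allow"
    actions   = ["kms:Decrypt", "kms:DescribeKey"]
    resources = [module.rds_staging.secrets_manager_kms_key_arn]

    # Assumed hardening, not in the original answer: the key may only be used
    # for requests that arrive through Secrets Manager in this region, so the
    # grant cannot be reused to decrypt other ciphertext under the same key.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["secretsmanager.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "aws_dms_secret_sql_server_policy" {
  name   = "${var.application}-${replace(var.service, "-", "")}-${replace(data.aws_region.current.name, "-", "")}-${terraform.workspace}-dms_secret_sql_server_policy"
  policy = data.aws_iam_policy_document.dms_secret_sql_server.json
  tags   = local.common_tags
}
```

The rendered document appears in the `policy` attribute of the resource in `terraform plan` output, which makes it easy to confirm the two ARNs resolved to single strings before anything is applied.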