I'm creating an AWS CodeDeploy IAM policy for S3 using Terraform, but getting the error MalformedPolicyDocument: Has prohibited field Resource.
main.tf file:
resource "aws_iam_role" "codedeploy_iam_role" {
  name               = "AutoScalePolicy"
  assume_role_policy = file("${path.module}/AutoScalePolicy.json")
  tags = {
    Name = "AutoScale-CodeDeploy-BlueGreen-Role"
  }
}
Here is the AutoScalePolicy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListStorageLensConfigurations",
        "s3:ListAccessPointsForObjectLambda",
        "s3:GetAccessPoint",
        "s3:PutAccountPublicAccessBlock",
        "s3:GetAccountPublicAccessBlock",
        "s3:ListAllMyBuckets",
        "s3:ListAccessPoints",
        "s3:PutAccessPointPublicAccessBlock",
        "s3:ListJobs",
        "s3:PutStorageLensConfiguration",
        "s3:ListMultiRegionAccessPoints",
        "s3:CreateJob"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::s3-demo",
        "arn:aws:s3:::s3-demo/*"
      ]
    }
  ]
}
Tried changing the IAM policy and S3 bucket names, but the issue still persists. I had troubleshot these issues:
AutoScalePolicy.json is a policy, and not an assume_role_policy. You should use something like this:
resource "aws_iam_role" "test_role" {
  ...
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "codedeploy.amazonaws.com"
        }
      },
    ]
  })

  inline_policy {
    name   = "role_policy"
    policy = file("${path.module}/AutoScalePolicy.json")
  }
  ...
}
The resource documentation mentions the difference between a policy and an assume role policy.
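The error in the question is IAM enforcing the split the answer describes: a trust (assume-role) policy may carry Principal but not Resource, and a permissions policy the reverse. The following pre-apply check is an added example, not code from the question, the answer, or the Terraform provider. It classifies a policy document before it reaches `terraform apply`, reports the same prohibited-field problems IAM would, and additionally flags service-wide wildcards such as the question's `s3:*` statement. The two embedded documents are constructed samples: TRUST_POLICY mirrors the answer's assume_role_policy, and QUESTION_POLICY is the question's AutoScalePolicy.json trimmed to two actions; the script name and its `trust|permissions FILE` usage are assumptions.

```python
"""Pre-apply check for IAM policy JSON: tells a trust (assume-role) document
from a permissions document. Added example, not from the original post."""
import json
import sys

# IAM allows each of these fields in only one of the two document kinds;
# using one in the wrong kind is what "Has prohibited field ..." reports.
TRUST_ONLY = {"Principal", "NotPrincipal"}
PERMISSIONS_ONLY = {"Resource", "NotResource"}


def _statements(doc):
    stmts = doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Problems that make `doc` unusable as an assume_role_policy."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        sid = s.get("Sid") or f"#{i}"
        for field in sorted(PERMISSIONS_ONLY & s.keys()):
            problems.append(f"{sid}: has prohibited field {field}")
        if not TRUST_ONLY & s.keys():
            problems.append(f"{sid}: missing Principal")
        non_sts = [a for a in _as_list(s.get("Action", [])) if not a.startswith("sts:")]
        if non_sts:
            problems.append(f"{sid}: non-sts action(s) {', '.join(non_sts)}")
    return problems


def check_permissions_policy(doc):
    """Problems that make `doc` unusable as an inline or managed policy."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        sid = s.get("Sid") or f"#{i}"
        for field in sorted(TRUST_ONLY & s.keys()):
            problems.append(f"{sid}: has prohibited field {field}")
        if not PERMISSIONS_ONLY & s.keys():
            problems.append(f"{sid}: missing Resource")
    return problems


def wildcard_actions(doc):
    """Allow statements granting a service-wide wildcard (e.g. s3:*). Not an
    IAM error, but worth narrowing before attaching to a CodeDeploy role."""
    hits = []
    for i, s in enumerate(_statements(doc)):
        if s.get("Effect") != "Allow":
            continue
        sid = s.get("Sid") or f"#{i}"
        for action in _as_list(s.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                hits.append(f"{sid}: {action}")
    return hits


# Constructed samples (assumptions for this example).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Service": "codedeploy.amazonaws.com"},
    }],
}
QUESTION_POLICY = {  # the question's AutoScalePolicy.json, trimmed
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets", "s3:GetAccountPublicAccessBlock"],
            "Resource": "*",
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::s3-demo", "arn:aws:s3:::s3-demo/*"],
        },
    ],
}


if __name__ == "__main__":
    # usage: python check_policy.py trust|permissions FILE.json  (assumed name)
    kind, path = sys.argv[1], sys.argv[2]
    with open(path) as fh:
        doc = json.load(fh)
    check = check_trust_policy if kind == "trust" else check_permissions_policy
    problems = check(doc)
    extra = wildcard_actions(doc) if kind == "permissions" else []
    for line in problems + extra:
        print(line)
    sys.exit(1 if problems else 0)
```

Run against the question's file as `trust`, it reports "has prohibited field Resource" for both statements, which is the IAM error; run as `permissions`, it passes but flags `VisualEditor1: s3:*`, since a deployment role normally only needs to read its artifact bucket.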