通过terraform创建策略时出现MalformedPolicyDocument错误

Question

运行terraform时出现以下错误:

* aws_iam_role_policy.rds_policy: Error putting IAM role policy my-rds-policy: MalformedPolicyDocument: The policy failed legacy parsing

这是我对资源的定义:

resource "aws_iam_role_policy" "rds_policy" {
  name = "my-rds-policy"
  role = "${aws_iam_role.rds_role.id}"
  policy = <<EOF
  {
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
          ],
          "Resource": [
              "arn:aws:s3:::my-bucket"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObjectMetaData",
              "s3:GetObject",
              "s3:PutObject",
              "s3:ListMultipartUploadParts",
              "s3:AbortMultipartUpload"
          ],
          "Resource": [
              "arn:aws:s3:::my-bucket/backups/*"
          ]
      }
  ]
}
EOF
}

JSON策略文档格式正确,我看不到任何明显的东西.

Answer 1

您需要确保在EOF heredoc开始时没有任何缩进,因为您的JSON策略不应以缩进大括号开头.

所以你应该对这个简单的改变很好:

resource "aws_iam_role_policy" "rds_policy" {
  name = "my-rds-policy"
  role = "${aws_iam_role.rds_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket",
              "s3:GetBucketLocation"
          ],
          "Resource": [
              "arn:aws:s3:::my-bucket"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObjectMetaData",
              "s3:GetObject",
              "s3:PutObject",
              "s3:ListMultipartUploadParts",
              "s3:AbortMultipartUpload"
          ],
          "Resource": [
              "arn:aws:s3:::my-bucket/backups/*"
          ]
      }
  ]
}
EOF
}

Answer 2

或者改变<<EOF，以<<-EOF允许缩进。然后它将删除与应用时缩进最少的行匹配的缩进数量。