Terraform JSON MalformedPolicyDocument：策略遗留解析失败

Question

Terraform JSON MalformedPolicyDocument：策略遗留解析失败

Nic*_*lls 9 json amazon-web-services amazon-iam terraform

我很难解决这个错误

Error: error creating IAM policy policy-assumerole-test: MalformedPolicyDocument: The policy failed legacy parsing
    status code: 400, request id: b06e5c24-0b3b-42f3-8580-9e0393434dc1
  on ../modules/assume/main.tf line 47, in resource "aws_iam_policy" "permit_assume_role":
  47: resource "aws_iam_policy" "permit_assume_role" {

Run Code Online (Sandbox Code Playgroud)

该模块创建附加假设策略的组

该模块在这里：

terraform {
  required_providers {
    template = {
      source  = "hashicorp/template"
      version = "2.2.0"
    }

    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.72.0"
    }
  }

  required_version = "~> 0.14"
}

## Generate the assume roles policy for this group
data "template_file" "policy" {
  template = file("${path.module}/assets/assume_role.json")

  vars = {
    accounts = join(
      ",\n",
      formatlist(
        "\"arn:aws:iam::%s:role/%s\"",
        var.account_id,
        coalesce(var.role_override, var.role_name),
      ),
    )
  }
}

## Create an AWS group
resource "aws_iam_group" "group" {
  name = var.group_name
}

## Add the user membership to the group
resource "aws_iam_group_membership" "group" {
  name  = "group_membership"
  group = aws_iam_group.group.name
  users = var.users_list
}

## The IAM policy to allow the central account permission to STS assume role
resource "aws_iam_policy" "permit_assume_role" {
  name        = "policy-assumerole-${var.group_name}"
  description = "Permit central account users to assume roles in this account"
  policy      = data.template_file.policy.rendered
}

## Assigning the IAM policy to the user group
resource "aws_iam_policy_attachment" "permit_group_policy" {
  name       = "permit_group_policy"
  groups     = [aws_iam_group.group.name]
  policy_arn = aws_iam_policy.permit_assume_role.arn
}

Run Code Online (Sandbox Code Playgroud)

假设_role.json 模板位于此处：

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
        ${accounts}
    ]
  }
}

Run Code Online (Sandbox Code Playgroud)

这允许我在调用模块时调用并构建策略

例子：

module "assume_group" {
  source = "../modules/assume"

  account_id = [
    var.accounts["account1"],
    var.accounts["account2"],
  ]

  group_name = "test"
  role_name  = "test"

  users_list = [
  ]

  providers = {
    aws = aws.login
  }
}

Run Code Online (Sandbox Code Playgroud)

这给我带来了一个错误，我正在努力解决 VScode 指向的模板没有

Answer 1

Nic*_*lls 10

我确实发现我在声明开头和声明结尾处缺少“[”。这对于单个资源来说应该不重要，但它给我带来了问题。添加此解决了我的问题

谢谢

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
        ${accounts}
    ]
  }]
}

Run Code Online (Sandbox Code Playgroud)

归档时间：	3 年，7 月前
查看次数：	4405 次
最近记录：	2 年前