Terraform-provider-aws: Bug: leading whitespace causes aws_iam_policy to incorrectly report valid JSON policies as invalid

Created on 12 Oct 2017 · 12 Comments · Source: hashicorp/terraform-provider-aws

Terraform Version

0.10.7, 0.9.11

Affected Resource(s)

  • aws_iam_role
  • aws_iam_policy

Terraform Configuration Files

resource "aws_iam_policy" "nodes_sqs_policy" {
    name        = "nodes_sqs_policy"
    description = "nodes SQS"
    policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sqs:GetQueueAttributes"
          ],
          "Resource": [
            "arn:aws:sqs:us-east-1:123123123:myapp-dev-us-east-1*"
          ]
        }
      ]
    }
EOF
}

Expected Behavior

The policy was applied

Actual Behavior

1 error(s) occurred:

* aws_iam_policy.nodes_sqs_policy: "policy" contains an invalid JSON policy

Important Factoids

According to RFC 4627, "Insignificant whitespace is allowed before or after any of the six structural characters."

Removing the whitespace before the first character in the policy allows it to be applied:

# Same resource as above; only the policy heredoc has changed so that it starts at the first column.
resource "aws_iam_policy" "nodes_sqs_policy" {
    name        = "nodes_sqs_policy"
    description = "nodes SQS"
    policy = <<EOF
{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "sqs:GetQueueAttributes"
          ],
          "Resource": [
            "arn:aws:sqs:us-east-1:123123123:myapp-dev-us-east-1*"
          ]
        }
      ]
    }
EOF
}

References

Terraform #11906 is where the JSON validation was applied.

Labels: bug, service/iam
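To make the validation point concrete, here is an added Go example (not the provider's code; the strict check is an assumed model of the behaviour reported above) contrasting a validator that demands '{' as the very first byte with one that skips RFC 4627 whitespace before applying the same object check and parsing:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the policy from the report as the heredoc yields it, spaces before '{'.
const policyWithLeadingWS = `    {"Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["sqs:GetQueueAttributes"],
    "Resource": ["arn:aws:sqs:us-east-1:123123123:myapp-dev-us-east-1*"]}]}
`

// strictValidate models the reported failure (assumed, not the provider's code): '{' must be byte 0.
func strictValidate(policy string) error {
	if len(policy) == 0 || policy[0] != '{' {
		return fmt.Errorf("policy contains an invalid JSON policy")
	}
	return checkJSON(policy)
}

// lenientValidate skips insignificant whitespace (RFC 4627: space, tab, CR, LF)
// before applying the same "must be a JSON object" rule, then parses.
func lenientValidate(policy string) error {
	trimmed := strings.TrimLeft(policy, " \t\r\n")
	if len(trimmed) == 0 || trimmed[0] != '{' {
		return fmt.Errorf("policy contains an invalid JSON policy")
	}
	return checkJSON(trimmed)
}

// checkJSON requires well-formed JSON carrying the Version and Statement keys of an IAM policy.
func checkJSON(policy string) error {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal([]byte(policy), &doc); err != nil {
		return fmt.Errorf("policy contains invalid JSON: %w", err)
	}
	for _, key := range []string{"Version", "Statement"} {
		if _, ok := doc[key]; !ok {
			return fmt.Errorf("policy is missing required key %q", key)
		}
	}
	return nil
}

func main() {
	fmt.Println("strict: ", strictValidate(policyWithLeadingWS))  // rejected
	fmt.Println("lenient:", lenientValidate(policyWithLeadingWS)) // <nil>
}
```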

All 12 comments

Adding this here as docs but this can cause bugs on resources that depend on this policy and the warning is extremely disconcerting.

For example, if you have an aws_iam_role_policy_attachment that depends on your policy, it will tell you that the policy does not exist.

I came across this today as well. This is a bug, right?

    policy = <<CONFIG
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::our-org-secrets",
                    "arn:aws:s3:::our-org-secrets/*"
                ]
            }
        ]
    }
    CONFIG

"policy" contains an invalid JSON policy

Also affects terraform 0.11.4, aws provider 1.13.0

+1 I encountered this as well

trim

+1

+1 Same issue for me.

I finally had a minute to write https://github.com/terraform-providers/terraform-provider-aws/pull/5887 but I don't currently have an environment I can run acceptance tests in. If someone can pull my branch, run make testacc TEST=./aws TESTARGS='-run=TestAccAWSLaunchTemplate_', and post results in the PR thread, that might help get this merged.

I found a donor account, test results are added.

👍

As a workaround for the ugly inline JSON heredoc, the aws_iam_policy_document data source works great; it is an HCL-to-JSON transformer.
