Run `terraform -v` to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Terraform v0.11.1
Affected resource: `aws_iam_role_policy`

```hcl
resource "aws_iam_role_policy" "execution_role_policy" {
  name   = "ecs_execution_role_policy"
  role   = "${aws_iam_role.execution_role.id}"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:*",
        "cloudwatch:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
EOF
}
```
### Expected Behavior

```
Error: Error applying plan:

1 error(s) occurred:

* aws_ecs_task_definition.task: 1 error(s) occurred:

* aws_iam_role_policy.execution_role_policy: Error putting IAM role policy EcsExecutionRolePolicy: ValidationError:
You've provided an ARN. Please provide an ID instead.
```
### Actual Behavior
```
Error: Error applying plan:

1 error(s) occurred:

* aws_ecs_task_definition.task: 1 error(s) occurred:

* aws_iam_role_policy.execution_role_policy: Error putting IAM role policy EcsExecutionRolePolicy: ValidationError:
The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-
	status code: 400, request id: 30e2d314-ff1f-11e7-81b8-31fe685c36f6
```
Please list the steps required to reproduce the issue, for example:

1. Create a `.tf` file from the code above.
2. `terraform apply`
@carlosonunez currently the `aws_iam_role_policy` resource does not perform any plan-time validation for the `role` attribute and unfortunately AWS only allows role names. It would be fairly trivial to add it though, based on the validation already performed by `aws_iam_role`'s `name` attribute.

Basically, we could move this to its own function: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_iam_role.go#L44-L56

Then add `ValidateFunc` to the `role` attribute schema here: https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_iam_role_policy.go#L49-L53

For most of these validation cases we don't specifically try to determine if the implementor was trying to specify a certain type of value (e.g. ARN) since it's harder to maintain, but rather supply the valid character/length restrictions.
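As an added illustration of the plan-time check described above (example code, not the provider's own; the function name `validateIAMRoleName` and the explicit ARN check are assumptions), a function with the `ValidateFunc` signature that applies IAM's role-name rules (1 to 64 characters from `[\w+=,.@-]`) and names the ARN mistake directly:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Character set IAM accepts for a role name: letters, digits and + = , . @ _ -
// (the same list the API error above quotes). IAM also caps the name at 64 chars.
var iamRoleNamePattern = regexp.MustCompile(`^[\w+=,.@-]+$`)

// validateIAMRoleName has the shape of a Terraform schema ValidateFunc,
// func(interface{}, string) ([]string, []error), so it could be attached to
// the `role` attribute schema. Beyond the character/length rules it gives a
// dedicated message for the mistake this thread is about: passing an ARN.
func validateIAMRoleName(v interface{}, k string) (warnings []string, errs []error) {
	value, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%q must be a string", k)}
	}
	if strings.HasPrefix(value, "arn:") {
		// Fail at plan time with a clear message instead of the API's 400.
		return nil, []error{fmt.Errorf(
			"%q must be an IAM role name, not an ARN (got %q): use the role's name, not its arn", k, value)}
	}
	if n := len(value); n < 1 || n > 64 {
		errs = append(errs, fmt.Errorf("%q must be between 1 and 64 characters, got %d", k, n))
	}
	if !iamRoleNamePattern.MatchString(value) {
		errs = append(errs, fmt.Errorf(
			"%q may only contain alphanumeric characters and +=,.@_- (got %q)", k, value))
	}
	return warnings, errs
}

func main() {
	// Constructed inputs: a valid name, the ARN mistake, and an invalid character.
	for _, candidate := range []string{
		"ecs_execution_role",
		"arn:aws:iam::123456789012:role/ecs_execution_role",
		"bad name",
	} {
		_, errs := validateIAMRoleName(candidate, "role")
		fmt.Printf("%-52q -> %d error(s)\n", candidate, len(errs))
	}
}
```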
Can we update the docs for the `aws_iam_role_policy` resource, to clarify what the `role` property should be?

Currently all it says is:

* `role` - (Required) The IAM role to attach to the policy.

It would be more clear if it said:

* `role` - (Required) The id of the IAM role to attach to the policy.

Though I'm also confused as to whether this is supposed to be `role.id` or `role.name`.

It would be great if it could support `role.arn` as well.
@bflad That's an interesting approach that could work. I'll try having a go at it.
@eschwartz @carlosonunez did you consider moving this into 1.33.0? If so, this would be awesome! 👏
@fr34k8 unfortunately I have to put this on the back burner, as other work has been prioritized above this. Apologies for the inconvenience. I'll leave this issue open for others who feel like this is something that should be addressed, but am fine with the mods closing this as wontfix, too.
It could be a basic layer of protection to check, for example in the resource `aws_iam_role_policy_attachment` and anywhere else where required, that the `role` attribute is the `role.name` and not a `role.arn`. You could literally just enforce that the argument is `{something}.name`.
It seems like an inconsistency in the Amazon AWS API that most of the time it needs an ARN but sometimes it needs to be a name.
Actually validating the format of the role name or the ARN is not necessary because that error is already returned from the API; the problem is confusion in the Terraform resource. It's just called `role`, so it is not obvious that this error message really means you've stuck an ARN where a name should go.

> The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.@_-

This information needs to be added to the documentation until this issue is resolved.
If `arn` is available, this is a good workaround:

```hcl
resource "aws_iam_role_policy_attachment" "additional_permissions" {
  # The role name is the last path segment of the role ARN. IAM role names may
  # contain + = , . @ _ - so take everything after the final "/" rather than a
  # word-character class, which would cut a name such as "svc.role" short.
  role       = regex("[^/]+$", module.lambda.role_arn)
  policy_arn = aws_iam_policy.additional_permissions_lambda.arn
}
```
I find the error message really confusing; I believed it meant something was wrong with the `name` attribute of the `aws_iam_role_policy` resource. A more accurate error message would certainly be most helpful.
Hey, is there a corresponding PR for this? You've said you've looked at it @carlosonunez. I'm happy to help get it over the line.